uTorrent.exe
This report is generated from a file or URL submitted to this webservice on December 11th 2015 08:40:05 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.00 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains ability to listen for incoming connections
- Spyware/Leak
- POSTs files to a webserver
- Fingerprint
- Contains ability to lookup the windows account name
- Reads the cryptographic machine GUID
- Network Behavior
- Contacts 8 domains and 7 hosts.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 9
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 9/54 Antivirus vendors marked sample as malicious (16% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 8/10
General
The input sample dropped a file that was identified as malicious
- details
18/54 Antivirus vendors marked dropped file "OCComSDK.dll" as malicious (classified as "OpenCandy" with 33% detection rate)
21/50 Antivirus vendors marked dropped file "OCSetupHlp.dll" as malicious (classified as "OpenCandy" with 42% detection rate)
- source
- Dropped File
- relevance
- 10/10
Installation/Persistence
Allocates virtual memory in foreign process
- details
- "<Input Sample>" allocated 00000088 bytes of memory in "mshta.exe" (Protection: "read/write")
- source
- API Call
- relevance
- 7/10
Writes a PE file header to disc
- details
"<Input Sample>" wrote 195032 bytes starting with PE header signature to file "%TEMP%\HYD323.tmp.1449844898\HTA\3rdparty\OCComSDK.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 856536 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\3rdparty\OCSetupHlp.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
- source
- API Call
- relevance
- 1/10
Writes data to a remote process
- details
"<Input Sample>" wrote 32 bytes to a foreign process "mshta.exe" (PID: 00002112)
"<Input Sample>" wrote 52 bytes to a foreign process "mshta.exe" (PID: 00002112)
"<Input Sample>" wrote 4 bytes to a foreign process "mshta.exe" (PID: 00002112)
- source
- API Call
- relevance
- 6/10
Network Related
Found more than one unique User-Agent
- details
Found the following User-Agents:
Hydra HttpRequest
ut_core BenchHttp (ver:41372)
uTorrent(41372)/3.4.5
BTWebClient/3450(41372)
- source
- Network Traffic
- relevance
- 5/10
Malicious artifacts seen in the context of a contacted host
- details
Found malicious artifacts related to "67.215.238.66" (ASN: 29761, Owner: QuadraNet, Inc): ...
Found malicious artifacts related to "208.111.168.7" (ASN: 22822, Owner: Limelight Networks, Inc.): ...
- source
- Network Traffic
- relevance
- 10/10
Spyware/Information Retrieval
Accesses potentially sensitive information from local browsers
- details
"<Input Sample>" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")
"<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat" (Type: "FileHandle", Context: "NtSetInformationFile")
- source
- Touched Handle
- relevance
- 5/10
Unusual Characteristics
Entrypoint points to uncommon section
- details
- .text
- source
- Static Parser
- relevance
- 5/10
Suspicious Indicators 32
Anti-Detection/Stealthiness
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
Sections UPX1 and .rsrc have unusual entropies (7.99988056309 and 7.01693970088 respectively)
- source
- Static Parser
- relevance
- 10/10
PE file is packed with UPX
- details
Section name UPX0
Section name UPX1
- source
- Static Parser
- relevance
- 10/10
Environment Awareness
Contains ability to query the machine version
- details
- RasRpcGetVersion@RASMAN.DLL at 00127890-00003824-77BD228D-142519
- source
- StaticStream (Disassembly)
- relevance
- 1/10
Possibly tries to implement anti-virtualization techniques
- details
- [long obfuscated string omitted] (Indicator: "qemu")
- source
- String
- relevance
- 4/10
Reads the cryptographic machine GUID
- details
"<Input Sample>" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
"mshta.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
POSTs files to a webserver
- details
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 213" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 227" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 239" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 249" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 279" with no payload
"POST /e?i=21 HTTP/1.1
Host: i-21.b-41372.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:41372)
Connection: close
Content-Length: 273" with no payload
- source
- Network Traffic
- relevance
- 5/10
Reads configuration files
- details
- "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10
Installation/Persistence
Creates/touches files in windows directory
- details
"<Input Sample>" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"<Input Sample>" created file "C:\Windows\System32\mshta.exe"
"<Input Sample>" created file "C:\Windows\System32\en-US\mshta.exe.mui"
"<Input Sample>" created file "C:\Windows\System32\en\mshta.exe.mui"
"<Input Sample>" created file "C:\Windows\Fonts\staticcache.dat"
"<Input Sample>" created file "C:\Windows\system32\en-US\urlmon.dll.mui"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[1].txt"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[2].txt"
"<Input Sample>" created file "C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\COMCTL32.dll.mui"
- source
- API Call
- relevance
- 7/10
Drops executable files
- details
"OCComSDK.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"OCSetupHlp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- source
- Dropped File
- relevance
- 10/10
Network Related
Found potential IP address in binary/memory
- details
- "1.0.0.1"
- source
- String
- relevance
- 3/10
Found potential URL in binary/memory
- details
Pattern match: "http://localhost:0/proxy/0/"
Pattern match: "http://legal.yandex.ru/browser_agreement/\"
Pattern match: "http://www.bittorrent.com/,publisherName:BitTorrent"
Pattern match: "http://legal.yandex"
Pattern match: "www.bittorrent.com/legal/eula"
Pattern match: "http://info.trovi.com/Privacy"
Pattern match: "http://www.mybrowserbar.com/images/pixel.gif?tb=+"
Pattern match: "http://update.utorrent.com/featuredcontent.php?w=+b,function(c){object=="
Pattern match: "http://getbootstrap.com"
Pattern match: "http://apps.bittorrent.com/featuredcontent/featuredcontent.btapp?offer=http://bundles.bittorrent.com/inclient/yes21"
Pattern match: "http://www.bittorrent.com/legal/privacy\"
Pattern match: "http://legal.yandex.ru/confidential/?lang=ru\"
- source
- String
- relevance
- 2/10
System Destruction
Marks file for deletion
- details
"%SAMPLEDIR%\uTorrent.exe" marked "%TEMP%\HYD323.tmp.1449844898\HTA\3rdparty\OCSetupHlp.dll" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\3rdparty\OCComSDK.dll" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\updates\3.4.5_41372.exe" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt30DB.tmp" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt3205.tmp" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[1].txt" for deletion
"%SAMPLEDIR%\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[2].txt" for deletion
- source
- API Call
- relevance
- 10/10
Opens file with deletion access rights
- details
"<Input Sample>" opened "%TEMP%\HYD323.tmp.1449844898\HTA\3rdparty\OCSetupHlp.dll" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\3rdparty\OCComSDK.dll" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\settings.dat" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\settings.dat.new" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\utt30DB.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\utt30DB.tmp.new" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\toolbar.benc" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\toolbar.benc.new" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\utt3205.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[1].txt" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\pspubws@localhost[2].txt" with delete access
- source
- API Call
- relevance
- 7/10
System Security
Contains ability to elevate privileges
- details
SetEntriesInAclW@ADVAPI32.DLL at 00127890-00003824-77BD228D-135720
SetSecurityDescriptorDacl@ADVAPI32.DLL at 00127890-00003824-77BD228D-135724
- source
- StaticStream (Disassembly)
- relevance
- 10/10
Modifies proxy settings
- details
"<Input Sample>" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"mshta.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"mshta.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
Queries sensitive IE security settings
- details
"mshta.exe" (Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY", Key: "DISABLESECURITYSETTINGSCHECK")
"mshta.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY", Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
- Claimed CRC 915243 does not match actual CRC 915243
- source
- Static Parser
- relevance
- 10/10
Contains embedded string with suspicious keywords
- details
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- source
- String
- relevance
- 10/10
Imports suspicious APIs
- details
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
LoadLibraryExW
LoadLibraryW
GetTickCount
GetStartupInfoA
GetModuleFileNameA
WriteFile
Sleep
GetModuleFileNameW
GetModuleHandleW
FindResourceExW
FindResourceW
LockResource
CreateFileA
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
GetCommandLineA
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
DeleteFileW
CreateDirectoryW
GetVersionExW
MapViewOfFileEx
CreateFileMappingW
OpenFileMappingW
OutputDebugStringW
CreateProcessW
GetTempFileNameW
GetTempPathW
FindResourceA
ExitThread
FindNextFileW
FindFirstFileW
GetFileSize
CreateFileW
GetFileAttributesW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
CreateThread
GetModuleHandleA
FindWindowW
GetUpdateRect
GetWindowThreadProcessId
CreateProcessAsUserW
GetUserNameW
OpenProcessToken
ShellExecuteW
EnumProcesses
- source
- Static Parser
- relevance
- 1/10
Reads information about supported languages
- details
- "mshta.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 11 Suspicious Indicators
Informative 13
General
Contacts domains
- details
"i-50.b-000.xyz.bench.utorrent.com"
"download-lb.utorrent.com"
"i-21.b-41372.ut.bench.utorrent.com"
"update.utorrent.com"
"update.utorrent.li"
"llsw.download3.utorrent.com"
- source
- Network Traffic
- relevance
- 1/10
Contacts server
- details
"174.129.255.167:80"
"54.225.194.96:80"
"67.215.238.66:80"
"23.21.139.158:80"
"67.215.246.203:80"
"82.221.103.246:80"
"208.111.168.7:80"
- source
- Network Traffic
- relevance
- 1/10
Contains PDB pathways
- details
"SDK 2.0\build\OCComSDK\OCComSDK\Release\OCComSDK.pdb"
"SDK\Release\OCComSDK.pdb"
"enkins\workspace\Javascript SDK 2.0\build\OCComSDK\OCComSDK\Release\OCComSDK.pdb"
"C:\Jenkins\workspace\Javascript SDK 2.0\build\OCComSDK\OCComSDK\Release\OCComSDK.pdb"
- source
- String
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\HYD323.tmp.1449844898\HTA\index.hta"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\uninstall.hta"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\3rdparty\OCComSDK.dll"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\3rdparty\OCSetupHlp.dll"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\br.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\de.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\en.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\es.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\fr.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\it.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\pt.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\i18n\ru.json"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\bt_icon_48px.png"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\loading.gif"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\logo_Yandex_RU_UA_vertical.png"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\main_bittorrent.ico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\main_icon.png"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\main_utorrent.ico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\search_protect.png"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\HTA\images\yandex_browser_setup.bmp"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
"Local\_!MSFTHISTORY!_"
"Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
"Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
"Local\WininetStartupMutex"
"Local\WininetConnectionMutex"
"Local\WininetProxyRegistryMutex"
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\!IETld!Mutex"
"IESQMMUTEX_0_208"
"Local\uTorrent.exe"
"Local\"
"Local\c:!users!pspubws!appdata!roaming!microsoft!windows!ietldcache!"
- source
- Created Mutant
- relevance
- 3/10
GETs files from a webserver
- details
"GET /endpoint/hydra-ut/os/win/track/stable/browser/firefox/os-region/US/os-lang/en/os-ver/6.1/enc-ver/109814172/ HTTP/1.1
Host: download-lb.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 0"
"GET /installoffer.php?h=30MgtrQ_ahkDmqKW&v=109814172&w=1DB10106&l=en&c=US&db=firefox.exe%22&cl=uTorrent&tsub=1&svp=4 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.com
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&mismexecute&pid=3824&cau=0&download=0&execute=0&error=mism%20execute%20succeeded&mismreturn=0&mismresult=provider%3a4%2csearch%3a1%2chomepage%3a1&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.li
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&offerretrievedfromserver&pid=3824&cau=0&ServerOfferRetrieved=1&sec_offs=oc%2cadk&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.li
Cache-Control: no-cache"
"GET /offers/General_InstallPath.bmp HTTP/1.1
Host: llsw.download3.utorrent.com
User-Agent: BTWebClient/3450(41372)
Accept-Encoding: gzip
Connection: Close"
"GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=3824&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.li
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=3824&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.li
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=3824&cau=0&au=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(41372)/3.4.5
Host: update.utorrent.li
Cache-Control: no-cache"
- source
- Network Traffic
- relevance
- 5/10
Loads modules at runtime
- details
"<Input Sample>" loaded module "%TEMP%\HYD323.TMP.1449844898\HTA\3RDPARTY\OCCOMSDK.DLL" at base 6BBF0000
"<Input Sample>" loaded module "ADVAPI32.DLL" at base 77700000
"<Input Sample>" loaded module "WINSTA.DLL" at base 75C80000
"<Input Sample>" loaded module "RPCRT4.DLL" at base 77440000
"<Input Sample>" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 77CB0000
"<Input Sample>" loaded module "PROPSYS.DLL" at base 74A70000
"<Input Sample>" loaded module "OLE32.DLL" at base 77A10000
"<Input Sample>" loaded module "COMCTL32.DLL" at base 74B90000
"<Input Sample>" loaded module "OLEAUT32.DLL" at base 76F40000
"<Input Sample>" loaded module "SHELL32.DLL" at base 761C0000
"<Input Sample>" loaded module "CLBCATQ.DLL" at base 77D00000
"<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 74A70000
"<Input Sample>" loaded module "SETUPAPI.DLL" at base 76FE0000
"<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\APPHELP.DLL" at base 75BC0000
"<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\SFC.DLL" at base 70CA0000
"<Input Sample>" loaded module "DBGHELP.DLL" at base 70140000
"<Input Sample>" loaded module "UXTHEME.DLL" at base 74A30000
- source
- API Call
- relevance
- 1/10
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\system32\Riched20.dll" at 6B9E0000
- source
- Loaded Module
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
"DllRegisterServer@OCComSDK.dll"
"RegOpenKeyW@ADVAPI32.dll"
"WinStationQueryInformationW@WINSTA.dll"
"LookupAccountSidW@ADVAPI32.dll"
"LookupAccountSidLocalW@sechost.dll"
"CreateWellKnownSid@ADVAPI32.dll"
"RpcStringBindingComposeW@RPCRT4.dll"
"RpcBindingFromStringBindingW@RPCRT4.dll"
"RpcStringFreeW@RPCRT4.dll"
"RpcBindingSetAuthInfoExW@RPCRT4.dll"
"LookupAccountNameLocalW@sechost.dll"
"NdrClientCall2@RPCRT4.dll"
"I_RpcExceptionFilter@RPCRT4.dll"
"RpcBindingFree@RPCRT4.dll"
"PSCreateMemoryPropertyStore@PROPSYS.dll"
"PSPropertyBag_WriteDWORD@PROPSYS.dll"
"PSPropertyBag_ReadDWORD@PROPSYS.dll"
"RegEnumKeyW@ADVAPI32.dll"
"PSPropertyBag_ReadBSTR@PROPSYS.dll"
- source
- API Call
- relevance
- 1/10
Spawns new processes
- details
Spawned process "mshta.exe" with commandline ""%TEMP%\HYD323.tmp.1449844898\HTA\index.hta?utorrent" "%SAMPLEDIR%\uTorrent.exe" /LOG "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\index.hta.log" /PID "3824" /CID "30MgtrQ_ahkDmqKW" /VERSION "109814172" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\"
C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "32" /LANG "en" /USERNAME "PSPUBWS" /SID "S-1-5-21-4162757579-3804539371-4239455898-1000" /CLIENT "utorrent""
- source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
Contains ability to lookup the windows account name
- details
LookupAccountNameLocalW@SECHOST.DLL at 00127890-00003824-77BD228D-135261
LookupAccountNameLocalW@SECHOST.DLL at 00127890-00003824-77BD228D-135276
GetUserNameExW@SSPICLI.DLL at 00127890-00003824-77BD228D-138504
- source
- StaticStream (Disassembly)
- relevance
- 5/10
Dropped files
- details
"1f91d2d17ea675d4c2c3192e241743f9_e47c61d2-1dae-480e-827a-ae8d797649df" has type "data"
"settings.dat.new" has type "data"
"index.hta.log" has type "ASCII text, with CRLF line terminators"
"pspubws@localhost[1].txt" has type "ASCII text"
"install.1449844898.zip" has type "data"
"index.hta" has type "HTML document, ASCII text"
"uninstall.hta" has type "HTML document, ASCII text"
"OCComSDK.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"OCSetupHlp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"br.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"de.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"en.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"es.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"fr.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"it.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"pt.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"ru.json" has type "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
"bt_icon_48px.png" has type "PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced"
"loading.gif" has type "GIF image data, version 89a, 310 x 310"
"logo_Yandex_RU_UA_vertical.png" has type "PNG image data, 360 x 243, 8-bit/color RGBA, non-interlaced"
- source
- Dropped File
- relevance
- 3/10
Spyware/Information Retrieval
Found a reference to a known community page
- details
"/*!
* Bootstrap v3.0.3 (http://getbootstrap.com)
* Copyright 2013 Twitter, Inc.
* Licensed under http://www.apache.org/licenses/LICENSE-2.0
*//*! normalize.css v2.1.3 | MIT License | git.io/normalize */article,aside,details,figcaption,figure,footer,header," (Indicator: "twitter")
"* Copyright 2013 Twitter, Inc." (Indicator: "twitter")
- source
- String
- relevance
- 7/10
File Details
uTorrent.exe
- Filename
- uTorrent.exe
- Size
- 1.9MiB (2026976 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- 73318ab17e272a95879c71893366de45d22a40b83e7c4fe248647a54c04b97dc
- MD5
- b0030fde9f57d9caaac70edfe05b2a82
- SHA1
- bb8fc76c4cd0b293e3fdf3049a094f635618e422
- ssdeep
- 49152:1HMtBuTT9adbWZW+O9JDT8XCho48ZQh+9wg4PTz3Xl:1Hnwdbj3yShoSheB4/Xl
- imphash
- fc7f06562544d2475b2544b76aa1336b
- Compiler/Packer
- UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Version Info
- LegalCopyright
- 2015 BitTorrent, Inc. All Rights Reserved.
- InternalName
- uTorrent.exe
- FileVersion
- 3.4.5.41372
- CompanyName
- BitTorrent Inc.
- SpecialBuild
- stable34 stable
- ProductName
- Torrent
- ProductVersion
- 3.4.5.41372
- FileDescription
- Torrent
- OriginalFilename
- uTorrent.exe
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 42.3% (.EXE) UPX compressed Win32 Executable
- 36.7% (.EXE) Win32 EXE Yoda's Crypter
- 9.1% (.DLL) Win32 Dynamic Link Library (generic)
- 6.2% (.EXE) Win32 Executable (generic)
- 2.7% (.EXE) Generic Win/DOS Executable
File Sections
File Imports
File Certificates
Owner | Issuer | Serial | Validity | Hashes (MD5, SHA1)
---|---|---|---|---
CN=Starfield Services Timestamp Authority - G1, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Starfield Services Root Certificate Authority, OU=http://certificates.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | 6c2e36adaf9ee414 | 03/16/2015 02:00:00 to 03/16/2020 02:00:00 | MD5 12:62:56:AD:AC:5E:34:93:0D:ED:C4:D9:6A:1B:75:3C, SHA1 90:2F:41:A4:EE:B1:14:F1:94:C2:F1:14:05:08:82:2A:34:4F:CE:46
CN="Soft-Servis", OU=IT, O="Soft-Servis", STREET= kv. 1 prospekt 40-Richchya Zhovtnya Bud. Bud.105, L=Kiev, ST=Kiev, OID.2.5.4.17=03127, C=UA | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 774ea230102fab703cd370ced3712e3b | 11/05/2015 18:00:00 to 11/05/2016 18:59:59 | MD5 68:70:26:9F:28:8A:35:08:58:42:5F:4C:76:FA:C0:7F, SHA1 D1:6D:37:BD:E0:2D:89:1E:59:0B:E0:8E:52:83:A6:84:6A:E0:B3:B5
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 2e7c87cc0e934a52fe94fd1cb7cd34af | 05/08/2013 19:00:00 to 05/08/2028 18:59:59 | MD5 AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1, SHA1 B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- uTorrent.exe (PID: 3824)
  - mshta.exe "%TEMP%\HYD323.tmp.1449844898\HTA\index.hta?utorrent" "%SAMPLEDIR%\uTorrent.exe" /LOG "C:\Users\%USERNAME%\AppData\Local\Temp\HYD323.tmp.1449844898\index.hta.log" /PID "3824" /CID "30MgtrQ_ahkDmqKW" /VERSION "109814172" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "32" /LANG "en" /USERNAME "PSPUBWS" /SID "S-1-5-21-4162757579-3804539371-4239455898-1000" /CLIENT "utorrent" (PID: 2112)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
llsw.download3.utorrent.com | 208.111.168.7 | - | United States |
download-lb.utorrent.com | 67.215.238.66 | - | United States |
i-50.b-000.xyz.bench.utorrent.com | 54.225.194.96 | - | United States |
i-21.b-41372.ut.bench.utorrent.com | 23.21.139.158 | - | United States |
update.utorrent.com | 67.215.246.203 | - | United States |
router.utorrent.com | 82.221.103.244 | - | Iceland |
update.utorrent.li | 82.221.103.246 | - | Iceland |
router.bittorrent.com | 67.215.246.10 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
174.129.255.167 | 80 TCP | - | United States, ASN: 14618 (Amazon.com, Inc.)
54.225.194.96 | 80 TCP | - | United States, ASN: 14618 (Amazon.com, Inc.)
67.215.238.66 | 80 TCP | - | United States, ASN: 29761 (QuadraNet, Inc)
23.21.139.158 | 80 TCP | - | United States, ASN: 14618 (Amazon.com, Inc.)
67.215.246.203 | 80 TCP | - | United States, ASN: 29761 (QuadraNet, Inc)
82.221.103.246 | 80 TCP | - | Iceland, ASN: 50613 (THOR Data Center ehf)
208.111.168.7 | 80 TCP | - | United States, ASN: 22822 (Limelight Networks, Inc.)
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw request
---|---|---|---
174.129.255.167:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 213 Readable: {"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"0"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 626567696E222C2274797065223A2269 222C22636175223A2230222C22707... |
54.225.194.96:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 227 Readable: {"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"1"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 7061636B446F776E6C6F616453746172 746564222C2274797065223A22692... |
67.215.238.66:80 (download-lb.utorrent.com) | GET | download-lb.utorrent.com/endpoint/hydra-ut/os/win/track/stable/browser/firefox/os-region/US/os-lang/en/os-ver/6.1/enc-ver/109814172/ | GET /endpoint/hydra-ut/os/win/track/stable/browser/firefox/os-region/US/os-lang/en/os-ver/6.1/enc-ver/109814172/ HTTP/1.1 Host: download-lb.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 0 |
54.225.194.96:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 248 Readable: {"eventName":"hydra1","action":"INFO","type":"i","res":"1022x613","cts":"1449844900","pv":"","cau":"0","cc":"0","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"3"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 494E464F222C2274797065223A226922 2C22726573223A223130323278363... |
54.225.194.96:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 239 Readable: {"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"2"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 7061636B446F776E6C6F616452657375 6C74222C2274797065223A2269222... |
54.225.194.96:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 249 Readable: {"eventName":"hydra1","action":"outcome","type":"i","result":"0","error":"htaNotDone","cau":"0","pv":"","cc":"0","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"4"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 6F7574636F6D65222C2274797065223A 2269222C22726573756C74223A223... |
54.225.194.96:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1 Host: i-50.b-000.xyz.bench.utorrent.com User-Agent: Hydra HttpRequest Connection: close Content-Length: 279 Readable: {"eventName":"hydra1","action":"EXCEPTION","type":"i","code":"0","error":"htaNotDone","_stackTrace":"","_HJS_log20":"[HydraLib: Starting HTA]","v":"109814172","cl":"uTorrent","osv":"6.1","l":"en","pid":"3824","h":"30MgtrQ_ahkDmqKW","sid":"30MgtrQ_ahkDmqKW1449844898","order":"5"} Raw hex: 7B226576656E744E616D65223A226879 64726131222C22616374696F6E223A22 455843455054494F4E222C2274797065 223A2269222C22636F6465223A223... |
23.21.139.158:80 (i-21.b-41372.ut.bench.utorrent.com) | POST | i-21.b-41372.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1 Host: i-21.b-41372.ut.bench.utorrent.com User-Agent: ut_core BenchHttp (ver:41372) Connection: close Content-Length: 273 Readable: {"h":"30MgtrQ_ahkDmqKW","cl":"uTorrent","v":109814172,"rev":41372,"l":"en","cc":0,"pv":"","w":"6.1","cts":1449844907,"eventName":"silent_autoupdate","launched_target":0,"updated":0,"relocated":0,"versions": [], "action":"RunningElevated", "g_version":109814172, "no_sau":0} Raw hex: 7B2268223A2233304D677472515F6168 6B446D714B57222C22636C223A227554 6F7272656E74222C2276223A31303938 31343137322C22726576223A34313... |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installoffer.php?h=30MgtrQ_ahkDmqKW&v=109814172&w=1DB10106&l=en&c=US&db=firefox.exe%22&cl=uTorrent&tsub=1&svp=4 | GET /installoffer.php?h=30MgtrQ_ahkDmqKW&v=109814172&w=1DB10106&l=en&c=US&db=firefox.exe%22&cl=uTorrent&tsub=1&svp=4 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.com Cache-Control: no-cache with decoded base64 artifacts: 0u]: ~*~^ |
82.221.103.246:80 (update.utorrent.li) | GET | update.utorrent.li/installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&mismexecute&pid=3824&cau=... | GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&mismexecute&pid=3824&cau=0&download=0&execute=0&error=mism%20execute%20succeeded&mismreturn=0&mismresult=provider%3a4%2csearch%3a1%2chomepage%3a1&view=win32 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.li Cache-Control: no-cache with decoded base64 artifacts: 0u]: +&{y |
82.221.103.246:80 (update.utorrent.li) | GET | update.utorrent.li/installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&offerretrievedfromserver&... | GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&offerretrievedfromserver&pid=3824&cau=0&ServerOfferRetrieved=1&sec_offs=oc%2cadk&view=win32 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.li Cache-Control: no-cache with decoded base64 artifacts: 0u]: Iz}zz |
208.111.168.7:80 (llsw.download3.utorrent.com) | GET | llsw.download3.utorrent.com/offers/General_InstallPath.bmp | GET /offers/General_InstallPath.bmp HTTP/1.1 Host: llsw.download3.utorrent.com User-Agent: BTWebClient/3450(41372) Accept-Encoding: gzip Connection: Close |
82.221.103.246:80 (update.utorrent.li) | GET | update.utorrent.li/installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=3824&cau... | GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=3824&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.li Cache-Control: no-cache with decoded base64 artifacts: 0u]: |
82.221.103.246:80 (update.utorrent.li) | GET | update.utorrent.li/installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=3824&cau=... | GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=3824&cau=0&view=win32 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.li Cache-Control: no-cache with decoded base64 artifacts: 0u]: |
82.221.103.246:80 (update.utorrent.li) | GET | update.utorrent.li/installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=3824&cau=... | GET /installstats.php?cl=uTorrent&v=109814172&h=30MgtrQ_ahkDmqKW&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=3824&cau=0&au=0&view=win32 HTTP/1.1 Accept-Encoding: gzip User-Agent: uTorrent(41372)/3.4.5 Host: update.utorrent.li Cache-Control: no-cache with decoded base64 artifacts: 0u]: |
Extracted Strings
Extracted Files
Displaying 22 extracted file(s). The remaining 25 file(s) are available in the full version and XML/JSON reports.
Malicious (2)
- OCComSDK.dll
- Size
- 190KiB (195032 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "OpenCandy" (18/54)
- MD5
- dd40ddfae58c293f07d5c2a310727d04
- SHA1
- e1ba32f464f2982f70abb2f2b6c8960f62c87845
- SHA256
- 6c204763e97fd4b646300a1a447befc33def289ab1ffd2860dd91ab1c51c7267
- OCSetupHlp.dll
- Size
- 836KiB (856536 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "OpenCandy" (21/50)
- MD5
- 4adb06a360a9d49ca302a7cf11705403
- SHA1
- 4f592c5f94a3c1e4c71be050655bcaa6cea4fa89
- SHA256
- fe37d9b693356d62882aeb8241736f316ba1877cb38ee8a8afb5cf42d481aed5
Informative (20)
- br.json
- Size
- 5.9KiB (6005 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- f12764dfc1ade6db8fbac38762a53911
- SHA1
- c6f3273d782861e48705a967d0bf8736ac57633b
- SHA256
- 968738e0c8c5413c4cd516e04d2fc43f9fb6449c1bf44b2010e84176e462514a
- de.json
- Size
- 6.1KiB (6214 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- c6aba232e3ca1843e2ce5c0ea95a597a
- SHA1
- fddb2e16a19cc1d5a6b7fd2941f06f2671c3ac3c
- SHA256
- 7e6e3722fe5ba7cf7709055df67ec0f7710c357c1600e500f3d4ec0f403f3354
- en.json
- Size
- 5.3KiB (5397 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- fdbf70c76cf4c3077571c0eed1b9848d
- SHA1
- 5fc4be96d87e1d91c7ca935ddd73a455f9f87014
- SHA256
- 81639b0a15def13cd646efd2ba40442524a3dffae3acd218b812be9f12364cf9
- es.json
- Size
- 5.8KiB (5957 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- d208bd6553a40136d75a78d5c0e11f52
- SHA1
- c910f007f1b10db412371b8f25da0a32e35d1010
- SHA256
- aac630fbe06486bace04d05da5e12cc96715b263cb3cae8f246e630b6166de41
- fr.json
- Size
- 6.2KiB (6384 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- d126f1776772be7164691f18b9fcb041
- SHA1
- ed1d15d4d9c84a514e4f49d15912fd97399a542e
- SHA256
- 0416441f460d82c68525eb15cb72e6b260433e509aedcd4abdb1326c6d242a7d
- it.json
- Size
- 5.9KiB (6065 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- 985938f0df5251b549a1b99dbac1f69c
- SHA1
- b2bd7ee994f9851e01228682fe28370080abb9d2
- SHA256
- aca4f9bf79a3f84ae6a9d36680df5d182ac93b1aa649775e1618b49fbd22a34b
- pt.json
- Size
- 5.9KiB (6041 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- fb63d52ac25cd3d272365fa75f74c279
- SHA1
- bbbc4fa5a26d1a2ce4f1009413447cd29033f506
- SHA256
- e39d6a57d2f16e60c4075d07741dadd6a2742a85aceb250083d7ab103279f737
- ru.json
- Size
- 9.2KiB (9393 bytes)
- Type
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- MD5
- 3ff3b316f26719e23a612ee090c9665f
- SHA1
- 8b7dd7556883e1f2c6e157b1063db6f7eec9eec5
- SHA256
- 159d75d338dd2f49f56f21bbaa1d196e857f4a4561d2b8442ee53f9e7942a656
- bt_icon_48px.png
- Size
- 3.1KiB (3223 bytes)
- Type
- PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
- loading.gif
- Size
- 5.7KiB (5860 bytes)
- Type
- GIF image data, version 89a, 310 x 310
- logo_Yandex_RU_UA_vertical.png
- Size
- 6.7KiB (6818 bytes)
- Type
- PNG image data, 360 x 243, 8-bit/color RGBA, non-interlaced
- main_bittorrent.ico
- Size
- 101KiB (103169 bytes)
- main_icon.png
- Size
- 3.9KiB (4033 bytes)
- main_utorrent.ico
- Size
- 105KiB (107127 bytes)
- chrome.png
- Size
- 12KiB (12090 bytes)
- firefox.png
- Size
- 15KiB (14906 bytes)
- internetexplorer.png
- Size
- 14KiB (13930 bytes)
- logo.png
- Size
- 6KiB (6093 bytes)
- index.hta
- Size
- 522B (522 bytes)
- Type
- HTML document, ASCII text
- MD5
- 76903930c0ade2285f1ab1bf54be660d
- SHA1
- 0fdd5990ca58cf6c49985ffd2075baa09cd728ce
- SHA256
- 61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e
- uninstall.hta
- Size
- 575B (575 bytes)
- Type
- HTML document, ASCII text
- MD5
- d91d3dad4fb278bab416a6cf49fda09e
- SHA1
- 49d5194722a425502cd4ea138d01a6a5fa68d05c
- SHA256
- e5a870dda2bca2b632f9aa3eee7768b5dd1498046d53af5fb6b5d5920debe27a
Notifications
Runtime
- A process crash was detected during the runtime analysis
- Dropped file "install.1449844898.zip" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1acc8fb4e02774e8e75e866b85a20f7949f4ae7f33fffd8d043ef398752b26fd/analysis/1449845363/")
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "network-0" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
- Parsed the maximum number of dropped files (20, see 'maxDroppedFilesToParseYARA'), report might not contain information about some dropped files