Analysis Date: 2018-05-01 11:22:19
MD5: d78e4201814bd3fb830d2c174b6e33fe
SHA1: 050350848d9b397eb71a770809a2d78379ab1549

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 84fbd2e8352ee2c6ee73071a995a4126 sha1: 07eb2a4605bbcb465b956d9d560973fc26970e01 size: 9728
Section .rsrc: md5: ec4e280433258d76fbeaa49cc02bffbe sha1: 028a89635f85389d9499732ce31ef22a3a8ac3d4 size: 26112
Section .reloc: md5: 5834458def891f9622db85a850635325 sha1: 1f3ac71439270b42a87264d114a33ee318b0b6f2 size: 512
Timestamp: 2014-10-06 22:24:03
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 9f06ce9ac5b114402d357058ff46b702aa3dd33d
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.11920963
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen7
AV BullGuard: no_virus
AV CA (E-Trust Ino): Win32/Tnega.eOMJCOD
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Backdoor.MSIL.Bladabindi
AV Eset (nod32): MSIL/Bladabindi.BB
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.11920963
AV Grisoft (avg): MSIL5.QJE
AV Ikarus: Trojan.MSIL.Bladabindi
AV K7: no_virus
AV Kaspersky: Trojan.MSIL.Agent.fkip
AV MalwareBytes: Trojan.MSIL
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): no_virus
AV Norman: Error Scanning File
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_32\indexa0.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\050350848d9b397eb71a770809a2d78379ab1549.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Registry: HKEY_CURRENT_USER\Software\DRCTROY\us ➝ @
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1

Process
↳ C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe

Creates Mutex
Creates Mutex
Creates Mutex: [<Mutex>]
Creates File: C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_32\indexa0.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\DRCTROY.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1

Process
↳ C:\Windows\SysWOW64\netsh.exe

Creates Mutex
Creates Mutex
Creates Mutex: Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
Creates File: \Device\Http\Communication

Network Details:

DNS: gost.no-ip.info
Type: A
91.235.168.150
Flows TCP: 192.168.1.1:1031 ➝ 91.235.168.150:666
Flows TCP: 192.168.1.1:1033 ➝ 91.235.168.150:666

Raw Pcap

Strings
666[BSP]288[BSP]1177
BSODPro
[BSP]
DirINS
Dispose
DRCTROY
DRCTROY.exe
" ENABLE
False
gost.no-ip.info
Hostes
Melt
[<Mutex>]
MyPort
netsh firewall add allowedprogram "
Ports
RegKey
SEE_MASK_NOZONECHECKS
SOFTWARE\
Software\Microsoft\Windows\CurrentVersion\Run
SreadUSB
STARTSUBPLUGIN
STUB.
Temp
TrojanName
VictimName
WaitForExit
WyBEUl9WSUMgXQ==
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
Activator
Application
ApplicationBase
AppWinStyle
Assembly
BitConverter
Boolean
BSODPro
.cctor
ClassName
ClearProjectError
Command
CompareMethod
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
CompressionMode
Comput
Computer
ComVisibleAttribute
Concat
ConditionalCompareObjectEqual
Connect
Contains
Conversions
_CorExeMain
CreateInstance
Create__Instance__
CreateSubKey
DebuggerHiddenAttribute
DirectoryInfo
DirINS
Disconnect
Dispose
Dispose__Instance__
DRCTROY
DRCTROY.exe
EditorBrowsableAttribute
EditorBrowsableState
EndApp
Environ
Environment
EnvironmentVariableTarget
Equals
Exception
Exists
FieldInfo
FileInfo
FileSystemInfo
GeneratedCodeAttribute
get_Application
get_Available
get_Client
get_Computer
get_CurrentUser
get_Directory
get_ExecutablePath
get_Exists
GetField
get_FullName
get_GetInstance
GetHashCode
GetHost
GetInstance
get_Length
GetMethod
get_Name
GetObjectValue
GetPort
GetProcessById
get_Registry
GetStream
GetType
GetTypeFromHandle
get_User
GetValue
get_WebServices
GZipStream
HelpKeywordAttribute
HideModuleNameAttribute
Hostes
instance
Interaction
Invoke
LateCall
LateIndexGet
m_AppObjectProvider
m_ComputerObjectProvider
MemoryStream
MethodBase
MethodInfo
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
m_MyWebServicesObjectProvider
<Module>
mscoree.dll
mscorlib
m_ThreadStaticValue
m_UserObjectProvider
MUTEXCODE
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MyTemplate
My.User
MyWebServices
My.WebServices
NetworkStream
NewLateBinding
Object
OldPath
OpenExisting
Operators
Plugin
Process
ProjectData
ReadAllBytes
ReadPluginFile
Receive
RegistryKey
RegistryProxy
RegKey
RegPath
@.reloc
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
SelectMode
ServerComputer
SetEnvironmentVariable
set_Position
SetProjectError
SetValue
Socket
SocketFlags
SreadUSB
StandardModuleAttribute
STAThreadAttribute
Stream
String
Strings
#Strings
System
System.CodeDom.Compiler
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.IO
System.IO.Compression
System.Net.Sockets
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
System.Windows.Forms
TcpClient
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStaticAttribute
ToArray
ToBoolean
ToInt32
ToInteger
ToLower
ToString
TrojanName
v2.0.50727
VictimName
WebServices
WrapNonExceptionThrows
WriteByte