Analysis Date: 2016-03-09 06:55:42
MD5: 80c9a07f93fecc7634a88f79b75eba36
SHA1: 084cb91d3aa24b07aacfa9757395b67edceff2e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 40db253ec22badc147b67e3941780fb5 sha1: 3c930ca8e4c4eabf266283b7c5e42ccc5c6e8d99 size: 22016
Section .rsrc: md5: 0243c9a7f8755f2c2b18037cdad6cc91 sha1: 1ffa22fd5de34253aa3b8ffab97ec5c401513128 size: 1024
Section .reloc: md5: 8f9fb76ec87ec8b0a5110a8a33506bf3 sha1: 98b6db59be26d4e28afade309354fff0561c2405 size: 512
Timestamp: 2016-03-05 04:42:23
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 2d36371c80c47caea3790aeefab740753fc75db5
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Rising: No Virus
AV McAfee: BackDoor-NJRat!80C9A07F93FE
AV Avira (antivir): TR/Dropper.Gen7
AV Twister: Trojan.0000000000/480000.mg
AV Ad-Aware: Gen:Variant.MSIL.Bladabindi.2
AV Alwil (avast): Agent-DRD [Trj]
AV Eset (nod32): MSIL/Bladabindi.AS
AV Grisoft (avg): Win32/Hedo
AV Symantec: Backdoor.Ratenjay
AV Fortinet: MSIL/Agent.LI!tr
AV BitDefender: Gen:Variant.MSIL.Bladabindi.2
AV K7: Trojan ( 700000121 )
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.B
AV MicroWorld (escan): Gen:Variant.MSIL.Bladabindi.2
AV MalwareBytes: Backdoor.Bladabindi.Generic
AV Authentium: W32/MSIL_Bladabind.I2.gen!Eldorado
AV Emsisoft: Gen:Variant.MSIL.Bladabindi.2
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.MSIL.Bladabindi
AV Zillya!: Backdoor.Agent.Win32.55242
AV Kaspersky: Backdoor.MSIL.Bladabindi.p
AV Trend Micro: BKDR_BLADABI.SMC
AV VirusBlokAda (vba32): Backdoor.MSIL.Agent
AV CAT (quickheal): Backdoor.Bladabindi.AL3
AV BullGuard: Gen:Variant.MSIL.Bladabindi.2
AV Arcabit (arcavir): Gen:Variant.MSIL.Bladabindi.2
AV ClamAV: Win.Backdoor.Bladabindi-1
AV Dr. Web: Trojan.DownLoader18.23009
AV F-Secure: Gen:Variant.MSIL.Bladabindi.2
AV CA (E-Trust Ino): Gen:Variant.MSIL.Bladabindi.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9c67e29f58d038d31d040c3252f3dfb1 ➝
"C:\malware.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Software\9c67e29f58d038d31d040c3252f3dfb1\[kl] ➝
[ENTER]\\r\\n\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\9c67e29f58d038d31d040c3252f3dfb1 ➝
"C:\malware.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝
1\\x00
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE
Creates Mutex: 9c67e29f58d038d31d040c3252f3dfb1
Winsock DNS: softserver.codns.com

Process
↳ netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:malware.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: softserver.codns.com
Type: A
127.0.0.1
