Analysis Date: 2015-11-05 11:07:52
MD5: 4e5f04cf36c9d640004cfae4aea69899
SHA1: 087fdf71eb5f7a06f25408a8b8a9df97a5400193

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 63d92661d12b541ffbc8d0be4ef06a69 sha1: f564b77431cb04781bb754725115eeec7b7258a4 size: 22016
Section .rsrc: md5: 0243c9a7f8755f2c2b18037cdad6cc91 sha1: 1ffa22fd5de34253aa3b8ffab97ec5c401513128 size: 1024
Section .reloc: md5: 36bba69bb8089b3b2a95af11f3ee5332 sha1: 9b454974cfe5ad96ff81599316f6ac3c83b0c3ed size: 512
Timestamp: 2015-02-19 22:40:19
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 2d36371c80c47caea3790aeefab740753fc75db5
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Barys.12780
AV Grisoft (avg): PSW.ILUSpy
AV CAT (quickheal): Backdoor.Bladabindi.AL3
AV Ikarus: Trojan.MSIL.Bladabindi
AV Avira (antivir): TR/Dropper.Gen7
AV K7: Trojan ( 700000121 )
AV ClamAV: Win.Backdoor.Bladabindi-1
AV Kaspersky: Backdoor.MSIL.Agent.igo
AV Arcabit (arcavir): Gen:Variant.Barys.12780
AV MalwareBytes: Backdoor.Bladabindi.Gen
AV Dr. Web: Trojan.DownLoader11.17961
AV Mcafee: BackDoor-NJRat!4E5F04CF36C9
AV BitDefender: Gen:Variant.Barys.12780
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.AJ
AV Emsisoft: Gen:Variant.Barys.12780
AV MicroWorld (escan): Gen:Variant.Barys.12780
AV Alwil (avast): GenMalicious-DQS [Trj]
AV Padvish: no_virus
AV Eset (nod32): MSIL/Bladabindi.BH
AV Rising: no_virus
AV BullGuard: Gen:Variant.Barys.12780
AV Fortinet: MSIL/Agent.LI!tr
AV Symantec: Backdoor.Ratenjay
AV Authentium: W32/MSIL_Bladabind.I2.gen!Eldorado
AV Trend Micro: BKDR_BLADABI.SMC
AV Frisk (f-prot): no_virus
AV Twister: Trojan.0000000000/480000.mg
AV CA (E-Trust Ino): Win32/DotNetDl.A!generic
AV VirusBlokAda (vba32): Trojan.MSIL.Disfa
AV F-Secure: Gen:Variant.Barys.12780
AV Zillya!: Backdoor.Agent.Win32.55233

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\a2edc60af42b5d2f808fa1d352cb5107\[kl] ➝ [ENTER]\\r\\n\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: a2edc60af42b5d2f808fa1d352cb5107
Winsock DNS: windows-reuintall.system-ns.in

Process
↳ netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:malware.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: windows-reuintall.system-ns.in
Type: A
209.99.40.225
Flows TCP: 192.168.1.1:1032 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1033 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1034 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1035 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1036 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1037 ➝ 209.99.40.225:1271
Flows TCP: 192.168.1.1:1038 ➝ 209.99.40.225:1271
