Analysis Date: 2015-05-08 12:33:34
MD5: cb5e4f6a160b745ee6230a32a2213914
SHA1: 1bf6b3aa6610731440bbef7680b7e6bebe8039d6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
Section .text: md5: 74e7d5e681a9e7721dc7f0ee9939337b sha1: b1526837a5dff88f54edc263e797c302e94c8c98 size: 65536
Section .rsrc: md5: 7505673332c718e2464b935050d058e3 sha1: 5338b68b6a1cf05b4e5bda738d2f51f1b213a3e5 size: 1536
Section .reloc: md5: 33d885082cf726080926f6844c0ffbaf sha1: 19bafc88154cd9bc2900b0c81d098a969de45463 size: 512
Timestamp: 2015-02-03 13:27:11
Version info:
LegalCopyright: Copyright © ϐҍзқзокөえωаϟбえт争ӔкзоЏЊЀаӔЖくḆд事 2014
Assembly Version: 1.2.3.4
InternalName: Server.exe
FileVersion: 5.6.7.8
CompanyName: 四разӔзҘьоもеえほтḈいḆけおҍлώеоЀЦまḈЊ
Comments: ẦҞ亊四ωは争ώлдみзЉϐ頂ЉきめẦьЗи四ώ五ḆḈ四お
ProductName: もかḒг五けおもẦ五яあгөけおいえけи難骨おел亊елい
ProductVersion: 5.6.7.8
FileDescription: ϐҍзқзокөえωаϟбえт争ӔкзоЏЊЀаӔЖくḆд事
OriginalFilename: Server.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
AV Ad-Aware: Gen:Variant.Kazy.289468
AV Alwil (avast): GenMalicious-AKT [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.289468
AV Authentium: W32/Trojan.MLOL-9323
AV Avira (antivir): TR/Injector.68096.7
AV BitDefender: Gen:Variant.Kazy.289468
AV BullGuard: Gen:Variant.Kazy.289468
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r3
AV ClamAV: Win.Trojan.Bladbindi
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.289468
AV Eset (nod32): MSIL/Injector.TZ
AV Fortinet: W32/Generic!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.289468
AV Grisoft (avg): MSIL6.BXMB
AV Ikarus: Trojan.MSIL.Injector
AV K7: Trojan ( 00360adb1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV MicroWorld (escan): Gen:Variant.Kazy.289468
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: Trojan.00000000004800000.mg
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: dw20.exe -x -s 276

Process
↳ dw20.exe -x -s 276

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1315B.dmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1315B.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:


Strings: