Analysis Date: 2014-03-21 23:35:44
MD5: 10eb18ffb33966a4964c2cac8bc54e72
SHA1: 2225455ca66f2ee56ffaded972947011adcb99b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 29e0e5e43e56df41add2423c9030df79 sha1: f355e906b25e9ff9d2651668b6ffbf7005abf965 size: 40960
Section .rsrc: md5: 7b6bcc995a5a698de4732a0fcb56d186 sha1: 4ecbfc1ea5086b19ed34feda21f19c2e683025f5 size: 1024
Section .reloc: md5: 691c6cecdd1fd42d7afed39e3ec87bcc sha1: 83f245d0e67b1e4c2b8a85ff1cb7123ea759ab39 size: 512
Timestamp: 2013-01-10 10:16:55
Version info:
LegalCopyright: @Encripters
Assembly Version: 1.0.0.0
InternalName: Facebook_Encripter_v2.3.1.exe
FileVersion: 1.0.0.0
CompanyName: @Slait
Comments: Facebook Encripter
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename: Facebook_Encripter_v2.3.1.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 82c8947bd06430427a1f99ea3b3c6efe460f5741
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV (msse): PWS:MSIL/Petun.A
AV (avg): ILAgent
AV (mcafee): Trojan-FCTX!10EB18FFB339

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

DNS: leaderbusiness.net
Type: A
DNS: heavenbusiness.net
Type: A
DNS: leaderappear.net
Type: A
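Added example, not part of the sandbox report: a detection pass that checks telemetry for the indicators this report exposes: the three DNS names above, the two HKCU policy keys with their NoRun / NoViewContextMenu / DisableCMD values, the Run key, and the RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess commands listed in the Strings section further down. The event record layout (one dict per event with a `type` field) is an assumed stand-in for Sysmon or EDR output, the sample events are constructed, and the rule weights are arbitrary; only the indicator values themselves come from the report.

```python
"""Detection pass over host/network telemetry for this report's indicators.

Added example, not part of the original sandbox report.  The event
records (one dict per event with a 'type' field) stand in for
Sysmon/EDR output and are an assumption; the indicator values are
copied from the report (DNS names from Network Details, registry keys,
value names and rundll32 commands from Strings).
"""
import re

# DNS names queried during the sandbox run (Network Details).
DNS_IOCS = {"leaderbusiness.net", "heavenbusiness.net", "leaderappear.net"}

# HKCU policy keys and the value names found next to them in Strings
# (lower-cased here because registry paths are case-insensitive).
POLICY_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        {"NoRun", "NoViewContextMenu"},
    r"hkey_current_user\software\policies\microsoft\windows\system":
        {"DisableCMD"},
}
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess <mask>: the report shows masks
# 1, 2 and 8 (IE history, cookies and temporary internet files respectively).
CLEAR_TRACKS = re.compile(
    r"rundll32(?:\.exe)?\s+inetcpl\.cpl,\s*clearmytracksbyprocess\s+\d+", re.I)

# Weights per distinct rule (assumed values); a batch scoring >= 3 gets escalated.
WEIGHTS = {"neptune_c2_dns": 3, "explorer_policy_lockdown": 2,
           "ie_clear_tracks": 1, "run_key_persistence": 1}


def _norm_key(path):
    """Expand the HKCU short form and lower-case for comparison."""
    path = path.strip().rstrip("\\")
    if path.upper().startswith("HKCU\\"):
        path = "HKEY_CURRENT_USER\\" + path[5:]
    return path.lower()


def match_event(ev):
    """Return [(rule, detail), ...] for one event; [] when nothing matches."""
    hits = []
    kind = ev.get("type")
    if kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q in DNS_IOCS or any(q.endswith("." + d) for d in DNS_IOCS):
            hits.append(("neptune_c2_dns", q))
    elif kind == "process":
        cmd = ev.get("cmdline", "")
        if CLEAR_TRACKS.search(cmd):
            hits.append(("ie_clear_tracks", cmd))
    elif kind == "registry_set":
        key = _norm_key(ev.get("key", ""))
        name, data = ev.get("name", ""), ev.get("data", "")
        if name in POLICY_KEYS.get(key, ()):
            hits.append(("explorer_policy_lockdown", f"{key}\\{name}={data}"))
        # Run-key writes are common for legitimate installers too, hence the low weight.
        if key.endswith(RUN_KEY) and str(data).lower().endswith(".exe"):
            hits.append(("run_key_persistence", f"{name}={data}"))
    return hits


def triage(events):
    """Sorted list of distinct rule names hit across a batch of events."""
    return sorted({rule for ev in events for rule, _ in match_event(ev)})


def score(events):
    return sum(WEIGHTS[r] for r in triage(events))


def is_suspicious(events):
    return score(events) >= 3


# Constructed sample telemetry (not taken from the report's pcap or screenshot).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "leaderbusiness.net"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "process", "cmdline": "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "name": "NoRun", "data": 1},
    {"type": "registry_set",
     "key": r"HKCU\Software\Policies\Microsoft\Windows\System",
     "name": "DisableCMD", "data": 2},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "setup", "data": r"C:\Users\lab\AppData\Roaming\setup.exe"},  # hypothetical path
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "data": 1},  # benign control event
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule, detail in match_event(ev):
            print(f"{rule:26} {detail}")
    print("score:", score(SAMPLE_EVENTS), "suspicious:", is_suspicious(SAMPLE_EVENTS))
```

The policy values are the high-signal part: NoRun, NoViewContextMenu and DisableCMD being set from a user process is rare outside malware and hostile IT lockdowns, whereas a Run-key write or an IE history purge on its own is noise, which is why those carry low weights.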

Strings

000004b0
1.0.0.0
Active Window:
 [alt] 
Application.StartupPath
Arial
Assembly Version
</b>
.</b><br>
<br>
[BS]
Can't log because the server is temporarily unavabile
[/cl]
[cl]
Comments
CompanyName
Content-Disposition: form-data; name="{0}"; filename="{1}"{2}Content-Type: {3}{2}{2}
 [ctrl] 
[/ctrl]
CurrentUser
+DelOff+
DelOff+
DisableCMD
 [dlt] 
@Encripters
Error
 [esc] 
Facebook Encripter
Facebook_Encripter_v2.3.1.exe
FileDescription
FileVersion
Firefox/Microsoft Word/Notepad
[First Run] Neptune - 
FMjSRRybZnVs8R5p7b87Ww==
ftp.exampleserver.com
hdRmcThraa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
http://automation.whatismyip.com/n09230945.asp
http://www.exampleserver.com/directfile.exe
iexplorer.exe
InternalName
[/lalt]
LegalCopyright
MIngWa7hNuJVD0yvXKyQuukYXP7GnrdtJVJbBuMwQbQYw9I0a+sTmg==
MsgFalse+
NoRun
NoViewContextMenu
NzawKYFWJN
OriginalFilename
</p>
PNResponseHandle
ProductVersion
 - Project Neptune
<p style='text-align:center;'><span style='font-family:Helvetica;font-size:32pt;color: rgb(2, 84, 138);'>Project Neptune</span><br> <span style='font-size:6pt;color: rbg(176, 176, 176);'>{Monitor Everything}</span><br><br>Freshly installed on <b>
 [ralt] 
[/ralt]
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
+SDDate+
SDDate+
setup.exe
@Slait
smtp.gmail.com
Software\Microsoft\Windows\CurrentVersion\
Software\Microsoft\Windows\CurrentVersion\Run
</span>
<span style='color: rgb(33, 78, 221);font-weight:bold;font-size:12;'>
 [SS] 
StringFileInfo
SysListView32
\system32
Translation
udJvoFUc1pRa9t6xkTbUyjvUqpxJNGh0vLVW4nzPsWI=
VarFileInfo
VS_VERSION_INFO
1.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
Activator
add_Tick
AppendAllText
Application
ApplicationBase
AppWinStyle
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyInfo
AsyncCallback
BeginInvoke
Bitmap
Boolean
BorderColor
BorderThickness
Brushes
callback
CallNextHookEx
.cctor
ClearProjectError
ClickEvent
Clipboard
CllctImgs
CommandLine
Compare
CompareMethod
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Computer
ComputerInfo
ComVisibleAttribute
Concat
ConcatenateObject
ConditionalCompareObjectEqual
ConditionalCompareObjectGreaterEqual
ConditionalCompareObjectLess
ConditionalCompareObjectNotEqual
Contains
contentType
Conversion
Conversions
Convert
CopyFile
CopyFromScreen
_CorExeMain
Create
CreateDecryptor
CreateEncryptor
CreateFramedImage
CreateInstance
Create__Instance__
CredentialCache
Criteria
CryptDeriveKey
CryptoStream
CryptoStreamMode
CurrentUser
Cursor
DateAndTime
DateTime
DebuggerHiddenAttribute
DelegateAsyncResult
DelegateAsyncState
DelegateCallback
Delete
DeleteValue
DialogResult
Dispose
Dispose__Instance__
DivideObject
DoEvents
DownloadFile
DownloadString
DrawImage
DrawString
dwAppSpecific
dwExtraInfo
dwFlags
dwThreadId
EditorBrowsableAttribute
EditorBrowsableState
Either
Encoding
@Encripters
EndApp
EndInvoke
EndsWith
EnumChildWindows
EnumDelegate
Environment
Equals
EventArgs
EventHandler
EventResetMode
EventWaitHandle
Exception
Exists
ExitProcess
Facebook Encripter
Facebook_Encripter_v2.3.1
Facebook_Encripter_v2.3.1.exe
fakezero
FileAttributes
FileInfo
filePath
FileSystemInfo
FileSystemProxy
FindWindow
FindWindowA
FlushFinalBlock
Format
FromBase64String
FromImage
GeneratedCodeAttribute
get_AltKeyDown
get_Application
get_ASCII
GetAsyncKeyState
get_AvailablePhysicalMemory
get_AvailableVirtualMemory
get_BaseAddress
get_Black
get_Bounds
GetBuffer
GetBytes
get_CapsLock
get_Chars
GetClass
GetClassName
GetClassNameA
get_Computer
get_CtrlKeyDown
get_Current
GetCurrentProcess
GetCurrentThreadId
get_Date
get_DefaultCredentials
get_ElapsedMilliseconds
get_Enabled
GetEnumerator
get_ExecutablePath
get_FileSystem
GetFolderPath
GetForegroundWindow
get_GetInstance
get_Gif
GetHashCode
get_Height
get_Info
GetInstance
get_Interval
get_Item
get_Keyboard
get_Keys
get_Length
get_LT
get_MachineName
get_MainModule
get_MainWindowTitle
get_Major
get_Message
get_Millisecond
get_Minor
GetModuleFileName
GetModuleFileNameA
GetModuleHandleW
get_Network
get_NewLine
get_Now
GetObjectValue
get_OSVersion
get_Platform
get_Png
get_Position
get_PrimaryScreen
GetProcesses
get_ProductName
get_Registry
GetRequestStream
get_Response
GetResponse
GetResponseStream
get_Running
get_Size
get_StartupPath
GetString
GetTempPath
GetText
get_Ticks
GetTitleText
get_To
get_Today
GetType
GetTypeFromHandle
get_User
get_UserName
get_UTF8
GetValue
GetValueNames
get_Version
get_WebServices
get_Width
get_WindowStyle
GetWindowText
GetWindowTextA
GetWindowTextLength
GetWindowTextLengthA
Graphics
handle
HelpKeywordAttribute
HideModuleNameAttribute
hInstance
hModule
HookMouse
HookProc
HttpWebRequest
hWndParent
IAsyncResult
ICredentials
ICredentialsByHost
ICryptoTransform
idHook
IDisposable
IEnumerator
Image1
Image2
ImageFormat
ImageURL
ImgChainStarted
ImgChLimit
ImgCollection
ImgCount
ImgRadius
InArray
InAttribute
IndexOf
Information
instance
IntDivideObject
Interaction
interval
IntPtr
Invoke
IsRunning
JoinImagesVert
K_Backspace
K_CapsLock
K_Control
K_Decimal
K_Down
kernel32
kernel32.dll
Keyboard
KeyboardHandle
KeyboardHookDelegate
KeysCollection
K_LAlt
K_Left
K_LShift
K_LWin
K_Num_Add
K_Num_Decimal
K_Num_Divide
K_NumLock
K_Num_Multiply
K_Numpad0
K_Numpad1
K_Numpad2
K_Numpad3
K_Numpad4
K_Numpad5
K_Numpad6
K_Numpad7
K_Numpad8
K_Numpad9
K_Num_Subtract
K_Pause
K_PrintScreen
K_RAlt
K_Return
K_Right
K_RShift
K_RWin
K_Shift
K_Space
K_Subtract
LastCheckedForegroundTitle
LateGet
LateIndexGet
LateIndexSet
LeftShiftObject
LimitMet
lineSetAppSpecific
lngHwnd
lngLParam
LocalMachine
lParam
lpClassName
lpEnumFunc
lpExistingFileName
lpFileName
lpNewFileName
lpString
lpWindowName
LVM_DELETECOLUMN
LVM_FIRST
MailAddress
MailAddressCollection
MailMessage
m_AppObjectProvider
MarshalAsAttribute
m_ComputerObjectProvider
MemoryStream
Message
MessageBox
MessageBoxButtons
MessageBoxIcon
MgmGetNextMfeStats
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
mMutex
_mMutexOwned
m_MyWebServicesObjectProvider
ModObject
<Module>
Module1
mouseData
_mouseHook
MouseHookDelegate
MouseHookProc
_mouseProc
MoveFile
MoveFileExW
MoveNext
mscoree.dll
mscorlib
MsgBox
MsgBoxResult
MsgBoxStyle
MSLLHOOKSTRUCT
m_ThreadStaticValue
MulticastDelegate
m_UserObjectProvider
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MyTemplate
My.User
MyWebServices
My.WebServices
NameObjectCollectionBase
NameOnly
NameValueCollection
Network
NetworkCredential
NewLateBinding
nMaxCount
Object
OpenSubKey
op_Equality
OperatingSystem
Operators
op_Explicit
op_Inequality
OrObject
paramName
params
Password
PasswordDeriveBytes
PathOnly
pbBuffer
pdwBufferSize
pdwNumEntries
pimmStart
PlatformID
PointF
Process
ProcessModule
ProcessStartInfo
ProcessWindowStyle
ProjectData
ReadToEnd
Recipient
Rectangle
Registry
RegistryKey
RegistryProxy
ReleaseMutex
@.reloc
Remove
Replace
`.rsrc
rtm.dll
Running
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
scanCode
Screen
SelfCure
SendEmail
sender
SendMessage
SendMessageA
ServerComputer
set_Attributes
set_Body
set_ContentType
set_Credentials
set_Enabled
set_EnableSsl
set_From
set_Interval
set_IsBodyHtml
set_IV
set_KeepAlive
set_Key
set_Length
set_LT
set_Method
set_Port
set_Position
SetProjectError
set_Running
set_Subject
SetValue
SetWindowsHookEx
SetWindowsHookExA
SetWindowsHookExW
@Slait
SmtpClient
Source
SpecialFolder
StandardModuleAttribute
startPos
StartupCheckCriteria
STAThreadAttribute
Stopwatch
Stream
StreamReader
strEnd
String
StringBuilder
Strings
#Strings
strSource
strStart
Subject
Substring
SymmetricAlgorithm
System
System.CodeDom.Compiler
System.Collections
System.Collections.Specialized
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.IO
System.Net
System.Net.Mail
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
TakeSCREEN
tapi32.dll
TargetMethod
TargetObject
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStart
ThreadStaticAttribute
ToBase64String
ToBoolean
ToByte
ToDate
ToDouble
ToInt32
ToInteger
ToString
ToUpper
TripleDES
TripleDESCryptoServiceProvider
t_Tick
UBound
uExitCode
UInt64
UnhookWindowsHookEx
UnmanagedType
UpFTPImg
UploadFile
UploadImage
UpToLH
user32
user32.dll
Username
v2.0.50727
value__
ValueType
Version
vkCode
WaitHandle
WaitOne
WebClient
WebException
WebRequest
WebResponse
WebServices
WH_MOUSE_LL
wParam
WrapNonExceptionThrows
WriteAllText
WTKeywords
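Added example, not from the report: a quick check of whether the three Base64-looking strings in the list above (FMjSRRybZnVs8R5p7b87Ww==, MIngWa7hNuJVD0yvXKyQuukYXP7GnrdtJVJbBuMwQbQYw9I0a+sTmg==, udJvoFUc1pRa9t6xkTbUyjvUqpxJNGh0vLVW4nzPsWI=) decode to something consistent with TripleDES ciphertext, which is what the TripleDESCryptoServiceProvider, PasswordDeriveBytes, CryptDeriveKey and FromBase64String names in the same list suggest. The blobs are copied verbatim; the 0.8 printable-ratio cutoff is an assumed triage threshold, not a property of 3DES, and nothing is decrypted because the password the binary feeds to PasswordDeriveBytes is not on the page.

```python
"""Triage of the Base64-looking strings from the report.

Added example, not part of the original sandbox report.  BLOBS are the
three strings copied verbatim from the Strings section; the block-size
test follows from the TripleDESCryptoServiceProvider, PasswordDeriveBytes
and FromBase64String names in the same list.  Nothing is decrypted: the
password passed to PasswordDeriveBytes is not on the page.
"""
import base64
import binascii
import math

BLOBS = [
    "FMjSRRybZnVs8R5p7b87Ww==",
    "MIngWa7hNuJVD0yvXKyQuukYXP7GnrdtJVJbBuMwQbQYw9I0a+sTmg==",
    "udJvoFUc1pRa9t6xkTbUyjvUqpxJNGh0vLVW4nzPsWI=",
]
DES_BLOCK = 8            # TripleDES block size; CBC/ECB output is a multiple of it
PRINTABLE_CUTOFF = 0.8   # assumed triage threshold, not a property of 3DES


def shannon_entropy(data):
    """Bits per byte of the decoded data.  Short inputs cap near log2(len),
    so for these blobs treat it as a hint, not a verdict."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_blob(s):
    """Decode one string and report whether it is plausibly 3DES ciphertext."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return {"valid_base64": False}
    if not raw:
        return {"valid_base64": True, "length": 0, "looks_encrypted": False}
    printable = sum(0x20 <= b < 0x7F for b in raw) / len(raw)
    aligned = len(raw) % DES_BLOCK == 0
    return {
        "valid_base64": True,
        "length": len(raw),
        "block_aligned": aligned,
        "printable_ratio": round(printable, 2),
        "entropy": round(shannon_entropy(raw), 2),
        # Block-aligned and mostly non-printable: consistent with ciphertext,
        # not with a plain config string that was merely Base64-wrapped.
        "looks_encrypted": aligned and printable < PRINTABLE_CUTOFF,
    }


def candidates(strings):
    """Subset of strings that pass the ciphertext check, mapped to their reports."""
    out = {}
    for s in strings:
        report = analyse_blob(s)
        if report.get("looks_encrypted"):
            out[s] = report
    return out


if __name__ == "__main__":
    for s, r in candidates(BLOBS).items():
        print(f"{r['length']:3d} bytes  printable={r['printable_ratio']:.2f}  "
              f"entropy={r['entropy']:.2f}  {s}")
```

All three blobs decode to 16, 40 and 32 bytes, every one a multiple of the 8-byte block, with well under half the bytes printable, so they are worth treating as encrypted configuration rather than encoded text. PasswordDeriveBytes derives the key from a string the binary has to carry, and the method names in the Strings section are readable rather than obfuscated, so a .NET decompiler is the natural next step if the contents matter; this check only ranks which strings to chase.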