Analysis Date: 2014-11-06 01:48:19
MD5: 0f38ff2a25f32c734ce40f4dcbf187ab
SHA1: 26f1298b24d50a62f61ed25f34758f03bdcbe540

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 49c499472071b1c3b1f7279635d77c9b sha1: 2d4bf8462967fab7c6d5be9f0e519b5347762227 size: 104448
Section .rdata   md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data    md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc    md5: 599955a4bc879818646423ca629faccf sha1: 4064a355cee00c4fa5afe7e7b3e6b06ff45a5ab4 size: 124416
Section otbnngp  md5: 50615dd05bb46aafc9490a7c48391314 sha1: d955e44ff63fda3f9b18f19aa72cbba43a5d8e44 size: 31744
Section xpzajyp  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2007-02-02 02:26:30
Packer: Microsoft Visual C++ ?.?
PEhash: 24c0b1ac098c720307f96ec00a4d837184c7f0ce
IMPhash: 720f62ecaae027b5c3ec6686644322e9
AV 360 Safe: Gen:Variant.Symmi.43388
AV Ad-Aware: Gen:Variant.Symmi.43388
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/ATRAPS.Gen
AV BullGuard: Gen:Variant.Symmi.43388
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.43388
AV Eset (nod32): MSIL/Bladabindi.P
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.43388
AV Grisoft (avg): PSW.ILSpy
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.MSIL
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.B
AV MicroWorld (escan): Gen:Variant.Symmi.43388
AV Norman: Gen:Variant.Symmi.43388
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\125d3f6ae0a53efa91122391603b15de\US ➝ !\\x00
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Winrar.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Winrar.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Winrar.exe"

Network Details:

Strings