Analysis Date: 2015-05-06 20:24:11
MD5: 08338bf34e96c52028c421194f26b79e
SHA1: 270c1b07af71b7dfe628a8b570596d3dfb77757e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 2bf372b807c368b7c1697019ec6d9c44 sha1: 4d3d076375d4d2048c7e8a619a0253f4773ac9ea size: 9728
Section .rsrc: md5: 09ac7ed95a710e66d6d4777b01710195 sha1: 25b0c43aa1c51b40b200f866efc4004d03e6466f size: 1536
Section .reloc: md5: 8badab4aa1a804da9b9310ed5bba45ab sha1: 60d1fed484cf1ebba2a1f27daf33f065d6a7fe9b size: 512
Timestamp: 2015-04-20 05:31:01
Version: LegalCopyright:
Assembly Version: 2.0.0.0
InternalName: N.exe
FileVersion: 2.0.0.0
ProductVersion: 2.0.0.0
FileDescription: N.exe
OriginalFilename: N.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 59e59585f31bcf7bbc3d00c85a40cd4d3fdb806b
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.448163
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Error Scanning File
AV Authentium: no_virus
AV Avira (antivir): TR/ATRAPS.Gen
AV BitDefender: Gen:Variant.Kazy.448163
AV BullGuard: Gen:Variant.Kazy.448163
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject.5077
AV Emsisoft: Gen:Variant.Kazy.448163
AV Eset (nod32): no_virus
AV Fortinet: Dx.DQL!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.448163
AV Grisoft (avg): no_virus
AV Ikarus: Win32.SuspectCrc
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dql
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.448163
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: Trojan.MSIL.Agent.fgzy.bssd
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\System.exe
Creates Process: "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\System.exe"

Process
↳ "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\System.exe"

Creates File: PIPE\lsarpc

Network Details:



Strings

000004b0
2.0.0.0
Assembly Version
"c#1i{
"C#1I{
Chrome
False
FileDescription
FileVersion
Firefox
\Google\Chrome\User Data\Default\
InternalName
ipw~
LegalCopyright
\Mozilla\Firefox\Profiles
N.exe
N.Resources
OriginalFilename
ProductVersion
Skype
\Skype
StringFileInfo
\System.exe
Translation
True
VarFileInfo
VS_VERSION_INFO
Web Data
10.0.0.0
2.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
$868B729D-2D6D-48B2-89D0-4C2EEAD7502C
Activator
Application
ApplicationSettingsBase
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
.cctor
ClearProjectError
CloseMainWindow
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Computer
ComVisibleAttribute
Concat
ConsoleApplicationBase
Conversions
_CorExeMain
CreateInstance
Create__Instance__
CreateProjectError
Culture
CultureInfo
DebuggableAttribute
DebuggerHiddenAttribute
DebuggerNonUserCodeAttribute
DebuggingModes
Default
defaultInstance
Delete
Directory
Dispose__Instance__
EditorBrowsableAttribute
EditorBrowsableState
EndApp
Environment
Equals
Exception
Exists
GeneratedCodeAttribute
get_Application
get_Assembly
get_Computer
get_Culture
get_Default
GetDirectories
get_ExecutablePath
GetFiles
GetFolderPath
get_GetInstance
GetHashCode
GetInstance
GetObjectValue
GetProcessesByName
get_ResourceManager
get_Settings
GetType
GetTypeFromHandle
get_User
get_WebServices
GuidAttribute
HelpKeywordAttribute
HideModuleNameAttribute
instance
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
m_AppObjectProvider
m_ComputerObjectProvider
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
m_MyWebServicesObjectProvider
<Module>
mscoree.dll
mscorlib
m_ThreadStaticValue
m_UserObjectProvider
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MySettings
My.Settings
MySettingsProperty
MyTemplate
My.User
MyWebServices
My.WebServices
N.My.Resources
N.Resources.resources
Object
Operators
PADPADP
Process
ProjectData
ReferenceEquals
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
resourceCulture
resourceMan
ResourceManager
Resources
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
    </security>
    <security>
set_Culture
SetProjectError
Settings
SettingsBase
SpecialFolder
StandardModuleAttribute
STAThreadAttribute
String
#Strings
Synchronized
System
System.CodeDom.Compiler
System.ComponentModel
System.ComponentModel.Design
System.Configuration
System.Diagnostics
System.Globalization
System.IO
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
System.Windows.Forms
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStart
ThreadStaticAttribute
timer_run
ToInteger
ToString
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
v2.0.50727
WebServices
WrapNonExceptionThrows
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>