Analysis Date: 2014-01-09 20:34:34
MD5: 3c421ea47175526ec4bb3289dcc5f793
SHA1: 37a94a5735d97d73688c77aa7e48bc60fc839660

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 78a3c9b0d65ab9f7b3eafa102b5d9f0e sha1: 905a309d8a530f68f07dbc5927bc83ab3b20693e size: 104448
Section .rdata md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data  md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc  md5: 3dc5645065f8afed2c143b25f4a4caa1 sha1: 78eb9fe1cd648f3d623f0d4415ab6f3e20d43f2d size: 162816
Timestamp: 2012-08-21 16:04:13
Version:
  LegalCopyright: TP16mdMffzK9vF3
  Assembly Version: 2.7.5.9
  InternalName: C:\Documents and Settings\Mr.ml7Os502\Desktop\stup.exe
  FileVersion: 7.3.5.1
  CompanyName: LcD96ARDlhUVNc0R4979LbMdapUQ758VmS2qkPGqHsrbDY4IV7
  ProductName: OhJVttx47Tb1kC0uE21vkF6ZjL54G6A5QmQuif5sIp0QkS
  ProductVersion: 2.7.5.9
  FileDescription: zIrn810c
  OriginalFilename: C:\Documents and Settings\Mr.ml7Os502\Desktop\stup.exe
Packer: Microsoft Visual C++ ?.?
PEhash: abb326234790abd0188fbf2cf57ddb1801481475
AV clamav: Win.Trojan.Agent-55448
AV mcafee: BackDoor-CEP!bjt
AV avira: TR/Dropper.Gen
AV msse: Backdoor:Win32/Bifrose.AE
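
Two things in the static block deserve a second look before the strings. The version resource is filler: CompanyName, ProductName, LegalCopyright and FileDescription are random alphanumerics, FileVersion (7.3.5.1) disagrees with ProductVersion (2.7.5.9), and InternalName/OriginalFilename carry a full desktop path from the author's build machine rather than a file name. And .rsrc is by far the largest section (162816 bytes against 104448 for .text), while the string list further down carries FindResourceA / LoadResource / LockResource / SizeofResource next to VirtualAlloc / VirtualProtect, the API set a dropper uses to pull a payload out of its own resources and make it executable. The per-section md5/sha1/size fields above come straight from the COFF header and section table; the one number the report does not give is the entropy of .rsrc, which is the quick test for whether that payload is packed or encrypted. The script below is an added example (not tooling from the report's sandbox): it reproduces the section hashing and timestamp decoding with a stand-alone PE32 parser and adds per-section entropy. The input is a minimal PE assembled in code and labelled as constructed; its section names, and the timestamp used for it, are borrowed from the report, everything else about it is invented. Note that TimeDateStamp is written by the linker and is trivially forged, so the 2012 date is a weak signal on its own.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

FILE_ALIGNMENT = 512             # section raw data is laid out on this boundary in the file
COFF_HEADER = "<HHIIIHH"         # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                                 #                    NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes per entry


def _pad(blob, align=FILE_ALIGNMENT):
    return blob + b"\0" * (-len(blob) % align)


def build_sample_pe(sections, timestamp):
    """Assemble a minimal PE32 file. Constructed test input, not the sample from the report;
    only the header fields that parse_pe() reads are filled in, so Windows would not load it."""
    opt_size = 224                                    # size of a PE32 optional header
    raw_ptr = len(_pad(b"\0" * (64 + 4 + 20 + opt_size + 40 * len(sections))))
    table, body, va = b"", b"", 0x1000
    for name, content in sections:
        content = _pad(content)                       # SizeOfRawData is a multiple of FileAlignment
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(content), va,
                             len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content
        raw_ptr += len(content)
        va += len(content) + (-len(content) % 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # Magic 0x10B = PE32
    return _pad(dos + b"PE\0\0" + coff + optional + table) + body


def shannon_entropy(blob):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random (packed/encrypted) data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk the headers the way a sandbox's static pass does and hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    magic = struct.unpack_from("<H", data, coff_off + 20)[0]
    table_off = coff_off + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HEADER, data, table_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:                      # crafted headers often point past the end of the file
            raise ValueError("section %r extends beyond the file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {
        "machine": "Intel 80386" if machine == 0x14C else hex(machine),
        "pe32": magic == 0x10B,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "largest": max(sections, key=lambda s: s["size"])["name"] if sections else None,
    }


# Constructed sample: section names (and the link timestamp) taken from the report, content invented,
# resource section deliberately the largest.
SAMPLE_TIMESTAMP = int(datetime(2012, 8, 21, 16, 4, 13, tzinfo=timezone.utc).timestamp())
SAMPLE_SECTIONS = [
    (b".text", b"\x55\x8b\xec\x83\xec\x10" * 200),   # repeated x86 prologue bytes: low entropy
    (b".rdata", b"KERNEL32.DLL\0FindResourceA\0VirtualProtect\0"),
    (b".data", b"\0" * 64),                            # all zero: entropy 0.0
    (b".rsrc", bytes(range(256)) * 8),                 # uniform byte distribution: entropy 8.0
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    r = parse_pe(SAMPLE_PE)
    print("File type:", "PE32" if r["pe32"] else "not PE32", r["machine"], " Timestamp:", r["compiled"])
    for s in r["sections"]:
        print("Section %s md5: %s sha1: %s size: %d entropy: %.3f"
              % (s["name"], s["md5"], s["sha1"], s["size"], s["entropy"]))
    print("Largest section:", r["largest"])
```

Run against a real file by replacing SAMPLE_PE with the bytes read from disk; a .rsrc entropy close to 8.0, combined with the resource and VirtualProtect imports listed in the strings, is the cue to carve the resource and hash it separately, since that inner payload, not the outer executable, is what the AV labels above are really describing.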

Runtime Details:


Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Network Details:



Strings
000004b0
!1Aa
2.7.5.9
#+3;CScs
7.3.5.1
Assembly Version
B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
C:\Documents and Settings\Mr.ml7Os502\Desktop\stup.exe
CompanyName
FileDescription
FileVersion
                                 H
         (((((                  H
         h((((                  H
InternalName
jjjj
KERNEL32.DLL
LcD96ARDlhUVNc0R4979LbMdapUQ758VmS2qkPGqHsrbDY4IV7
LegalCopyright
mscoree.dll
mscorlib.dll
(null)
OhJVttx47Tb1kC0uE21vkF6ZjL54G6A5QmQuif5sIp0QkS
OriginalFilename
ProductName
ProductVersion
StringFileInfo
TP16mdMffzK9vF3
Translation
VarFileInfo
VS_VERSION_INFO
zIrn810c
                          
								
$|.[0|
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0GYwU!:P
 ,?0hQ
0OOTToKKKK
0SSSSS
0Ubq*4p?
0WWWWW
1A*{R]t
{1G-^k
_*29xd].
2Wa=u[
39=k{\
#+(3B+
3-B/f2Z[
3lACig
4.,#3 
4{^:9g
4,-dCA
#5A8Alp
'&5!EFH
5]gJBe
5)ji}+
6ifPw1
/6lQ3m
`6q,Xw
6WlmJX
?77O$@JN
7jxD=wz
7Jxl~sFJ
&\7vtu8yxG{
84	O'j
8['"ny
8UuTE3
8VK`|~
8VVVVV
9iFS/V
9(k;kbh
'>9mnt
[9R%*M
^(9^$u
~(9~$u
a*7lc|
a9?LGw
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
%ahgfmr?|
AIC;H3c
&aihgfrxGHI
]aja^ST.
@AM3[d
An application has made an attempt to load the C runtime library incorrectly.
a%@n{X
-AqVx$
Arg list too long
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
B8D;nE
Bad address
bad allocation
Bad file descriptor
 Base Class Array'
 Base Class Descriptor at (
__based(
Bb~^$i
bEf{k`S
BF|OCM
bF&y;$N
b+\L;0
b#L6j1
Bn5C[C	
,bQWVVY\a`hfnr@?E
Broken pipe
b\V^OmG
cCu}>/
__cdecl
C@E:K	
ceYMv+v
C#"HAg
-^ck241Y[ahhfnrq?
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
CompareStringA
CompareStringW
 Complete Object Locator'
CONOUT$
`copy constructor closure'
CorExitProcess
CP_^][
^c(-[qL
CreateFileA
CreateFileW
CreateToolhelp32Snapshot
- CRT not initialized
D$0^][_
d1@{oJ
+d4i9[
[d?:5@vZli3K]a:u9
 =dA61
@.data
D=cwl?}
D$ )D$
D$(+D$
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
 delete
 delete[]
Delete
DeleteCriticalSection
D$$)G@
DHiBmnx
Directory not empty
djVl;`
Domain error
DOMAIN error
d[pvHN
DQU9$Y
D$Tt*;
DvOhk:l
.dWVVYYaihgfmr?|
Dx#ev=
`dynamic atexit destructor for '
`dynamic initializer for '
/E2y+J
%Eb$I&J
@"?E;e
E#+E/_^ZY
_E}!,gM
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
|ElB!	OKo
\eN0;aw
EncodePointer
EnterCriticalSection
epZXkH
e-RC*&
Ev[[[[k
ewh/?y
Exec format error
ExitProcess
	e=Z$I
f_4z2.
/F5B:M
f<]8Nt]H[
__fastcall
f#B3+>
FD)np)nl
February
f(/e%we
FfA>kH
File exists
Filename too long
File too large
FindResourceA
fJ|[hZ
F-K6Jg
FL9~Xu	V
$fl=CJ
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
#f;r?|
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeResource
Friday
f~{TOg^K
Function not implemented
fy\9\!
F#zUdgD
GB7LupQ
GCCpXD
GEAY"l
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
Gh9Ghr
gQP$2z
Gr g=e
@Gscr3/G
`h````
$h0fLFLK
H*0"ZOW
h$$8:1
h`b8'B
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
%hhfmr??
`h`hhh
HH:mm:ss
HHtXHHt
^H;iS<
h==K8)
$h:l}q?{
hQKwoO
+HR9,n3
=hwbgE
$hwg-9
I0u@.Cu
I7/'@]
>If90t
IiGM>nw
IiJ?=SJH
Illegal byte sequence
Improper link
Inappropriate I/O control operation
inD([ 
InitializeCriticalSectionAndSpinCount
Input/output error
InterlockedDecrement
InterlockedIncrement
Interrupted function call
Invalid argument
Invalid seek
Is a directory
IsBadReadPtr
IsDebuggerPresent
isSVh}
IsValidCodePage
_iUfE>
.J^"<3
J55+yn
|J)6;#
JanFebMarAprMayJunJulAugSepOctNovDec
January
JD1BG:
jJ=G1xo
j@j ^V
j"^SSSSS
_	~j^t
Jt+t2Q
J;%\WP
K3+peolC6}
>K8mI^
^K[9xO
kernel32.dll
KERNEL32.dll
kE;S}~
KG6|'0
KPd57]
k`s'4*
k\].Skj
kuTwf+
kW$Q(0;
l3|[W6w
L$4;D$Ts<)D$T
L$(9ODv
l!;b	F
L@b-io
l;Cb +
LCMapStringA
LCMapStringW
LeaveCriticalSection
lFt82<
Lg`Crc<LK
L[hLF:
_l(/J}
^lJi#k
L$(+L$
l~LW>k
[-&LMb#{'
LoadLibraryA
LoadResource
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
LockResource
lo@e"2
l#OF\.l
~lQ_k$
lrEIWV
lstrlenA
lstrlenW
;l$TsY)l$T
 lU\XD>
lx-=.}
lX,lx6
LYE6%-y~
m1o 9fU
m94;pI
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
)Ma=&Q
!mDJJI
mE%<Ck
MessageBoxA
mF.*Rtu Al
mh}#j=
Microsoft Visual C++ Runtime Library
mj>zjZ
mlt2T=
MM/dd/yy
m]Mh'#ZV=
Module32First
Module32Next
Monday
MqM_B9i?eV
m>\?rPe=-M
mTO0}l
MultiByteToWideChar
m]>Vo+c
M#Z7:Y
#M~Zs&`H
n2m77;7
N)3jFt
ND.r!k
)Nd)Vh
 new[]
N'IS4L]
[~/nj;BJ
+N]jc24VYYaihgTee
%}n.K'
n/k6"P
N)?l>j&^lJ"V0`c)
nMO*_'
NOA*>zm
No child processes
No error
No locks available
NoRemove
No space left on device
No such device
No such device or address
No such file or directory
No such process
Not a directory
Not enough space
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
 n= {SH
N(Uh0%
(null)
nx@mD_
}+O `$0}a
O(9O$u
October
Oh;O\sN
OHQLUfAF
O@;H s
O@;H(s
OL9)x`
`omni callsig'
Operation not permitted
operator
/OPPbQWVVYTe
&oqpsuE}
OZw3(?
P@1bXx{
@PAQBR
__pascal
-P^bWWVUY[ahgfmr?
Permission denied
pFV#\^
P#|k-&
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
pM5k)A0
p<O#|$
Pp31;<o
PpH](r#
PPPPPPPP
>P\q+#
Program: 
<program name unknown>
\Pss"*
__ptr64
!Pt=\s
pu(jfn|@r
- pure virtual function call
<QA>g7w
q#_BSRa
q=cViy
q "~(E
Q`%eKP
?Q~&kb3ma
Qkkbal
\q-O'G
(@-qOt
Q;:|S-/
<qsrrvv
#qtsrrvv
Qu8Gj|
QueryPerformanceCounter
q>xH[lo
q>y$|>)4
Qymn<"Rs
qZx&vK
*R_356v9>8zxGE
R8M;pFc@
RaiseException
~R[BOM
`.rdata
ReadFile
Read-only file system
Resource deadlock avoided
Resource device
Resource temporarily unavailable
__restrict
Result too large
>}rku6
.R=<=P=
rr?)9{
RtlUnwind
runtime error 
Runtime Error!
rYxUOU
S1=kBS^pkC
.]s2h`IC
s5D6rBNb
S7|Ee|
sA	MW&
Saturday
`scalar deleting destructor'
*Sd@^3
sE\mI(
September
SetEndOfFile
SetEnvironmentVariableA
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SING error
SizeofResource
\*S_"m
~\SM9C
<ssrBC
^SSSSS
__stdcall
`string'
Sunday
SunMonTueWedThuFriSat
*SZXY[ahhfnrq?
t*9Qlu%
t.9Vlt)
taZ!xw
Td~pr0
teh=8A
TerminateProcess
tGHt.Ht&
T$h9T$
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t$H;t$8
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t)mf>R=
(TMoj/c
Too many links
Too many open files
Too many open files in system
T$<PQR
T$$QUR
%{T`r{
tr9_ tm9_$th
t"SS9]
'TT+5P
Tuesday
;t$,v-
_TvWFR/
t:<wuE
t+WWVPV
TyoF%6
 Type Descriptor'
`typeof'
-U"1;ew
u1>lt%pr
*,@U!2
)U56pvt8w=GA
/U9GhV
uBj|{]i<Y
$)ud?3
`udt returning'
UJkR\	q=g
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
Unknown error
Unknown exception
U-n|rD
UNwRGoz
UQPXY]Y[
U'r.}"
URPQQh
USER32.DLL
UTF-16LE
[UTFy_
U\T*,Th
v$;5$0B
`vbase destructor'
`vbtable'
`vcall'
)Vd)Nh
V _DQAy
[vdQ>uGD
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VirtualAlloc
`virtual displacement map'
VirtualFree
VirtualProtect
Visual C++ CRT: Not enough memory to complete call to strerror.
Vlf+Vd
Vlf+Vp
v	N+D$
V$_pO_A
 VS#Rp
v@TEA-
,$VU^N
V_:X1:
v[Y!+;|
'VY\aihgfrBGHIL
W8T&q_4b
w<9G,s
WaYp|~
;WD$nD
Wednesday
WideCharToMultiByte
w+@]IY
W&m_M'
w+OQvr
WpdwzE
WriteConsoleA
WriteConsoleW
WriteFile
:WScw%
|$ WSPV
W.`uA={
W;uEcJ
~\wu(j
WVfh,Y
.WWVUY[ahgfmr?F
Wy0Z&.[L
)@X3DT
X6<{*V
xAbr&C
	x%Bj3
xHZ%|1
xIO{A'
X%Mc\(
-XM=mt
xppwpp
X]pwMw
xpxxxx
xrE:Gn
XT^)K\
`Xz:h.4%
y)8>~f
&"Y8{[f.
(Y[ahhfns<GI
>*Y;-c;
[)!Yk;
YlKqX#
Yp1creyu'
yr,$p3
~)ysa"
>=Yt1j
/Z4HNN
z/4X+TW
z/503j
z)7#0U
z7vQG5
z8Lf1bp~
\ZBbpX
z)C{:9(
)\ZEo^m/
z)I%Vaf
zIVvdhq\
Zm1TeKvQ
z;<>o6
ZQT/hL
>/zr-`
zs7i"Y9
z(s(na
ZSqIzb
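
Most of the dump above is compressed or encrypted data that happens to decode as printable ASCII; the signal is a few dozen import names, DLL names, the build path from the version resource, and MSVC CRT messages. Below is an added example (not part of the report) of the filter an analyst writes to separate the two before reading any further: it keeps DLL names, drive-letter paths, CamelCase identifiers in the Win32 export style, and lines that contain at least two real words, drops the rest, and groups the surviving identifiers into capability buckets. The buckets and their membership are the editor's own grouping of API names visible in the dump, not anything the sandbox produced. The sample input is a handful of lines copied from the dump, junk and signal alike, and is labelled as constructed in the code. Two caveats apply to the output: a name in the string table proves an import exists, not that the code path runs, and several of these (IsDebuggerPresent among them, alongside the Fls/Tls and heap calls) are imported by the MSVC CRT itself, so each hit is a prompt to look at its cross-references rather than a finding.

```python
import re

# Constructed input: lines copied from the Strings dump above, junk included, so the filter runs offline.
SAMPLE_STRINGS = """\
0A@@Ju
!1Aa
CreateToolhelp32Snapshot
Module32First
Module32Next
IsDebuggerPresent
FindResourceA
LoadResource
LockResource
SizeofResource
VirtualAlloc
VirtualProtect
LoadLibraryA
GetProcAddress
lstrlenA
KERNEL32.dll
USER32.DLL
mscoree.dll
C:\\Documents and Settings\\Mr.ml7Os502\\Desktop\\stup.exe
An application has made an attempt to load the C runtime library incorrectly.
Arg list too long
abcdefghijklmnopqrstuvwxyz
Gr g=e
mF.*Rtu Al
zs7i"Y9
Monday
""".splitlines()

DLL_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
IDENT_RE = re.compile(r"^[A-Za-z][a-z]+(?:[A-Z0-9][a-z0-9]*)+$")   # CamelCase, e.g. Win32 export names
WORDISH_RE = re.compile(r"[A-Z][a-z]{2,}|[a-z]{3,}[AW]$")          # at least one word-like hump, or an A/W suffix
TEXT_RE = re.compile(r"[A-Za-z]{3,} [A-Za-z]{3,}")                  # two real words in a row (CRT messages)

# Editor's grouping of API names seen in the dump; membership is an analyst's choice, not a standard.
CAPABILITIES = {
    "process/module enumeration": {"CreateToolhelp32Snapshot", "Module32First", "Module32Next"},
    "debugger check": {"IsDebuggerPresent"},
    "embedded resource access": {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"},
    "executable memory setup": {"VirtualAlloc", "VirtualProtect"},
    "runtime import resolution": {"LoadLibraryA", "GetProcAddress"},
}


def classify(line):
    """Return 'dll', 'path', 'identifier' or 'text' for a string worth reading, None for byte junk.
    Heuristic: random bytes rarely form a CamelCase word or two adjacent alphabetic words."""
    s = line.strip()
    if DLL_RE.match(s):
        return "dll"
    if PATH_RE.match(s):
        return "path"
    if IDENT_RE.match(s) and WORDISH_RE.search(s):
        return "identifier"          # also catches version-info keys such as CompanyName; harmless
    if TEXT_RE.search(s):
        return "text"
    return None


def triage(lines):
    """Filter a strings dump and map the surviving identifiers onto capability buckets."""
    kept = {"dll": [], "path": [], "identifier": [], "text": []}
    dropped = 0
    for line in lines:
        kind = classify(line)
        if kind is None:
            dropped += 1
        else:
            kept[kind].append(line.strip())
    names = set(kept["identifier"])
    capabilities = {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}
    return {"kept": kept, "dropped": dropped, "capabilities": capabilities}


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print("dropped %d junk lines" % result["dropped"])
    for kind, items in result["kept"].items():
        print("%-10s %s" % (kind, ", ".join(items)))
    for cap, apis in result["capabilities"].items():
        print("%-28s %s" % (cap, ", ".join(apis)))
```

Feed it the whole dump (`triage(open("strings.txt").read().splitlines())`) and the five buckets above come back populated for this sample; the identifiers that survive the filter but match no bucket (the CRT's Fls/Tls, heap and console functions, the date and month tables) are the compiler runtime and can be set aside.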