Analysis Date: 2015-02-27 07:50:43
MD5: 0fe3aaeac0f3bd288f1cf5778267bc25
SHA1: 420b62238ce1a874c7ea1212825205a1c9a2f155

Static Details:

File type: MS-DOS executable
Section _FLAT md5: 0e25ee34002769e4db4237e01a1be1ce sha1: 71d7528e829f9588177dc503a27ff039b3ebcfbb size: 147456
Section .imports md5: 79b01fd98e89d81ccd12bae9ad8712be sha1: dcaf209f9e513d6307d775ec09f61595336305ec size: 8192
Timestamp: 1970-01-01 00:00:00
Packer: Borland Delphi 3.0 (???)
PEhash: 39caae376cb1a19f4597aecc120df98012c27dd3
IMPhash: 15dba9697994d7852acafba8197ca961
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.551846
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.551846
AV Authentium: W32/Kazy.CW.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Kazy.551846
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.551846
AV Eset (nod32): Win32/Korplug.BX
AV Fortinet: W32/Korplug.BX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.551846
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Win32.Korplug
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Gen:Variant.Kazy.551846
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Network Details:


Raw Pcap

Strings
\??\
1234
1282083646F81419
%16.16X
%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d: 
%ALLUSERSPROFILE%
%ALLUSERSPROFILE%\AVck
%ALLUSERSPROFILE%\USSys
AVck
boot.cfg
\bug.log
CLSID
CMD.EXE
CompanyName
CONIN$
CONOUT$
ConsentPromptBehaviorAdmin
CRYPTBASE.DLL
\Device\Floppy
DISPLAY
EnableLUA
FileDescription
FileVersion
Global\DelSelf(%8.8X)
HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
LNULL
l%s\sysprep\CRYPTBASE.DLL
Mc.exe
McUtil.dll
McUtil.dll.url
~MHZ
Mozilla/4.0 (compatible; MSIE 
NvSmart.hlp
\Parameters
PI[%8.8X]
\\.\pipe\a%d
\\.\pipe\b%d
\\.\PIPE\RUN_AS_USER(%d)
ProductName
ProductVersion
RUNAS
r%WINDIR%\SYSTEM32\SERVICES.EXE
S-1-16-12288
%s %d %d
%s\%d.plg
SeDebugPrivilege
ServiceDll
SeShutdownPrivilege
SeTcbPrivilege
%s\msiexec.exe %d %d
%s\msiexec.exe UAC
sNT AUTHORITY
Software\CLASSES\FAST
Software\CLASSES\FAST\PROXY
SOFTWARE\Microsoft\Internet Explorer\Version Vector
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Run
%s\sysprep
%s\sysprep\sysprep.exe
static
\StringFileInfo\%4.4X%4.4X\%s
\SxS
System
SYSTEM
System\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Services\
\SystemRoot\
%SystemRoot%\system32\svchost.exe
tSystem Idle Process
UAC.TMP
USSys
\VarFileInfo\Translation
%windir%\explorer.exe
; Windows NT %d.%d
Windows WYSys Services
WINSTA0
;	<.<_<
0 0(000@0P0`0f0z0
0&0/0;0@0K0T0`0e0z0
0#000D0N0l0v0
0 0)060w1
0,050A0F0
0$060?0L0W0`0m0z0
0$070B0
0#0D0c0
0!1(1-1B1
020=0E0J0W0d0k0t0z0
*030?0D0}0
<$<0<5<
(050A0F0
050A0F0$1-191>1T1]1i1n1
;$;*;0;6;<;B;H;N;T;^;d;o;z;
081A1M1R1
090U0e0
0C1q1w1|1
=0=E=Y=k=
<0=M=U=
0t<It#ItFIu
0V0a0p0}0
>0>>>[>x>
1"1+10161>1
1%11161U1^1j1o1z1
1)121?1c1l1y1
1"2+282l2w2~2
127.0.0.1
1`2i2u2z2
>%>1>6>
171F1R1W1q1z1
> >,>1>9>B>H>M>#?,?8?=?]?i?u?z?
1A2O2[2`2z2
<1=:=G=
:+>1>:>G>S>\>i>u>~>
<1<H<T<w<
1I1R1^1c1
1J2S2_2d2o2x2
1M1r1x1
2*212B2W2\2o2
2!2-222U2^2j2o2z2
2(2-262<2Q2Y2^2g2t2z2
2&2@2H2N2c2l2x2}2
2"272<2O2
2-282A2
2-2O2q2"343	5
2?3[3c3i3
=&=2=7=M=m=x=
2a3j3p3u3~3
:$:2:C:J:^:f:t:
3'303<3A3d3q3}3
3 3,31393r3}3
3'3/353;3A3H3N3|3
3 3)363b3n3{3	454A4F4
3#3(3J3S3_3d3x3
3!3C3J3)525>5C5N5W5c5h5{5
3<3L3k3
3 3N3Y3^3x3
3	484@4L4X4
3(484]4q4
<'<3<8<C<Y<`<q<
=3><>H>M>
;3<P<[<c<k<y<
:":.:3:>:S:u:~:
3W4`4l4q4
424:4B4
4"4'4:4C4O4T4^4t4{4
4)474R4n4v4~4
4:4j4r4w4
4!4s4.5F5
4*535?5D5t5}5
4:5h5r5w5
494>4W4\4o4
4d4n4x4
>#>/>4>?>H>T>Y>m>v>
=4===I=N=
?#?/?4?T?]?i?n?
?4?Z?c?o?t?
5'53585C5L5X5]5s5|5
5)555:5x5
5"5)5:5O5T5g5
5!5*565;5E5N5Z5_5j5x5}5
5&5_5h5u5c6l6x6}6
5!5)5m5
5&5A5P5V5]5d5k5r5y5
5@6L6X6]6w6
>5>=>C>
>#>*>5>C>N>W>b>m>v>
;&;+;5;>;J;O;h;q;};
=%=*=5=>=J=O=W=`=f=k=t=}=
?!?'?,?5?>?J?O?Z?c?o?t?
>%?5?M?b?l?t?
5O6Z6f6k6
;5;V;\;d;};
6#606>6J6W6q6z6
6%61666]6
6"6.636>6G6S6X6c6l6x6}6
6 6+646@6E6P6Y6e6j6u6~6
6#6/646L6U6a6f6
6 686=6U6Z6r6w6
6;6S6[6p6y6
6#7+717
6;7H7T7Y7z7
6X7e7q7v7
71979@9M9X9a9n9|9
7&7/7;7@7k7t7
7	7!7&7N7|7
7$7-797>7I7T7]7f7l7q7v7}7
777E7J7\7
788A8M8R8\8e8q8v8
7_8k8p8v8}8
7$8Y>k?
>,?7?C?P?^?c?~?
809p9%:0:<:A:u;~;
818Z8c8p8
8)858:8t8
8"858W:m:t:
8#8'8+8/83878;8N8^8e8l8s8
8)8:8D8N8q8
;(;-;8;A;M;R;e;n;z;
>8>B>{>
8B9I9R9_9r9
8GULPY
8GULPYt
8GULPYu
8H9T9Y9):K:T:`:e:
<8<@<H<U<
9%:8:>:D:I:N:T:Z:`:e:j:o:t:y:
9$90959A:J:V:[:f:o:{:
9 919B9S9d9u9
9.9:9?96;C;O;T;5<><J<O<
9\$Dt	
9f9o9{9
9\$Ht	
9\$ t	
9\$,t	
9\$(t	
9\$@t	
9\$$t	
AdjustTokenPrivileges
advapi32
advapi32.dll
ADVAPI32.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndInitializeSid
AllocConsole
Ar4-"y
AttachConsole
BitBlt
bootProc
C4jxXf
CallNextHookEx
ChangeServiceConfig2W
ChangeServiceConfigW
CloseDesktop
CloseHandle
CloseServiceHandle
closesocket
CloseWindowStation
CoCreateInstance
CoInitializeEx
CommandLineToArgvW
connect
ConnectNamedPipe
CONNECT %s:%d HTTP/1.1
Content-length: 0
Content-Type: text/html
ControlService
ConvertStringSidToSidW
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDesktopW
CreateDIBSection
CreateDirectoryW
CreateEnvironmentBlock
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessAsUserW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateWindowExW
D$4Ph(
DefWindowProcW
DeleteCriticalSection
DeleteDC
DeleteFileW
DeleteObject
DeleteService
DestroyEnvironmentBlock
DestroyIcon
DisconnectNamedPipe
DispatchMessageW
d~$jPXjdf
dnsapi
DnsFree
DnsQuery_A
DoImpUserProc
dt1Ht'Ht
D$tPSW
DuplicateTokenEx
EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p
EnterCriticalSection
EnumProcesses
EnumProcessModules
EnumServicesStatusExW
EqualSid
?\?e?r?
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsW
ExtractIconExW
FindClose
FindFirstFileW
FindNextFileW
FLHHt	Ht
FlushFileBuffers
FreeConsole
FreeSid
GdiFlush
GenerateConsoleCtrlEvent
GetAdaptersInfo
GetAsyncKeyState
GetClassNameW
GetCommandLineW
GetComputerNameW
GetConsoleCP
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceExW
GetDriveTypeW
GetExitCodeThread
GetExtendedTcpTable
GetExtendedUdpTable
GetFileAttributesW
GetFileSize
GetFileTime
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetForegroundWindow
gethostbyname
GetIconInfo
GetKeyState
GetLastError
GetLengthSid
GetLocalTime
GetMessageW
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetModuleInformation
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetQueuedCompletionStatus
GetRawInputData
getsockname
GetStdHandle
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetTcpTable
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUdpTable
GetUserNameW
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalMemoryStatus
GlobalMemoryStatusEx
=+=:=`=g=m=
>GULPYt
H0d0l0
HeapFree
,HHt4Ht"Ht
: :H:N:T:e:
>H>Q>]>b>p>
HtAHu}
Ht(Ht%Ht"
Ht=Huw
HTTP://
HTTP/1.0 200 
HTTP/1.1 200 
HttpAddRequestHeadersA
HttpEndRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestExA
ImpersonateLoggedOnUser
.imports
inet_addr
inet_ntoa
InitializeCriticalSection
InitiateSystemShutdownA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
iphlpapi
iphlpapi.dll
IsWow64Process
J0Q0j0w0
j8Xj.f
JoProc
JoProcAccept
JoProcBroadcast
JoProcBroadcastRecv
JoProcListen
=%=/=:=[=j=t=
JtnJtTJtAJt
jWX_^[
jWX_^[]
kernel32
kernel32.dll
KERNEL32.dll
keybd_event
KeyLog
KillTimer
KLProc
LdrLoadShellcode
LeaveCriticalSection
LoadCursorW
LoadLibraryA
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalUnlock
LockWorkStation
LookupAccountSidW
LookupPrivilegeValueW
L$<QWP
lstrcatW
lstrcmpA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpynA
lstrcpynW
lstrcpyW
lstrlenA
lstrlenW
MapViewOfFile
memcmp
memcpy
memset
MessageBoxW
mouse_event
msvcrt.dll
MultiByteToWideChar
Nethood
Netstat
ntdll.dll
NtQueryInformationProcess
odbc32
ole32.dll
OlProc
OlProcManager
OlProcNotify
OpenFileMappingW
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenWindowStationW
Option
OutputDebugStringA
OutputDebugStringW
PlugProc
PortMap
PostMessageA
PostQueuedCompletionStatus
PostQuitMessage
/%p/%p/%p
Process
ProcessIdToSessionId
Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]
Proxy-Authorization: Basic %s
Proxy-Connection: Keep-Alive
psapi.dll
>P>V>[>
QQSVW3
QSSSSSSh 
QSVWh,
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceStatusEx
QueueUserAPC
QWWPWW
ReadConsoleOutputW
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEdit
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegisterRawInputDevices
RegOpenCurrentUser
RegOpenKeyExW
RegOverridePredefKey
RegQueryValueExW
RegSetValueExW
RemoveDirectoryW
ResetEvent
ResumeThread
RevertToSelf
RtlCompressBuffer
RtlDecompressBuffer
RtlDeleteCriticalSection
RtlEnterCriticalSection
RtlGetCompressionWorkSpaceSize
RtlGetLastWin32Error
RtlLeaveCriticalSection
RtlMessageBoxProc
RtlNtStatusToDosError
> ?R?X?]?
Screen
ScreenT1
ScreenT2
%s: %d
SelectObject
Service
SetCapture
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetCursorPos
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFileTime
SetProcessWindowStation
setsockopt
SetTcpEntry
SetThreadDesktop
SetTimer
SetTokenInformation
SetUnhandledExceptionFilter
SetWindowLongW
SetWindowsHookExW
SfcIsFileProtected
:S;g;|;
SHCopyKeyW
SHCreateItemFromParsingName
SHDeleteKeyW
SHDeleteValueW
shell32
shell32.dll
ShellExecuteExW
ShellT1
ShellT2
SHEnumKeyExW
SHEnumValueW
SHFileOperationW
SHGetValueW
shlwapi
ShowWindow
SiProc
:#:(:S:_:k:p:
socket
SQLAllocEnv
SQLAllocHandle
SQLColAttributeW
SQLDataSourcesW
SQLDisconnect
SQLDriverConnectW
SQLDriversW
SQLExecDirectW
SQLFetch
SQLFreeHandle
SQLGetData
SQLGetDiagRecW
SQLMoreResults
SQLNumResultCols
SQLSetEnvAttr
SSSSSSS
StartServiceW
SVt#It
>s>w>{>
SxWorkProc
t0Ht"Ht
t9Ht,Ht
<?<T<e<
Telnet
TelnetT1
TelnetT2
TerminateProcess
TerminateThread
t>f9Q*u8
t,Ht)-
t/Ht!Ht
t$Ht!Ht
t:Ht-Ht Ht
t"jhPS
TranslateMessage
txHtuHt>Huh
;?<U<a<f<
uFjdXf;E
uh9\$ ub9=
:uJf9_
UnhookWindowsHookEx
user32
user32.dll
USER32.dll
userenv
Us%qot^
=">.>V>
VerQueryValueW
version
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQueryEx
Vj	^f;
:V;_;k;p;x;
:w;~;4<?<K<P<e<
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WindowFromPoint
wininet
wininet.dll
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WriteConsoleInputW
WriteFile
WriteProcessMemory
ws2_32
ws2_32.dll
WS2_32.dll
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASocketA
WSAStartup
wsprintfA
wsprintfW
wtsapi32
Wtsapi32
wtsapi32.dll
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
www1.eml-mail.com
WWWWWWWWWhH
X-Session
X-Size
X-Status
;Y<g<n<|<