Analysis Date: 2015-05-06 13:29:14
MD5: 41761a5582a37566be9be504e3e0d7b5
SHA1: 43ddaabf1e481bcbf385238a17b44c9886c77563

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: d32c59a8d244cb517d9a064f71679bfa sha1: fd4a27aaf81fa8ac6c878d772388bfe3cf676c26 size: 111104
Section .rsrc md5: ffe90a5f8c9446d9ffc462d32465ec05 sha1: c046707c7d3e24f23590b3a9fce77e262ed49800 size: 16384
Section .reloc md5: cecb464cc078145b52fdd51a3d412720 sha1: 97432cda7b2fbdf6864f3aa38f0aedac9a29124b size: 512
Timestamp: 2015-04-13 19:43:48
Version:
LegalCopyright: Voidswrath
Assembly Version: 1.0.0.0
InternalName: Voidswrath.exe
FileVersion: 1.0.0.0
LegalTrademarks: Voidswrath
Comments: Voidswrath
ProductName: Voidswrath
ProductVersion: 1.0.0.0
FileDescription: Voidswrath
OriginalFilename: Voidswrath.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 3e514fd46e8fff51ae8949a86f9a238f03dc877d
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.529243
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.529243
AV Authentium: no_virus
AV Avira (antivir): TR/Spy.Gen
AV BitDefender: Gen:Variant.Kazy.529243
AV BullGuard: Gen:Variant.Kazy.529243
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-867105
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.529243
AV Eset (nod32): MSIL/PSW.Agent.OMJ
AV Fortinet: MSIL/Agent.OMJ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.529243
AV Grisoft (avg): PSW.MSIL.AITI
AV Ikarus: Trojan.Win32.Diztakun
AV K7: Password-Stealer ( 00499dba1 )
AV Kaspersky: no_virus
AV MalwareBytes: Backdoor.Agent.STM
AV Mcafee: RDN/Generic PWS.y!bd3
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.529243
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/MSIL-SE
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD ➝ 1
Creates File PIPE\ROUTER
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemprox.log
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates Mutex 1.49201324568191E+17
Creates Mutex Global\.net clr networking
Creates Mutex Global\CLR_RESERVED_MUTEX_NAME
Starts Service RASMAN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1100

Network Details:

DNS icanhazip.com (Type: A) ➝ 166.78.246.145
DNS icanhazip.com (Type: A) ➝ 104.130.28.231
DNS icanhazip.com (Type: A) ➝ 23.253.254.67
DNS smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS smtp.live.com (Type: A)
HTTP GET http://icanhazip.com/
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 166.78.246.145:80
Flows TCP 192.168.1.1:1032 ➝ 65.55.163.152:587

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a206963 616e6861 7a69702e   Host: icanhazip.
0x00000020 (00032)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000030 (00048)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings
p

000004b0
0zesxg+ONq7ueqHHP04P4w==
1.0.0.0
1.49201324568191E+17
3iQb860DoSpt6blDzg346A==
88888
8888888888
888888888888
Anti-Virus: 
Assembly Version
CF@TZ>PMM@IOZPN@MWNjaor\m`WKjgd^d`nWHd^mjnjaoWRdi_jrnWNtno`h
Comments
Computer Name: 
Country: 
Create
D?G@?X
Dim aLELpD
Dim BegNhm
Dim buBJxd
Dim crKexr
Dim ctUtFyRBX
Dim doiBjH
Dim DZvUaW
Dim edtwzr
Dim FOPNSp
Dim fPcCCd
Dim ftarei
Dim FTdxMy
Dim fuCENk
Dim GLZVER
Dim GNUkLK
Dim gpkOdw
Dim GrvWKH
Dim hnjvyN
Dim HQcFYD
Dim hVSMeb
Dim HXYtvF
Dim IJHMxq
Dim ILCbqj
Dim iScieq
Dim IxoDNv
Dim IzYCgQ
Dim jdvsPk
Dim Jjiyor
Dim kDzXHR
Dim KlIUiQ
Dim KOQIhw
Dim LGHFKv
Dim LrMRZPuEE
Dim MDRbKK
Dim MJfCaS
Dim MkcYkC
Dim MmNYSk
Dim mTZsBp
Dim mxPezm
Dim MZNyaw
Dim nmqcVcHTT
Dim NrpXMg
Dim NxfhCe
Dim nXiokv
Dim oEwhPR
Dim PjOmFe
Dim pJRHmh
Dim pLMVfa
Dim PPqyMn
Dim PYvqUW
Dim QaJJwi
Dim QDeBNbJaMQqebVnkIdC
Dim QGJzZC
Dim rJuyYy
Dim rncwne
Dim rOMoWnZdD
Dim Rwrsqv
Dim RZOtpp
Dim sNpuIT
Dim spBSgo
Dim SUdBiL
Dim SycsZf
Dim TJoxyw
Dim TrHzjR
Dim UbGTSi
Dim UIIirE
Dim vBOLtHggI
Dim vkFulz
Dim VOxfiDfjx
Dim VpUsKW
Dim VqPHEPguQ
Dim WBbNdg
Dim wLTUeCwab
Dim wPoPaU
Dim XczHOs
Dim XkjzDGxWl
Dim XnrtlL
Dim XVaMFM
Dim YXygxj
Dim zCLVPsJbv
Dino\gg`_
D_jiobdq`\ncdo,
?dn\]g`O\nfHbm
External IP: 
FileDescription
FileVersion
===== Filezilla Recovery =====
Firewall: 
Framework: 
Gjbb`m
Gjbn
===== Google Chrome Recovery =====
heej
Hjidojm
image/jpeg
InternalName
Kmjbm\hn*Njaor\m`n
LegalCopyright
LegalTrademarks
]mj^f`m,-.;jpogjjf)^jh
M`^jq`mt
=mjrn`m
===== Mozilla Firefox Recovery =====
Njaor\m`WHd^mjnjaoWRdi_jrnW>pmm`ioQ`mndjiWKjgd^d`nWNtno`h
Njaor\m`WHd^mjnjaoWRdi_jrnW>pmm`ioQ`mndjiWMpi
N^m``incjo)kib
O+hwgGRPoav0Qq4SRniagw==
o\nfhbm)`s`
Operating System: 
OriginalFilename
[p35]
[p36]
[p37]
>PMM@IOGT
Processor: 
ProductName
ProductVersion
smtp.live.com
STOR
StringFileInfo
System32
System date and time: 
tFMtZOYfDfYloaHp7HtHWQ==
Translation
.txt
UMIjco0HEsm28ESt9dnywycm4/9/oj+TJjivobHo8FU=
U`mj
U`mjGjbb`m
US5EdFyGp7B1YYEprI7+nA==
Username: 
VarFileInfo
V>JHKPO@M
Voidswrath
Voidswrath.exe
VS_VERSION_INFO
WNjaor\m`WHd^mjnjaoWRdi_jrnW>pmm`ioQ`mndjiWKjgd^d`nW@skgjm`mW?dn\ggjrMpi
xdDJhCZFxh83rtjcEMDUKg==
1.0.0.0
=>@#1255jms
345.rty
37Bc=CR
-4?lZct
,/57z|
789:orx
89=<NS`
9=E,=?GX?CO
AccessedThroughPropertyAttribute
AceFlags
AceQualifier
add_KD
add_KU
AddObject
AddrOfPinnedObject
add_Tick
advapi32.dll
AppData
AppendLine
Application
ApplicationContext
arenaOpt
ArrayList
Assembly
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
astable_name
AsyncCallback
Attachment
AttachmentCollection
AuthenticateSql
baseName
BDIYCDH+beo
BeginInvoke
BitConverter
Bitmap
>BJ/CHU
Boolean
]_c5YZ]
CallNames
CallNextHookEx
cbData
cbSize
.cctor
ChangeType
CheckIfContains
CheckIfEmpty
CipherMode
ClearProjectError
@@C!lou
Collect
Collection`1
Combine
CommonAce
Compare
CompareMethod
CompareObjectEqual
CompareObjectGreater
CompareRows
CompareString
CompareTo
CompilationRelaxationsAttribute
ComputeHash
ComputerInfo
Concat
ConcatenateObject
ConditionalCompareObjectEqual
ConditionalCompareObjectGreater
configdir
Console
Contains
content
ContentType
Conversions
Convert
ConvertToInteger
CopyArray
CopyFromScreen
_CorExeMain
Create
CreateDecryptor
CreateDirectory
CreateProjectError
CreateSubKey
Crypt32.dll
CRYPTPROTECT_PROMPT_ON_PROTECT
CRYPTPROTECT_PROMPT_ON_UNPROTECT
CryptUnprotectData
CurrentUser
database
DateTime
Decimal
Decrypt
Delegate
DelegateAsyncResult
DelegateAsyncState
DelegateCallback
Delete
DeleteFileA
DialogResult
Directory
DirectoryInfo
DisableCMD
DisableMSConfig
DisableRegedit
DisableTaskMan
Dispose
@DO5CHW
DownloadString
Dpk11SdrDecryptDelegate
dwFlags
dwPromptFlags
Encoding
EndApp
endIndex
EndInvoke
EndsWith
Environ
Environment
EventArgs
EventHandler
Exception
Exists
ExtrInf
FakeMessageBox
FileAttributes
FileClose
FileGet
FileOpen
FileStream
FileSystem
FileZilla
FlagsAttribute
FromBase64String
FromImage
FTPUpload
FtpWebRequest
GCHandle
GCHandleType
GenericAce
GenericSecurityDescriptor
GetAntivirus
get_ASCII
get_Attachments
get_BigEndianUnicode
GetBinaryForm
get_BinaryLength
get_Bounds
GetBrowsers
GetBytes
get_Chars
GetChrome
GetCommandLineArgs
get_Count
get_Current
GetCurrentProcess
get_CurrentRegion
GetDatabaseSize
get_Default
GetDelegateForFunctionPointer
GetDirectories
get_DiscretionaryAcl
get_EnglishName
GetEnumerator
GetEnvironmentVariable
get_ExecutablePath
GetExecutingAssembly
GetFileName
GetFiles
GetFirewall
GetFolderPath
GetForegroundWindow
GetFramework
get_GetTimer
get_Handled
get_Height
GetHostName
GetInstalledPrograms
get_Item
GetKernelObjectSecurity
get_KeyboardDelay
get_KeyboardSpeed
get_KeyCode
get_KeyValue
get_Length
GetLength
get_Location
get_MachineName
get_Major
GetMozillaFirefox
get_NewLine
get_Now
GetObject
GetObjectValue
get_OSVersion
get_Png
GetPointerAsString
GetPointerLength
get_PrimaryScreen
GetProcAddress
GetProcessor
GetProcessSecurityDescriptor
GetRequestStream
GetRowCount
GetSlot
GetString
GetSubKeyNames
get_SystemDirectory
GetTable
GetTableNames
GetTempFileName
GetTimer
get_TimerFront
get_To
GetTypeFromHandle
get_Unicode
get_UserDomainName
get_UserName
GetValue
get_Version
get_Width
GetWindow
GetWindowText
GetWindowTextA
GetWindowTextLength
GetWindowTextLengthA
GetWindowThreadProcessId
GetWindowTimer
Graphics
Handle
HashAlgorithm
)Hf"Cx
hInstance
HJP4>BO
hwndApp
IAsyncResult
ICredentials
ICredentialsByHost
ICryptoTransform
IDisposable
IEnumerable
IEnumerator
ImageFormat
IndexOf
InitializeMutex
InlineAssignHelper
InsertAce
Install
Interaction
IntPtr
intptr_0
intptr2
intptr3
Invoke
IOException
IsNullOrEmpty
IsTrue
item_name
item_type
kernel32
kernel32.dll
KeyEventArgs
KeyEventHandler
LastPage
LateCall
LateGet
LateIndexGet
LateSetComplex
loadCerts
LoadLibrary
LocalMachine
location
long_0
long_1
lParam
lpdwProcessID
lpExistingFileName
lpNewFileName
lpnLengthNeeded
MailAddress
MailAddressCollection
MailMessage
ManagementBaseObject
ManagementObject
ManagementObjectCollection
ManagementObjectEnumerator
ManagementObjectSearcher
Marshal
MaxLength
MD5CryptoServiceProvider
MemoryStream
MessageBox
MessageBoxButtons
MessageBoxIcon
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.Win32
<Module>
MoveFileEx
MoveNext
mozillaPath
mscoree.dll
mscorlib
MulticastDelegate
Multiply
MyDocuments
NativeWindow
NetworkCredential
NewGuid
NewLateBinding
nLength
NssBase64DecodeBufferDelegate
Nss_Init
NssShutdownDelegate
ntdll.dll
NtSetInformationProcess
Object
Offset
OpenAccess
OpenMode
OpenShare
OpenSubKey
op_Equality
OperatingSystem
Operators
op_Explicit
op_Inequality
opsEor{
OrObject
outItemOpt
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
ParamArrayAttribute
pbData
pDataIn
pDataOut
Pk11AuthenticateDelegate
Pk11FreeSlotDelegate
Pk11GetInternalKeySlotDelegate
pOptionalEntropy
pPromptStruct
Process
processHandle
profilePath
ProgramFiles
ProjectData
ProtectProcess
pSecurityDescriptor
PtrToStringAnsi
PtrToStructure
pvReserved
qru:qt}
"+,r^^
"+,r^/
"+,r^@
"+,r^$
"+,r~=
"+,r~_
"+,r~(
"+,r<<
"+,r>]
"+,r>+
"+,r:^
"+,r:%
"+,r.)
"+,r.\
"+,r"=
"+,r"|
"+,r"-
"+,r(;
"+,r@ 
"+,r*.
"+,r&(
"+,r&{
"+,r*0
"+,r0@
"+,r~1
"+,r.1
"+,r2`
"+,r2/
"+,r2[
"+,r2$
"+,r22
"+,r2O
"+,r2T
"+,r2x
"+,r^3
"+,r"3
"+,r:4
"+,r&4
"+,r49
"+,r>5
"+,r*5
"+,r~6
"+,r.6
"+,r6>
"+,r6_
"+,r6*
"+,r63
"+,r6I
"+,r6P
"+,r6w
"+,r6Z
"+,r8E
"+,r 9
"+,r\9
"+,r.a
Random
RawAcl
RawSecurityDescriptor
"+,r*b
"+,rb]
"+,rb*
"+,r*B
"+,rB:
"+,rB&
"+,rB1
"+,rb4
"+,rB6
"+,rbN
"+,rbS
"+,rBt
"+,rBW
"+,rbX
"+,r&c
"+,r>C
"+,r"d
"+,rd>
"+,r$D
"+,rDA
"+,rdI
"+,rDM
"+,rDR
"+,rdv
"+,r.e
ReadAllBytes
ReadAllText
ReadMasterTable
ReadRow
ReadRow2
ReadTable
ReadTableFromOffset
Rectangle
RegionInfo
Registry
RegistryKey
RegistryValueKind
@.reloc
Remove
remove_KD
remove_KU
Resize
result
"+,r.f
"+,rf%
"+,rF,
"+,rF2
"+,rf5
"+,rFd
"+,rfE
"+,rfO
"+,rFs
"+,rfT
"+,rFV
"+,rfW
"+,r.g
"+,r.h
"+,r~H
"+,r"H
"+,rH9
"+,rHN
"+,rHS
"+,rhu
"+,r.i
RijndaelManaged
"+,r.j
"+,rj<
"+,rj+
"+,rJ?
"+,rJ'
"+,rj1
"+,rJ3
"+,rj6
"+,rJc
"+,rjd
"+,rJJ
"+,rjP
"+,rJr
"+,rJU
"+,rjV
"+,r.k
"+,r<K
"+,r"K
"+,r.l
"+,rl 
"+,r@L
"+,r&L
"+,rL|
"+,rlC
"+,rLF
"+,rLO
"+,rlt
"+,rLT
"+,r.m
"+,r^M
"+,r*M
"+,r.n
"+,rn&
"+,r|N
"+,r.N
"+,rN-
"+,rn2
"+,rN4
"+,rNb
"+,rnc
"+,rne
"+,rNe
"+,rnf
"+,rNf
"+,rng
"+,rNg
"+,rnh
"+,rNh
"+,rni
"+,rNi
"+,rnj
"+,rNj
"+,rnk
"+,rNk
"+,rnl
"+,rNl
"+,rnm
"+,rNm
"+,rnn
"+,rNn
"+,rNq
"+,rnU
"+,r,o
root_num
RotateRight
row_id
row_num
"+,r|p
"+,r(p
"+,rp:
"+,rP=
"+,rP{
"+,rPH
"+,rpK
"+,rPP
"+,rps
"+,r$q
"+,r Q
"+,r r
"+,rr,
"+,r^R
"+,r*R
"+,rR(
"+,rR0
"+,rr3
"+,rR5
"+,rrA
"+,rRa
"+,rrb
"+,rRD
"+,rRp
"+,r|S
"+,r.S
`.rsrc
"+,rtL
"+,rtr
"+,rTz
"+,r>u
"+,r&U
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
"+,r:v
"+,rv|
"+,rv'
"+,r"V
"+,rV`
"+,rV;
"+,rV.
"+,rV[
"+,rV1
"+,rv4
"+,rV6
"+,rva
"+,rVK
"+,rVo
"+,r`w
"+,r\x
"+,rx?
"+,r>X
"+,rXB
"+,rxJ
"+,rxM
"+,rxq
"+,rxR
"+,rXy
"+,r.y
"+,r^Y
"+,r:Y
"+,r~z
"+,r*z
"+,rz`
"+,rz-
"+,rz[
"+,rz{
"+,r~Z
"+,rZ_
"+,rZ)
"+,rz0
"+,rZ2
"+,rz5
"+,rZL
"+,rZZ
sBuilder
Screen
ScreenSave
SecurityIdentifier
securityInformation
sender
SendLogs
SetAttributes
set_Body
set_Credentials
set_EnableSsl
set_From
set_GetTimer
set_Host
set_Interval
SetKernelObjectSecurity
set_Key
set_Method
set_Mode
set_Port
set_Position
SetProcessSecurityDescriptor
SetProjectError
SetStart
set_Subject
set_TimerFront
SetValue
SetWindowsHookEx
SmtpClient
SpecialFolder
sql_statement
StandardModuleAttribute
startIndex
StartOnWindows
STAThreadAttribute
StrDup
Stream
StreamWriter
string
String
string0
string_0
string1
string_1
string_2
string_3
StringBuilder
StringComparison
Strings
#Strings
Substring
Subtract
SubtractObject
SymmetricAlgorithm
System
System32
System.Collections
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.Globalization
SystemInformation
System.IO
System.Management
System.Net
System.Net.Mail
System.Net.Mime
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.AccessControl
System.Security.Cryptography
System.Security.Principal
System.Text
System.Threading
System.Windows.Forms
szDataDescr
szPrompt
TableName
target
TargetMethod
TargetObject
!This program cannot be run in DOS mode.
Thread
TimerFront
ToBoolean
ToDouble
ToInt32
ToInt64
ToInteger
ToLong
ToLower
ToStream
ToString
ToUInt16
ToUInt32
ToUInt64
ToULong
TransformFinalBlock
TrimEnd
TrimStart
tsecitem0
tsecitem1
T_Tick
twoswagforyouPAD
UInt64
UIntPtr
ulong1
unhook
UnhookWindowsHookEx
Upload
user32.dll
UserDefined
v2.0.50727
value__
ValueType
	&	?	V	[	e	k	x	
Version
Voidswrath
Voidswrath.exe
WebClient
WebRequest
Welcome
WellKnownSidType
WestPage
Win32Exception
WinTitle
WithEventsValue
-WoI*S
wParam
WrapNonExceptionThrows
WriteLine