Analysis Date: 2014-04-14 07:46:47
MD5: 139cacf3ff4c59cb5e0401df81d9feb3
SHA1: 44f3072ef02e8fcc6283f5c04f3ea3dcf9540472

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5 df685f3391ff4f515d84e45b43c8f319, sha1 ae027bedac5b2da0c651b3418596d9afcfd64103, size 45568
Section .rsrc: md5 0f343b0931126a20f133d67c2b018a3b, sha1 60cacbf3d72e1e7834203da608037b1bf83b40e8, size 1024
Section .reloc: md5 80290c0391d741b95c8c222111787692, sha1 58bb3388af9a1395238650404d125af67b18b7d0, size 512
Timestamp: 2014-03-29 04:18:05
Packer: Microsoft Visual C# v7.0 / Basic .NET (the Strings section below also shows Microsoft.VisualBasic.* namespaces and a "Confuser v1.9.0.0" marker, so this is a VB.NET assembly run through the Confuser obfuscator)
PEhash: 105bcea868accd8729279ec4598d9c1196b29572
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744 (of little use for clustering: a managed PE imports only _CorExeMain from mscoree.dll, so most .NET executables share this value)
AV (avg): PSW.MSIL.NTN
AV (avira): TR/Spy.Gen

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tempManager ➝ C:\Documents and Settings\Administrator\Application Data\tempManager.exe (value data written with a trailing \x00)
Creates File: C:\Documents and Settings\Administrator\Application Data\tempManager.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: dw20.exe -x -s 548
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME

(The Run value name "tempManager" and the dropped path under Application Data are the usable indicators here. The two Global\ mutexes are created by the .NET runtime itself, and the lsarpc pipe and \Device\Afd\Endpoint handles are opened by any process that touches the Windows networking stack, so none of those identify this sample.)

Process
↳ dw20.exe -x -s 548

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\172AA.dmp

(dw20.exe is Microsoft Application Error Reporting; the CLR launches it with -x -s <handle> when a managed process dies on an unhandled exception. The sample therefore crashed in the sandbox, dw.log and the .dmp are crash artifacts rather than output of the sample, and the run may not have exercised its full behaviour.)

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.172.254
DNS: smtp.live.com (Type: A)
Flows: TCP 192.168.1.1:1031 ➝ 65.55.172.254:587

(587/tcp is the SMTP submission port. Together with the SmtpClient, NetworkCredential, set_EnableSsl and set_Port strings below, this is an authenticated SMTP client talking to smtp.live.com, which is the exfiltration channel of the stealer the AV labels describe. The credentials handed to NetworkCredential are therefore worth recovering from the decompiled assembly.)


Strings

COR_ENABLE_PROFILING
COR_PROFILER
Debugger detected (Managed)
Loop broken
Profiler detected
1aXZ 63D
1+HV*.8
4System.Web.Services.Protocols.SoapHttpClientProtocol
4zXaX ]/
8.0.0.0
{ab`og
Activator
add_ResourceResolve
AppDomain
Application
ApplicationBase
A_r!n=
Assembly
AsyncCallback
Attribute
 bAl`!*
BeginInvoke
BinaryReader
BitConverter
BlockCopy
	 $ !B!O
 B\oD!>
Buffer
bV!pBH
bX f#s[aa^
Callvirt
Castclass
.cctor
ClearProjectError
ClipboardProxy
CloseHandle
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
CompressionMode
ComputeHash
Computer
ComVisibleAttribute
Concat
ConfusedByAttribute
Confuser v1.9.0.0
ConstructorInfo
Control
Conversions
Convert
ConvertFromUtf32
_CorExeMain
Create
CreateDecryptor
CreateDelegate
CreateInstance
Create__Instance__
CryptoStream
CryptoStreamMode
CurrentUser
DateTime
d_aYnZX
Debugger
DebuggerHiddenAttribute
DeflateStream
Delegate
DelegateAsyncResult
DelegateAsyncState
DelegateCallback
Delete
Dictionary`2
Dispose
Dispose__Instance__
dpYYXb`
DynamicMethod
EditorBrowsableAttribute
EditorBrowsableState
Encoding
EndInvoke
Environment
Equals
Exception
Exists
ExitProcess
FailFast
FieldInfo
FromBase64String
GeneratedCodeAttribute
get_Assembly
GetAsyncKeyState
get_BaseAddress
GetBytes
get_Capacity
get_Chars
get_Clipboard
get_CurrentDomain
GetCurrentMethod
GetCurrentProcess
get_CurrentThread
get_DeclaringType
GetEnvironmentVariable
GetExecutingAssembly
GetFieldFromHandle
get_FieldType
get_FileName
GetFolderPath
GetForegroundWindow
GetHashCode
GetILGenerator
get_IsAlive
get_IsArray
get_IsAttached
get_IsInterface
get_IsStatic
get_Keyboard
get_Length
get_MainModule
GetManifestResourceNames
GetManifestResourceStream
get_MetadataToken
get_Module
GetModuleFileNameA
get_Name
get_NewLine
get_Now
GetObjectValue
GetParameters
get_ParameterType
get_Registry
get_ReturnType
get_ShiftKeyDown
GetString
GetText
get_To
GetTypeFromHandle
get_UTF8
GetWindowTextA
GetWindowTextLength
HashAlgorithm
HelpKeywordAttribute
HideModuleNameAttribute
hObject
IAsyncResult
ICredentialsByHost
ICryptoTransform
IDisposable
ILGenerator
IndexOf
IntPtr
Invoke
IsDebuggerPresent
IsKeyLocked
IsLogging
 IW,1!
 IWO(!
kernel32
kernel32.dll
Keyboard
Ldarg_S
lParam
MailAddress
MailAddressCollection
MailMessage
Marshal
MemberInfo
MemoryStream
MethodBase
MethodInfo
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
:mjYb`og
Module
<Module>
MoveFileExW
m.!}*q#
+ mQh6!n
mscoree.dll
mscorlib
MulticastDelegate
My.Application
My.Computer
MyGroupCollectionAttribute
MyTemplate
My.User
MyWebServices
My.WebServices
NetworkCredential
Newobj
 Nkws!
ntdll.dll
NtQueryInformationProcess
NtSetInformationProcess
Object
OpCode
OpCodes
OpenSubKey
Operators
op_Explicit
output
OutputDebugString
ParameterInfo
ParameterizedThreadStart
Process
ProcessHandle
ProcessInformation
ProcessInformationClass
ProcessInformationLength
ProcessModule
ProjectData
ReadBytes
ReadInt32
Registry
RegistryKey
RegistryProxy
RegistryValueKind
@.reloc
ResolveEventArgs
ResolveEventHandler
ResolveMethod
ResolveSignature
ReturnLength
RijndaelManaged
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
sender
ServerComputer
set_Body
set_Credentials
set_EnableSsl
set_From
set_IsBackground
set_Item
set_Port
SetProjectError
set_Subject
SetValue
SetWindowsHookExA
SizeOf
SmtpClient
SpecialFolder
StandardModuleAttribute
STAThreadAttribute
Stream
String
StringBuilder
Strings
#Strings
Substring
SuppressIldasmAttribute
SymmetricAlgorithm
System
System.CodeDom.Compiler
System.Collections.Generic
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.IO
System.IO.Compression
System.Net
System.Net.Mail
System.Reflection
System.Reflection.Emit
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
TargetMethod
TargetObject
!This program cannot be run in DOS mode.
thread
Thread
ThreadStart
ThreadStaticAttribute
ToArray
ToByte
ToChar
ToInt32
ToLower
ToString
ToUInt32
ToUpper
TryGetValue
 ue%T!
user32
user32.dll
v2.0.50727
ValueType
V{ Be]
WaitForExit
wParam
WrapNonExceptionThrows
WZXX Dl)
XaYnZX
$YXaaX_
=YXaaY 
)YXnZX
)YXXnZX
{"- z&
zU<XbUc
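A capability triage over the string dump above, added here as an editor's example (it is not part of the sandbox report and not code from the sample): it maps the Win32 imports and .NET member names in the dump to the behaviours the runtime and network sections confirm (keylogging APIs, an SMTP client, Run-key persistence, debugger and profiler checks, Confuser obfuscation with Rijndael- and Deflate-protected resources). The capability table, the MIN_HITS threshold and the verdict rules are the editor's own choices, and SAMPLE_STRINGS is a subset copied from this report's Strings section.

```python
"""Capability triage of a .NET sample from its printable strings.

Editor's example for this report, not part of the sandbox output.
The capability table is a hand-written mapping, not a published
signature set, and SAMPLE_STRINGS is a subset of the report above.
"""
from collections import defaultdict

# Capability -> names whose presence suggests it. .NET member names are
# stored verbatim in the #Strings heap and Win32 imports keep their
# exact case, so an exact-token match is enough.
CAPABILITIES = {
    "keylogging": {
        "GetAsyncKeyState", "SetWindowsHookExA", "GetForegroundWindow",
        "GetWindowTextA", "GetWindowTextLength", "IsKeyLocked",
        "get_ShiftKeyDown", "get_Clipboard", "GetText",
    },
    "smtp_exfiltration": {
        "SmtpClient", "MailMessage", "MailAddress", "NetworkCredential",
        "set_EnableSsl", "set_Port", "set_Credentials", "set_Body",
        "set_Subject", "set_From", "get_To",
    },
    "registry_persistence": {
        "Registry", "RegistryKey", "OpenSubKey", "SetValue",
        "GetFolderPath", "SpecialFolder", "MoveFileExW",
    },
    "anti_analysis": {
        "IsDebuggerPresent", "NtQueryInformationProcess",
        "NtSetInformationProcess", "OutputDebugString", "get_IsAttached",
        "COR_ENABLE_PROFILING", "COR_PROFILER", "FailFast",
        "Debugger detected (Managed)", "Profiler detected",
    },
    "obfuscation_packing": {
        "Confuser v1.9.0.0", "ConfusedByAttribute", "SuppressIldasmAttribute",
        "RijndaelManaged", "CreateDecryptor", "DeflateStream",
        "GetManifestResourceStream", "DynamicMethod", "ILGenerator",
        "FromBase64String",
    },
}

# Require more than one hit per capability so a single generic name
# (e.g. "Registry" in a legitimate installer) does not trigger on its own.
MIN_HITS = 2


def triage(strings):
    """Return {capability: sorted matching strings} for every capability
    that reaches MIN_HITS. Whitespace is stripped because the sandbox's
    string dump preserves leading/trailing blanks."""
    seen = {s.strip() for s in strings}
    hits = defaultdict(list)
    for cap, names in CAPABILITIES.items():
        matched = sorted(seen & names)
        if len(matched) >= MIN_HITS:
            hits[cap] = matched
    return dict(hits)


def verdict(strings):
    """'stealer' when input capture and an exfil channel coexist,
    'suspicious' when any capability matched, otherwise 'no_signal'."""
    caps = triage(strings)
    if "keylogging" in caps and "smtp_exfiltration" in caps:
        return "stealer"
    return "suspicious" if caps else "no_signal"


# Constructed input: a subset of the Strings section of this report,
# including a few benign runtime names and one junk string with a
# leading space, exactly as the dump shows them.
SAMPLE_STRINGS = [
    "COR_ENABLE_PROFILING", "COR_PROFILER", "Debugger detected (Managed)",
    "Profiler detected", "Confuser v1.9.0.0", "ConfusedByAttribute",
    "SuppressIldasmAttribute", "RijndaelManaged", "CreateDecryptor",
    "DeflateStream", "GetManifestResourceStream", "DynamicMethod",
    "ILGenerator", "FromBase64String", "GetAsyncKeyState",
    "SetWindowsHookExA", "GetForegroundWindow", "GetWindowTextA",
    "GetWindowTextLength", "IsKeyLocked", "get_ShiftKeyDown",
    "get_Clipboard", "GetText", "SmtpClient", "MailMessage", "MailAddress",
    "NetworkCredential", "set_EnableSsl", "set_Port", "set_Credentials",
    "set_Body", "set_Subject", "set_From", "get_To", "Registry",
    "RegistryKey", "OpenSubKey", "SetValue", "GetFolderPath",
    "SpecialFolder", "MoveFileExW", "IsDebuggerPresent",
    "NtQueryInformationProcess", "NtSetInformationProcess",
    "OutputDebugString", "get_IsAttached", "FailFast", "ToString",
    "Object", "mscorlib", "v2.0.50727", " IW,1!", "user32.dll",
    "kernel32.dll", "ntdll.dll",
]

if __name__ == "__main__":
    for cap, names in triage(SAMPLE_STRINGS).items():
        print(f"{cap:22s} {', '.join(names)}")
    print("verdict:", verdict(SAMPLE_STRINGS))
```

String matching works on this sample only because Confuser can rename the assembly's own members but not the framework members it references, so names like SmtpClient and GetAsyncKeyState survive in the metadata. The dump also contains CreateDelegate, ResolveMethod and DynamicMethod; a build that resolved its APIs through those at runtime, or that encrypted its strings, would leave little for this triage to match, and the verdict would have to come from the runtime section instead.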