Analysis Date: 2015-05-06 20:33:12
MD5: 0bf9ed260ccc12f21e1f07cd88aab938
SHA1: 496ec80d4acbfb908f6929c102a5de7c03455dba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: d9443411519bd528fa94a7ae4400ba53 sha1: d495649734e6e57790a8d1c1397b86b5bb648ff1 size: 596480
Section .rsrc md5: 651eba43e3492d2929c085437acfb4ed sha1: 39c0cb720fec801bcd0ba8ab051d6612f1f4f409 size: 1024
Section .reloc md5: 492f2aa5a432265b8a4e3450d62a01e2 sha1: 9bd6f033e9a103edc38c1c2bea670ad0d32fe583 size: 512
Timestamp: 2015-04-18 18:47:43
Pdb path: C:\Users\Islamya\Desktop\Server1.pdb
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: c306d8061aad85859645fb1747bb2d06a76fa53a
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.274665
AV Alwil (avast): GenMalicious-NX [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.274665
AV Authentium: no_virus
AV Avira (antivir): TR/Spy.Gen8
AV BitDefender: Gen:Variant.Kazy.274665
AV BullGuard: Gen:Variant.Kazy.274665
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.274665
AV Eset (nod32): MSIL/Bladabindi.DW
AV Fortinet: MSIL/Bladabindi.DW!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.274665
AV Grisoft (avg): Bladabindi.BRHN
AV Ikarus: Trojan.MSIL.Bladabindi
AV K7: Trojan ( 700000121 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dql
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.274665
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/Bbindi-T
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Network Details:



Strings
w..
...

::	)
+*,*-*.*/*0*1*3242526272
{07d28634-bd6a-467f-b68c-01c7dddaef37}, PublicKeyToken=3e56350693f7355e
1MH1O
1O51Q&1:
aspnet_wp.exe
{f425623c-4079-4361-8c24-36472c334f83}
M:	/
:O	 
O:	/
:Q	 
QM	2
Unknown Header
w3wp.exe
Wrong Header Signature
+:+;+@
+.+3+8o*
+/+4~,
{64b040bf-6dfd-4e40-9679-cf40ff82735f}
	6.9.0.114
*6+L)M
add_AssemblyResolve
add_Click
AddDays
add_ErrorDataReceived
add_Exited
add_Idle
add_OutputDataReceived
AddRange
add_ResourceResolve
add_SessionEnding
AppDomain
Append
Application
AppWinStyle
ArgumentOutOfRangeException
</assembly>
Assembly
AssemblyFileVersionAttribute
assemblyFullName
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyName
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AsyncCallback
Attribute
AttributeTargets
AttributeUsageAttribute
avicap32.dll
BadImageFormatException
BeginErrorReadLine
BeginInvoke
BeginOutputReadLine
Binder
BindingFlags
BitConverter
Bitmap
Boolean
Button
ButtonBase
ca+IGZ
callback
Callvirt
capGetDriverDescriptionA
.cctor
+C+K{N
ClearProjectError
Command
CompareMethod
CompareObjectEqual
CompareString
CompilationRelaxationsAttribute
Component
CompressionMode
ComputeHash
Computer
ComputerInfo
Concat
ConditionalCompareObjectEqual
ConditionalCompareObjectNotEqual
Connect
Contains
ContainsKey
Control
ControlCollection
Conversion
Conversions
Convert
CopyFromScreen
CopyPixelOperation
_CorExeMain
CreateDecryptor
CreateDelegate
CreateDirectory
CreateEncryptor
CreateGetStringDelegate
CreateInstance
CreateMemberRefsDelegates
CreateSubKey
Cursor
Cursors
C:\Users\Islamya\Desktop\Server1.pdb
DataReceivedEventHandler
DateTime
Delegate
Delete
DeleteSubKey
DeleteSubKeyTree
DeleteValue
DESCryptoServiceProvider
DialogResult
Dictionary`2
Directory
DirectoryInfo
Disconnect
Dispose
DoEvents
DoNotDistributeAttribute
DownloadData
DynamicMethod
EmptyWorkingSet
Encoding
EndApp
EndInvoke
EndsWith
Environ
Environment
EnvironmentVariableTarget
eUJ<z2
EventArgs
EventHandler
Exception
Exists
{f425623c-4079-4361-8c24-36472c334f83}
FieldInfo
FileInfo
FileLoadException
FileMode
FileStream
FileSystemInfo
FileVersionInfo
FlatStyle
Format
FormatException
FormBorderStyle
FormStartPosition
FromBase64String
FromImage
get_Assembly
GetAsyncKeyState
get_Available
get_Bounds
GetBytes
GetCallingAssembly
get_CapsLock
get_Chars
get_ClassesRoot
get_Client
get_Controls
get_CurrentDomain
GetCurrentProcess
get_CurrentUser
get_Default
get_Directory
get_ExecutablePath
GetExecutingAssembly
GetFields
get_FieldType
get_FileDescription
get_FileName
get_FileVersionInfo
GetFolderPath
GetForegroundWindow
GetFrames
get_FullName
get_Handle
get_Height
get_Id
GetILGenerator
get_Info
get_IsStatic
get_Item
get_Jpeg
GetKeyboardLayout
GetKeyboardState
get_LastWriteTime
get_Length
get_LocalMachine
get_LocalTime
get_MachineName
get_MainModule
get_MainWindowTitle
get_Major
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_MetadataToken
GetMethod
GetMethodFromHandle
GetMethods
get_Module
get_ModuleHandle
get_ModuleName
GetModules
get_Name
GetName
get_Now
GetObjectValue
get_OSFullName
get_OSVersion
GetParameters
get_ParameterType
get_Parent
get_Platform
get_Position
get_PrimaryScreen
GetProcessById
GetProcesses
get_ProcessName
GetPublicKey
get_Registry
get_ReturnType
get_ServicePack
get_ShiftKeyDown
get_StandardInput
get_StartInfo
GetStream
GetString
GetSubKeyNames
GetTempPath
GetThumbnailImage
GetThumbnailImageAbort
get_Ticks
GetTypeFromHandle
GetTypes
get_UserName
get_Users
get_UTF8
GetValue
GetValueKind
GetValueNames
GetVersionInfo
GetVolumeInformationA
get_White
get_Width
GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
#`gm=%G
Graphics
GZipStream
HashAlgorithm
*I2FN7 
IAsyncResult
IButtonControl
ICryptoTransform
IDisposable
.#+I{E
ILGenerator
ImageFormat
IndexOf
InitializeArray
Interaction
Intern
IntPtr
InvalidOperationException
Invoke
InvokeMember
IsWebApplication
JBuilt using an evaluation version of SmartAssembly. Cannot be distributed.
k=|a>x
kernel32
Keyboard
LateCall
LateGet
LateIndexGet
LateSet
LateSetComplex
Ldarg_0
Ldarg_1
Ldarg_2
Ldarg_3
Ldarg_S
Ldc_I4
LFob%Q
List`1
LoadFile
LocalMachine
,(. m*
MapVirtualKey
MD5CryptoServiceProvider
MemberInfo
MemberRefsProxy
MemoryManager
MemoryStream
method
MethodBase
MethodInfo
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
MissingMethodException
Module
<Module>
ModuleHandle
Monitor
MoveFileEx
=m+~P,
mscoree.dll
mscorlib
MulticastDelegate
NetworkStream
NewLateBinding
NtSetInformationProcess
object
Object
OpCode
OpCodes
OpenExisting
OpenSubKey
OpenWrite
op_Equality
OperatingSystem
Operators
op_Explicit
op_GreaterThan
op_Inequality
op_LessThan
OrObject
ownerType
ParameterInfo
ParameterizedThreadStart
PictureBox
PlatformID
PoweredByAttribute
"Powered by SmartAssembly 6.9.0.114
p{PDp#
+P+Q{>
Process
ProcessModule
ProcessStartInfo
ProcessWindowStyle
ProjectData
QB	./>
Random
Randomize
ReadAllText
ReadByte
Receive
Rectangle
Registry
RegistryKey
RegistryKeyPermissionCheck
RegistryProxy
RegistryValueKind
@.reloc
Remove
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
ResolveEventArgs
ResolveEventHandler
ResolveMethodHandle
ResolveTypeHandle
result
ResumeLayout
RijndaelManaged
`.rsrc
_;ru+J
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeMethodHandle
RuntimeTypeHandle
Screen
    </security>
    <security>
Server
ServerComputer
Server.exe
SessionEndingEventArgs
SessionEndingEventHandler
set_AcceptButton
set_AutoScaleBaseSize
set_BackColor
set_CancelButton
set_ClientSize
set_CreateNoWindow
set_EnableRaisingEvents
SetEnvironmentVariable
set_FileName
set_FlatStyle
set_FormBorderStyle
set_Image
set_Item
set_Location
set_MaximizeBox
set_MinimizeBox
set_Position
SetProcessWorkingSetSize
SetProjectError
set_RedirectStandardError
set_RedirectStandardInput
set_RedirectStandardOutput
set_Size
set_StartPosition
set_TabIndex
set_TabStop
set_Text
set_TopMost
set_UseShellExecute
SetValue
set_WindowStyle
ShowDialog
SmartAssembly.Attributes
SmartAssembly.Delegates
SmartAssembly.HouseOfCards
SmartAssembly.MemoryManagement
Socket
SocketFlags
SpecialFolder
StackFrame
StackTrace
StartsWith
STAThreadAttribute
StrDup
Stream
StreamWriter
String
StringBuilder
Strings
#Strings
Substring
SuppressIldasmAttribute
SuspendLayout
+S+X+]
SymmetricAlgorithm
System
System.Collections.Generic
System.ComponentModel
System.Diagnostics
System.Drawing
System.Drawing.Imaging
SystemEvents
System.IO
System.IO.Compression
System.Net
System.Net.Sockets
System.Reflection
System.Reflection.Emit
System.Runtime.CompilerServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
Tailcall
TcpClient
TextWriter
!This program cannot be run in DOS mode.
Thread
ThreadStart
ToArray
ToBase64String
ToBoolean
ToInt32
ToInteger
ToLower
ToString
ToUnicodeEx
ToUpper
TransformFinalBlock
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TryGetValue
typeID
U-CnDc
user32.dll
v2.0.50727
ValueType
VBMath
Version
vzy7(vX
,%&+%{W
$w]8xY	
WaitForExit
WebClient
WrapNonExceptionThrows
WriteAllBytes
WriteAllText
WriteByte
WriteLine
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
z/HVlS