Analysis Date: 2015-04-09 08:54:39
MD5: 4dbdd61dc5ebad691ad5e8e4748b0d23
SHA1: 4a0fe201b757954be6c3918694066a8e8b7a194e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 67d5135be6321fa7a3e47077439be703 sha1: fe3a6bd28ade08ad2ac9cbfeae60f887d6be2f46 size: 15872
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xcpad: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: 2c89e2f80bf58d460cbb00566bc9930e sha1: bbaed499111d5ebf8c843d958d7fca95d401bdd8 size: 1024
Section .reloc: md5: 1d2826c44311e3eea7285e947f031826 sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186 size: 512
Section .rsrc: md5: c010cfbdd87632a010bd800110bdb4a2 sha1: bb6ac49f79b96bde95aee2cffbf367d5bab6835c size: 1024
Timestamp: 1970-01-01 00:00:49
Version:
  LegalCopyright:
  Assembly Version: 0.0.0.0
  InternalName: w5pqrrvk.exe
  FileVersion: 0.0.0.0
  PackagerVersion: 7.0.162
  ProductVersion: 0.0.0.0
  FileDescription:
  Packager: Xenocode Postbuild 2009 for .NET Beta
  OriginalFilename: w5pqrrvk.exe
Packer: Borland Delphi 3.0 (???)
PEhash: 761621ceae5a314d12c35773882ad8851627654e
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV: 360 Safe: no_virus
AV: Ad-Aware: Trojan.GenericKD.2198814
AV: Alwil (avast): Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir): Trojan.GenericKD.2198814
AV: Authentium: W32/Poison.K.gen!Eldorado
AV: Avira (antivir): TR/Dropper.Gen
AV: BullGuard: Trojan.GenericKD.2198814
AV: CA (E-Trust Ino): no_virus
AV: CAT (quickheal): Trojan.Generic.r6
AV: ClamAV: Trojan.Dropper-28386
AV: Dr. Web: Trojan.DownLoader.64331
AV: Emsisoft: Trojan.GenericKD.2198814
AV: Eset (nod32): MSIL/Injector.BML
AV: Fortinet: W32/Generic!tr
AV: Frisk (f-prot): no_virus
AV: F-Secure: Trojan.GenericKD.2198814
AV: Grisoft (avg): Crypt.ANOZ
AV: Ikarus: Backdoor.Win32.Bifrose
AV: K7: Backdoor ( 04c4c6e51 )
AV: Kaspersky 2015: Trojan.Win32.Generic
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: RDN/Generic BackDoor!bbx
AV: Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.AR
AV: MicroWorld (escan): Trojan.GenericKD.2198814
AV: Rising: no_virus
AV: Sophos: no_virus
AV: Symantec: no_virus
AV: Trend Micro: no_virus
AV: VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\jhonhv.exe"
Creates Mutex: _xvm_mtx_reg_0x19888AB9
Creates Mutex: _xvm_mtx_file_0x19888AB9
Creates Mutex: _xvm_mtx_other_0x19888AB9

Process
↳ "C:\jhonhv.exe"

Creates Mutex: _xvm_mtx_reg_0x19888AB9
Creates Mutex: _xvm_mtx_file_0x19888AB9
Creates Mutex: DBWinMutex
Creates Mutex: _xvm_mtx_other_0x19888AB9

Network Details:

Strings