Analysis Date: 2016-11-16 01:36:46
MD5: e2641f39b8b8cc93eb823860ef045211
SHA1: 5429609b288aa2d5c09df095badb1205db3a6ecf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e7661ae63ad695508ac35cbc6dbe10f7 sha1: 5f3e5ba005d72d8270d5bfb918256cc097b07968 size: 15872
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xcpad md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: be3aa5d1d5dac55fad08d57e2854160c sha1: 0143806583a40894c2ed472565df13418b29ad7a size: 1024
Section .reloc md5: 1d2826c44311e3eea7285e947f031826 sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186 size: 512
Section .rsrc md5: 4af53af7c0313e54fdf1d97cbfdbb1da sha1: d61a7c4085a7a993553edc926fc7e1b2b0ef97d6 size: 1024
Timestamp:
Version:
  LegalCopyright:
  PackagerVersion:
  InternalName:
  FileVersion:
  CompanyName:
  Comments:
  ProductName:
  ProductVersion:
  FileDescription:
  Packager:
  OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash:
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV 360 Safe: No Virus
AV Ad-Aware: Gen:Variant.Barys.2939
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Barys.2939
AV Authentium: W32/Injector.FA.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BitDefender: Gen:Variant.Barys.2939
AV BullGuard: Gen:Variant.Barys.2939
AV CA (E-Trust Ino): Gen:Variant.Barys.2939
AV CAT (quickheal): No Virus
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader.64331
AV Emsisoft: Gen:Variant.Barys.2939
AV Eset (nod32): MSIL/Spy.Agent.AES
AV F-Secure: Gen:Variant.Barys.2939
AV Fortinet: W32/Generic.AC.237BCE!tr
AV Frisk (f-prot): No Virus
AV Grisoft (avg): BackDoor.Generic11.ARFY
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Backdoor ( 04c4c6e51 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Pony
AV Mcafee: No Virus
AV MicroWorld (escan): Gen:Variant.Barys.2939
AV Microsoft Security Essentials: TrojanSpy:Win32/Skeeyah.A!rfn
AV Rising: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: Backdoor.EF48C6BBCFE52365
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: TrojanSpy:Win32/Skeeyah.A!rfn
AV Zillya!: Backdoor.Bifrose.Win32.30488

Runtime Details:

Process
↳ C:\logger.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\logger.exe.config
Creates File: C:\logger.exe
Creates File: C:\logger.exe.config
Creates File: C:\WINDOWS\system32\l_intl.nls
Creates File: C:\logger.exe
Creates File: C:\WINDOWS\assembly\pubpol1.dat
Creates File: C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: C:\WINDOWS\FONTS\MARLETT.TTF
Creates File: C:\WINDOWS\FONTS\ROMAN.FON
Creates File: C:\WINDOWS\FONTS\SCRIPT.FON
Creates File: C:\WINDOWS\FONTS\MODERN.FON
Creates File: C:\WINDOWS\FONTS\SMALLE.FON
Creates File: C:\WINDOWS\FONTS\ARIAL.TTF
Creates File: C:\WINDOWS\FONTS\ARIALBD.TTF
Creates File: C:\WINDOWS\FONTS\ARIALBI.TTF
Creates File: C:\WINDOWS\FONTS\ARIALI.TTF
Creates File: C:\WINDOWS\FONTS\COUR.TTF
Creates File: C:\WINDOWS\FONTS\COURBD.TTF
Creates File: C:\WINDOWS\FONTS\COURBI.TTF
Creates File: C:\WINDOWS\FONTS\COURI.TTF
Creates File: C:\WINDOWS\FONTS\LUCON.TTF
Creates File: C:\WINDOWS\FONTS\L_10646.TTF
Creates File: C:\WINDOWS\FONTS\TIMES.TTF
Creates File: C:\WINDOWS\FONTS\TIMESBD.TTF
Creates File: C:\WINDOWS\FONTS\TIMESBI.TTF
Creates File: C:\WINDOWS\FONTS\TIMESI.TTF
Creates File: C:\WINDOWS\FONTS\WINGDING.TTF
Creates File: C:\WINDOWS\FONTS\SYMBOL.TTF
Creates File: C:\WINDOWS\FONTS\SYMBOLE.FON
Creates File: C:\WINDOWS\FONTS\VERDANA.TTF
Creates File: C:\WINDOWS\FONTS\VERDANAB.TTF
Creates File: C:\WINDOWS\FONTS\VERDANAI.TTF
Creates File: C:\WINDOWS\FONTS\VERDANAZ.TTF
Creates File: C:\WINDOWS\FONTS\ARIBLK.TTF
Creates File: C:\WINDOWS\FONTS\COMIC.TTF
Creates File: C:\WINDOWS\FONTS\COMICBD.TTF
Creates File: C:\WINDOWS\FONTS\IMPACT.TTF
Creates File: C:\WINDOWS\FONTS\GEORGIA.TTF
Creates File: C:\WINDOWS\FONTS\GEORGIAB.TTF
Creates File: C:\WINDOWS\FONTS\GEORGIAZ.TTF
Creates File: C:\WINDOWS\FONTS\GEORGIAI.TTF
Creates File: C:\WINDOWS\FONTS\FRAMD.TTF
Creates File: C:\WINDOWS\FONTS\FRAMDIT.TTF
Creates File: C:\WINDOWS\FONTS\PALA.TTF
Creates File: C:\WINDOWS\FONTS\PALAB.TTF
Creates File: C:\WINDOWS\FONTS\PALABI.TTF
Creates File: C:\WINDOWS\FONTS\PALAI.TTF
Creates File: C:\WINDOWS\FONTS\TAHOMABD.TTF
Creates File: C:\WINDOWS\FONTS\TREBUC.TTF
Creates File: C:\WINDOWS\FONTS\TREBUCBD.TTF
Creates File: C:\WINDOWS\FONTS\TREBUCBI.TTF
Creates File: C:\WINDOWS\FONTS\TREBUCIT.TTF
Creates File: C:\WINDOWS\FONTS\WEBDINGS.TTF
Creates File: C:\WINDOWS\FONTS\ESTRE.TTF
Creates File: C:\WINDOWS\FONTS\GAUTAMI.TTF
Creates File: C:\WINDOWS\FONTS\LATHA.TTF
Creates File: C:\WINDOWS\FONTS\MANGAL.TTF
Creates File: C:\WINDOWS\FONTS\MVBOLI.TTF
Creates File: C:\WINDOWS\FONTS\RAAVI.TTF
Creates File: C:\WINDOWS\FONTS\SHRUTI.TTF
Creates File: C:\WINDOWS\FONTS\TUNGA.TTF
Creates File: C:\WINDOWS\FONTS\SYLFAEN.TTF
Creates File: C:\WINDOWS\FONTS\WST_CZEC.FON
Creates File: C:\WINDOWS\FONTS\WST_ENGL.FON
Creates File: C:\WINDOWS\FONTS\WST_FREN.FON
Creates File: C:\WINDOWS\FONTS\WST_GERM.FON
Creates File: C:\WINDOWS\FONTS\WST_ITAL.FON
Creates File: C:\WINDOWS\FONTS\WST_SPAN.FON
Creates File: C:\WINDOWS\FONTS\WST_SWED.FON
Creates File: C:\WINDOWS\FONTS\COURE.FON
Creates File: C:\WINDOWS\FONTS\SSERIFE.FON
Creates File: C:\WINDOWS\FONTS\SERIFE.FON
Creates File: C:\WINDOWS\FONTS\TAHOMA.TTF
Creates File: C:\WINDOWS\FONTS\MICROSS.TTF
Creates File: C:\WINDOWS\FONTS\GLOBALMONOSPACE.COMPOSITEFONT
Creates File: C:\WINDOWS\FONTS\GLOBALUSERINTERFACE.COMPOSITEFONT
Creates File: C:\WINDOWS\FONTS\GLOBALSERIF.COMPOSITEFONT
Creates File: C:\WINDOWS\FONTS\GLOBALSANSSERIF.COMPOSITEFONT
Creates File: C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: C:\logger.exe
Creates File: C:\logger.exe
Creates File: C:\WINDOWS\symbols\dll\mscorlib.pdb
Creates File: C:\WINDOWS\dll\mscorlib.pdb
Creates File: C:\WINDOWS\mscorlib.pdb
Creates File: C:\WINDOWS\symbols\dll\System.Windows.Forms.pdb
Creates File: C:\WINDOWS\dll\System.Windows.Forms.pdb
Creates File: C:\WINDOWS\System.Windows.Forms.pdb
Creates Mutex:
Creates Mutex:
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\.net clr networking

Process
↳ C:\5429609b288aa2d5c09df095badb1205db3a6ecf.exe

Creates File: C:\5429609b288aa2d5c09df095badb1205db3a6ecf.exe
Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\WINDOWS\System32\cscui.dll
Creates File: C:\WINDOWS\Registration\R000000000007.clb
Creates File: shadow
Creates File: C:\WINDOWS\system32\shell32.dll
Creates File: C:\WINDOWS\system32\shell32.dll
Creates Mutex:
Creates Mutex: _xvm_mtx_file_0x4611E4E9
Creates Mutex: _xvm_mtx_reg_0x4611E4E9
Creates Mutex: _xvm_mtx_other_0x4611E4E9
Creates Mutex:
Creates Mutex:
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass ➝ Drive\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass ➝ Drive\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ➝ C:\Documents and Settings\All Users\Documents\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ➝ C:\Documents and Settings\All Users\Desktop\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 1

Network Details:


Strings:
RunVM
MessageBoxW
LdrGetProcedureAddress
ntdll
incorrect header check
unknown compression method
invalid window size
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect data check
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
need dictionary
RSDS
c:\XRoot_Build\X7.0\Vm\Release\x86\StubExe.pdb
HeapAlloc
GetProcessHeap
HeapFree
GetTickCount
GetModuleFileNameW
GetCurrentProcessId
OpenFileMappingW
GetLastError
MapViewOfFile
CloseHandle
CreateFileW
CreateFileMappingW
UnmapViewOfFile
GetFileInformationByHandle
VirtualAlloc
VirtualFree
GetModuleHandleA
GetProcAddress
LoadLibraryW
KERNEL32.dll