Analysis Date: 2015-08-02 02:31:56
MD5: 4015ee5441ed9aa8e4f2b24510e01338
SHA1: 62089d3b06c81d3139a0ccfb8c667cc3e1b2dec5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: 9f6ef77db522e3fcb7eeda79e4a149da sha1: e0cd6e5e72e85bd57fc3fd880256182511ed4175 size: 466944
Section: UPX1 md5: 6a5665f466034c9fa138e7249e8af0c3 sha1: 431dfab55bf0a312e64bbbe5e9059560142dfa23 size: 732160
Section: .rsrc md5: deb531bfcc2f215630bfade933174b45 sha1: a37cf81a577ac5a1e90c64b4fc636c9cbba8ddd7 size: 5120
Timestamp: 2012-06-07 15:59:53
Version:
LegalCopyright: Copyright (C) 1999
InternalName: MSRSAAPP
FileVersion: 1, 0, 0, 1
CompanyName: Microsoft Corp.
Comments: Remote Service Application
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
FileDescription: Remote Service Application
OriginalFilename: MSRSAAP.EXE
PEhash: 46007b349ed53ef4eda699ae20ba1d799f8fe8cb
IMPhash: 9d617e643d715888a08eb0e79581244c

AV detections:
CA (E-Trust Ino): Win32/Fynloski.DY
F-Secure: Trojan.Inject.AUZ
Dr. Web: BackDoor.Comet.2020
ClamAV: WIN.Trojan.DarkKomet
Arcabit (arcavir): Trojan.Inject.AUZ
BullGuard: Trojan.Inject.AUZ
Padvish: Backdoor.Win32.DarkKomet.xyk.Generic
VirusBlokAda (vba32): Backdoor.DarkKomet
CAT (quickheal): no_virus
Trend Micro: TROJ_FORUCON.BMC
Kaspersky: Backdoor.Win32.DarkKomet.aagt
Zillya!: Trojan.Fynloski.Win32.3190
Emsisoft: Trojan.Inject.AUZ
Ikarus: Backdoor.Win32.DarkKomet
Frisk (f-prot): W32/Banload.A.gen!Eldorado
Authentium: W32/Banload.A.gen!Eldorado
MalwareBytes: Backdoor.Bot.DarkKomet
MicroWorld (escan): Trojan.Inject.AUZ
Microsoft Security Essentials: no_virus
K7: Backdoor ( 003b505d1 )
BitDefender: Trojan.Inject.AUZ
Fortinet: W32/DarkKomet.ID!tr.bdr
Symantec: Backdoor.Graybird
Grisoft (avg): Delf.AQXD
Eset (nod32): Win32/Fynloski.AA
Alwil (avast): Agent-ASXK [Trj]
Ad-Aware: Trojan.Inject.AUZ
Twister: Virus.8BECB9@13006A006A0.mg
Avira (antivir): BDS/DarkKomet.GR
Mcafee: Generic BackDoor.yk
Rising: Backdoor.Win32.DarkKomet.c

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\SCREENSHOT_1.PNG
Creates File: C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
Creates File: PIPE\lsarpc
Creates Process: cmd.exe /k attrib C: +s +h
Creates Process: C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
Creates Process: cmd.exe /k attrib C: +s +h

Process
↳ cmd.exe /k attrib C: +s +h

Creates Process: attrib "C:\malware.exe" +s +h

Process
↳ cmd.exe /k attrib C: +s +h

Creates Process: attrib "C:" +s +h

Process
↳ C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\explorer.exe
Creates Process: notepad
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: DC_MUTEX-95WSBJV

Process
↳ attrib "C:\malware.exe" +s +h

Process
↳ attrib "C:" +s +h

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\WINDOWS\explorer.exe

Process
↳ notepad

Creates Mutex: DCPERSFWBP
Creates Mutex: DC_MUTEX-95WSBJV

Network Details:

DNS: blackwizardt.no-ip.org
Type: A
186.236.46.63
Flows TCP: 192.168.1.1:1037 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1038 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1039 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1040 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1041 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1042 ➝ 186.236.46.63:1111
Flows TCP: 192.168.1.1:1043 ➝ 186.236.46.63:1111

Raw Pcap
0x00000000 (00000)   44353733 42413541 34454646 43334642   D573BA5A4EFFC3FB
0x00000010 (00016)   36323933 3038                         629308

0x00000000 (00000)   44353733 42413541 34454646 43334642   D573BA5A4EFFC3FB
0x00000010 (00016)   36323933 3038                         629308

0x00000000 (00000)   44353733 42413541 34454646 43334642   D573BA5A4EFFC3FB
0x00000010 (00016)   36323933 3038                         629308


Strings