Analysis Date: 2014-12-09 23:37:38
MD5: 27386a408f4a153ce67011a3bead4f7c
SHA1: 646a38844a2141ecb433d85796835f5ac9e4f078

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  .text   md5: 40a8d7b3aeb6e99ca89dd4168a992a6d  sha1: 1f0f6795621a1af9e21c450a15d9b28d95abebf6  size: 15872
  .data   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .xcpad  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .idata  md5: 0ac97c770bd48f518f9547d6403bfe30  sha1: a88887a5d3a1440c79697fb41d4748b9d2c0a293  size: 1024
  .reloc  md5: 1d2826c44311e3eea7285e947f031826  sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186  size: 512
  .rsrc   md5: 352729b2e26c00e33d5f8a40395e2ad1  sha1: b31a2e6f182d023d43249f5f40ad23edea38a303  size: 1536
Timestamp: 1970-01-01 00:00:59
Version:
  LegalCopyright:
  PackagerVersion: 7.0.162
  InternalName:
  FileVersion: 1.0.0.0
  CompanyName:
  Comments:
  ProductName:
  ProductVersion: 1.0.0.0
  FileDescription:
  Packager: Xenocode Postbuild 2009 for .NET Beta
  OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: f47711401396df4dfe66967722117c2aa58006dc
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV detections:
  360 Safe: Backdoor.Generic.252555
  Ad-Aware: Backdoor.Generic.252555
  Alwil (avast): Trojan-gen:Win32:Trojan-gen
  Arcabit (arcavir): no_virus
  Authentium: W32/Backdoor.RVHF-7613
  Avira (antivir): TR/Dropper.Gen
  BullGuard: Backdoor.Generic.252555
  CA (E-Trust Ino): Win32/Poison.BT
  CAT (quickheal): Backdoor.Poison.aec
  ClamAV: Trojan.Poison-443
  Dr. Web: Trojan.DownLoader.64331
  Emsisoft: Backdoor.Generic.252555
  Eset (nod32): Win32/Poison.NAI
  Fortinet: W32/Poison.AMKO!tr.bdr
  Frisk (f-prot): W32/BackdoorX.DDUD
  F-Secure: Backdoor.Generic.252555
  Grisoft (avg): BackDoor.Generic11.AGZM
  Ikarus: Backdoor.Poison
  K7: Backdoor ( 04c4c6e51 )
  Kaspersky: Backdoor.Win32.Poison.aec
  MalwareBytes: no_virus
  Mcafee: BackDoor-DKI.gen.ak
  Microsoft Security Essentials: Backdoor:Win32/Poisonivy.E
  MicroWorld (escan): Backdoor.Generic.252555
  Rising: no_virus
  Sophos: no_virus
  Symantec: Backdoor.Trojan
  Trend Micro: no_virus
  VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\koukou.exe"
Creates Mutex: _xvm_mtx_file_0x26B27EEC
Creates Mutex: _xvm_mtx_other_0x26B27EEC
Creates Mutex: _xvm_mtx_reg_0x26B27EEC

Process
↳ "C:\koukou.exe"

Creates Mutex: _xvm_mtx_file_0x26B27EEC
Creates Mutex: DBWinMutex
Creates Mutex: _xvm_mtx_other_0x26B27EEC
Creates Mutex: _xvm_mtx_reg_0x26B27EEC

Network Details:

Strings