Analysis Date: 2015-02-19 18:31:42
MD5: d09c1b53b9b02837bee4d49b00d63dc9
SHA1: 651cdaf2c864d590d50851eec0b3cec6c2f787e3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 7bd855906f1a5753d2c798fff7ba0af8 sha1: 5864a37af7f33bf221dd5b28895099d58fdc68c2 size: 15872
Section .data  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xcpad md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: b15b615a21bf5ca0c8c493bbb344b92f sha1: 277f9adc790b21eb3ca0663757a7b2588790fb36 size: 1024
Section .reloc md5: 1d2826c44311e3eea7285e947f031826 sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186 size: 512
Section .rsrc  md5: 2ea126bea27a9ef946c8db2940747ec9 sha1: 26bac6f044bc9a4c16d19fdcc6170dbcae1eca4d size: 1024
Timestamp: 1970-01-01 00:00:30
Version:
  LegalCopyright:
  PackagerVersion: 7.0.162
  InternalName:
  FileVersion: 1.0.0.0
  CompanyName:
  Comments:
  ProductName:
  ProductVersion: 1.0.0.0
  FileDescription:
  Packager: Xenocode Postbuild 2009 for .NET Beta
  OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: 761621ceae5a314d12c35773882ad8851627654e
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Barys.2469
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Barys.2469
AV Authentium: W32/Poison.K.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Barys.2469
AV CA (E-Trust Ino): Win32/Tnega.ARTT
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Bifrose-13190
AV Dr. Web: Trojan.DownLoader.64331
AV Emsisoft: Gen:Variant.Barys.2469
AV Eset (nod32): MSIL/Bladabindi.F
AV Fortinet: W32/Generic!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Barys.2469
AV Grisoft (avg): BackDoor.Generic12.IUG
AV Ikarus: Trojan.SuspectCRC
AV K7: Backdoor ( 04c4c6e51 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Barys.2469
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BackDoor.Poison

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\Server.exe"
Creates Mutex: _xvm_mtx_other_0xAEA22FE3
Creates Mutex: _xvm_mtx_reg_0xAEA22FE3
Creates Mutex: _xvm_mtx_file_0xAEA22FE3

Process
↳ "C:\Server.exe"

Creates Mutex: _xvm_mtx_other_0xAEA22FE3
Creates Mutex: _xvm_mtx_reg_0xAEA22FE3
Creates Mutex: _xvm_mtx_file_0xAEA22FE3
Creates Mutex: DBWinMutex

Network Details:


Raw Pcap

Strings