Analysis Date: 2015-11-23 01:08:49
MD5: 3a45c2945cafc5d35f76924df0e73449
SHA1: 67b79a9432e99a62d3aaf5e5989f7108698ff074

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 80ca913a0423e5e2ed95e274c3c47b6d sha1: 0ff2556855d3a7e83b584bc695f39ef6114a2120 size: 22016
Section .rsrc: md5: 0243c9a7f8755f2c2b18037cdad6cc91 sha1: 1ffa22fd5de34253aa3b8ffab97ec5c401513128 size: 1024
Section .reloc: md5: 36bba69bb8089b3b2a95af11f3ee5332 sha1: 9b454974cfe5ad96ff81599316f6ac3c83b0c3ed size: 512
Timestamp: 2015-11-05 19:25:35
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 2d36371c80c47caea3790aeefab740753fc75db5
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Rising: no_virus
AV Mcafee: BackDoor-NJRat!3A45C2945CAF
AV Avira (antivir): TR/Dropper.Gen7
AV Twister: Trojan.0000000000/480000.mg
AV Ad-Aware: Gen:Variant.Zusy.75290
AV Alwil (avast): GenMalicious-DQS [Trj]
AV Eset (nod32): MSIL/Bladabindi.BH
AV Grisoft (avg): PSW.ILUSpy
AV Symantec: Backdoor.Ratenjay
AV Fortinet: MSIL/Agent.LI!tr
AV BitDefender: Gen:Variant.Zusy.75290
AV K7: Trojan ( 700000121 )
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.AJ
AV MicroWorld (escan): Gen:Variant.Zusy.75290
AV MalwareBytes: Backdoor.NJRat
AV Authentium: W32/MSIL_Bladabind.I2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.MSIL.Bladabindi
AV Emsisoft: Gen:Variant.Zusy.75290
AV Zillya!: Backdoor.Agent.Win32.55233
AV Kaspersky: Backdoor.MSIL.Agent.igo
AV Trend Micro: BKDR_BLADABI.SMC
AV CAT (quickheal): Backdoor.Bladabindi.AL3
AV VirusBlokAda (vba32): Trojan.MSIL.Disfa
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.75290
AV Arcabit (arcavir): Gen:Variant.Zusy.75290
AV ClamAV: Win.Backdoor.Bladabindi-1
AV Dr. Web: Trojan.DownLoader11.17961
AV F-Secure: Gen:Variant.Zusy.75290
AV CA (E-Trust Ino): Win32/DotNetDl.A!generic
AV Rising: no_virus
AV Mcafee: BackDoor-NJRat!3A45C2945CAF
AV Avira (antivir): TR/Spy.Gen8
AV Twister: Trojan.0000000000/480000.mg
AV Ad-Aware: Gen:Variant.Zusy.75290
AV Alwil (avast): GenMalicious-DQS [Trj]
AV Eset (nod32): MSIL/Bladabindi.BH
AV Grisoft (avg): PSW.ILUSpy
AV Symantec: Backdoor.Ratenjay
AV Fortinet: MSIL/Agent.LI!tr
AV BitDefender: Gen:Variant.Zusy.75290
AV K7: Trojan ( 700000121 )
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.AJ
AV MicroWorld (escan): Gen:Variant.Zusy.75290
AV MalwareBytes: Backdoor.NJRat
AV Authentium: W32/MSIL_Bladabind.I2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.MSIL.Bladabindi

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\56359baebf88b525c5893cd07af42e65\[kl] ➝ [ENTER]\\r\\n\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE
Creates Mutex: 56359baebf88b525c5893cd07af42e65
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Winsock DNS: pnovjdgsar.fishdns.com

Process
↳ netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:malware.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: pnovjdgsar.fishdns.com (Type: A) ➝ 8.8.8.8
Flow TCP: 192.168.1.1:1032 ➝ 8.8.8.8:1988
Flow TCP: 192.168.1.1:1033 ➝ 8.8.8.8:1988
Flow TCP: 192.168.1.1:1034 ➝ 8.8.8.8:1988
Flow TCP: 192.168.1.1:1035 ➝ 8.8.8.8:1988
Flow TCP: 192.168.1.1:1036 ➝ 8.8.8.8:1988
Flow TCP: 192.168.1.1:1037 ➝ 8.8.8.8:1988
