Analysis Date: 2014-11-26 12:32:41
MD5: 268a11f4b45a516782980feca06e5182
SHA1: 680d51d24451ad5e0792a2016eb6840a513a808b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: c8dda558e43cb60676184f7b9564ddcb sha1: 029b7264f6cc93d96e9400dd8dd1917485b6411d size: 126464
Section .rdata — md5: 9c348d1b189ef09c8625e378cb5eef44 sha1: fe2fe11ba3653646d06fbd4d11d1605bf3e56cb9 size: 10752
Section .data — md5: 1c9d23bab18e653f7aea2a4750f874ff sha1: 1ded6670bbd51c9dd7095a63987760c093386c5f size: 59392
Section .rsrc — md5: 65854dba5f86dc2e1e5a988abe010d36 sha1: b6d395649318abcf594e4aec04eadf9d7272d33b size: 80384
Timestamp: 2010-03-19 07:02:55
Version info:
LegalCopyright: © Marsukafe Corporatien. All rights reserved.
InternalName: bindacosh.exe
FileVersion: 3.47.9978.16702
CompanyName: Anubirel Corporatu
ProductName: Anubirel
ProductVersion: 3.47.9978.16702
FileDescription: Anubirel Visatl Studie 2020
OriginalFilename: bindacosh.exe
PEhash: 9aa05f5b8901ccdaec3d3c23c65c6ea0d4b5aede
IMPhash: 1e5b5b7cc5c62492b249889963cc6fd4
AV 360 Safe — no_virus
AV Ad-Aware — Gen:Variant.Kazy.500418
AV Alwil (avast) — Dropper-gen [Drp]
AV Arcabit (arcavir) — no_virus
AV Authentium — no_virus
AV Avira (antivir) — TR/Crypt.ZPACK.109533
AV BullGuard — Gen:Variant.Kazy.500418
AV CA (E-Trust Ino) — no_virus
AV CAT (quickheal) — FraudTool.Security
AV ClamAV — no_virus
AV Dr. Web — no_virus
AV Emsisoft — Gen:Variant.Kazy.500418
AV Eset (nod32) — Win32/Kryptik.CQYB
AV Fortinet — no_virus
AV Frisk (f-prot) — no_virus
AV F-Secure — no_virus
AV Grisoft (avg) — Win32/Cryptor
AV Ikarus — no_virus
AV K7 — no_virus
AV Kaspersky — Trojan.Win32.Generic
AV MalwareBytes — Trojan.Zemot
AV Mcafee — no_virus
AV Microsoft Security Essentials — no_virus
AV MicroWorld (escan) — no_virus
AV Rising — no_virus
AV Sophos — no_virus
AV Symantec — no_virus
AV Trend Micro — no_virus
AV VirusBlokAda (vba32) — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
.
...@
R
.Ib
.
Z
M
.
..
.
.
c
&.T..
x.
F
.
.
j.)
040904b0
3.47.9978.16702
Anubirel
Anubirel Corporatu
Anubirel Visatl Studie 2020
bindacosh.exe
CompanyName
FileDescription
FileVersion
InternalName
lcOmsVcs.dll
LegalCopyright
 Marsukafe Corporatien. All rights reserved.
OriginalFilename
ProductName
ProductVersion
StringFileInfo
terrapatrick
Translation
VarFileInfo
VS_VERSION_INFO
!x-sys-default-locale
0dpz'&L
0/H,c 
0Iw^Oa/
0N`Nil2
[0T=& 
0%teyJ
0t=Un!
$1`_9#
!1D78_tV
?1Gzgcc
}<1h'cM{
1ncyP,
@1qG{|L
-2049310971.dll
-24kwj
24M\Ri
2?@Ec[
'2I'0P
2O_2b;r
)2|y{7
??2@YAPAXI@Z
?!34Rc
3'*c^%
3H;OQ2}D
3[`Qnvd
3WPN0G
??3@YAXPAX@Z
3&yy/J
45]T?B[
>49r!WK
4(c>?	
4cquO3
4\TibE
5/?aF6
^(5$sp
5vQ8DpmG
6GP=oc
6o_Kvn[
6Uce{/~
7`-(>:f
7I,#@g
7kG>u[
@_>7K[U$T
86c)Xy
88t/=Y
8K$*ce
9[]Cej:
9cFDDEhS
9!cOqz
&^|9fWG
9]J2y_
9z||<;e9cM7
A4\Kdy"	
\A(~,8
Abh=lg
Achn7@
ACJRQS
ACLUI.dll
AcxqW`M
AddAccessAllowedAce
_adjust_fdiv
AdjustTokenPrivileges
ADVAPI32.dll
].A#h|
A^HhSA
ajcDh>
~akBcW
A	@KRHRYRZ
AllocateAndInitializeSid
AllocConsole
*aO4uZ
^asNp(c
  </assembly>
        <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/>
  <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AsTP\Q`
\A<=v!O
\AYTo9
B6Q?I]Y
b7rkalp8h6qivhbz
[		BCI
BdhlGA
	BHSHZQR
BH@SXR
,	BlO0
BM^N#4
'\B`N;
B p2c-
\B.Rsc
BRSHJBI
>B!UwS
BW]%-y
	c0);p
c#6q9,n+
CA@BARBABX
calloc
CancelIo
^?cAsc
cbDzo%5
]C"c/2
Cc8`rt
CCCHZJAP@	ZX
cc kN 
c[E8]]T
_cexit
_c_exit
cF	c&k
?C=;?fW
)c+_'G0
c)GDh 
CgkNTc
cgq'wha)
~|chO@
,c<H{>y
CJH	R[B
#Ckc9KS
CKR[RRIK
CloseHandle
~	+?c>LxXXC
'c#mZ`]
CN 0SE
c@ok*c#
_controlfp
	CPH	IA
CreateEventW
CreateFileA
CreateFileW
CreateNamedPipeW
CreateProcessAsUserW
CreateSecurityPage
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
cr#Yq-
C@SC@	J
]c}T	a
{cV;S9
&c:`Vw
CXC	RZ
c-=zy6
(D  (@
@.data
Dbcill
@dCdJA
dD	@ \
dd;rr7
DdtD&@
    </dependency>
    <dependency>
      </dependentAssembly>
      <dependentAssembly>
DeregisterEventSource
D{fP(#{w
dh"A#5
%D@=Ix
DJ8Uc6
dJV_p[h
@DkLq'
dob93|
"dpAH (
Dt tu#mK
DuplicateHandle
DuplicateTokenEx
"  E!	
(e3c3X
ebq\\"Sw$
E{</c:
EditSecurity
E;<HkH
+~	El%lc_
?enVk-
~enwn(
EqualSid
E'XA]c
_except_handler3
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
EY]|Q"
@?E|#z
f&315a_
f7nCD)N
Fc#DUd
Fcr^wM
Ff<^VR
F NP9[
FormatMessageA
FormatMessageW
!F|@P_
FreeConsole
FreeLibrary
FreeSid
}F@yQb
,Fz&{f
G79[b:1
%@}>Gc
G[C2Uv
GCGZQy
GenerateConsoleCtrlEvent
GetAce
GetACP
GetComputerNameW
GetConsoleCP
GetConsoleMode
GetConsoleScreenBufferInfo
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetExitCodeProcess
GetLastError
GetLengthSid
GetLocaleInfoW
GetLocalTime
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetSecurityDescriptorLength
GetSidIdentifierAuthority
GetSidSubAuthority
GetSidSubAuthorityCount
GetStartupInfoA
GetStdHandle
GetSystemDefaultLCID
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetTokenInformation
G'\*hxv
!g{k6c
g`@,L 
GlobalAlloc
GlobalFindAtomA
GlobalFree
g&Qc=:
GUp1E2
/gW'@_
H9+""p2
h9uWAV
h9WQaz
@HACAJH
hc/M],
H(c:tWy
HCZYHR[
HeapAlloc
HeapFree
hgK1c\Tw
HJCRCRR
h_l7cH
h^OJ^ P
hp2Qd 
"H PB'
'hQd&w
HRXBHC
 HTHB@
H_WoQ@
~HXi,x
H'X:R*}9c
HXXX@RRI
HXZRX	PH
HZICAI
hZ`uKc^
$ I(@!
	+(I'3
I<]8OzEP!
_I}9?vd6
i}$?c+
ICKSZR
}ic)r,_
#IEMly	
I_Ggj[
i/g*JJg
IHC	C@
i'hyK\
I		@I	
iI-$6sO
IID_ISecurityInformation
Ii>Hy#
@@IIKRSQ	QJQBS
II		ZP
IKKKCC[RSZ	
ImpersonateLoggedOnUser
__initenv
InitializeAcl
InitializeSecurityDescriptor
_initterm
IsDBCSLeadByte
isdigit
IsValidSid
Iw37=r
i~z$R@
IZXARSY	YY
IZZZJH
J1PIK$ 
J`2FQ|
j4F&Kh{[
J@ABBB
Jc<&Ro
><*j>cX
JD^0'A{L
JfkHcv
 #JG@s
:_jL*!
jN(kP0
J<p0c$
>JQ-~dI
?-jrR\2#
JSRJSSIZR
[JY@S@	
JZA		@Y
k5NG|D
_K65V+
@K}B$jc
Kc6Qt=nb
KERNEL32.dll
K	IYKA
kp?EQv
KQRJRCKZ
KQw-\S
[KR[AA
KRARB[	RRJ
KRR@SC
KSSHZJ
KXc.40|)
@KXJSBHB
kX)Y\c
kYP*X#
KZXPCY
_&/[l'
L00D^0
l50%Wz
 @L$Ae@
	=Lc\~
lJ9C^t
lkWR#Y
:LLxc-
L#!nm`Y
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LogonUserW
LookupAccountNameW
LookupAccountSidW
LookupPrivilegeValueW
l<pVJc
'_L!R@D
LsaClose
LsaFreeMemory
LsaOpenPolicy
LsaQueryInformationPolicy
lstrcatA
lstrcpyA
lstrcpyW
lstrlenW
]}LW9$
lX/{c{
ly71Kg
Lyc_?]
"m0Gc[
M#4V"9
MakeSelfRelativeSD
malloc
m|Ce+"
Md|cvxI
memchr
memmove
m!Mebm
MPR.dll
MSVCRT.dll
MultiByteToWideChar
*m,YWE
	mZ37a
n3czwZ
n%3mu_
;!N7Ed
N\B6T)@
ncfd+"
,N(c@S
N>=c&V@}"
 nDcfc
NETAPI32.dll
NetApiBufferFree
NetGetAnyDCName
NetUserGetInfo
\)nG| ]
NgT/K%
N-I}g*
_No~oy
NQVc|u
NS3S[c
$<\\N\S~ci4
*NW!,8;S
Nzc{W5
o~*c/<
-oc{CE
OpenProcess
OpenProcessToken
OpenThreadToken
OpW1.E
O[Rw+W.
?p8l3c
'p}/.a
Pc11zLp
P.c.7y
pCmcz7
!PfErf2
__p__fmode
p\H\acK*e
 PJ@``A
|PLe^W
p-mxf>
p=rnrK
.Pyc*w
"Q)Eo[
q*hKB9
qJgbF]
QueryPerformanceCounter
Q"WQMc
QXr!aW
R2&JzT
RBCBJQ
r&{:c|
`.rdata
ReadConsoleOutputA
ReadConsoleOutputW
ReadFile
RegCloseKey
RegCreateKeyA
RegCreateKeyExW
RegisterEventSourceW
RegLoadKeyA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegQueryValueExA
RegQueryValueExW
RegSetKeySecurity
RegSetValueExW
ReleaseMutex
ReportEventW
          <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
        </requestedPrivileges>
        <requestedPrivileges>
RevertToSelf
\Rgw>K
RHAXCKY
$Rich@
Ri.d Y
(R]l x
r:&O'%
R}?_P>
RPHRHR
_r}qncf
Rq !_T
RRIRC	R
RRKBX[R[
rR)UCo
R@SIHS	
RSJJ	YA
-r[?X[G
RXIRRX
R@ZQJXC@
RZRCRKRICIC[
s5@5Cc
scPxqbn
S/c&t:AM
S\Dc,`
      </security>
      <security>
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetConsoleWindowInfo
SetEnvironmentVariableA
SetEnvironmentVariableW
SetErrorMode
SetHandleInformation
SetLastError
?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
SetSecurityDescriptorDacl
SetUnhandledExceptionFilter
__setusermatherr
sH3ZbY
SHELL32.dll
SHGetFolderPathW
'S[	igrG
sN&Ber"
_snprintf
_snwprintf
sprintf
SPSXIZ
SR@Y@H
SSJCAIR[HKI
S@SRXIHA
strchr
_strcmpi
_stricmp
strncpy
strrchr
strtoul
S`V"*c
SZH@RZ[AK
t1-UD_
"@\tb	
Td@XBBZ
!This program cannot be run in DOS mode.
toupper
towlower
{tP}E}
$T|Q-9B
    </trustInfo>
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
>'|TX8
\&\TxCv
u35]hJZ(
u5+S$b"
u_,bcU'ou?
u%gBPdc
ujr^QM
UN^095z_
|uZ$X4
V+3'NF
V4ctsi
#v987(,
~\VBB^$
]vB[)M
VDaQ-}
$vdk.c
VirtualFree
=!V\=O
>VQ\47/I_
`#vqna
VTc<UXn5
VTPAkz
Vw^~?8h
W@-("0
WaitForMultipleObjects
WaitForSingleObject
wcnEp'4
wcscat
wcschr
wcscmp
wcscpy
_wcsicmp
wcslen
wcsncat
wcsncpy
_wcsnicmp
wcsrchr
|wF\A+
:!W]Gu
WideCharToMultiByte
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
Wory'R
WriteConsoleInputA
WriteConsoleInputW
WriteConsoleW
WriteFile
%?Ws1i
WS2_32.dll
WSASocketW
W$TTs'3
WV\3om
W}V(mm
wX>c*O
x47Tc_
x7t,}45
x!^bN:
xcOr|C
_XcptFilter
XINsZO
XI[SHKPS	Q
XIZIBS
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XNN9N;
xpg/C2
XRKJS[RHAS
XrZF(4
\X:V8{
X	[XHH
 @	Xx`*	Qx
XYZHHH
[@YCBJ
YC[CRHH
!+Y=cd
YH<gmC
YHZCCBHK	S
Yk	cT:I8 fc
YO4ciN
_ypp2-
YRCSS	
Y	RJRJX
YRRRHR	A
		[YSBR
)YTIRX2K
+ywiS%Y
 	Y~z.
z4.\nqS9
>Z]9o>
Z#_aBA
zbBD1B
ZI@AJCI
ZIZSQC
zJQUcy>
#zN31/
_zNu` kD
zQ$e>\E'
Z@RI@R	SJ
ZS3f$D
Z	SKRRXZKYK	C[[
^$z%w:I
ZXc#OK
Zxe\{g
ZXQZXIR
ZXZBHR
ZYRICJZ
/z:=)|Z