Analysis Date: 2015-12-01 21:33:31
MD5: 97e7c332da1a1324f4f56b4346e015a5
SHA1: 6a2afd1f14fd7d37815aeed28b31db3b9385b483

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bbf4d1c6e41cd1816a53e91de8ac5554 sha1: 638884009b75748c1814c7280394afe6e21cb1c5 size: 104448
Section .rdata: md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data: md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc: md5: a3684e370b8f7e0f3d43835040e875e2 sha1: 72ac406a729578b73cc0a623b06aac65fea3c0ed size: 171008
Section wsylxoc: md5: 9cc544b7333c1f741765ce8afc8b8f27 sha1: 4175c1af6c9193132b1d413478e2872388da4097 size: 31232
Section wqunqwi: md5: 540cac69cd8a592e498822e3c4b0a6a8 sha1: 3b7a3cd58efa857acfdaf39353e684f5637dd3e1 size: 141824
Section mllwaag: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (hashes are those of empty input, consistent with a zero-size section)
Timestamp: 1997-08-21 15:04:12
Packer: Microsoft Visual C++ ?.?
PEhash: e1783e552b043529fd20f069c9cebde6a1cda1eb
IMPhash: 720f62ecaae027b5c3ec6686644322e9
AV CA (E-Trust Ino): Win32/Tnega.QDDOAVD
AV Mcafee: RDN/Generic BackDoor
AV MalwareBytes: no_virus
AV F-Secure: Gen:Variant.Symmi.43388
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV Eset (nod32): MSIL/Bladabindi.L
AV MicroWorld (escan): Gen:Variant.Symmi.43388
AV Trend Micro: no_virus
AV Dr. Web: Trojan.Winlock.8775
AV CAT (quickheal): Trojan.MSILCryptor.MUE.A4
AV Emsisoft: Gen:Variant.Symmi.43388
AV BitDefender: Gen:Variant.Symmi.43388
AV Ad-Aware: Gen:Variant.Symmi.43388
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Fortinet: W32/Generic.L!tr
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV Ikarus: Backdoor.MSIL
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): Hoax.Blocker
AV ClamAV: Win.Trojan.Agent-790885
AV Arcabit (arcavir): Gen:Variant.Symmi.43388
AV BullGuard: Gen:Variant.Symmi.43388
AV Zillya!: Trojan.Blocker.Win32.4914
AV Authentium: W32/A-27762b68!Eldorado
AV K7: Trojan ( 003f3a341 )
AV Symantec: Backdoor.Trojan
AV Grisoft (avg): Generic31.BEIT
AV Rising: Backdoor.Win32.Bindi.a

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\2b84a7ed33f26a9ef98ff459e1950594\US ➝ !\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Network Details:
