Analysis Date: 2015-02-19 23:09:43
MD5: 4dc9b06717c71f55bf0d892e043ba482
SHA1: 7533d5b9bb333b32d92616f9a1aabb2ac176efc9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0b5a93a553c2dfaf247aef28e4d001e1 sha1: 12b068d788e02d6639908472a51268f48169f8a0 size: 15872
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xcpad md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 0b6d2c49a0c581aac667520fe1d64be9 sha1: a586ae8e761b7a3c2dcf7c09daecc422b50c4229 size: 1024
Section .reloc md5: 1d2826c44311e3eea7285e947f031826 sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186 size: 512
Section .rsrc md5: a687e23da3596b07910f9289787f6f82 sha1: 5f64df3e5e1acd3260b5ec4085bdfb48e2de55c8 size: 2048
Timestamp: 1970-01-01 00:00:16
Version LegalCopyright:
PackagerVersion: 7.0.162
InternalName:
FileVersion: 1.0.0.0
CompanyName:
Comments:
ProductName:
ProductVersion: 1.0.0.0
FileDescription:
Packager: Xenocode Postbuild 2009 for .NET Beta
OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: ca2f38d651b62f46326479b1e270c4c27800e77e
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Backdoor.Heur.Bifrose.wy3@b45exApG
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Backdoor.Heur.Bifrose.wy3@b45exApG
AV Authentium: W32/Backdoor2.GCDV
AV Avira (antivir): TR/Crypt.CFI.Gen
AV BullGuard: Gen:Backdoor.Heur.Bifrose.wy3@b45exApG
AV CA (E-Trust Ino): Win32/Poison.BT
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Poison-419
AV Dr. Web: Trojan.DownLoader.64331
AV Emsisoft: Gen:Backdoor.Heur.Bifrose.wy3@b45exApG
AV Eset (nod32): Win32/Bifrose.ADR
AV Fortinet: W32/BDoor.DKI!tr.bdr
AV Frisk (f-prot): W32/Backdoor2.GCDV
AV F-Secure: Trojan:W32/Agent.DRDU
AV Grisoft (avg): BackDoor.Generic12.CEDX
AV Ikarus: Backdoor.Poison
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan.Win32.Agent.bcn
AV MalwareBytes: no_virus
AV Mcafee: BackDoor-DKI.gen.ak
AV Microsoft Security Essentials: Backdoor:Win32/Bifrose.gen!C
AV MicroWorld (escan): Gen:Backdoor.Heur.Bifrose.wy3@b45exApG
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Trojan
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\server.exe"
Creates Mutex: _xvm_mtx_file_0x04525FB7
Creates Mutex: _xvm_mtx_reg_0x04525FB7
Creates Mutex: _xvm_mtx_other_0x04525FB7

Process
↳ "C:\server.exe"

Creates Mutex: _xvm_mtx_file_0x04525FB7
Creates Mutex: _xvm_mtx_reg_0x04525FB7
Creates Mutex: DBWinMutex
Creates Mutex: _xvm_mtx_other_0x04525FB7

Network Details:

Strings