Analysis Date: 2015-05-11 20:13:42
MD5: b2c1626264aaa4e62f451338c80af9f4
SHA1: 79e6a661119e3af45d10ac66c228585eed63169c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: aceca51a63ee548235b3a26af4294fd8 sha1: fdc3b31c5a50ed9a3801d0625bf2edca0c5e757d size: 86016
Section .rsrc: md5: 46661f6206a6ad7c2ccbfc7d603b80d2 sha1: 9ca2c3998619a00be5dd6e4bc293555385a105c4 size: 176128
Section .reloc: md5: 3680e772a37f06d3a239822e5888f92b sha1: 45783cadad144408c663d0b8e219319e4beb3624 size: 4096
Timestamp: 2013-10-09 13:09:42
Version:
  LegalCopyright:
  Assembly Version: 0.0.0.0
  InternalName: my pic.Scr
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
  FileDescription:
  OriginalFilename: my pic.Scr
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 69c01aa2236e0a8a91f5141b2b2dcba55769813c
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.591713
AV Alwil (avast): Bladabindi-GA [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.591713
AV Authentium: W32/S-09b23f5c!Eldorado
AV Avira (antivir): BDS/Bladabindi.alif
AV BitDefender: Gen:Variant.Kazy.591713
AV BullGuard: Gen:Variant.Kazy.591713
AV CA (E-Trust Ino): Win32/DotNetBinder.A!generic
AV CAT (quickheal): Trojan.Agent.r3
AV ClamAV: Win.Trojan.Njrat-1
AV Dr. Web: Trojan.DownLoader9.26652
AV Emsisoft: Gen:Variant.Kazy.591713
AV Eset (nod32): MSIL/TrojanDropper.Binder.CZ
AV Fortinet: MSIL/Dropper_Binder.BS!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.591713
AV Grisoft (avg): Dropper.Msil.CN
AV Ikarus: Trojan-Dropper.MSIL
AV K7: Trojan ( 003ca8581 )
AV Kaspersky: Trojan.Win32.Generic:Trojan.MSIL.Agent.ffjt
AV MalwareBytes: Backdoor.Bot.MSIL
AV Mcafee: BackDoor-FBHS!B2C1626264AA
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.591713
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/dnsauce-B
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: Trojan.0000000000@2FF001.mg
AV VirusBlokAda (vba32): Trojan.Agent.ackqz

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\oSxlplHSXX.jojo
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\tSaRJNDwsA.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Application Data\tSaRJNDwsA.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Application Data\tSaRJNDwsA.exe"

Registry: HKEY_CURRENT_USER\Software\16a3ce885b20bc48535b1b5f1aff040c\US ➝ @\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe
Creates File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\16a3ce885b20bc48535b1b5f1aff040c ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\16a3ce885b20bc48535b1b5f1aff040c ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe" ..\\x00
Creates File: C:\WINDOWS\system32\.tmp
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\16a3ce885b20bc48535b1b5f1aff040c.exe
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe" "data temp.exe" ENABLE
Creates Mutex: 16a3ce885b20bc48535b1b5f1aff040c
Winsock DNS: thenumberone.no-ip.org

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe" "data temp.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\data temp.exe:*:Enabled:data temp.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: niray.com.cn (Type: A)
DNS: thenumberone.no-ip.org (Type: A)

Raw Pcap

Strings
|.
.
'2o.U
.
.

0.0.0.0
000004b0
Assembly Version
FileDescription
files
FileVersion
InternalName
KBnO_VyiUr
kwpjfIXJeH
LegalCopyright
my pic.Scr
OriginalFilename
oSxlplHSXX.jojo
ProductVersion
StringFileInfo
Translation
tSaRJNDwsA.exe
VarFileInfo
VS_VERSION_INFO
'0(3~t
0%8VrP
0Copyright Bartosz W
1.0.0.0
2.0.0.0
 2010 www.pelock.com
3}3}2J(7
3?h3e>8w
3System.Resources.Tools.StronglyTypedResourceBuilder
3v51Xw
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
4iG {C'
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
5Gak^#
5?}h@oJ7
!5y$:e
666@EEEh;;;x888
:::!777"777"777"777"777"777"777"666"666"666"666"666"777"777"777"777"777"777"777"777"777"777"777"777"777"777"777"777"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"666"555 )))
	777)YYY[PPPsMMMwMMMwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwLLLwNNNr...Q
8JN+P~
9.0.0.0
9'C=-^7
9:/%Ky
9r.?[P
$ac045e25-5d9e-42b8-a1ce-4c3a95960eae
add_AssemblyResolve
add_ResourceResolve
AddrOfPinnedObject
AppDomain
ApplicationException
ApplicationSettingsBase
+ArAdge
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Attribute
b=5B$?q
c6T;*o
ccc%```0^^^1^^^1^^^1^^^1^^^1^^^1]]]1]]]1]]]1]]]1^^^1^^^1^^^1]]]1^^^1]]]1]]]1]]]1]]]1]]]1]]]1]]]1]]]1]]\1\\\1\\\1\\\1\\\1\\\1\\\1\\\1\\\1\\\1\\\1\\\1[[[1[[[1[[[1[[[1[[[1[[[1\\\1[[[0MMM#---
.cctor
C%d]2?
CloseMainWindow
Compare
CompilationRelaxationsAttribute
CompressionMode
ComVisibleAttribute
Concat
Console
ContainsKey
_CorExeMain
CultureInfo
Default
DeflateStream
Dictionary`2
Dispose
DtQL	(
DWp#aK
?ehAJ8i
Encoding
Environment
Evidence
Exception
f4k:	m
files.resources
G	BpAG[e
GCHandle
GCHandleType
GeneratedCodeAttribute
get_Assembly
get_CurrentDomain
GetCurrentProcess
GetData
get_Default
get_EntryPoint
get_Evidence
GetExecutingAssembly
GetFolderPath
get_Length
get_MainWindowTitle
GetManifestResourceNames
get_Message
get_Name
GetObject
GetParameters
GetProcesses
get_ProcessName
GetString
GetTypeFromHandle
get_UTF8
GuidAttribute
<<<*>>>H999O999O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O888O999O555G
hAg}>7
H)JPel}
 -I0y.|@
IDisposable
InitializeArray
Invoke
IsMatch
~J6"P2
>J6T{0
)JS Fs
j	za3-G
k~~~k~~~k~~~k~~~k~~~k~~~k~~~k~~~k~~~k~~~k~~~k}}}k}}}k}}}k}}}k}}}k}}}k}}}k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||k|||kxxxbRRR;
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
:_KMQM
`{"kSVh
kUd0rV
%kXxby
L9ka<h
?}lfML
lJ!5$L_
LJH!hXO
(#LNZR
l[r?dE
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
lYCy15[
lz36:,'
L*$ZX-
Marshal
MemoryStream
MethodBase
MethodInfo
<Module>
Monitor
mscoree.dll
mscorlib
my pic
my pic.Scr
nameGuid
.netshrink
 .netshrink exe compressor loader
.netshrink stub
%]N|rt
\O6R~I
Object
offset
PADPADP
ParameterInfo
P+B~p~)i
PELock Software
PiL6T/
PoweredByAttribute
"Powered by SmartAssembly 6.7.0.239
Process
PtrToStructure
p*v#[z
Q~\d;"),
Q^=^Sd
 QVt=+g
ReadByte
ReferenceEquals
@.reloc
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
ResolveEventArgs
ResolveEventHandler
resourceField
resourceLength
ResourceManager
;rK7Mh
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
SE4sOW
    </security>
    <security>
SeekOrigin
SetData
set_Item
Settings
SettingsBase
SizeOf
SmartAssembly.Attributes
sOG!5	
SpecialFolder
SSS%JJJ/FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2FFF2HHH/+++ 
STAThreadAttribute
Stream
String
#Strings
stub_2.Properties
SuppressIldasmAttribute
Synchronized
System
System.CodeDom.Compiler
System.Collections.Generic
System.Configuration
System.Diagnostics
System.Globalization
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Policy
System.Text
System.Text.RegularExpressions
System.Threading
T7zrr^
!This program cannot be run in DOS mode.
Thread
ThreadStart
ToArray
ToLower
toz|s~
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
UInt32
u$%_vZ
v2.0.50727
value__
ValueType
vxi\	xp
w54sI\
wDAR_z
wk}juYc
wLoader
WrapNonExceptionThrows
WriteAllBytes
WriteLine
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XXX(kkkC]]]LYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYOYYYO^^^L>>>8
~xxxS666
<<<y%%%_
zzz-rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1rrr1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1qqq1ppp1ppp1ppp1ppp1qqq1kkk+666