Analysis Date: 2013-10-27 04:10:18
MD5: 76ef61fe025bb32cfed4eb3972df4541
SHA1: 7c108c7dc1d7124fb58aaae75d2256977dc46fd4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: e41b21026ad7caeec358e3a64e437180 sha1: 32df316ba18fcfae5e841658cd6f92ac0932c15b size: 177664
Section: .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (avg): Worm/Generic2.BLRH
AV (avira): BDS/Backdoor.Gen

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{D21FBA4A-A9DD-6B8E-ACEE-BBB7BFCBBDEE}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Dir_drive_boot ➝
C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D21FBA4A-A9DD-6B8E-ACEE-BBB7BFCBBDEE}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dir_drive_boot ➝
C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\CJRMQL9OFD ➝
October 27, 2013\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\CJRMQL9OFD ➝
Blackshades\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dir_drive_boot ➝
C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\kymng.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Botmngr.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: CJRMQL9OFD

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\Botmngr.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Network Details:

DNS: qw5.no-ip.info
Type: A
83.109.252.93
DNS: 1qw5.no-ip.info
Type: A
Flows TCP: 192.168.1.1:1033 ➝ 83.109.252.93:3333
Flows TCP: 192.168.1.1:1034 ➝ 83.109.252.93:3333


Strings
PERS
SETTINGS
^^ >(>
^<$`&%
(@>:>$
0 Osi^
 0OtBp
0sL*#X
15dF8F91AEE<A
1E? ?#I!
1lT3gF
1-` mX
20C<|0d
2!@@2!
22A368949C0&
2\4a`N
|2$5%0j
2]	9r0
<2AP_u
2ccl=.
2>e%Xdq
2$S}|[\
`.@]2X
32EDE121D9E2m
3&	%3q
3456\r
$345)&Z
3>>F0d
3#hh+$
3l/A,7
 3ug3[%
%&'()*456789:CDEFGH
};4716
4%ATXfb
4[cv4=bGa
4H4sg%
4ot=B \l#
4(,$RD
4@r%WX
.4TM83$- 
4y,$FYl
!4yvT")
501E:9~
5Async?PWs
5D77PR	}
,5t)e,5]0
63^NJ5
647A4B6739316C4F5B5C5*14
6c1@ S
]>6 >d
6iH(Ldc
6o2&9X
6	u$Q,
6V2Ziz
^6 )w@#N
7033413Am
_	7.`2
774NE55*237X2
7b8x3 L
7EJ< MB
7_FACEBOOK_START
#7K_sy
7niffOS4
";`7YU
8&.-|2
@8BfsT
(8Hh)x
8[ R;Wlp
8tryl	
%'9`eD[
9i.3``h\n
9liWGr
a4.U}N
_.A5Q1
ab/pF)9
AddMsg
AddRef
adi)%Wr
AdjuFPi6{(jN
aE&`CL
A},H;,
*A'i-,*
ais{pQ
AiX8Kp^
alUpda
@ap)!R
Audio.
awuois=
={B <(
b07,k$
B2Ch=<H
b86mswin
bbx$3x[/
Bf>Z/._N
:`~*'bk
BlinkXk
`B]P:3>
+$]bQp
bss_ser'
BtKill
_ByF~)
c5;e`Q
c78t!G!9
;]C9HYH.
ca _2t
CallBaK
C^fADClifSteamGe
~>c G3
C@[I8P7
<Ciuqa
_cmdtf
C,mw>,t
Cnw^T)M_S
+C	=O/
Compzb
C:\Prog
CPvHf	+L
c(q[W-
((C$RH
CrypcImage
cSubClHi
C +/@U
cV$gDjp`
c{WD.0K:3
CZBj\TPpRiF(
d8>&8}4
D8HHeRSi
<Db2!'0E
d&Bzx\
D`d(,o
D@!<:F
d:f.C)G<
df"FC^Y
 ,<DL;
d@Ndll
:`dp`3
DragQuery
\d(#t\.
&dt&Le
?DUYl1X46&
dwh;&U
d@$X O
D$Z*VA
E4:|	"=
<e4ym5
`\ea*-
EFB$9$xU
E|ff&0
\eJstT
E/L7wW
E*n8<,
enmP]So
ep>2 '
e;Rq0Z
euH?,!t
EVENT_SINK_G
'EV?L_]
?e:-VS
ExitProcess
"E/$yEz
@:<F(:,
F062D2BD
{{F6E4ZF7C8
$F6I 8
fdddTTD|
F> FDD
fffxjhd>
ff`l<8
:FGL~m@
"f_h/)
 Files 
fkA7Dw
FK*hmC
fK+SF^
$,FLLe
#)$<Fo0
-f)pP&
f#(<pT6
fpy<JQ
frmMain
Fucrons
Fy.#fbv
f&yLlE
Fz'$jD
g	)$6_>
#(g##;A
\G\bo`
GcorWxD
gdyO"K
GetProcAddress
.;gf& 
*#GjMu
GLJ!ev
GO_r#	
GT!?	D:O
g`|^`U
GV)Dn]
GWSOCK
H0{g\2
|H7PB?%'
@HDd7/5
h' #FX
 hGed /$
hgp-*j`
Hor. ^
Hs/I\J
h{:tHzo
~hunk:
@HvLDC=B
H,V%p!<V
<HX5n2
HX[CZ4Y
.hXfX8
ibl2 '
icalDr'
ICK_DELA
ICk)S%
\I,f6s
~ijnGl
IJSTUVWXYZcdefg
_imgv`
InfoTO
in,&FS
?InvokeV
i^@p 7
IPqZLi
iqR=SU
iw .N`
\.i.Z$
jd?#b\
'+Ji/z
jO1ano
Jovbv)
J&tHSBC[
{jXKA^G
'J^&.Z
%&JZJhf
K]>1h-
@k>*1s
KERNEL32.DLL
KevA&	
 KI5GC
@Kjka)
kkW\+L8fI
koK6&?SCi
K+O']P
-k$(.S
:kw/AH%
L2 #<DD
Lau&hF/[
L&d/O<pm
>lEngheMk
LHOc3f
L/jmm! 
lKr*X-
Lla+(B
l!!m"`:6PH
	l n8s
l-n/on
LoadLibraryA
LT6"%'@
ly_;}-
L)^Y"aA
=#/`-m
M120A,
m1' lL'
m\2^l]
_@$_m4
m	5N{a
mC';w(
Me_."B
^__^Mkok$P
mm9UCn
	mMl%6`
!MOppzC
mOX9Ex
mR.aw/
mr{r<0/_.
M=Rvri
MS SaX
$MsU?hdT
\msvbvm60
MSVBVM60
MSVBVM60.DLL
Multi.{
Mv#(i(
%Mw Y3
M&Xu%:]
N' ~0~%
"N2]F|
*N2  p
&#<-N4i
NG5L@7
"NGZdN[
NJ:'`rJ
N=>KEM
NLOGON/_B
/N+M}.
>nn1Z]
Nn(_;M^
N'p\lor
n_r\'//]
O!`32@(7
*o6DBD
*O8^.N
-obh.&
oCHAT_ADDMSG
Of'WJN
Okf	Q4
$$$ONn
ook?RS`curity
op-/E:
oPlPb!VA*(G
:or+oM
OSol/d
os#+Om
oT<]'W
oXCCdC?4
 OX~P8
*(?|&^P
p5HBITMAP
paupQValu
'PAwPY
pb`33;6
Peekxo
;*PF6_
picThumb
<pjGom7
!"PlXM
PMY7,9]
ppDD*	
ppIn`T
pPOp1`
PRINT_
\PS.}h
_)pXQS
`Q/,}4l^
=Q6IR1/2sm
q%$/(dK
q$fhqf"
Q+%h0SQj
q$nUHVS
QOo'/N
'q:Q3x
 Q+t:+
queezer/
$]^QZ4
Qz[=kAAl
"\$r/ 
-R%~,0
.r@_0Zr
`r4B`(0
r!67p 
r8jY?Q\g\
)$(R9d
r%9Ma<
raTagg
rAUb9]^9t]
R/D-j7
Rd:\SysWOW64\`
RH]I*A
ri0P$PHG
rI0vk1
rJvj_Vd
rLntlt
rm@{o*"9z5
<R;pja
rR9vzC
r rap 
#;R$rIs
'rrJs-%/r
<s20Hu
s/\4-CRf^
=s7&I;
SCManPr
s:.cpV
Screensho
SER_FB77i
's<e/SrcLef]
%S|G?GTI\
si.x$,
SN.Lx&
Socket
sOuQ|2E6
SrjGz'
|`'Sr@:X
>("SS=
s the p@
STRUCTIO
\.s,.ts
stV&y<
sxhD#H
`: ,,T
T2%C$O
t)5H%a"
TAad<l0
_tar@N
T	!'B@j
T&dHH8Hi
TdT4E,
TEgw *
:tf6i:a
	_Tg5Ik6O
!This program cannot be run in DOS mode.
TIyEhG8kiL
`${TjC
:;tkEe}
tmrLivLogg+
t'#ON@
?TorrentS
TPLHD@y
tp-M/,
tPp=+7Z
.T__qn
tQOh7 \a`
T r%9<
tR	-Pn
Tvs\Gi!
TWTask
t#&XP[
=t#YN=l
)uHR2\?`
uk@vG@
Un@cvssPATH_WIL
UrlCache
URLDVnl
US9j<Q&
 usiid
/u"vcG
uY_:ScanLz
va<@N>K
v.Bf&|
vBIV9*O
vf`M1P
V$[hn{
vIcwf[i/
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
<vJhG,
$vMX\Hh}
!`)vn_6
VPkQI%E
VUc!V_0
V$wN$N${wb;7
vzC{F2
@W0b&F
W4Xb"Jg
WAcquG
wapMo~
&WdglL
_WebHide
*WH^)\<u
Wk.Z_*6
wLBW_`6
WloseHandJ
-_WMqo
^)w*n]
Wp&p39
w>:`py
Wr%3s[
W]SodZG
W|VwCtl~ebBrow
{WWdv;
&/WX&l
w@z,v0
{X\,^($
x0Mr2;
)\,x_7
(x86)\Mic*soft Visual St
x'%capG
>)X<c	q.
Xe^gDJ
}\xEm>
X"")fv.:
<xhXH^
XJB:,v
X'jm P
XOOOX2:Y
x(!PB~SeI
XPTPSW
 x>qmPH
X_<'qUSHG
x/Rr@M<7
=xscii'h
x-t_;2
XT,iPt
xt.&l&
+XT<L*c
/X@XH11iN\$:U
 y0vWJ%q!
y<840,&
@Y'a6t
yGrabbOg	V
Y@J\cD
 Yk/ quast
YLLSYjNH8g4f
YP+:S@@"3
-!yQrv
Y:ts_CDRMi
YtSd `\
yW/JoP
Yx0:M5
YXF?xw
y|xtHP
Z0Z0[ Z
Z|+:4	
z!%)5TZ
|z\\98
zaaj{dw,]
(zB;,m
'ZOd*-
ZoM7Pn`
Zp@urYp
Z$}tw3
ZV5|He
zw&ap@