Analysis Date: 2015-05-09 22:07:11
MD5: 60965ab231a40cb27ea1de6b5f5a7226
SHA1: 812b12ceab5836cb5fa3068c8fcea191e874b5ef

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 66228cbbbfee3ec25f1291bcc1e1682b sha1: 1bfe8cfdace40e5c72291f4dc9d3527715e9eef5 size: 45056
Section .rsrc md5: 18169f34ab8758acee06f5c451936179 sha1: 07bbbaedaa2b6634f180e2d7d8e644ff979d0406 size: 4096
Section .reloc md5: 6530745e3684d3fc2639c3db61c1a4fe sha1: 94af74b2574dd75453c0724bbfe5f253bec196a6 size: 4096
Timestamp: 2015-02-02 23:12:30
Version:
LegalCopyright: s7FAd58E
Assembly Version: 80.70.60.50
InternalName: 12l3bnae.exe
FileVersion: 80.70.60.50
CompanyName: Ww83Ftj
LegalTrademarks: d7MYj0q2
Comments: Zd27Jrf9
ProductName: d3EQy0s
ProductVersion: 80.70.60.50
FileDescription: Jn4p9TSf7k
OriginalFilename: 12l3bnae.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: ce88fe2d1c40b1678dcb85960140ba8aed65f3dc
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.191149
AV Alwil (avast): GenMalicious-CQL [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.191149
AV Authentium: W32/Trojan.KYXZ-9177
AV Avira (antivir): TR/Dropper.Gen
AV BitDefender: Gen:Variant.Kazy.191149
AV BullGuard: Gen:Variant.Kazy.191149
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r3
AV ClamAV: Win.Trojan.Bladbindi
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.191149
AV Eset (nod32): MSIL/Injector.AEC
AV Fortinet: W32/Generic!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Packed:MSIL/SmartIL.A
AV Grisoft (avg): MSIL6.BWSI
AV Ikarus: Trojan-Downloader.MSIL.Tiny
AV K7: Trojan ( 700000121 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.XTRat
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Kazy.191149
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: dw20.exe -x -s 272
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe\\x00
Creates File: PIPE\lsarpc

Process
↳ dw20.exe -x -s 272

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\14021.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\14021.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

Strings
>.
^
.
000004b0
12l3bnae.exe
80.70.60.50
Assembly Version
Comments
CompanyName
d3EQy0s
d7MYj0q2
FileDescription
FileVersion
FP2<FP2<?
HYaNYgNYwNY[NQ
$IK.Q
InternalName
Jn4p9TSf7k
LegalCopyright
LegalTrademarks
OriginalFilename
PF<2
ProductName
ProductVersion
s7FAd58E
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Ww83Ftj
Zd27Jrf9
0X-~A_Y
12l3bnae
12l3bnae.exe
/\1^3E5
1c3f5F7	9|;	=S?
1w3@5r
1Y3b5|7
24i+~J
2f4c6r8
3 ik&t
5,!9My{
.(5:B-
5e4C."8
6ex.0@
,<6wP=
7VUj `
80.70.60.50
&8B{<<Y
%9<52&
9^;j=z?
A5CyE{
add_ResourceResolve
AppDomain
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AsyncCallback
}_AvZP
b00a6cb37d2e4a8da89dd8d0f8b3d630
BeginInvoke
BitConverter
BlockCopy
bo+%;wM
Buffer
b!z#Q%
.cctor
ClearProjectError
Cm(dtZ
CompilationRelaxationsAttribute
CompressionMode
Concat
Contains
Conversions
Convert
_CorExeMain
CreateDecryptor
CreateProjectError
CryptoStream
CryptoStreamMode
d3EQy0s
d7MYj0q2
$d9bf4ce8-8cf3-4cea-aeb5-884941d36356
DateTime
dBY'\O
Decimal
DeflateStream
DelegateAsyncResult
DelegateAsyncState
DelegateCallback
DESCryptoServiceProvider
dmRZ\H
dyd\4^
eB*"CMW#
Encoding
EndInvoke
Environment
eqghom
Exception
Exists
'^)F+h-|/
F/!NU51
ForLoopControl
ForNextCheckDec
FromArgb
FromBase64String
\*g63	>
g d"N$\&b(_*
:^_g|E
GetBytes
get_Chars
get_CurrentDomain
GetDelegateForFunctionPointer
GetDirectories
GetEntryAssembly
get_EntryPoint
GetExecutingAssembly
get_Length
get_Location
GetManifestResourceNames
GetManifestResourceStream
GetModuleHandle
get_Name
get_Now
GetObject
GetParameters
GetProcAddress
GetProcessById
GetString
get_SystemDirectory
GetTypeFromHandle
get_UTF8
* g"O$
GuidAttribute
	H*6<3
ht$Jjgj
Hvf18*
$]&I(|*
IAsyncResult
ICryptoTransform
Intern
IntPtr
i^qStL
IxK5M$O?Q9SgU5
,i.z0	2u4Y6b8
j898l0
jA_m6.
Jl3hBd]
Jn4p9TSf7k
kernel32.dll
K-,+kQ
 k:M6js
k+pRR<
K"Zi~}#B
^#'"L!
lEm<e#7
lH`CWV
L!O#I%I'D)P+
{Ly(]t%
\ L"Z$K&
({*M,}.]0c2D4z
Marshal
MemoryStream
MethodBase
MethodInfo
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
>{Mj6 
m!O#c%K'Y)l+
mscoree.dll
mscorlib
MulticastDelegate
n d"M$\&
ObfuscationAttribute
ObjectFlowControl
(.o~kY
 *\om(
op_Equality
p47B'aQ
ParameterInfo
ParameterizedThreadStart
PkwDHh
Process
ProjectData
Q/AC9c
Q?B(SzF
@.reloc
ResolveEventArgs
ResolveEventHandler
ResourceManager
R/qn:r
`.rsrc
RuntimeCompatibilityAttribute
RuntimeTypeHandle
s7FAd58E
SetApartmentState
SetProjectError
sjhwm9
StandardModuleAttribute
STAThreadAttribute
#Strings
StripAfterObfuscation
SymmetricAlgorithm
System
System.Diagnostics
System.Drawing
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
SZ!H,zC
;T]1>`
t4d9sg
!This program cannot be run in DOS mode.
Thread
ToArgb
ToArray
ToChar
ToCharArray
$!ToFJ
ToGenericParameter
ToInt16
ToInt32
ToLower
ToString
U*he:v"
UInt32
US`nC4
v2.0.50727
Version
#w%^'E)|+J-h/
wI&<z%
WrapNonExceptionThrows
Ww83Ftj
x[\F\,
(X*n,G.
YanoAttribute
 |Y>vh
z3t7sx
#Z8>d0
Zd27Jrf9
Z_w(BAa