Analysis Date: 2014-06-16 11:58:34
MD5: 3a3f3cd2fd5f9f45436f73568aa2437d
SHA1: 83fcfc07731b41233398960e53be4afe7a7e4e9a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 999278d97b0b1744a139df434a2f825d sha1: 5b835dbf015f00cc04ec5070e8d5efa29f4e976e size: 42496
Section .rsrc: md5: e6bddab8cfc5a0b85c6b2404ef045c60 sha1: 8d79534c4ad75b869f40d7a706a5ca386c714e52 size: 1024
Section .reloc: md5: 75abd9d43cd0ebbfe45379ad57ccb844 sha1: d56e6cfc704e2fb2fbbce18a977e96d1ff5b224b size: 512
Timestamp: 2013-11-13 16:17:08
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: e2600d1e2d08448bdd09999e157e28ccc242d945
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV 360 Safe: Gen:Variant.Barys.15242 / Gen:Variant.Barys.13841
AV Ad-Aware: Gen:Variant.Barys.13813
AV Alwil (avast): Agent-ANE [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/MSIL_Troj.AP.gen!Eldorado
AV Avira (antivir): TR/Spy.Gen8
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Bladabindi.A3
AV ClamAV: WIN.Trojan.Bladabindi-1
AV Dr. Web: Win32.HLLW.Autoruner.25074
AV Emsisoft: Gen:Variant.Barys.13841
AV Eset (nod32): MSIL/Bladabindi.O
AV Fortinet: MSIL/Agent.PPW!tr
AV Frisk (f-prot): W32/MSIL_Troj.AP.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Barys.14767 / Gen:Variant.Barys.15242
AV Grisoft (avg): MSIL.AP
AV Ikarus: Trojan.Agent
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot.MSIL
AV Mcafee: Trojan-FAUE!3A3F3CD2FD5F
AV Microsoft Security Essentials: no_virus / Backdoor:MSIL/Bladabindi.AA
AV MicroWorld (escan): Gen:Variant.Barys.13841 / Gen:Variant.Barys.9285
AV Norman: winpe/Bladabindi.HY
AV Rising: no_virus
AV Sophos: Mal/MSIL-FE
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_BLADABI.SMC
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\ecc7c8c51c0850c1ec247c7fd3602f20\US ➝ !\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" ..\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe
Creates File: \Device\Afd\Endpoint
Creates Process: dw20.exe -x -s 260
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" "windows.exe" ENABLE
Creates Mutex: ecc7c8c51c0850c1ec247c7fd3602f20
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Winsock DNS: shady22012.on-ip.biz

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" "windows.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe:*:Enabled:windows.exe\\x00
Creates File: PIPE\lsarpc

Process
↳ dw20.exe -x -s 260

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1365D.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1365D.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: shady22012.on-ip.biz (type A) ➝ 208.73.211.236
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.236:1177
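The runtime and network events above are the indicators a responder would hunt for: one 32-hex identifier reused as a registry key under HKCU\Software, as the Run value name in both HKCU and HKLM, as the Startup-folder file name and as the mutex name; a netsh firewall exception for the dropped windows.exe; SEE_MASK_NOZONECHECKS=1 written to the user's environment; and a DNS lookup followed by a TCP flow to port 1177. The Python script below is an added example, not part of the sandbox report or of the sample. It parses a constructed one-event-per-line transcription of those events (the report's arrow written as ASCII "->", trailing NULs dropped) into structured IOCs and finds the identifier that pivots across artifact types. The dw20.exe events are left out on purpose: dw20.exe is the .NET error-reporting tool that runs when a managed process throws an unhandled exception, so its dump (1365D.dmp, dw.log) and index.dat writes are reporting activity rather than sample behaviour (a note added here, not a statement of the report).

```python
import re
from collections import defaultdict

# Constructed one-event-per-line transcription of the runtime events listed in the report
# (ASCII "->" stands for the report's arrow; trailing NULs dropped). Sample input for this
# example only; it is not the sandbox's native export format.
EVENTS = r"""
Registry: HKEY_CURRENT_USER\Software\ecc7c8c51c0850c1ec247c7fd3602f20\US -> !
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS -> 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe"
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 -> "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" ..
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 -> "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" ..
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe" "windows.exe" ENABLE
Creates Mutex: ecc7c8c51c0850c1ec247c7fd3602f20
Creates Mutex: Global\.net clr networking
Winsock DNS: shady22012.on-ip.biz
Flows TCP: 192.168.1.1:1032 -> 208.73.211.236:1177
"""

RUN_KEY = re.compile(
    r"^Registry: (HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(\S+) -> (.*)$")
STARTUP_FILE = re.compile(r"^Creates File: (.*\\Start Menu\\Programs\\Startup\\[^\\]+)$")
NETSH_ALLOW = re.compile(r'^Creates Process: netsh firewall add allowedprogram "([^"]+)"')
MUTEX = re.compile(r"^Creates Mutex: (.+)$")
DNS = re.compile(r"^Winsock DNS: (\S+)$")
TCP_FLOW = re.compile(r"^Flows TCP: \S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
NO_ZONE_CHECK = re.compile(r"^Registry: HKEY_CURRENT_USER\\Environment\\SEE_MASK_NOZONECHECKS -> 1$")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def extract_iocs(events):
    """Pull persistence, firewall-tampering and C2 indicators out of the event lines."""
    iocs = {"run_keys": [], "startup_files": [], "firewall_allowed": [],
            "mutexes": [], "dns": [], "c2": [], "zone_check_disabled": False}
    for line in events.strip().splitlines():
        if m := RUN_KEY.match(line):
            # Value is '"<path>" ..' in the report; keep only the bare path.
            iocs["run_keys"].append((m.group(1), m.group(2), m.group(3).strip(' ."')))
        elif m := STARTUP_FILE.match(line):
            iocs["startup_files"].append(m.group(1))
        elif m := NETSH_ALLOW.match(line):
            iocs["firewall_allowed"].append(m.group(1))
        elif m := MUTEX.match(line):
            iocs["mutexes"].append(m.group(1))
        elif m := DNS.match(line):
            iocs["dns"].append(m.group(1))
        elif m := TCP_FLOW.match(line):
            iocs["c2"].append((m.group(1), int(m.group(2))))
        elif NO_ZONE_CHECK.match(line):
            # SEE_MASK_NOZONECHECKS=1 suppresses the zone (mark-of-the-web) prompt for
            # files launched via ShellExecute from this environment.
            iocs["zone_check_disabled"] = True
    return iocs


def pivot_identifiers(events):
    """Map every 32-hex token to the event categories it appears in.

    A token reused across registry, file and mutex artifacts is the sample's own
    marker and the strongest single pivot for host hunting."""
    seen = defaultdict(set)
    for line in events.strip().splitlines():
        category = line.split(":", 1)[0]
        for token in HEX32.findall(line):
            seen[token].add(category)
    return {tok: sorted(cats) for tok, cats in seen.items() if len(cats) > 1}


if __name__ == "__main__":
    for key, value in extract_iocs(EVENTS).items():
        print(f"{key}: {value}")
    print("pivot identifiers:", pivot_identifiers(EVENTS))
```

On a live host the same identifier would be checked in the Run keys of both hives, in the user's Startup folder, in the mutex list of running processes, and in the firewall AuthorizedApplications list written by netsh; the script only shows how to derive that set from the report.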

Strings

1177
Arguments
Available
BeginErrorReadLine
BeginOutputReadLine
CapsLock
ClassesRoot
Client
cmd.exe
cmd.exe /k ping 0 & del "
Connect
Connected
Contains
CreateInstance
CreateNoWindow
CreateShortcut
CreateSubKey
/c start 
CurrentUser
Data
`+Dc
;@+DC
\DefaultIcon\
DeleteSubKey
DeleteSubKeyTree
DeleteValue
Directory
Disconnect
Dispose
DownloadData
ecc7c8c51c0850c1ec247c7fd3602f20
 ENABLE
EnableRaisingEvents
.exe
 & exit
" & exit
&explorer /root,"%CD%
False
FileName
FullName
GetSubKeyNames
GetValue
GetValueKind
GetValueNames
IconLocation
Info
Kill
length
Length
.lnk
LocalMachine
MainWindowTitle
Microsoft
Name
netsh firewall add allowedprogram "
OpenSubKey
OSFullName
Poll
Position
ProcessName
Read
Receive
ReceiveBufferSize
ReceiveTimeout
RedirectStandardError
RedirectStandardInput
RedirectStandardOutput
Registry
Replace
Save
Send
SendBufferSize
SendTimeout
SetValue
SGFjS2Vk
shady22012.on-ip.biz
ShiftKeyDown
S`kt{
Software\
Software\Classes\
StandardInput
start
Start
StartInfo
SystemDrive
TargetPath
temp
TEMP
ToArray
True
U0VFX01BU0tfTk9aT05FQ0hFQ0tT
Users
UseShellExecute
WaitForExit
 Win
Windows
windows.exe
WindowStyle
WorkingDirectory
Write
WriteLine
WScript.Shell
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
Activator
add_ErrorDataReceived
add_Exited
AddObject
add_OutputDataReceived
add_SessionEnding
AndObject
Application
ApplicationBase
AppWinStyle
</assembly>
Assembly
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
avicap32.dll
BitConverter
Bitmap
Boolean
capGetDriverDescriptionA
.cctor
ChangeType
ClearProjectError
Collection
Command
CompareMethod
CompareObjectEqual
CompareObjectLessEqual
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
CompressionMode
Computer
ComVisibleAttribute
Concat
ConcatenateObject
ConditionalCompareObjectEqual
ConditionalCompareObjectGreater
Contains
Conversion
Conversions
Convert
CopyFromScreen
CopyPixelOperation
_CorExeMain
CreateInstance
Create__Instance__
CreateObject
Cursor
Cursors
DataReceivedEventHandler
DateTime
DebuggerHiddenAttribute
DebuggerStepThroughAttribute
Delete
Directory
DirectoryInfo
Dispose
Dispose__Instance__
DriveInfo
DriveType
EditorBrowsableAttribute
EditorBrowsableState
EmptyWorkingSet
Encoding
EndApp
EndsWith
Environ
Environment
EnvironmentVariableTarget
Equals
EventArgs
EventHandler
Exception
Exists
FileAttributes
FileInfo
FileSystemInfo
FromBase64String
FromImage
GeneratedCodeAttribute
GetAsyncKeyState
GetAttributes
get_Bounds
GetBytes
get_Capacity
get_Chars
get_Count
get_Current
GetCurrentProcess
get_CurrentThread
get_Default
GetDirectories
get_Directory
GetDrives
get_DriveType
GetEnumerator
get_ExecutablePath
GetExecutingAssembly
GetExtension
get_FileName
GetFiles
GetFolderPath
GetForegroundWindow
get_GetInstance
get_Handle
GetHashCode
get_Height
get_Id
GetInstance
get_IsReady
get_Item
get_Jpeg
GetKeyboardLayout
GetKeyboardState
get_LastWriteTime
get_Length
GetLocaleInfo
get_LocalTime
get_Location
get_MachineName
get_MainModule
get_MainWindowTitle
get_Message
get_Name
GetObjectValue
get_OSVersion
get_Parent
get_Position
get_PrimaryScreen
GetProcessById
GetProcesses
get_ProcessName
get_ServicePack
GetString
GetThumbnailImage
GetThumbnailImageAbort
get_TotalFreeSpace
GetType
GetTypeFromHandle
get_UserName
get_UTF8
GetValue
GetVolumeInformationA
get_Width
GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
Graphics
GZipStream
HelpKeywordAttribute
HideModuleNameAttribute
IDisposable
IEnumerable
IEnumerator
ImageFormat
IndexOf
instance
Interaction
IntPtr
kernel32
kernel32.dll
Keyboard
LateCall
LateGet
LateIndexGet
LateIndexSetComplex
LateSet
LateSetComplex
List`1
LocalMachine
MapVirtualKey
MemoryStream
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.Win32
MoveNext
mscoree.dll
mscorlib
m_ThreadStaticValue
My.Application
My.Computer
MyGroupCollectionAttribute
MyTemplate
My.User
MyWebServices
My.WebServices
NewLateBinding
NtSetInformationProcess
Object
OpenExisting
OpenSubKey
op_Equality
OperatingSystem
Operators
op_Explicit
OrObject
ParameterizedThreadStart
Process
ProcessModule
ProcessWindowStyle
ProjectData
Random
Randomize
ReadAllText
Rectangle
Registry
RegistryKey
@.reloc
Remove
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
Screen
    </security>
    <security>
SelectMode
SessionEndingEventArgs
SessionEndingEventHandler
set_Attributes
SetAttributes
SetEnvironmentVariable
SetProjectError
SocketFlags
SpecialFolder
StandardModuleAttribute
StartsWith
STAThreadAttribute
StrDup
Stream
String
StringBuilder
Strings
#Strings
Substring
SubtractObject
System
System.CodeDom.Compiler
System.Collections
System.Collections.Generic
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.Drawing
System.Drawing.Imaging
SystemEvents
System.IO
System.IO.Compression
System.Net
System.Net.Sockets
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
System.Threading
System.Windows.Forms
TcpClient
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStart
ThreadStaticAttribute
ToArray
ToBase64String
ToBoolean
ToInt32
ToInteger
ToLower
ToString
ToUnicodeEx
ToUpper
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
user32
user32.dll
v2.0.50727
VBMath
WebClient
WrapNonExceptionThrows
WriteAllBytes
WriteAllText
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
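Two entries in the strings dump, SGFjS2Vk and U0VFX01BU0tfTk9aT05FQ0hFQ0tT, are base64 rather than identifiers (the assembly also references FromBase64String and ToBase64String). The Python below is an added example, not tooling from the report. It runs a strict base64 filter over a constructed subset of the strings above, rejecting ordinary names such as LocalMachine that are valid base64 but decode to non-printable bytes, and cross-references the results against the registry paths written at runtime. It decodes U0VFX01BU0tfTk9aT05FQ0hFQ0tT to SEE_MASK_NOZONECHECKS, which matches the HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS write recorded in the Runtime Details, and SGFjS2Vk to HacKed, for which the report records no corresponding runtime activity.

```python
import base64
import binascii
import re

# Constructed subset of the Strings section of the report; entries copied from the dump.
SAMPLE_STRINGS = [
    "1177",
    "cmd.exe /k ping 0 & del \"",
    "LocalMachine",
    "netsh firewall add allowedprogram \"",
    "SGFjS2Vk",
    "shady22012.on-ip.biz",
    "ToBase64String",
    "U0VFX01BU0tfTk9aT05FQ0hFQ0tT",
    "windows.exe",
]

# Registry paths written at runtime (copied from the Runtime Details), used for cross-referencing.
RUNTIME_REGISTRY_PATHS = [
    r"HKEY_CURRENT_USER\Software\ecc7c8c51c0850c1ec247c7fd3602f20\US",
    r"HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS",
]

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_decode_base64(s, min_len=8):
    """Return the plaintext if s is canonical base64 of printable ASCII, else None.

    Three filters weed out identifiers that merely look like base64: alphabet and
    length (multiple of 4, at least min_len), a strict decode plus re-encode round
    trip, and a printable-ASCII payload check."""
    if len(s) < min_len or len(s) % 4 or not B64_ALPHABET.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode("ascii") != s:
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def decode_strings(strings):
    """Map each base64-looking entry of a strings dump to its decoded plaintext."""
    found = {}
    for s in strings:
        text = try_decode_base64(s)
        if text is not None:
            found[s] = text
    return found


def match_runtime_registry(decoded, registry_paths):
    """Tie decoded strings back to registry value names touched at runtime."""
    return {text: [p for p in registry_paths if p.rsplit("\\", 1)[-1] == text]
            for text in decoded.values()}


if __name__ == "__main__":
    decoded = decode_strings(SAMPLE_STRINGS)
    for encoded, text in decoded.items():
        print(f"{encoded} -> {text}")
    for text, paths in match_runtime_registry(decoded, RUNTIME_REGISTRY_PATHS).items():
        print(f"{text}: {'matches ' + paths[0] if paths else 'no runtime registry match'}")
```

The round-trip check matters on strings dumps: many .NET metadata names are 8 or 12 characters from the base64 alphabet and would otherwise produce binary noise that looks like a decoded secret.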