Analysis Date: 2015-03-28 20:03:18
MD5: cf2b736483108aa78dceacf9e56612dc
SHA1: 859093d5d6b2305f4aeb3304932eb4377adbebe9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: ceb6d3b4edb1455920c550ff013ff8d7 sha1: 3bc701e9a154432eeaf581a561c7cb191585150a size: 188416
Section .rdata — md5: e45d5f04460fbd3dc233d2f0f078738c sha1: a041d370852bba6a500fd366b5fb3648b543af7a size: 24576
Section .data — md5: 94a38ebd12eeaff0a53b5126f2e63640 sha1: 48879b88ddeb6c50ff2ceee789cb6f878dbe0377 size: 53248
Section .vrehskh — md5: 8817b551f71797f60c34e8e38046f6ed sha1: 1fe537505e09583bedf5f39b7abd648413d8c727 size: 16384
Section (unnamed) — md5: 0aac2aa70a6be936e1b1ebfe7274a829 sha1: 1fc753642201e8a40d30ca5de8aa91a52c219e4d size: 12288
Note: the non-standard section name ".vrehskh" and the trailing unnamed section are typical packer/crypter artifacts (Avast's "HBPECrypt" verdict below points the same way), so static strings and imports may be incomplete until the sample is unpacked.
Timestamp: 2106-02-07 06:28:15 (UTC). This equals 0xFFFFFFFF seconds since the Unix epoch, i.e. an invalid/forged PE compile timestamp — do not use it to date the build; treat it as a further tampering indicator.
PEhash: 0bd49b1227068718d1f70e769322c33614a490da
IMPhash: 88b4b608aa3ea9b49dd9e6cfaae4f961 (the import hash is the better pivot for finding related builds of this family, since it survives changes that alter the file hashes)
AV 360 Safe: no_virus
AV Ad-Aware: Generic.Sdbot.D3A63F8D
AV Alwil (avast): HBPECrypt [Wrm]
AV Arcabit (arcavir): Generic.Sdbot.D3A63F8D
AV Authentium: W32/Agobot.gen
AV Avira (antivir): Worm/AgoBot.LY
AV BullGuard: Generic.Sdbot.D3A63F8D
AV CA (E-Trust Ino): Win32/Agobot
AV CAT (quickheal): no_virus
AV ClamAV: Worm.Mytob.GE
AV Dr. Web: Win32.HLLW.Agobot
AV Emsisoft: Generic.Sdbot.D3A63F8D
AV Eset (nod32): Win32/Agobot
AV Fortinet: W32/AgoBot.fam!worm
AV Frisk (f-prot): W32/Agobot.gen
AV F-Secure: Generic.Sdbot.D3A63F8D
AV Grisoft (avg): Exploit.CVE-2009-3129
AV Ikarus: Backdoor.Win32.Agobot
AV K7: Backdoor ( 04c4d47a1 )
AV Kaspersky 2015: Backdoor.Win32.Agobot.gen
AV MalwareBytes: no_virus
AV Mcafee: W32/Polybot.gen!irc
AV Microsoft Security Essentials: Worm:Win32/Gaobot
AV MicroWorld (escan): Generic.Sdbot.D3A63F8D
AV Rising: Worm.Mytob.hf
AV Sophos: Error Scanning File
AV Symantec: W32.Gaobot.gen!poly
AV Trend Micro: WORM_AGOBOT.GEN
AV VirusBlokAda (vba32): Backdoor.Agobot
Consensus: the Agobot/Gaobot (Sdbot-lineage) IRC worm/backdoor family, in a packed or polymorphic build (Avast "HBPECrypt", Symantec "!poly"). Outliers: AVG's "Exploit.CVE-2009-3129" names an Excel file-format bug and cannot apply to a PE32 worm — treat it as a generic mis-label, not as evidence of exploit capability; Sophos returned a scan error rather than a verdict; the three no_virus results are misses, not evidence that the file is clean.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\winsvc32.exe
Creates Process: C:\WINDOWS\system32\winsvc32.exe -meltserver "C:\malware.exe"
Note: the sample copies itself into system32 as winsvc32.exe and launches that copy with its own original path as an argument; the copy later deletes C:\malware.exe (see "Deletes File" below), so the original disappears and the artifact to hunt for on a host is winsvc32.exe in system32 (a name chosen to look like a Windows component — it is not one).

Process
↳ C:\WINDOWS\system32\userinit.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝
1

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Note: userinit.exe, Explorer.EXE (with its routine SessionInformation\ProgramCount update) and the Acrobat reader_sl.exe speed launcher look like ordinary logon/background activity of the sandbox image; nothing in this report ties them to the sample, so they should not be read as indicators.

Process
↳ C:\WINDOWS\system32\winsvc32.exe -meltserver "C:\malware.exe"

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Generic Services ➝
winsvc32.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Generic Services ➝
winsvc32.exe
Note: persistence is a Run value named "Windows Generic Services" whose data is the bare file name winsvc32.exe (resolved through the system32 search path). The RunServices key is only honoured by Windows 9x/ME and is inert on NT-based Windows, so the Run value is the one that matters for removal; the value name itself is a usable registry detection.
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Note: Agobot/Gaobot variants commonly rewrite the hosts file to black-hole AV and update sites; the report does not capture the written contents, so inspect and restore the hosts file on any infected host. A hosts-file write by a binary in system32 other than the OS is itself worth alerting on.
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Note: the lsarpc pipe open is consistent with the LSA privilege lookup (LookupPrivilegeValueA/AdjustTokenPrivileges) and NetAPI calls listed in the strings section, though the report does not show which call triggered it; the two Afd device handles are plain socket creation (WSASocketA).
Deletes File: C:\malware.exe

Network Details:

DNSverio.fr
Type: A
213.198.86.8
DNSwww1.belwue.de
Type: A
129.143.232.10
DNSwww.stanford.edu
Type: A
54.68.215.134
DNSwww.stanford.edu
Type: A
54.149.81.175
DNSwww.stanford.edu
Type: A
54.200.229.9
DNSburst.net
Type: A
108.162.200.229
DNSburst.net
Type: A
141.101.127.228
DNSyahoo.co.jp
Type: A
182.22.59.229
DNSyahoo.co.jp
Type: A
183.79.135.206
DNS: irc.superjew.org
Type: A (no address recorded in this capture)
DNS: www.belwue.de
Type: A (no address recorded in this capture)
DNS: www.burst.net
Type: A (no address recorded in this capture)
DNS: www.st.lib.keio.ac.jp
Type: A (no address recorded in this capture)
Note: irc.superjew.org is the only queried name that is not a well-known public web host; given the IRC-bot family verdicts above (e.g. McAfee's "!irc" suffix) it is the likely C2 rendezvous and the indicator to block and alert on. It did not resolve during this run, so no IRC traffic or bot commands were observed and the post-connect behaviour remains unknown.
HTTP POST: http://verio.fr/
User-Agent: (empty)
HTTP POST: http://www.belwue.de/
User-Agent: (empty)
HTTP POST: http://www.stanford.edu/
User-Agent: (empty)
HTTP POST: http://www.burst.net/
User-Agent: (empty)
HTTP POST: http://yahoo.co.jp/
User-Agent: (empty)
Flows: TCP 192.168.1.1:1034 ➝ 213.198.86.8:80
Flows: TCP 192.168.1.1:1035 ➝ 129.143.232.10:80
Flows: TCP 192.168.1.1:1036 ➝ 54.68.215.134:80
Flows: TCP 192.168.1.1:1037 ➝ 108.162.200.229:80
Flows: TCP 192.168.1.1:1040 ➝ 182.22.59.229:80
Note: the five POSTs go to large public web hosts with an empty User-Agent header; Agobot-family bots commonly use such hosts for connectivity/bandwidth probing, so these domains and addresses should not be treated as C2 indicators. An outbound POST with an empty User-Agent from winsvc32.exe is the more useful detection. 192.168.1.1 is the sandbox guest's own address, not an external IOC.

Raw Pcap

Strings
Notable entries in the list below, with what their names suggest (the binary was not reversed for this report, so treat these as leads to confirm): hook_api, patch_table, disasm_opcode, _do_stealth, _stealthcode_start/_end and the paired _orig_/_new_ entries for EnumServicesStatusA/W, FindFirstFileExW, FindNextFileW, LdrGetDllHandle, NtQuerySystemInformation and NtResumeThread point to user-mode API hooking — the enumeration hooks would hide the bot's service, files and process from listings, and an NtResumeThread hook is a common way to carry the hooks into newly created processes — so on an infected host verify listings from a clean boot or offline image. NetShareEnum, NetUserEnum, NetUseAdd/NetUseDel, WNetAddConnection2A/W, NetScheduleJobAdd, NetRemoteTOD and CopyFileA are the classic network-share spreading toolkit (map a share, copy the binary, schedule it to run), so neighbouring hosts with weak share credentials are at risk. CreateServiceA/ChangeServiceConfig2A/StartServiceCtrlDispatcherA with AdjustTokenPrivileges/LookupPrivilegeValueA indicate service installation and privilege adjustment; EnumProcesses/GetModuleBaseNameA/TerminateProcess allow killing selected processes. The pe_*, mz_*, ex_* and oe_* field sets, get_kernel_base, k32_calc_hash and the *_get_proc_address helpers form a self-contained PE/export parser with hash-based API resolution, typical of a packer stub or injected code. The long runs of "H" and "f" characters and the short symbol fragments are most likely padding or crypted data rather than meaningful text.
.................................................
.....
.....................
...
................)................$..
.................
..................
...............
.....
.
.
...........................
...
.
..
..~...........................................
.
....
.......
.......
........
....
.
...
...
..........................................................................................
.....................
..
..
.............
...x..........
..................
.........
................................................................................
....
.................................
...................................................................
.............
.......
...
.
.
...........................
.H......................@..............
 
 
 

#,'!#,#,'!#,#,#,#,
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
:1_\)!
??1exception@@UAE@XZ
??1type_info@@UAE@XZ
??2@YAPAXI@Z
3:8641
??3@YAXPAX@Z
474688
4::8897
494::8
.~4B>!
)+4wc 
52(tO	
++5$4 
5:,HHHH
5i8EA,
79 9:2
_acmdln
_adjust_fdiv
AdjustTokenPrivileges
ADVAPI32.dll
advapi_get_proc_address
afffff
afffffffff
afffffffffffff
aHHHHHHHHHHHHHHHHHHH
AllocConsole
_ascii_name_match
B`_\)!
B`:<4 
B`:<4,
B`:<4:
_both_names_match
"b(t35
calloc
ChangeServiceConfig2A
CloseHandle
CloseServiceHandle
cmp_kernel32
_controlfp
ControlService
CopyFileA
Cp]^YX
CreateEventA
CreateFileA
CreateFileMappingA
CreateNamedPipeA
CreateProcessA
CreateServiceA
CreateThread
__CxxFrameHandler
_CxxThrowException
@.data
_dd_FindClose	__ff_exit
_dd_GlobalFree
DeleteFileA
DeleteService
__d_exit
disasm_opcode
__dllonexit
DNSAPI.dll
DnsQuery_A
_do_stealth
__ds_seh_done
__ds_seh_error
__ds_seh_init	__ds_exit
Ec$:#$:
_EH_prolog
__enum_cycle
__enum_exit
__enum_found
EnumProcesses
EnumProcessModules
__enum_retry_hideserv
EnumServicesStatusA
__enum_skipcpy
_errno
ex_addresstablerva
_except_handler3
ex_datetime
ex_flags
ExitProcess
ExitWindowsEx
ex_major_ver
ex_minor_ver
ex_namepointersrva
ex_namerva
ex_numoffunctions
ex_numofnamepointers
ex_ordinalbase
ex_ordinaltablerva	ex_struct
ExpandEnvironmentStringsA
fclose
ff_attr
ffffff
fffffff
ffffffff
ffffffffff
fffffffffff)
ffffffffffff
fffffffffffff
ffffffffffffff
ff_fullname
fflush
ff_shortname
ff_size
ff_size_hi
ff_struc
ff_time_create
ff_time_lastaccess
ff_time_lastwrite
find_base_cycle
fprintf
FreeConsole
FreeLibrary
fwrite
get_any_dll_addr
get_any_dll_addr_cycle	find_base
GetComputerNameA
GetCurrentProcess
GetCurrentThread
get_kernel_base
GetLastError
__getmainargs
GetModuleBaseNameA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetUserNameA
GetVersionExA
ggd	SM1
G<!ld(m^\
GlobalMemoryStatus
__ha_disasm_cycle	__ha_exit
:	HHHH
!HHHH!
"HHHH**5
HHHHE>
HHHHE*
HHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHt
`:!HHHHK
hook_api
InitializeSecurityDescriptor
_initterm
iphlp_get_proc_address
isdigit
k32_calc_hash
k32man_get_proc_address	k32man_x1
k32_name_found
k32_return
k32_return_0
k32_search_cycle
kernel32
KERNEL32.dll
__k_exit
kHHHHHHHHHHHHHHHHHHHH
__k_not_found
__k_seh_exit
__k_seh_init	__k_cycle
Lgele{}y
load_ADVAPI
load_IPHLP
LoadLibraryA
load_NTDLL
LookupPrivilegeValueA
malloc
MapViewOfFile
_match_eax
_match_retn
mbstowcs
_memccpy
memchr
memcmp
memcpy
memmove
memset
_mem_write
MPR.dll
MSVCP60.dll
MSVCRT.dll
MultiByteToWideChar
__mw_exit_err
__mw_exit_whatever
mz_cs	mz_relptr	mz_ovrnum
mz_csum
mz_hdrsize	mz_minmem	mz_maxmem
mz_last512	mz_num512	mz_relnum
mz_neptr
mz_struc
NETAPI32.dll
NetApiBufferFree
NetRemoteTOD
NetScheduleJobAdd
NetShareEnum
NetUseAdd
NetUseDel
NetUserEnum
_new_EnumServicesStatusA
_new_EnumServicesStatusW
_new_FindFirstFileExW
_new_FindNextFileW	__fn_exit
_new_LdrGetDllHandle
_new_NtQuerySystemInformation
_new_NtResumeThread
"n(+t'
ntdll_get_proc_address
__ntq_cycle
__ntq_exit
__ntq_found
__ntq_lastentry
__ntq_next
__ntq_next2
__ntq_x1
__ntq_x2
ODBC32.dll
oe_flags
oe_name
oe_phys_offs
oe_phys_size
oe_struc
oe_virt_rva
oe_virt_size
oe_xxx
_onexit
op{b"=
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OpenThreadToken
_orig_EnumServicesStatusA
_orig_EnumServicesStatusW
_orig_FindFirstFileExW
_orig_FindNextFileW
_orig_LdrGetDllHandle
_orig_NtQuerySystemInformation
_orig_NtResumeThread
"p(4?3
patch_table
__p__commode
pe_baseofcoderva
pe_baseofdatarva
pe_checksum
pe_cofftableptr
pe_cofftablesize
pe_cputype
pe_datetime
pe_debugtablerva
pe_debugtablesize
pe_dllflags
pe_entrypointrva
pe_exceptiontablerva
pe_exceptiontablesize
pe_exeflags
pe_exporttablerva
pe_exporttablesize
pe_filealign
pe_fixuptablerva
pe_fixuptablesize
pe_headersize
pe_heapcommitsize
pe_heapreservesize
pe_iattablerva
pe_iattablesize
pe_imagebase
pe_imagesize
pe_imgdescrrva
pe_imgdescrsize
pe_importtablerva
pe_importtablesize
pe_linkmajor
pe_linkminor
pe_loadcfgrva
pe_loadcfgsize
pe_loaderflags
pe_machinerva
pe_machinesize	pe_tlsrva
pe_ntheader_id
pe_ntheadersize
pe_numofobjects
pe_numofrvaandsizes
pe_objectalign
pe_osmajor
pe_osminor
pe_resourcetablerva
pe_resourcetablesize
perror
pe_securitytablerva
pe_securitytablesize
pe_sizeofcode
pe_sizeofinitdata
pe_sizeofuninitdata
pe_stackcommitsize
pe_stackreservesize
pe_struc
pe_subsysmajor
pe_subsysminor
pe_subsystem
pe_tlssize
pe_usermajor
pe_userminor
__p__fmode
pop_enum_orig
printf
PSAPI.DLL
_purecall
__r_close_and_next
.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegisterServiceCtrlHandlerA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
_replicate
__r_free_and_exit
rHHHHHHHHHHHHHHHHHHHH2
__r_next
__r_quit_now
__r_seh_done
__r_seh_error
__r_seh_init	__r_cycle
__set_app_type
SetSecurityDescriptorDacl
SetServiceStatus
__setusermatherr
SHELL32.dll
ShellExecuteA
sprintf
Sp[Y%ym
SQPYWQ
sscanf
StartServiceA
StartServiceCtrlDispatcherA
_stealthcode_end
_stealthcode_start
strcat
strchr
strcmp
strcpy
_strdup
strerror
_stricmp
strlen
strncat
strncmp
strncpy
strstr
strtok
St;Sd}HB
system
"`(+t0
  (t8r
"~	ta9
TerminateProcess
TerminateThread
?terminate@@YAXXZ
!This program cannot be run in DOS mode.
"~(to~
toupper
TransactNamedPipe
"t (tO
_unicode_name_match
UnmapViewOfFile
USER32.dll
:v(4()!
.vrehskh
_vsnprintf
WaitNamedPipeA
wcscat
wcscpy
wcstombs
WNetAddConnection2A
WNetAddConnection2W
WNetCancelConnection2A
WNetCancelConnection2W
WriteFile
WS2_32.dll
WSAIoctl
WSASocketA
wsprintfA
&x+4D	
_XcptFilter
?_Xlen@std@@YAXXZ
?_Xran@std@@YAXXZ
&x(t,&
[[[YX_^
[[YX_^
#">ZF?
ZVWPQS