Analysis Date: 2014-02-12 05:16:09
MD5: 03da986032f369c1e2805c28f74cc7f4
SHA1: 8a9e24dc5e49965cd4cab5e1a3bb01934ac01dfb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: d64f528a9540a52015cbefbc9e361be6 sha1: 100145bdcd10751cb4b3e8aa366d82ad826a6e86 size: 177664
Section .rsrc: md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95
AV avg: Worm/Generic2.BLRH
AV avira: BDS/Backdoor.Gen
AV mcafee: W32/Generic.worm!p2p
AV msse: Worm:Win32/Ainslot.A

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\svchost.exe ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{FD6E884C-BFAC-BAEB-85DD-D8C6DEFACBDA}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\34KHWF58MW ➝
February 12, 2014\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\34KHWF58MW ➝
blackshades\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FD6E884C-BFAC-BAEB-85DD-D8C6DEFACBDA}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\bot.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsDefender
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bot.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bot.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: 34KHWF58MW

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bot.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bot.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\bot.exe ➝
C:\Documents and Settings\Administrator\Application Data\bot.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bot.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bot.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bot.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bot.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: C:\WINDOWS\system32\drwtsn32 -p 500 -e 1928 -g

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 500 -e 1928 -g

Network Details:

DNS: gutegute.no-ip.biz
Type: A
92.224.22.120
DNS1gutegute.no-ip.biz
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 92.224.22.120:3333
Flows TCP: 192.168.1.1:1035 ➝ 92.224.22.120:3333


Strings
X_
'
o
..
.
@
.
G
[V.i.
.
3
)
.
X_
'
o
..
.
@
.
G
[V.i.
.
3
)
.

PERS
SETTINGS
00G0rE
01E:9~
03> *sX
07H2 @K
0a.l).
:~0~%D&
`0 ?}H
+0)Hva+
0|@&ph
0r(If8
0UFBN4
0W2H4a
0Y.D'%
15dF8F
19XAIb?
1cnN</
1DlFun
1Iwr^Y
1Xf"l9
22A368949C0&
'22I\dV
27OnQui
28Pb!G
2>a`Q6A
2B?CG'w
2>e%Xdq
2p30u2
2xDNl>
32EDE121D9E2F062D2BD
3ded)s2
3pFor+
3'#Pp.
3TIOcm%
&'()*456789:CDEFGHIJSTUVWXYZcdef
4[cv4=bGa
4F5B5C5*14
4H4sg%
4'lNo}
4.tA/\
5;4QLI
567tB:
5a7Zw-d<l0
5Async?PWs
>61/T64
6ENC^fADC
~6G$qP#
6n1?e:-VS
6nb#^Z
6.OLPX
-6R??y
6V2Ziz<p]
6w	-T}j
6@X?@b|
6xjhx,
7033413A647A4B6739316C
],70&h.
72w22r
@7/(7"
774NE55
78jdjA
.=7Kajt8
<7O2r /
7.pc(E
^__^7u
7@' w6
	\|@/8
8!Dw2T
8'E f\\
(8Hhtp
&8%.INYY
8Pdxt>
91AEE<A
9\BBN2d
9&EtDt}i
9@N2<DVG
(9OT,M
]	9r0(u
&9%'$$se\2
9xtKl%
#/9	\zh
a4.U}N
"A4*Vu
abIm,y
Acce+_q
AddMsg
AddRef
Adju6{(QFPjN
adyStvief
all0;<@
alUpda
]Ao %D 
Aom	}?F
Audio.
-AUi}6
#]=		(b
<*B <(
\]&B_*
b86mswin .
B8lTBn\
b8x3 L,
B%A\Jir
BE:{FF(
	b:}>f
[BG*~*
BITMAP
`blL'T
b'	od"
bss_ser'
BtKillo
b"XLCWB
by.ToPl
;]C9HYH.
CallBaK
cePTt{q
C<F6E4ZF7C8
CGp`%@
Ch`7d7
/Chat'
CIG@f]l
<Ciuqa
CL#6l$C
'	cn<Ac
Cog	b;
`,COnl/
+C	=Oo
C:\Prog
CrypcImage'
cSubClHi
c;[ubEOW
cvN\Dq
cwp{tF
D`9"a~e
`d$9$b
D<<Ap2!
;<<dB&d@@D&dB&DHHI&dBLL
\dd C 
dDG=B 
df"FC^YO
+d@Fvg
\Dgd]2
dh06Hp
<#DhDdMdu
DI/.`/7
@&|Dl&
d|lhNG
	\DlKl
,<DLX`
DNr&<(
DragQuery
\d(#t\.
/\dT4J
D;uO[)
dWr[{C
E4:|	"0
?$E$ 9
~ebBrow
ect?Torren
eF"F~3
E\FwPN
`E\%],%Gl
eHF1Gn
E,I4WC
E/L7mki
Eo2&As$
e/SrcLef]
eTiM`ElI
etQJR@
EtWk_U"
EVENT_SINK_Ge
E`$vh}
'EV?L_]
ExitProcess
$&'''$$#F
>>F0a=
f4:9h9l
F 7l)",r
fbYLLH8I
f_h'n;
 Files (x86)\Mic*soft Visual
Fk?xn#
#)$<Fo0
FrBf>Z/.
frmMain
@>FrpJ
fSK2>H
FT003[
:Ft]TxA
f"x/(_
Fy.#fbv
g0D+k0
?g3%*^bch
(g##;A
gcmdRk
GetProcAddress
ghDCR[
~GHO6&
!Gk_SW
*(^gLT
gONNd$
gwbAuz
gWdglvt
gWi*u	o`
{h0SQ[
&%h4M@
H4T}`F
&H6(H5
|H7?%'
h^b8$kf
hCBhr 
Hd&Bzx\
<HeH/8
heInvokeV4M
[heQT%
Hf4rHgA
 hGed /X 
;Hgt&x(D
/(Hh)(
Hh,)Kc
hK1$r?
HOc3fg
h'#ON$
HO^T)96
 Hq7O\
hunk5G
@HvLD0
`hx5L+
i%9Mau
ICK_DELAF
ICk)S%
iffOS4
ifyuw9
~ijnGl
i<kLPU
il'67Wa
].i/lN(0A
iMgi#.
InfoTO
Io6IR1Vpt
`,iP2,
iqRH.9*
i~@Y$"
j1gH1jQT)o{
`J58tR
J	Cr2$K	L
%J|&rIs
JUX8Kp
$Jw{lO
jx(V%	q
K^0aWI
K]>1h-
k33VRH>
+k	3U2!kk4
k50Q.$B
'|KCn+
KERNEL32.DLL
kI@Q*[PO
KIs\'rr/.
@@Kjka)
kkW\8fI
kNh\neN
~k/ qu
K&,(rKN
kSS=#;\.i.R$9g
,kUAAZ
|*}<kV
L0P$yo
L2 tdT
L5DDHK
	l7SDj(,
l8;8B&dB<<dB&d@@D
L8y9%$y0
LD'0/w(
lE.4TM8A
&lE^.'(mr
lE.@vq
lfgH^!
L G0CT
l`,G!o
LGVBOx0C
[lhefa
lifSteamGookx
L@<img|
Lla+(B
l-n/on
LoadLibraryA
lobalAl
loseHandJd 
lpmR+Z
L:sX;:^
Lus:1]K_
lXaX&h
L)^Y"aA
Lzb7_FACEBOOK_4
M`{?,.
M4>FAJ
m	5N{a
m$C3sE
mC f/H
mCWO@7
m}E$yAmIM
Mkok$P
mm9UCn
mMl%6`
mnK{Vf
modFucr@
:MP2]x>
MS SaX
MSVBVM
\msvbvm60
MSVBVM60.DLL
M_SY)`
M&Xu%:]
M^_Z{c
@n0Nu&
"N2]F|
n8>ca?
NhazK0
n@hkn[o<
/N-iwY+M
n:lng#
NpN1s!
NTDLL>
N&u^8uF
NvrhJsO
Nz4jPo
*O8^.N
-obh.&
o`?%buk%?
oCHAT_ADDMSG
OF6I zg
(Ohd09
o%S;Gt
os#+Om
)Ov(BU
ovbv)#
oWaxeD
oXCCdC3s
<o)ZEGokwD[
 @P`@`` 
(?|&^P
pA(ll9
PATH_WINLOGON/_B
>peJKN
p{FINr8
picThumb
pjjeZo
`%pK?[
Poh8.K7
POMW0!@
)pP&,.
`pP%AV
PRINT_
.pu._g:
Q~@_EWAY
q!GtsO
qJiW_A
QNqq/U
	qS+$7
_queezer
QZkX@IP
Qz[l(`
"\$r/ 
r!11r!
r!22r!
%R5QE>
= r%9<
r9jh>B
R9PZQQ	M7R?
r*"9z5
rame.dl
raTagd`'
Rd:\Sys
RE m];
!RE(Wc
Rii"RW7m
R)j [\
R}j0%h
Rr@M<7
rs7&I{
?RS`curity
<((S6dB
:ScanL
scii'h
SCManPr
s:.cpV
Screensho
sddTd&
SdwLfpS
SER_FB77
 *.S{f
sG x KN
SHDVVwCtl
sI@P,<4u
.s/JoPMX
Socket
s.op-iIM%/EvwC
>spu"G
st{%,;:
STRUCTIO
stV&y<
 Stz\\98
swct{Ao
SZoM7Pn`
T4gzF>
t)5H%a"
TaenmP
TA;KCa
TD4$%#
TEgw *
 the p@
!This program cannot be run in DOS mode.
Ti+G]1
Ti*<t8/
tjfbbl
:;tkEe}
t.&l&N(q6
tmrLivLogg+
],t~ n
Tok@nCe
tP8K6o
`tPp=+7Z
`<T(q0
t<#XfkMR
T\X|Z+
u1,6Jj
u -6?7(
Ub9]^9t]:g
u,b/X;u&
=U$F(U<.
U.kv?<
,u	moj
	#%un?
Un@cvss
upQValu2 
	@UR;/
UrlCache
 usiid,l
Ut.Z_/
\.uV0vs
v*237X2
VAM.M3V
%Va We+o
_VBA6T
v.Bf&|
vBIV9*O
":vbjdm
vc.`tM
vf`M1P
VirtualAlloc
VirtualFree
VirtualProtect
VM"L[}
v$qTh_=[
\V(TA%
VUc!V_0
V@?vWJ
vwf[OIi/
\Vw'TpOEm
w?5274
w9R/y?
=[_@wa
W\aHX)d I"
wapMo~
&Wbj7TG
#WC_H-
wCzk_G
/Wdv $k
_WebHide
wFp%.F
(.WGc|
W:? Ha:i?
-_WMqo
^)w*n]
WOW64\
-W((U/
WWQwpi4rO
x4&^Px
x@*'7{
X!bddX
}\xEm>
}=XEs~
xFR-G^
~Xiu*]0
X'j'b3ZX
XJB:KMg0,v
XL2 '(0d
xlh^NJ5
xn480f
@XN\K8RL$:
xn@,Lx0
XO) Q5
#'x%p*
XPA;aa
xphZRJ<
XPTPSW
xQ?|PC
 `\XTf}
xu5sx4
XY4U84
y2P!$ 
_%y7"3
yG!0Ex
yGrabbOg	V
yHD@<86q
Y@J\cD.
Yl1X4L;
YP+:S@kr '@
= yrhCtK 
yt1\d@N
yv4f$D
YvHs15
YX"")fv
YXF?xw
Z|+:4	
'za	pR4
zd,4RXW
:'Z'rJ
ZRrPB/
Z$}tw3
ZVH:fh
ZV$PF5
Z%z'$He