Analysis Date: 2013-11-07 21:22:55
MD5: eee1b7ab05ee59be247ca4341adf41f1
SHA1: 8b356988bfd18e79f701be0fe70a2aea8f178875

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 — md5: ed1d104ceda7fb2df7b390857b0d382f sha1: fe78eabb878661fd16bd5d6881cfda455c70bf0e size: 252928
Section .rsrc — md5: ebde6e2c7416339f51d0fe29ecc63871 sha1: 281761812744026b0f51c8bbf629f3118abfcc9c size: 4096
Timestamp: 2012-06-08 11:12:27
Version — LegalCopyright: Copyright (C) 1999
InternalName: MSRSAAPP
FileVersion: 1, 0, 0, 1
CompanyName: Microsoft Corp.
Comments: Remote Service Application
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
FileDescription: Remote Service Application
OriginalFilename: MSRSAAP.EXE
Packer: UPX -> www.upx.sourceforge.net
PEhash: eb877b81d09dcc22655605531c52463ab050aa4f
AV (clamav): WIN.Trojan.DarkKomet
AV (avg): BackDoor.Generic15.CFFJ
AV (avira): BDS/Backdoor.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe
Creates Process: C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe

Process
↳ C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
C:\Documents and Settings\Administrator\My Documents\MSDCSC\vk.exe\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: DC_MUTEX-DB61LF1

Network Details:

DNS: storm60rus.zapto.org
Type: A

Raw Pcap

Strings
040904b0
1, 0, 0, 1
4, 0, 0, 0
Comments
CompanyName
Copyright (C) 1999
DCDATA
DVCLAL
FileDescription
FileVersion
InternalName
LegalCopyright
lyNa
Microsoft Corp.
MSRSAAP.EXE
MSRSAAPP
OriginalFilename
PACKAGEINFO
ProductName
ProductVersion
Remote Service Application
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
=>? <(
 !"#$<
@< : =
\:--|`
	$&-[-
,,0044AN
011L:NtDDNdi
$0]3@_
)0B,E?
?0.`ExA
0F8de"
0fmBC"B$
`0g|(&R
0idOpn
0IS\ p
0jl6$X
0J&XosR
/0jzXl
0>kQI0|
0Nb30n
;0u1Ab
0z#& d
"'17Kw
1;'a-B+
1c%5NG
1..fa${	_
1FILEt
$1KiVQ
 1M`9;
1,O6Pix
 %1,RM
`1;sDt~
>1/sume
1w,7G@'@)
1-;XD/)r!
1` xo"/
1YMLCX6
 2004,
22PTUploadFTP
27BQ)%
'2hub#!
2h x2\^
2 mL	f
<2{od_nOr
[2QfUC4N
&>2#S0
?)2uc'fu
2' (w4
#32770
$34567890ABC
37R:sDC
3`86F5F3C
+3AH'V
'-3GG[^
3@;p8@
3_VprT
4,''''$
 4.0/T
4605E90BE4665C9814
4	8	@7
4@/BdJ+
4DjX4L
4DWMAPIwDwm
4LIENT
/4 <-> os4
4/:P!o
4$^>:R
4u&&t&
58~DUMPgu-
5A\of|
5<CJQX
|5FD8F
%5KCH+
5~rBd1
5/@~XL
5;%xX8}6ag
#60Nwjl
63m1@9Q
-64 bit
`6adc*t 
	@6*Ht
6,nX=fod
<6*r$Jh
6> ;s0
`6s`2xF
\&6V42
6X7)m#3
	6Xe`L
6XyNpc
70C,5(95B7D
7 F2d2@
7HA4x4
7H\kFreeSp
7.h"P'
#7`.iT
7L7b9Y
7NkpCcL
7p_kbh
7P!$l	
7r0r=<9w9i
7tb\Hs
7"	w%9
)7z$J9
840,NNNN($ 
840vrrr,($ 
+8'(6&
=88p/h.
&8AV~C
8FDA8B$
8,fk<dl
8*i*ey
\+8{'P
8-p{$7
&8r`-N
8SHYQ/
8t(xJ0
99A6922f
9D6350
9E2 5kOp
 -9i^#>
9K[B=ZLx
9OegaQ
9-p+CO
9pmqi*
9r9=	$
9TylvX
*9*uF"
9;wlt4
a%20&G
	Aa$_!
`#AaiSX
AAsAdm
A\b7"G
{A*BD#
.ABPWD
acmStreamSize
acTnDw
A;dG7:
a#d}%GSID7
advapi32.dll
aGIwr/
A,?Hy8
AIr%8`e
aKdWi4!0i
Al ',>
ALIVE#:
+aLVB<
AN2LD8P
@?Anye
A"rl*j
 -a+SL
At&b!5
AVICAP32.DLL
b1'X/F.
B:C@eif
bdLeftToR
@bFBvm|
BINARY
blu$=b
B*\<N("$
BoKGW 
BOLc_MACW
Boolean
Boross&%MD
	BQu&`@
bS6-"!h
b	TIp'
/BtnFU
.BV8Gf
ByWl'Word
C0h>v;
C:7JLH
c#9"6:
C@'97WH
calevI
&^CaO_p
capGetDriverDescriptionA
C/BALTw 
*C~)Div
CD-ROM
CESS DENIED (x64)+
CG	MydoV
CHARSET
>Ch|GD
Ch:Typ
;ChwpV
c%IEhyu
Cj7!ec
cj<&nL
CKeP0z)`[
Ck[H85
"C#_LM
clMaroonGG
#_Cmp4FromSt*
CNE"BIG5
c]o1N%-
comctl32.dll
COMSPEC
,CP03(
CPsgi20
)(C{t\;
CU7J%07g
`CUl]$
(Cu'/q
#C W !
cX ;3t
c+X{Gx
`D'?`!
D{0hh z
D\0IOL
D57ABA58
 |D5SS
^d8@@k+
`D8PXy
"Da6ld!
Daia4H
D|aNmu 
D`a|o0
DATAFLUX
 D(*B<
@d B&z
DC+0KlZ
DCWebCam'
D=*dM5
?Decix
DEL]INS]
\Delphi\RTL
dF2AD23
<dFeZ2
d@fW|'
$&`Dfz
DFZC@n
dheYsmall bl{
d.Hw=(
#DI\-g
|d	jr>
-D ((K
$d('K' h
`Dm"|/
d$	n-+
>D`nb~<
+;^DND
d:N:H=
Dnp8on
Doc!\4
	DOh>\
dS,-5L
D=vCDnS
\$D"wc
#d"XX#d"
[|"DyH
E0,_p]q
E1PePT!y
E6O4Q>
EAbort
EARCH'SO
e&At"L
EDITSV
%(ed memoryZa
e> dumpZ
/][eF7
E>\i5g
ekQ "!
,eKZt7
el2h}$
E$lcam
EM`/a7$Q|Wu
 EMFtRrTo
ENc>Eh
!(E\>O
EOutOfQ
ep J(i
E]Pu$hP
escriptR6h
es?gEdg
essR~ S
(eTY;<S
eWv!aGd
	Excep
EXCEPbFO 
ExitProcess
EXPAND
Ex$$r||
F0AFF67
-f0X5 %t
F1|/OA
f>3#!@
F(34S(
F3s"E)y
f88;t.
(\F`cF
.FDiag
F~ DOWN
fd(wP`q
f$g%.T
fh?HPf-
figs@3
fIns;p
/fJ8D|h
FL=a Y?H
FO2BHL
FocusDefaul
Fo@t	e8)
'  FourCC
FPUMask
+~FPYM
FreBoth
fs/7oBW=
f{T4Gt
Ft?Htb
FtpPutFileA
/FuchsiaAqua
G4@V/cp
GAG{+Vp
GB2312G{
gdi32.dll
GdipFree
gdiplus.dll
GetLo<"
GetProcAddress
GHIJKLMNO
gIC(-T
-`gj`?
Gn/a7d
Gs|"Cb
gSilver
 gSNAPSHOT
	GS X0
G_SZ?O	m
G$t*=!
GTTm 	
GuesMU
G"'ulu2
gW9r5&
gX+<<Hy
h4&"p'
,$*H8@
HbF>\F@<DT
(HBITMAP9"
HCS-%"
':\hct\h
,HDC*mp
HD@<NNNN840,NNNN($ 
HD@rrrr<840i4
hD;S@A:
He.uH@
Hf n-c{JV
HGAu1x
h&g.e%a
hGFHI@
hh/ aT	
hhW*7\S
%?HIDEF
HIFTJIS
HIh;J4u
}?.HKS
Hl$CrHD#I
H*oF``=Pj
HOWSEWE
ho'zhcAd
{h!P4j
hPGHdi"
@HPX`h<
'HSplit
H_#SUPPORT_(_.SC3*
h:tf\Q
Ht!OWdh
HTTP Nod|x
HVPHG0
&h<W,FE
HWMBO#JbTC
H,:xL`
i6t-g,B
I7KO J[
=.~i7S#sc
)i8^*7T
Iabcdefghijklmnopq
i,{B.G
	IDispatch4
IF`s#O
/-i"Gw
i'	IHV
I}ioic
+iKZ>V
IM8Hx8
ImageList_Add
IM^imm.Z
insufXc
Integer
INTModuleInfo
IPersist
%iPIV.
 IP : j;
"i\(`Q"i.<d/
ique%Yh
IsEqualGUID
IsNJ88
ISPLA*O
IsValidSid
IsWow64
i\t12I
ity a0
+,~I\V
j7`k_+5
!J<A0;
]JALhZ;
J`|&B\
J`<.|d
JdX!+4
_{je4C
j\etc\Z
Jl5	Hw
(j/o1{[
JP8-%T
Jt'Jt5
JUCSMQ
JV~]PC
Jx|hrG
j	Zb]=
J<zBDS2
JZx%6@Iu
}K4G@k
-'k5j,
k-B@\3)
 K=B*B,
KCuCeP
KERNEL32.DLL
keysK<
|KG|PF3
k has occu|d.
K/!m\l7
kmS:kg%
KnduS[,
?^Kre#
kSs5Is
kT`-%=
\;K|wYwS
k;)(Y7
+k"\zh
l$<(06
L4>$Vx
l8/Aj6
L!_!=8B
 Layouts\w
l. -C};P
LeftTop
lExxj J
)Lh14P
Librar
L/j+7A
ljL8!t
L{k4 . 
lkWBei
lnR)bE
l'/'	O
LoadLibraryA
lp8d@.p
lrbUDe
 ;$Lr<LA<
LUAoXr
 lusZW
/Luy9a
lyTznsp
	M2mU_}
m5a=9V
@	m"5.M9
m73#Pu
MAINICON
Main}W
mA=M`9
m/ C)8
Med..|@
%)Mekw!zT
MFrDvoim
MF.y7*
'MGwHhT,`
M^i8A2
Middle
MJPGte
m#Lh)ByZb%
Mozilla
m%_P`Rb
#?mQW3PE
mRxtheme
msacm32.dll
MS Shr Dlg 2n
 MSWHEEL
_MUCz/0
MU#Qb2,
muy4NP
,%"mxa
m xpE3
'M"y5Zx
m\:zh2
%n7%	<=%.2o
N887/!
N9 _Sh
]nAav ^
	nBDPf
@nBm\2%
netapi32.dll
Netbios
?Neub@8
\newl\
ngPathNameA$
n;Gu%+
nG`x2!-
nh%0WYoYK
/?N_n'
$ NNNN
NNNN|xtpNNNNlhd`NNNN\XTPNNNNLHD@NNNN<840
 -n .> NUL && "
NONEdX
notepad
[/N=t&
\% NT\
ntdll.dll
NtQuerySystemInformation
_NT_SIp
NtUnmapViewOfSection
[NUM_LOCK]G\
Nu#SOw
nw{(()@-3$-	*-&*$
NwOCU3
o3IMAGE,
>o'=4)
o4&KiA
&[#Oa]*D`
..o$c@d`U6V
ODO\\o
odSel3
%O"DZk
oEC7ED3(E0271A42X.68
oGTeal
OIdloAwa$
oI+",e
,|ok1995-Y
o@KIB0s
O{Kp8I
Old<cg
ole32.dll
oleaut32.dll
omboBo
&O$(rr
otAddS
oUDBq?,
ou`%wLGx
OwQJ@]
OZOUT'o,*
\#,~>p@
P1sPC@P)p
p2+QRbC
<p5[jG
;P8u+~
,PaC9e
PAX)'Q
P*Ba`A
pC 7SebE
p?=D`~|
:`	PddNU
pDHKu	7J
PDt1!F
=pEIFn
pFixup
[ph88bjdT(D[>
!]/PiL?
PL''''04|X
PL4qvI<a
PL9999HD
P,$=@o
,;.PP7a
%PPi+~a:
pRH1a,
Primary
p[ROP2
psh07H4"k
+PS=tZ
PublishW
p(UD$q
PUGXP#
Purple)
#@PVgN;[f4k
pXjvn"
P%XNe,
=?p"x!z.,
Py08u4,Wp
pz|;Cpu'
#,q"6H4
Q6lGNU7%
q8hmu 
QDWORD?'
QIGL##
Q%pxwC.
Q%^=	;S
qs8VSD9
q%T`3R
Q<TH0[9rm3
QUICKUP
%>Q\vB
@^r@}8}L}
RA^8]EwIu
~Range
RB>,4Z
 Rb{(;P
;`rCGx
(rCV&(
_-Rf;` 
rfacek;8
r$G0@j
RgnBol
RIGH ?
RIPTION\
r}kODc
R@NING?PAUS;O
%_ROLL
#=RP	9
^RPDNS94
rP/tx9
r (QCL
RqIO+Q
$R;R <
rr;*qlLL
@rrr;<
RU?6;a A.h
RUSSIAN
rW3r_n
rY:]*s@
s.4ERROR
S'7H|UP
[s`)_8
?\S8:l(
Safecal
SaveDC
s#.~Bd	
SB'Up0f
sC:\7-
SCXX:C0_
\.'SDH
SdWsW`
;sEx*WW
SgMELT
&SGMODS`
s:gUnknown
shell32.dll
ShellExecuteA
SHFolder.dll
SHGetFolderPathA
~sK;dd
s{kernel32.dll
sL cdAud: p
S~NN{0
*SOFTWARE\
\space
SROOT<
 s`Rp[
.(;S$s
sSlhIj
:STUVWXYZ
SX0/I"
 S ((z2
?  t,;
"~!}T;
*.t'0@
t1	?d"F
T1l`_H
]'&T1Y
+t_${77WxtZXtU0u
t8hI420t
T8x8'8[
+$Ta%:
tA@3u(
TACM]or_<
t#;ADti
Tahoma
TB: ca	v
	TBiDi
TBjicAc$L
t&Cl6;
TCu.(jo
t;^d)d
tD_KEY4
*tF8n1
#tgAdy
|@T.:H
t|HBBY
This program must be run under Win32
t.(hp!
tJMULT
*TJ'Ql
@_TLB"6v
tlW0BP
_((:T^M
:]:tMp
|$TMulR
tO>4FT
TObject
t ^ojf
? TOo	
TOwnND0wStaJ
Tp	CI;
Tp#&hD
tPHotLigh
TRANSFER
@tRh56
TSearc
TThread'
TUnitHashAr
TURKISHm
t{ U Y
Tvek<,@
twa@Devel
T	w\KlWd
t&WROWS
<TX\`d
T`>XDRf
TXp/m56\
ty! D2
tz W&}
u0NHJ%NH
^@u41h]
U(8 jp
U9<8ww2
@u"B8lT
ub/MulDivIdiv
\-;UC9
UGc;ss
Uh|4Zv
u ?H+5q
u']hG;
u>hHn~\sF
$UhyN7a8-WH
u}j8[+
UNKNOW
UntRC4A
up2gw4\
+^Upzwnen
Url_/)%
! URL|]
URLDownloadToFileA
URLMON.DLL
urmn/_d
USE_GROUP OR 
user32.dll
uTbq,a
U$tion 
\uTok 
uvwxyz
>U/ V xu
u?W6vt
uwG *-I
]&Ux=Aa
u"yfju
$=	+uZ)
`|v0HWd6
v1D4pp
/_v5(,<J
v|8D_X
V 9!GV
vAI?wH
	v$aNhb*7
VariantCopy
;v}%DG
Vd;VXr
VDXS(H+
VE)CRy
	Ve- J0
verflowd
VerQueryValueA
version.dll
}Viewe
"VIEWF
VirtualAlloc
VirtualFree
VirtualProtect
Vista	
vJ+$7n
v!o8><
+Vol~cK
V!{~;p
VPOST /ex.php/.
!]VU|U
vvNSt2)
-v)yK7
w/*-+.=
W0:%cWU&
w1i2_@a
W3v''I5a
W]{5GuKl
W6An unexpU
Wae33DE
waveInOpen
w-C7Lo
wCOrg|
wE!o,"-
;WHTL9L
Windows
wininet.dll
winmm.dll
WINNLSC
?;wkB<
wK_LINES/7
W_OV!^
w:'p&6
W<	PB/
'w~$Prx
WS2_32.DLL
WSAIoctl
wscsvc/
wsock32.dll
WUBMS/
[wwm*-	;
X3my~.
-)[=X5a
@X?a`b
x\Byf@T}{TG
x^D:eX
XDhvI}L
Xegul6
X#i7`tH
Xj)$PU
Xm$CipL8&
!<xNBh*y"
XNIdfM8
XPL=PO
XPTPSW
<XR6SFJ
|xr;99tplOhrrrrd`\X9
|''''xtpl''''hd`\''''XTPL''''HD@<''''840,''''($ 
xV PUn
xV,X5Lh
xwK0XN }J
X,X,d,
XZ(>Av
y2Dz{e
$~?y94
[yC3D>
Yellow
yEvehL
^/YG/h
)yhcQ\|
?YJ?:S?
	y;KLR9
yo0o0W~h
?~+yPz
{<:y&q?	
YRz#@F
+YSU<HtH
y>T4aD
<&$=yU
%Y||v-
YZtbX<
@z(;0v
Z1<CNu
z2luUt
z2t$D(
[+z3#2
z3GnU@u*
Z5qjsR\wR
 z8Xc$
ZCDffo
ZERSFWB
Z':Ew'6
z&Hdll/
Zh;ovh
Z);,/L
(>zL<l
zpX&F2
Zt_sicm
ZTUWVS
+Z`u86
ZUfnON@
ZXH;[V
ZXpHh}
ZXuS(S