Analysis Date: 2014-12-17 20:51:31
MD5:  4ad0e921e6d7dce7f38d438ec2406eed
SHA1: 8e267e790fc8ed9691242206580b86550811df04

Static Details:

File type:  PE32 executable for MS Windows (GUI) Intel 80386
Section .text   md5: 7c817b30dafbae3e3caf409312eefb86  sha1: 9f04bf42eaad11502282a872b603ee1797295f16  size: 185856
Section .rdata  md5: 28038ee1f13b82cb1a74320f99f6e760  sha1: d066e0263c5e3cdc2867720b90f5fb459cf14d27  size: 3072
Section .data   md5: 6e94665c6bfbf7521495d5af7fb46a7e  sha1: d20aa593a95c7ba68776a2d6784246e221603a65  size: 16384
Section .lib    md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Timestamp:  2005-10-19 15:06:49 (COFF TimeDateStamp; written by the linker or by whoever packed the file, so it is not reliable evidence of the build date)
PEhash:     25143d3fb7a4f817ddac15156f04554967b533f8
IMPhash:    c02f3f8e58b5d25f73b9bddc1776f341

Nearly all section content sits in .text (185856 of 205824 bytes), alongside a tiny non-standard .lib section. Together with the generic packer/crypter verdicts below (Kryptik, Packed, Cryp, MalOb) this points to a packed sample: the section hashes and IMPhash identify this particular packed build, not the payload underneath.
AV results (vendor, detection name):
  360 Safe                       Gen:Variant.Kazy.12933
  Ad-Aware                       Gen:Variant.Kazy.12933
  Alwil (avast)                  MalOb-IJ [Cryp]
  Arcabit (arcavir)              Gen:Variant.Kazy.12933
  Authentium                     W32/Goolbot.E.gen!Eldorado
  Avira (antivir)                TR/Kazy.12933.psa
  BullGuard                      Gen:Variant.Kazy.12933
  CA (E-Trust Ino)               Win32/Diple.A!generic
  CAT (quickheal)                Backdoor.Cycbot.B
  ClamAV                         Trojan.Diple-13
  Dr. Web                        Trojan.Packed.1903
  Emsisoft                       Gen:Variant.Kazy.12933
  Eset (nod32)                   Win32/Kryptik.KVW
  Fortinet                       W32/FraudLoad.MK!tr
  Frisk (f-prot)                 W32/Goolbot.E.gen!Eldorado
  F-Secure                       Gen:Variant.Kazy.12933
  Grisoft (avg)                  Generic_r.FN
  Ikarus                         no_virus
  K7                             Backdoor ( 003210941 )
  Kaspersky                      Trojan.Win32.Diple.das
  MalwareBytes                   no_virus
  Mcafee                         no_virus
  Microsoft Security Essentials  no_virus
  MicroWorld (escan)             Gen:Variant.Kazy.12933
  Rising                         no_virus
  Sophos                         Mal/FakeAV-IS
  Symantec                       Backdoor.Cycbot!gen3
  Trend Micro                    BKDR_CYCBOT.SMIB
  VirusBlokAda (vba32)           no_virus

Six of the 29 engines report nothing. Of the named verdicts, those that agree on a family point to the Cycbot backdoor (Quick Heal, Symantec, Trend Micro) under its alias Goolbot (Authentium, F-Prot); Kazy, Kryptik, Packed, Cryp and MalOb are generic packer/heuristic names rather than family attributions.
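The section hashes, compile timestamp and IMPhash in the static details above are cheap to recompute, and worth re-deriving when a hash is the only thing a report gives you. The block below is an added example written for this page, not the sandbox's own code: it parses a PE32 header with the Python standard library, hashes each section's raw bytes, decodes the COFF timestamp, and computes an import hash following the Mandiant/pefile convention (lower-cased `dll.function` pairs, DLL extension stripped, MD5 over the comma-joined list). The PE it parses is a minimal two-section image constructed inline, not the analysed sample; the import list fed to `imphash()` is likewise made up for the demonstration, and ordinal-only imports are not handled.

```python
"""Recompute PE static details: section MD5/SHA-1, COFF timestamp, import hash.
Added example for this page; the PE bytes are constructed below, not the sample."""
import hashlib
import struct
from datetime import datetime, timezone


def build_sample_pe(sections, timestamp):
    """Build a minimal PE32 image (constructed test input, carries no real code).
    sections: list of (name, raw_bytes)."""
    # DOS header + "PE\0\0" + COFF header + optional header + section table
    hdr_end = 0x40 + 4 + 20 + 0x60 + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF            # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp,
                                   0, 0, 0x60, 0x102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<H", 0x10B) + b"\0" * (0x60 - 2)  # PE32 magic, rest zero
    table, body, rva = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, len(data), raw_ptr + len(body),
                             0, 0, 0, 0, 0x60000020)   # CODE|EXECUTE|READ
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
        rva += 0x1000
    return (dos + coff + opt + table).ljust(raw_ptr, b"\0") + body


def parse_pe(blob):
    """Return file hashes, machine, UTC timestamp and per-section hashes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        (name, _, _, rawsize, rawptr,
         _, _, _, _, _) = struct.unpack_from("<8sIIIIIIHHI", blob, sec_off + 40 * i)
        data = blob[rawptr:rawptr + rawsize]
        if len(data) != rawsize:          # truncated upload: hash would be wrong
            raise ValueError("section %r extends past end of file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "size": rawsize,
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
    }


def imphash(imports):
    """Import hash as pefile computes it: 'dll.func' pairs, lower-cased, DLL
    extension (.dll/.ocx/.sys) stripped, comma-joined, MD5.  Ordinal-only
    imports (pefile resolves known ones to names) are not handled here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        parts.append("%s.%s" % (dll, func.lower()))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    # Timestamp value chosen to decode to the report's 2005-10-19 15:06:49 UTC.
    blob = build_sample_pe([(".text", b"abc"), (".data", b"a")], 1129734409)
    info = parse_pe(blob)
    for s in info["sections"]:
        print("Section %-6s md5: %s sha1: %s size: %d"
              % (s["name"], s["md5"], s["sha1"], s["size"]))
    print("Timestamp", info["timestamp"])
    # Made-up import list, taken from names visible in the Strings section.
    print("IMPhash", imphash([("KERNEL32.dll", "GetFileType"),
                              ("USER32.dll", "SetWindowsHookExW")]))
```

Run against a real file by replacing `blob` with `open(path, "rb").read()`; the section hashes should then match the report line for line, while the IMPhash will only match once the import directory is actually walked rather than fed a hand-written list.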

Runtime Details:

Process
↳ C:\malware.exe

  Creates File     C:\Documents and Settings\Administrator\Local Settings\Temp\26bb_appcompat.txt
  Creates File     PIPE\lsarpc
  Creates Process  C:\WINDOWS\system32\dwwin.exe -x -s 180
  Creates Process  C:\WINDOWS\system32\drwtsn32 -p 1228 -e 136 -g

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1228 -e 136 -g

Everything recorded here is Windows XP error handling, not payload behaviour: a <hex>_appcompat.txt file in %TEMP% is written by Windows Error Reporting when a process faults, dwwin.exe is the WER reporting front-end, and drwtsn32 -p <pid> -e <event> -g is the Dr. Watson just-in-time debugger being attached to the faulting process (PID 1228, i.e. malware.exe itself). No file drop, registry change, injection or persistence activity was observed. In other words the sample crashed shortly after launch in this sandbox; whether that is a genuine fault or a deliberate exit on detecting the analysis environment cannot be decided from this trace. Do not read the empty network section or the lack of behaviour as evidence that the file is inert; re-run it on a different OS build or hardware profile before drawing that conclusion.

Network Details:

No network traffic was captured during the run, consistent with the process crash recorded under Runtime Details.

Strings (readable fragments only; most of the file is packed, so the list is a mix of high-entropy noise and the unpacking stub's import names, the latter typical of an MFC/COM GUI application with hook, RPC and OLE storage APIs):
..
.j.I?
X.s.}.>\.5...
..s...{...
..
.
.
..+ .P0..M,+%V
2B.
sv
...
....H
..
..D.
.+..".
,.>...@4N.
pv9
.+E..$Dib...A.v.....$..
...Oj...tB..
x
7.j.).}[.
...v:qy............
4=LLhP
|7LZM?
9^uJU=
9u~M>&
A(j}%j
CallNextHookEx
ChildWindowFromPoint
ClipCursor
CLSIDFromProgID
CLSIDFromString
CoCreateGuid
CoCreateInstance
CoFreeUnusedLibraries
CoGetClassObject
CoGetMalloc
COMCTL32.dll
comdlg32.dll
CompareStringW
CoTaskMemAlloc
CoTaskMemFree
CreateFiber
CreateILockBytesOnHGlobal
CreateStreamOnHGlobal
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
DrawEdge
EmptyClipboard
EnumResourceNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlushFileBuffers
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetHGlobalFromILockBytes
GetHGlobalFromStream
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
GwyZZ.%
i-7LV`
.i8[}`
im7JNH
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
iyI_L=
J][8X9_
jMTt>`
JRichu
K5Mv8vHa
_K.:)b
KERNEL32.dll
k;j56'
<Ljk[B
l)JkOIe
LocalAlloc
LockFile
LyVhub
L*z~n.
=!~M)1
mIMu	z
MonitorFromWindow
^m.:\v
Mx\,W7
m:|[Y>t
NdrClientCall
^NIxlP
ole32.dll
OleDuplicateData
OleGetAutoConvert
OleRegGetUserType
OleRun
PathCanonicalizeW
PathCombineW
PathIsRelativeW
PathIsRootW
PathIsURLW
PathStripToRootW
ProgIDFromCLSID
`.rdata
RegisterClassW
RegisterDragDrop
ReleaseStgMedium
RevokeDragDrop
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetEndOfFile
SetScrollRange
SetWindowPos
SetWindowsHookExW
SHLWAPI.dll
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
StringFromCLSID
!This program cannot be run in DOS mode.
T}NjYC
ToAscii
T)O.|L
,TtY;?
UH	O_Kz
uN]{=/
UnhookWindowsHookEx
UnlockFile
USER32.dll
?+V4u9
VerLanguageNameW
v^uJ>n#
WinHelpW
w,^L,W
WriteFileGather
w:>t{K
{Wtk8e
X^knHQ
X]owu`
x|/u+W
+yo<\j
Zl,ZX9e
ZoVhWE