Analysis Date: 2014-03-11 03:35:14
MD5: 0a0d350b7ad0599df2f4641ade62578c
SHA1: 906407583b305ccd364573ce4bfd16259466e7c3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 7bec894a4443fdab822760c67152b320 sha1: 4294c3f9eaf921e581f09e7a12d940e9580f193b size: 40960
Section .rsrc: md5: c415a920e0e45d5294f583fc1f89d8f3 sha1: 804db6ed862d529da0da72afa85c077ec0522bcb size: 1024
Section .reloc: md5: 44d3425df2eb61873dac965ecea01e50 sha1: ad59de66d747b6d3088ae0c6a5c4e65dfe920563 size: 512
Timestamp: 2013-01-12 13:51:08
Version:
LegalCopyright:
Assembly Version: 1.0.0.0
InternalName: prideLdr.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename: prideLdr.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 82c8947bd06430427a1f99ea3b3c6efe460f5741
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV (mcafee): Trojan-FCTX!0A0D350B7AD0
AV (avg): ILAgent

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\prideLdr.exe
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates Process: "C:\WINDOWS\system32\prideLdr.exe"

Process
↳ "C:\WINDOWS\system32\prideLdr.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ ➝ C:\WINDOWS\system32\prideLdr.exe\\x00
Creates File: PIPE\lsarpc
Creates Mutex: LErNDtISBB

Network Details:

Strings

---------------------------
#0.00
000004b0
0 Bytes
1.0.0.0
127.0.0.1 
6++8e8gn+rsTh9ibdwvJkg==
Assembly Version
Available Physical Memory: 
Available Virtual Memory: 
BCDFGHJKMPQRTVWXY2346789
 Bytes
Click Log: 
Clipboard: 
code
Content-Disposition: form-data; name="{0}"{1}{1}{2}
CurrentUser
C:\Windows\System32\
+DelOff+
DigitalProductId
DisableTaskMgr
\drivers\etc\hosts
Email information invalid: 
Email information is valid and working!
.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
file
FileDescription
filename
FileVersion
ftp://
ftp.exampleserver.com
FTP information is invalid: 
FTP information is valid and working!
GetValue
.gif
Hello, this is a message letting you know that your keylogger has been freshly installed on 
Hide
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 
.html
http://upload.bayimg.com/upload
http://www.exampleserver.com/directfile.exe
+Ico+
image/png
InternalName
LegalCopyright
LErNDtISBB
LocalMachine
Local Time: 
Machine Name: 
Melt
+MsgFalse+
+MsgMsg+
multipart/form-data; boundary=
Neptune - 
OriginalFilename
OS Version: 
POST
prideLdr.exe
ProductVersion
Project Neptune
<p style='text-align:center;'><span style='font-family:Helvetica;font-size:32pt;color: rgb(2, 84, 138);'>Project Neptune</span><br> <span style='font-size:6pt;color: rbg(176, 176, 176);'>{Monitor Everything}</span></p><br><br>
removal
Screenshot: 
+SDDate+
setup.exe
smtp.gmail.com
SOFTWARE\Microsoft\Windows NT\CurrentVersion
StringFileInfo
tags
text" value="
.  The local time is 
.tmp
Translation
.txt
uhJerGnFqu
Unable to Retrieve Key
upload.png
Username: 
VarFileInfo
VS_VERSION_INFO
Windows 2K3
Windows 7
Windows 95
Windows 98
Windows Key: 
Windows ME
Windows NT
Windows Task Manager
Windows Vista
Your timed screenshot has arrived: 
1.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
Activator
add_Tick
AppendAllText
Application
ApplicationBase
AppWinStyle
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyInfo
AsyncCallback
BeginInvoke
Bitmap
Boolean
BorderColor
BorderThickness
Brushes
callback
CallNextHookEx
.cctor
ClearProjectError
ClickEvent
Clipboard
CllctImgs
CommandLine
Compare
CompareMethod
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Computer
ComputerInfo
ComVisibleAttribute
Concat
ConcatenateObject
ConditionalCompareObjectEqual
ConditionalCompareObjectGreaterEqual
ConditionalCompareObjectLess
ConditionalCompareObjectNotEqual
Contains
contentType
Conversion
Conversions
Convert
CopyFile
CopyFromScreen
_CorExeMain
Create
CreateDecryptor
CreateEncryptor
CreateFramedImage
CreateInstance
Create__Instance__
CredentialCache
Criteria
CryptDeriveKey
CryptoStream
CryptoStreamMode
CurrentUser
Cursor
DateAndTime
DateTime
DebuggerHiddenAttribute
DelegateAsyncResult
DelegateAsyncState
DelegateCallback
Delete
DeleteValue
DialogResult
Dispose
Dispose__Instance__
DivideObject
DoEvents
DownloadFile
DownloadString
DrawImage
DrawString
dwAppSpecific
dwExtraInfo
dwFlags
dwThreadId
EditorBrowsableAttribute
EditorBrowsableState
Either
Encoding
EndApp
EndInvoke
EndsWith
EnumChildWindows
EnumDelegate
Environment
Equals
EventArgs
EventHandler
EventResetMode
EventWaitHandle
Exception
Exists
ExitProcess
fakezero
FileAttributes
FileInfo
filePath
FileSystemInfo
FileSystemProxy
FindWindow
FindWindowA
FlushFinalBlock
Format
FromBase64String
FromImage
GeneratedCodeAttribute
get_AltKeyDown
get_Application
get_ASCII
GetAsyncKeyState
get_AvailablePhysicalMemory
get_AvailableVirtualMemory
get_BaseAddress
get_Black
get_Bounds
GetBuffer
GetBytes
get_CapsLock
get_Chars
GetClass
GetClassName
GetClassNameA
get_Computer
get_CtrlKeyDown
get_Current
GetCurrentProcess
GetCurrentThreadId
get_Date
get_DefaultCredentials
get_ElapsedMilliseconds
get_Enabled
GetEnumerator
get_ExecutablePath
get_FileSystem
GetFolderPath
GetForegroundWindow
get_GetInstance
get_Gif
GetHashCode
get_Height
get_Info
GetInstance
get_Interval
get_Item
get_Keyboard
get_Keys
get_Length
get_LT
get_MachineName
get_MainModule
get_MainWindowTitle
get_Major
get_Message
get_Millisecond
get_Minor
GetModuleFileName
GetModuleFileNameA
GetModuleHandleW
get_Network
get_NewLine
get_Now
GetObjectValue
get_OSVersion
get_Platform
get_Png
get_Position
get_PrimaryScreen
GetProcesses
get_ProductName
get_Registry
GetRequestStream
get_Response
GetResponse
GetResponseStream
get_Running
get_Size
get_StartupPath
GetString
GetTempPath
GetText
get_Ticks
GetTitleText
get_To
get_Today
GetType
GetTypeFromHandle
get_User
get_UserName
get_UTF8
GetValue
GetValueNames
get_Version
get_WebServices
get_Width
get_WindowStyle
GetWindowText
GetWindowTextA
GetWindowTextLength
GetWindowTextLengthA
Graphics
handle
HelpKeywordAttribute
HideModuleNameAttribute
hInstance
hModule
HookMouse
HookProc
HttpWebRequest
hWndParent
IAsyncResult
ICredentials
ICredentialsByHost
ICryptoTransform
idHook
IDisposable
IEnumerator
Image1
Image2
ImageFormat
ImageURL
ImgChainStarted
ImgChLimit
ImgCollection
ImgCount
ImgRadius
InArray
InAttribute
IndexOf
Information
instance
IntDivideObject
Interaction
interval
IntPtr
Invoke
IsRunning
JoinImagesVert
K_Backspace
K_CapsLock
K_Control
K_Decimal
K_Down
kernel32
kernel32.dll
Keyboard
KeyboardHandle
KeyboardHookDelegate
KeysCollection
K_LAlt
K_Left
K_LShift
K_LWin
K_Num_Add
K_Num_Decimal
K_Num_Divide
K_NumLock
K_Num_Multiply
K_Numpad0
K_Numpad1
K_Numpad2
K_Numpad3
K_Numpad4
K_Numpad5
K_Numpad6
K_Numpad7
K_Numpad8
K_Numpad9
K_Num_Subtract
K_Pause
K_PrintScreen
K_RAlt
K_Return
K_Right
K_RShift
K_RWin
K_Shift
K_Space
K_Subtract
LastCheckedForegroundTitle
LateGet
LateIndexGet
LateIndexSet
LeftShiftObject
LimitMet
lineSetAppSpecific
lngHwnd
lngLParam
LocalMachine
lParam
lpClassName
lpEnumFunc
lpExistingFileName
lpFileName
lpNewFileName
lpString
lpWindowName
LVM_DELETECOLUMN
LVM_FIRST
MailAddress
MailAddressCollection
MailMessage
m_AppObjectProvider
MarshalAsAttribute
m_ComputerObjectProvider
MemoryStream
Message
MessageBox
MessageBoxButtons
MessageBoxIcon
MgmGetNextMfeStats
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
mMutex
_mMutexOwned
m_MyWebServicesObjectProvider
ModObject
<Module>
Module1
mouseData
_mouseHook
MouseHookDelegate
MouseHookProc
_mouseProc
MoveFile
MoveFileExW
MoveNext
mscoree.dll
mscorlib
MsgBox
MsgBoxResult
MsgBoxStyle
MSLLHOOKSTRUCT
m_ThreadStaticValue
MulticastDelegate
m_UserObjectProvider
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MyTemplate
My.User
MyWebServices
My.WebServices
NameObjectCollectionBase
NameOnly
NameValueCollection
Network
NetworkCredential
NewLateBinding
nMaxCount
Object
OpenSubKey
op_Equality
OperatingSystem
Operators
op_Explicit
op_Inequality
OrObject
paramName
params
Password
PasswordDeriveBytes
PathOnly
pbBuffer
pdwBufferSize
pdwNumEntries
pimmStart
PlatformID
PointF
prideLdr
prideLdr.exe
Process
ProcessModule
ProcessStartInfo
ProcessWindowStyle
ProjectData
ReadToEnd
Recipient
Rectangle
Registry
RegistryKey
RegistryProxy
ReleaseMutex
@.reloc
Remove
Replace
`.rsrc
rtm.dll
Running
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
scanCode
Screen
SelfCure
SendEmail
sender
SendMessage
SendMessageA
ServerComputer
set_Attributes
set_Body
set_ContentType
set_Credentials
set_Enabled
set_EnableSsl
set_From
set_Interval
set_IsBodyHtml
set_IV
set_KeepAlive
set_Key
set_Length
set_LT
set_Method
set_Port
set_Position
SetProjectError
set_Running
set_Subject
SetValue
SetWindowsHookEx
SetWindowsHookExA
SetWindowsHookExW
SmtpClient
Source
SpecialFolder
StandardModuleAttribute
startPos
StartupCheckCriteria
STAThreadAttribute
Stopwatch
Stream
StreamReader
strEnd
String
StringBuilder
Strings
#Strings
strSource
strStart
Subject
Substring
SymmetricAlgorithm
System
System.CodeDom.Compiler
System.Collections
System.Collections.Specialized
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.IO
System.Net
System.Net.Mail
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
TakeSCREEN
tapi32.dll
TargetMethod
TargetObject
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStart
ThreadStaticAttribute
ToBase64String
ToBoolean
ToByte
ToDate
ToDouble
ToInt32
ToInteger
ToString
ToUpper
TripleDES
TripleDESCryptoServiceProvider
t_Tick
UBound
uExitCode
UInt64
UnhookWindowsHookEx
UnmanagedType
UpFTPImg
UploadFile
UploadImage
UpToLH
user32
user32.dll
Username
v2.0.50727
value__
ValueType
Version
vkCode
WaitHandle
WaitOne
WebClient
WebException
WebRequest
WebResponse
WebServices
WH_MOUSE_LL
wParam
WrapNonExceptionThrows
WriteAllText
WTKeywords