Analysis Date: 2015-03-30 17:30:39
MD5: d900984ef70d9aed833aaf94148a1fac
SHA1: 9791cb736c81fcd4398f2400d119b2cb9fb4e1b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 10aa3a52088a3722e11e14b153bfbefd sha1: aaba0b8bf6b992941d642f125bea3817fc84a643 size: 15872
Section .data   md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xcpad  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata  md5: 37b920671c776ac977166f0fca1488e9 sha1: b9175e7128cc767c6283a2da3197dc920e7c0f4a size: 1024
Section .reloc  md5: 1d2826c44311e3eea7285e947f031826 sha1: 151a275336fe91e4b1ac431cddfb43c73c5b6186 size: 512
Section .rsrc   md5: 7b62a48249e6ef5e7b677ebe029c8015 sha1: 49e9931d566991d306f1275e705bc3910b9a1dc7 size: 1024
Timestamp: 1970-01-01 00:00:11
Version:
  LegalCopyright:
  PackagerVersion: 7.0.162
  InternalName:
  FileVersion: 1.0.0.0
  CompanyName:
  Comments:
  ProductName:
  ProductVersion: 1.0.0.0
  FileDescription:
  Packager: Xenocode Postbuild 2009 for .NET Beta
  OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: b389f6713f7a5e635cc62dd109e46b4513874ad6
IMPhash: 4582ffdd7eb98cb63a937096204182b7
AV (360 Safe): no_virus
AV (Ad-Aware): no_virus
AV (Alwil (avast)): Malware-gen:Win32:Malware-gen
AV (Arcabit (arcavir)): no_virus
AV (Authentium): W32/Poison.K.gen!Eldorado
AV (Avira (antivir)): TR/Dropper.Gen
AV (BullGuard): no_virus
AV (CA (E-Trust Ino)): Win32/Poison.BT
AV (CAT (quickheal)): no_virus
AV (ClamAV): Trojan.Poison-611
AV (Dr. Web): Trojan.DownLoader.64331
AV (Emsisoft): no_virus
AV (Eset (nod32)): Win32/Bifrose.ACI
AV (Fortinet): W32/Bifrose.ACI!tr.bdr
AV (Frisk (f-prot)): no_virus
AV (F-Secure): no_virus
AV (Grisoft (avg)): BackDoor.Generic11.ANCN
AV (Ikarus): Backdoor.Poison
AV (K7): Backdoor ( 04c4c6e51 )
AV (Kaspersky): Backdoor.Win32.Bifrose.aci
AV (Kaspersky 2015): Backdoor.Win32.Bifrose.aci
AV (MalwareBytes): Backdoor.Bot
AV (Mcafee): BackDoor-DKI.gen.ak
AV (Microsoft Security Essentials): Backdoor:Win32/Bifrose.HM
AV (MicroWorld (escan)): no_virus
AV (Rising): Trojan.Win32.Generic.144AF506
AV (Sophos): no_virus
AV (Symantec): Backdoor.Trojan
AV (Trend Micro): no_virus
AV (VirusBlokAda (vba32)): no_virus
AV (Zillya!): Backdoor.Bifrose.Win32.37319

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\server.exe"
Creates Mutex: _xvm_mtx_other_0x2A7A89E6
Creates Mutex: _xvm_mtx_reg_0x2A7A89E6
Creates Mutex: _xvm_mtx_file_0x2A7A89E6

Process
↳ "C:\server.exe"

Creates Mutex: _xvm_mtx_other_0x2A7A89E6
Creates Mutex: _xvm_mtx_reg_0x2A7A89E6
Creates Mutex: DBWinMutex
Creates Mutex: _xvm_mtx_file_0x2A7A89E6

Network Details:
