Analysis Date: 2014-07-14 21:02:53
MD5: 7283e1a5c20c8aaac286a6a98d945168
SHA1: a0dd89c2bba615dab45da0d036d7ddbd9ae7cca0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 92caa32e7bc110030f83ed57bdc4688c sha1: f8b973b93b6eb8308bededa0bcfd214bb049a40f size: 177664
Section .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95
AV 360 Safe: Trojan.Keylogger.MWP
AV Ad-Aware: Trojan.Keylogger.MWP
AV Alwil (avast): KeyLogger-ARY [Spy]
AV Arcabit (arcavir): Heur.RoundKick
AV Authentium: W32/VBInject.AM.gen!Eldorado
AV Avira (antivir): BDS/Backdoor.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ainslot.A.mue
AV ClamAV: no_virus
AV Dr. Web: Worm.Siggen.6967
AV Emsisoft: Trojan.Keylogger.MWP
AV Eset (nod32): Win32/Ainslot.AA worm
AV Fortinet: W32/Cospet.HA!tr
AV Frisk (f-prot): W32/VBInject.AM.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Keylogger.MWP
AV Grisoft (avg): Worm/Generic2.BLRH
AV Ikarus: Trojan.Win32.VB
AV K7: EmailWorm ( 003a1cd61 )
AV Kaspersky: Trojan.Win32.Generic:Worm.Win32.Shakblades.bdc
AV MalwareBytes: Trojan.Agent
AV Mcafee: W32/Generic.worm!p2p
AV Microsoft Security Essentials: Worm:Win32/Ainslot.A
AV MicroWorld (escan): Trojan.Keylogger.MWP
AV Norman: win32:win32/Ainslot.A
AV Rising: Worm.Win32.Anisolt.a
AV Sophos: Mal/VB-GI
AV Symantec: W32.Shadesrat
AV Trend Micro: WORM_SWISYN.SM
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1FCEEDCD-89DA-ADD4-EAD3-7C08DEFD2B03}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1FCEEDCD-89DA-ADD4-EAD3-7C08DEFD2B03}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Host ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\IG8PLND2AQ ➝
July 14, 2014\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\IG8PLND2AQ ➝
bot\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Blackshades
Creates File: C:\Documents and Settings\Administrator\Application Data\bott.exe
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bott.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bott.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Mutex: IG8PLND2AQ

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bott.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bott.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bott.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bott.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\bott.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\bott.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\bott.exe ➝
C:\Documents and Settings\Administrator\Application Data\bott.exe:*:Enabled:Windows Messanger\\x00

Network Details:

DNS: logo.no-ip.biz
Type: A
DNS1logo.no-ip.biz
Type: A


Strings (extracted from the UPX-packed image noted in the Packer field above, so most entries are compressed data rather than readable text)
L
.
...
.
v
.
HN
T
.L.
..P
.,.
.
N>
L
.
...
.
v
.
HN
T
.L.
..P
.,.
.
N>

PERS
SETTINGS
"`*!)^
[+,{[\
00G0rE
06;7*P
`0ddPno
0d/J!U
0|@&ph
0r(If8
0t#9i Vi
'0u+`0
	0W W 
0zh"93
-1:!1]
15dF8F91AEE<
1("]bL`
1-@GF^
%1SC-Ua2
^1t(/(
1T0EDm
}1/T64
<1w n$
1WR/-$
20C<|0d
21D9E2F062D2BD
22A3689kv3
|2$55L
2>e%Xdq
2/)gDJ
2rtDt}T
(2X*XY
3222ddTTH
32EDE1
-36H+A
\3_%9<
3o!O[M
3(Q#fwy'
{3T(q0
4^<=	<&
%&43QiJZ\
%&'()*4567
47HCV`@
4'aQ8py
4MTP@@X
4-s,.\
4Vhr)y
!4yvT")
501E:9M
5 1ka[
5ad<Fn
5Async?PWs
5G(>*1sA%F
6ENC^fADCl
6)H.aw/
6,K[f;
6n1?e:-VS
'$6!pL
6V2Ziz<p]
6WWQrO
6xjhd>
7033413A647A4B6739316C4F5B5C5
72w22r
7;4715H{
774NE55*23
7b8x3R
7*Bs"|
7J0FD&F
?.=7Kajt8
<7@O}4
7OnQui
( "7p'4L
7S^ONv
8@7,k~
87Tj*%'`-+ 
89:CDEFGHIJSTUVWXYZcdefg
(8Hhtp
)8jdjA
!8&MZnGo
}8WAcquR
`8),=\x
9^\#5~
$9g%rIs
)9HD`Lk
9rd.@@
a4.U}N
"A4*Vu
A7Dw4x
A7s1vt
AddMsg
AddRef
aD!Icf@
AdjuFP
adyStviefr
a,G\?dE
ais{pQ
alUpda
ame.dl
.aO >2
A)ox^=
aR;JyL
aSBlj(
'ASol2
Audio.
<-AUi}l>
`av$cnN
a(v|So
awuois=
<*B <(
b7_FACEBOOK_START
b86mswin .
B8$k[za
b!) <C
BG*~*)
bnsd@F
bss_ser'
BtKill
Bwao>g
BXV_\X~<
b#^ZFQ
c4\Lpg
;]C9HYH.
CallBaK
C<F6E4ZF7C8
/Chat'
&`CLdP	
+C	=Oo
cPEs/\4!)
C:\Prog
cR^p2a 
CrypcImage' 
cSubClHi
$C;:'`XN
 ((],d
D*3Z0Ad
d<`\8\
D@<840
_Da# 3C
dC[@-jN
d]>C@ Pk
df"FC^YO
<.d&hA
DI/.`^n
djA(l^
dL4R F<@
DlFunk@
<<DLX`y
\d(#t\.
Dx?*	(
E4:|	"=
<e4ym5
e+$]b 
_~ebBrow
^)E|CO
ect?Torrent2
ed /X 
EeQ6*5
EFB$9$xU
E\FwPN
es (x86)\Mic*soft Visual St
Et0''#O
E	-T};2
'EV?L_]
ExitProcess
fA2$a`
fblW.t
f:CJOw
^>FeAX
F> FDD
fH+MC\r
Fht?:C
FlCp`i
$,FLLe
#)$<Fo0
frmMain
^:Ft]:/
Fy.#fbv?
)G0HP>
#(g##;A
+G\bo`
g&cF(U<s
gCmp9B
g!ct3iYKe
GetProcAddress
\gG^r	\zh
ghDCG\
g`IV) 
G$@-L 
Gp`l^J
G>t3YTP
$|h{# 
]h3``h
H6_@aX
hatm@!
Hd&Bzx\
_HEP@z
[heQT%
>hfUYl1X
h' #FX
h.\gXML!1 
}Hm"\K
HO^T)MLrl
%'hu/D
@HvLD0C
=hWWdv
H|x-t_ffv
I 0	;|
,I86>H
icalDr
ICK_DELAF
ifSteamGook?
iJN2 X&a
=~ijnGl
I:Kd;4
Im:DaI
InfoTO
\.i.o%
 @`~i*P`@`` i
I\rd;0
It:gRZ,-
i$tSd `
j08lqUJ
J1:}~6G$
J6hH*m
j729"Q
J{\dT4J%
j,,(*=e
{jfbbl
jh4O/(gy%
jH^dC3g
jo&a?u
Jr ^L/
+;'jrq
jx(V%B
K]>1h-
K6&?SCO+U
 |K7b$8X
K{_9XjB
KERNEL32.DLL
[k^~H<
KH5G\7V
%?kHC+
@@Kjka)
{kljhPp
KO/@&?
|*}<kV
}kW\+H
kY{OtBo
L3hiop
%~Lby:M#
lE.4TM83$3
"LfoPw
]l$@Gt
LheInvokeV
lhe;R-
|lhNGZd{+
lJN2 t
LkCd$O
Lla+(B
L' lL.
l-n/on
Lntlt	a
LoadLibraryA
loseHandJ
>LRe]E
lUHX-+B
\!lX&a
lX[Lw}
!}ly_;
L)^Y"aA
m	5N{a
mC":N>^
M%>E	\T
m[G?Drr
![MI6X
^__^Mkok$P
mm9UCn
	mMl%6`
mnK{Vf
$MNNN$$#
modFucr
m$ O^k
\msvbvm60
MSVBVM60
MSVBVM60.DLL
MultiK.{
mvbv)#v"JpkCR
|-(n_0
@n0Nu&
"N2]F|
/"!n+$7
N)9N:wN
N<dp.V
NEjZUS
>%n@,F
<N.Lx&
>nn.hX
N#ONF\
npLlE;
nsHdR[}7
NT_SINK_Ge
'.$nu1	
N&u^8uF^51
{NV:8H
>N)W_A
'n#YHw
*o`.@]
O0L~y^
"o6D"I
<O#7K_
*O8^.N
<O8Pdxt>
obalAl
-obh.&
Obr"[i
oCHAT_ADDMSG
Ocm%_&
#O@:<F(:
OgH1j{#
=oHW?r@
O@h$Z"
O`/\l"=
o#OfGLX
oof`M1P
O;OIMk:k
 OO&ucAlx
os#+Om
+oTw.!'
O^Xa5_
P-$"2~
p5HBITMA
P-_d/y%
Peek{kn
-pGPH!
phZRJ<
picThumb
!-!'pj\
p.&l&N(q6
p{n()[
pP&,.O
PRINT_
'>Q;^9
q^!CK]
q@I;*i
QlTu/?BmXI
q$nUHVS
q?oJLD
?QTl|7
qt!Wl<7
queezer
QZ&4}k
r\'//]_
r!11r!
r!22r!
r456tr!
`r4B`(0	
r*"9z5
ra`fXbl
raTagg
rAUb9]^9t]
rBf>Z/._
RdK1I*^#
Rd:\SysWOW64
Rh+:'Z'
rJvj_Vd
rp7(P?`
rPB~$_
rs7&I`
RS`curity
ry7Rze
rZA5HX
's7p}!
)s9>m/
:ScanLz
scii'h
SCManPr
s:.cpV
Screensho
SDragQuery
SER_FB77
's<e/Sr)
SHDVVwCtl
s.j"nWq
S`lmrJN
Socket
sOf&pa
s.op-/
>spu"G
%>("SS\.i.=#;R
SS#PUL
s the p
STRUCTIO
stV&y<
'Sx+Jz
_SY)`q
SZoM7Pn`
T4gzF>
t)5H%a
:T6Y,hG
TaenmP]7
\.tA/us
TA~X(0
TEgw *
T@!$G^
!This program cannot be run in DOS mode.
Th':'tR
'Ti3C>
:;tkEe}
t"l8(F
tmrLivLogg+
],t~ n
#(Tn(_&/
}tNABMO
TniM_G
)T&p	|c
TP^gLT
`tPp=+7Z
-tQ`]P
*/TrX%
u02GO_
U8{2>!
#uI?x)
um5H"E r
Un@cvssPATH
upQValu
&uq>F_^G&
UrlCache
us:1]K_
 usiid
@:utQD
V4(Ia,a
v5X;uO
v+9Y`Ni
v.Bf&|
@v@F*@
vGppum$O
VirtualAlloc
VirtualFree
VirtualProtect
v|,kv.<*
V$wN$;
V	yDYC
Vz,)p$a
wapMo~
w`aUd,
_WebHide
(.WGcS
wgt&x(&
_WINLOGON/_B
w.jj-j
-_WMqo
^)w*n]
wo</"R@
WP0!=/E
#W`Rva+
wuC&]v
WW0wF.pp
W?Zvs0
\x!&0O3
x0:w"t
x33[vF`l<8
,xAd~G
xDG=B \lg
X'j'b3
xL2 '|
xlh^NJ5
Xn-eA1
XO&g<W
x<#ON4
X#`PT\ 
XPTPSW
 x>q($
!	~XTS
xu5sx4
@Y'a6t
+ygHij
yGrabbOg	V
y*HHH*
Y@J\cD.
[ Yk/ 9
YP+:S@@
y.ToPlPb 
YX"")fv.:
YXF?xw
Z|+:4	
Z4o8u:
}ZD)cd&
Z{Fl1]
z~GH&P 
zSY3X/=s 
Z$}tw3
ZWdv $
ZW[_Ftp