Analysis Date: 2015-05-08 12:36:06
MD5: e41f8a7f6ee7b980d75498d3cfa6966d
SHA1: a69a5e1a2ec9a79484215e2b4eab3df94ae2354c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 8ba83da8fb31e1209b160af9374cbf04 sha1: f4d04a79972ab7ea5c3987cedb0814e7b87e9d38 size: 61440
Section .rsrc: md5: a9ee6b4b61f8cf35dfd355ffa29cd9ba sha1: 2972ba91a5186b9dd926015673d5a7ae60ca3934 size: 4096
Section .reloc: md5: 5b9e8333d4d80186c24ba9c3b7257ee7 sha1: 010bbc0e2a2f5e734c925d954ee4c89005db5cd1 size: 4096
Timestamp: 2015-02-02 22:47:00
Version:
  LegalCopyright:
  Assembly Version: 0.0.0.0
  InternalName: zmmm1.exe
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
  FileDescription:
  OriginalFilename: zmmm1.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: acbab8ad068e05f0f028958f40ec55ba821c8989
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.360122
AV Alwil (avast): Crypt-NT [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.360122
AV Authentium: W32/Trojan.VVBA-1981
AV Avira (antivir): TR/Dropper.MSIL.Gen
AV BitDefender: Gen:Variant.Kazy.360122
AV BullGuard: Gen:Variant.Kazy.360122
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r3
AV ClamAV: Win.Trojan.Bladbindi
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.360122
AV Eset (nod32): MSIL/Injector.CQJ
AV Fortinet: W32/Generic!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Packed:MSIL/SmartIL.A
AV Grisoft (avg): MSIL6.BWRK
AV Ikarus: Trojan.MSIL2
AV K7: Trojan ( 700000121 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV MicroWorld (escan): Gen:Variant.Kazy.360122
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE
Creates Process: dw20.exe -x -s 284
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2
Winsock DNS: 3omare101.no-ip.biz

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe\\x00
Creates File: PIPE\lsarpc

Process
↳ dw20.exe -x -s 284

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\146A9.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\146A9.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: 3omare101.no-ip.biz
Type: A

Strings
.
F
..
.
9
.
*.
0.0.0.0
000004b0
1.0.15.0
AayH)
Assembly Version
 ENY
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
zmmm1.exe
05`7(v
;	0ABB
0/uEju%d a
1m[V.*
2!B5mK
2C:\Users\ZORO1\Desktop\Mr.Hackers DZ DEV-POINT.snk
\3dWw}
3jP6MY
%3MN~OB
4System.Web.Services.Protocols.SoapHttpClientProtocol
5Qr+,kZ
7b90944d815f4cfe9f202718e5735896
7kF9Ty
+|9AHW
9;]!v$g
?a,37;]
ABtD'F~HyJrLyN{P5RkTdVbX?Zo\>^9`
A'C'E)G&I.
Activator
add_ResourceResolve
a$_{mO	Y
AppDomain
ApplicationBase
AssemblyKeyFileAttribute
b0BF$I
B0D+F?H!J LcN+P=R?
Binder
BindingFlags
BitConverter
BlockCopy
Boolean
Buffer
bup}43$
b^wF-9
.cctor
/cgUF%~
ClearProjectError
CompareString
CompilationRelaxationsAttribute
CompressionMode
Computer
ComVisibleAttribute
Concat
_CorExeMain
CreateDecryptor
CreateInstance
Create__Instance__
CryptoStream
CryptoStreamMode
C,ZPG_
^d:^~[
DeflateStream
DESCryptoServiceProvider
/dHYP;7
Dispose
Dispose__Instance__
do^saX
D?sx]k
EditorBrowsableAttribute
EditorBrowsableState
E/G:I9K8
Encoding
EndsWith
Equals
: etLu
Exception
f/gekN
F&H$J1L,
F#*JQS
:f l:/c
fUhYjYlZn^pIr
FzErp}
G1I>K)M=
g+$^{7K
g8k*`K
'gAGG"_
gb4a4k
GetBytes
get_Current
get_CurrentDomain
GetCurrentProcess
get_Default
GetEnumerator
GetExecutingAssembly
get_FullName
GetHashCode
get_IsClass
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_ModuleName
get_Modules
get_Name
GetObject
GetObjectValue
GetTypeFromHandle
GetTypes
G:I%K/M+O#Q!S
&gN22pV
)G-;rV
|Gw.Ec
GZipStream
h00 nQ
H0J?L(N<
HideModuleNameAttribute
H%J?L(N=P?R2T!V>X/Z>
H<J%L#N&P?R4
H}[lG8
hSh>T&O
$^$iaL,
ICryptoTransform
IDisposable
IEnumerator
~iI5!%
}imd21
Interaction
Intern
InvokeMember
+i	Rfo
JK=u	Qs
=jNlm.z
{jR'JM:Xz
K+0	q[
k7q;Z6L
K9cc|V
K/9W\A
KBc^Rj
~k{iZVE
+KW(L<J
LateGet
Ln#Cmy
l#QzDE
:L_um=
/`~`m]
m&42y*miM/
m9XM;n
MemoryStream
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
MoveNext
mscoree.dll
mscorlib
MsgBox
MsgBoxResult
MsgBoxStyle
MyGroupCollectionAttribute
Na[W8%
Ndm/i&
NewLateBinding
:Nl6	}
no.0q}
NO'M7U
ObfuscationAttribute
 oO^3H
op_Equality
Operators
P^4~qO
pL"])>a
P-QiFH
ProcessModule
ProcessModuleCollection
ProjectData
QrA~fsv
q[Wlv	jV
Q!X@]j
ReadOnlyCollectionBase
@.reloc
ResolveEventArgs
ResolveEventHandler
ResourceManager
]RQY/h
`.rsrc
rTG1+u
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
s|E!h}
set_Position
SetProjectError
S*SE}UK)
StandardModuleAttribute
STAThreadAttribute
#Strings
StripAfterObfuscation
SymmetricAlgorithm
System
System.Collections
System.ComponentModel
System.Diagnostics
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
T@[6Z^p
T{797-
-.T9in
TBt`zP
!This program cannot be run in DOS mode.
ThreadStaticAttribute
ToArray
ToCharArray
{toj&UK
ToString
$@tTR9
t@v@xJzN|E~F
=|u0JE
U7W5Y?[y
>uDsA.
 U|go-?
v2.0.50727
v8g=>S
Version
V-FG.x
w4LfzX
wqsN&g\@
WrapNonExceptionThrows
W#W'JBH
\X3}ar
xReF[,z>
YanoAttribute
:>]-Yg
YZ O5v)
zmmm1.exe