Analysis Date: 2014-11-04 05:28:32
MD5: 02b969d969c475098f9d435a5766efd6
SHA1: a6cdf69acd035108fa867e0bc5f2aa38ea15e729

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f2507b0db62d2941e731cb3dde4d2ac1 sha1: 5dd4c7fa5b4960560bb807fd21bb8d32669b3c5c size: 139264
Section .rdata: md5: bc20ecfc5c58f58ab2639d49d38b9259 sha1: 3afa744d7e190301fc52dd8b46602f7036ba3ad5 size: 24576
Section .data: md5: f463f84c13717c6ece54c187bcbd4a15 sha1: fbb95a3efb1ce75caddf34a141cf03891060c381 size: 4096
Section .rsrc: md5: a3879151318d159eacea2a8909dc5930 sha1: 2e6a9e209cc8760eca910e6eda9013282754177a size: 12288
Timestamp: 2010-06-23 10:43:48
Packer: Microsoft Visual C++ v6.0
PEhash: 0c8756f3f30f6f25bbe5e69bca6bb33ae6d80cb8
IMPhash: 11e1150409a279d7bd40a6e8642cabec
AV 360 Safe: Virus.Win32.Banito.Q
AV Ad-Aware: Gen:Variant.Unruy.5
AV Alwil (avast): Unruy-W [Trj]
AV Arcabit (arcavir): Banito.Akr
AV Authentium: W32/Backdoor.K.gen!Eldorado
AV Avira (antivir): W32/Agent.EA
AV BullGuard: Gen:Variant.Unruy.5
AV CA (E-Trust Ino): Win32/Banito.EW!genus
AV CAT (quickheal): W32.Agent.EA
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bandito.1082
AV Emsisoft: Gen:Variant.Unruy.5
AV Eset (nod32): Win32/Kryptik.AJXD
AV Fortinet: W32/Generic.D!tr
AV Frisk (f-prot): W32/Backdoor.K.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/FakeAlert.NV
AV Grisoft (avg): Downloader.Generic10.BK
AV Ikarus: Trojan.Win32.Agent
AV K7: Trojan ( 00050a041 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.ExeReplRename
AV Mcafee: Downloader-BZH.gen.a
AV Microsoft Security Essentials: TrojanDownloader:Win32/Unruy.I
AV MicroWorld (escan): Gen:Variant.Unruy.5
AV Norman: Gen:Variant.Unruy.5
AV Rising: Backdoor.Win32.Deflate.f
AV Sophos: Mal/Unruy-D
AV Symantec: Trojan.Artilyb
AV Trend Micro: TROJ_UNRUY.SMKV
AV VirusBlokAda (vba32): BScope.Trojan.TE.01527

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Network Details:

DNS: ns.dns3-domain.com
Type: A
Answer: 5.34.183.138
Flows: UDP 192.168.1.1:1031 ➝ 5.34.183.138:53
Flows: UDP 192.168.1.1:1031 ➝ 5.34.183.138:8000

Strings