Analysis Date: 2015-05-01 19:52:11
MD5: e0c9bd9bbd1022f9081d0d518dec8e49
SHA1: a9fcb3844991bbbe25fc7b3de4f077e69e4cc218

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 9bfd4303029a0b2e5efe9d7c1460b3a2 sha1: 23cb0a33e51a9e55b8d85cbbe01088a4865a420c size: 22016
Section .rsrc md5: 0243c9a7f8755f2c2b18037cdad6cc91 sha1: 1ffa22fd5de34253aa3b8ffab97ec5c401513128 size: 1024
Section .reloc md5: e5019272bda4387bd749dc51ec7f5bdf sha1: 5774a920e12b14916780e3b6c0ae2da9e9e0cf37 size: 512
Timestamp: 2015-04-18 00:21:06
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 2d36371c80c47caea3790aeefab740753fc75db5
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Barys.10219
AV Alwil (avast): GenMalicious-DQS [Trj]
AV Arcabit (arcavir): Gen:Variant.Barys.10219
AV Authentium: W32/MSIL_Bladabindi.I2.ge!Eldorado
AV Avira (antivir): TR/Dropper.Gen7
AV BitDefender: Gen:Variant.Barys.10219
AV BullGuard: Gen:Variant.Barys.10219
AV CA (E-Trust Ino): Win32/DotNetDl.A!generic
AV CAT (quickheal): Backdoor.Bladabindi.AL3
AV ClamAV: Win.Backdoor.Bladabindi-1
AV Dr. Web: BackDoor.Bladabindi.1056
AV Emsisoft: Gen:Variant.Barys.10219
AV Eset (nod32): MSIL/Bladabindi.BC
AV Fortinet: MSIL/Bladabindi.SMC!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Barys.10219
AV Grisoft (avg): PSW.ILUSpy
AV Ikarus: Backdoor.MSIL.Bladabindi
AV K7: Trojan ( 700000121 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.NJBot.MSIL
AV Mcafee: BackDoor-NJRat!E0C9BD9BBD10
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi.AJ
AV MicroWorld (escan): Gen:Variant.Barys.10219
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/DotNet-P
AV Symantec: Backdoor.Ratenjay
AV Trend Micro: BKDR_BLBINDI.SMN
AV Twister: Trojan.0000000000/480000.mg
AV VirusBlokAda (vba32): Backdoor.MSIL.Agent

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\All Users\Task Manager.exe
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\All Users\Task Manager.exe"
Creates Mutex: d63d22bda9e0fe316326fb456ceab29f

Process
↳ "C:\Documents and Settings\All Users\Task Manager.exe"

Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝
1\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\All Users\Task Manager.exe" "Task Manager.exe" ENABLE
Creates Process: dw20.exe -x -s 284
Creates Mutex: d63d22bda9e0fe316326fb456ceab29f
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Winsock DNS: wahib99.on-ip.biz

Process
↳ dw20.exe -x -s 284

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\15C25.dmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\15C25.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\All Users\Task Manager.exe" "Task Manager.exe" ENABLE

Network Details:

DNS: wahib99.on-ip.biz
Type: A
208.73.210.218
DNS: wahib99.on-ip.biz
Type: A
208.73.211.177
DNS: wahib99.on-ip.biz
Type: A
208.73.211.242
DNS: wahib99.on-ip.biz
Type: A
208.73.210.210
Flows TCP: 192.168.1.1:1031 ➝ 208.73.210.218:1177

Raw Pcap
0x00000000 (00000)   313731                                171


Strings
.I
|'|'|
??-??-??
" ..
0.7d
1177
AllUsersProfile
clear
cmd.exe /c ping 0 -n 2 & del "
d63d22bda9e0fe316326fb456ceab29f
Download ERROR
" ENABLE
[ENTER]
.exe
Executed As 
Execute ERROR
Execute ERROR 
False
getvalue
[kl]
Microsoft
netsh firewall add allowedprogram "
netsh firewall delete allowedprogram "
prof
SEE_MASK_NOZONECHECKS
SGFjS2Vk
Software
Software\
Software\Microsoft\Windows\CurrentVersion\Run
start
SystemDrive
[TAP]
Task Manager.exe
True
Update ERROR
Update ERROR 
Updating To 
wahib99.on-ip.biz
 Win
Windows
 x64
 x86
xadefg
yy-MM-dd
yy/MM/dd 
add_SessionEnding
Application
AppWinStyle
</assembly>
Assembly
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
avicap32.dll
BitConverter
Bitmap
Boolean
capGetDriverDescriptionA
cbName
.cctor
ChangeType
ClearProjectError
Command
CompareMethod
CompareObjectEqual
CompareString
CompDir
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
CompressionMode
ComputeHash
Computer
ComputerInfo
Concat
ConcatenateObject
ConditionalCompareObjectEqual
ConditionalCompareObjectNotEqual
connect
Connect
Contains
Conversion
Conversions
Convert
CopyFromScreen
CopyPixelOperation
_CorExeMain
CreateInstance
CreateSubKey
Cursor
Cursors
DateAndTime
DateTime
DebuggerStepThroughAttribute
Delete
DeleteSubKey
DeleteValue
DirectoryInfo
Dispose
DoEvents
DownloadData
DrawImage
Encoding
EndApp
EndsWith
Environ
Environment
EnvironmentVariableTarget
Exception
Exists
FileInfo
FileMode
FileStream
FileSystemInfo
FromBase64String
FromImage
get_Assembly
GetAsyncKeyState
get_Available
get_Bounds
GetBytes
get_CapsLock
get_Chars
get_Client
get_CtrlKeyDown
GetCurrentProcess
get_CurrentUser
get_Date
get_Default
get_Directory
GetEntryAssembly
GetFolderPath
GetForegroundWindow
get_FullName
get_Handle
get_Height
get_Info
get_Jpeg
get_Keyboard
GetKeyboardLayout
GetKeyboardState
get_LastWriteTime
get_Length
get_LocalMachine
get_Location
get_MachineName
get_MainWindowTitle
get_Message
GetModules
get_Name
get_Now
GetObjectValue
get_OSFullName
get_OSVersion
get_Parent
get_Position
get_PrimaryScreen
GetProcessById
get_ProcessName
get_Registry
get_ServicePack
get_ShiftKeyDown
GetStream
GetString
GetTempFileName
GetTypeFromHandle
GetTypes
get_UserName
get_UTF8
GetValue
GetValueNames
GetVolumeInformation
GetVolumeInformationA
get_Width
GetWindowText
GetWindowTextA
GetWindowTextLength
GetWindowTextLengthA
GetWindowThreadProcessId
Graphics
GZipStream
HashAlgorithm
hProcess
ImageFormat
Interaction
IntPtr
kernel32
Keyboard
_Lambda$__1
_Lambda$__2
LastAS
LastAV
lastcap
lastKey
LateCall
LateGet
LateSet
lpFileSystemFlags
lpFileSystemNameBuffer
lpMaximumComponentLength
lpRootPathName
lpszName
lpszVer
lpVolumeNameBuffer
lpVolumeSerialNumber
MapVirtualKey
MaxLength
MD5CryptoServiceProvider
MemoryStream
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
Module
<Module>
Monitor
mscoree.dll
mscorlib
NetworkStream
NewLateBinding
nFileSystemNameSize
NtSetInformationProcess
nVolumeNameSize
Object
OpenSubKey
op_Equality
OperatingSystem
Operators
op_Explicit
OrObject
ParameterizedThreadStart
PixelFormat
Plugin
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
Process
processInformation
processInformationClass
processInformationLength
ProjectData
ReadAllBytes
ReadByte
Receive
Rectangle
RegistryKey
RegistryKeyPermissionCheck
RegistryProxy
RegistryValueKind
@.reloc
Remove
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
Screen
    </security>
    <security>
SelectMode
ServerComputer
SessionEndingEventArgs
SessionEndingEventHandler
SetEnvironmentVariable
set_MinWorkingSet
set_Position
SetProjectError
set_ReceiveBufferSize
set_ReceiveTimeout
set_SendBufferSize
set_SendTimeout
SetValue
Socket
SocketFlags
SpecialFolder
StandardModuleAttribute
STAThreadAttribute
Stream
String
StringBuilder
Strings
#Strings
System
System.Diagnostics
System.Drawing
System.Drawing.Imaging
SystemEvents
System.IO
System.IO.Compression
System.Net
System.Net.Sockets
System.Reflection
System.Runtime.CompilerServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
TcpClient
!This program cannot be run in DOS mode.
Thread
ThreadStart
ToArray
ToBase64String
ToBoolean
ToInt32
ToInteger
ToLong
ToLower
ToString
ToUnicodeEx
ToUpper
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
user32
user32.dll
v2.0.50727
VKCodeToUnicode
wDriver
WebClient
WinTitle
WrapNonExceptionThrows
WriteAllBytes
WriteByte
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>