Analysis Date: 2016-01-29 05:59:01
MD5: bd6714c7ae8f64d2a4f682aef8279684
SHA1: accaf235bbe51bf0f78c551728d8c36c253e7bbd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 226a262749a456d23cd3c1d7f8b0e846 sha1: 5a1e35fd58dd58e591b62b2f7372430f4c42a2ed size: 86016
Section .rsrc: md5: b9ad44ed90545d43e9c8ef0e51fc898f sha1: b1f7b57dfbf30432bef1bb6702b0707d039980e5 size: 4096
Section .reloc: md5: 8857359d4d0f3369f32fb6c2e4bb2f29 sha1: a6fbe2e63be25ed1ee8bb6a76c42e79416354309 size: 4096
Timestamp: 2016-01-24 03:56:23
Version:
  LegalCopyright:
  Assembly Version: 0.0.0.0
  InternalName: 1555.exe
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
  FileDescription:
  OriginalFilename: 1555.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 4ab24380781d38deda9c575f8c49a191fef597ce
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): BDS/Bladabindi.98304.5
AV Twister: No Virus
AV Ad-Aware: Trojan.GenericKD.3005612
AV Alwil (avast): No Virus
AV Eset (nod32): MSIL/Bladabindi.BH
AV Grisoft (avg): Packed3_c.JBB
AV Symantec: No Virus
AV Fortinet: W32/Disfa.BH!tr
AV BitDefender: Trojan.GenericKD.3005612
AV K7: Trojan ( 00493a0c1 )
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV MicroWorld (escan): Trojan.GenericKD.3005612
AV MalwareBytes: Backdoor.Bladabindi
AV Authentium: No Virus
AV Emsisoft: Trojan.GenericKD.3005612
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.MSIL.Bladabindi
AV Zillya!: No Virus
AV Kaspersky: Trojan.MSIL.Disfa.bqg
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Trojan.GenericKD.3005612
AV Arcabit (arcavir): Trojan.GenericKD.3005612
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.23009
AV F-Secure: Trojan.GenericKD.3005612

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5910ec37b3ad75234def1e83973302f0 ➝ "C:\malware.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Software\5910ec37b3ad75234def1e83973302f0\[kl] ➝ [ENTER]\\r\\n\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\5910ec37b3ad75234def1e83973302f0 ➝ "C:\malware.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE
Creates Mutex: 5910ec37b3ad75234def1e83973302f0
Winsock DNS: fkfkak.codns.com

Process
↳ netsh firewall add allowedprogram "C:\malware.exe" "malware.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:malware.exe\\x00
Creates File: PIPE\lsarpc

Network Details:

DNS: fkfkak.codns.com
Type: A
127.0.0.1
