Analysis Date: 2015-09-30 14:04:58
MD5: dc7e0af117c546b8e35453c76dcebca4
SHA1: ad1c4c554186456607713f09a050270905d7c0df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text  md5: 901fa74d3d5960b6a94600e504a95ffc sha1: 671f970d55dfd012f6e327d8e01934e1f03f60c2 size: 139264
Section .rsrc  md5: 2f1cf8ac829ef2a3ca43e364c8ca3cb3 sha1: 22af0b55b104678539b32b7a7aee82c29204061e size: 4096
Section .reloc md5: 15770b52ae0e4778e0f07d87033ac09e sha1: c44d54f11ad1b92e1285921bbdf16c5f1225983b size: 4096
Timestamp: 2015-06-22 17:56:39
Version:
  LegalCopyright:
  Assembly Version: 1.0.0.0
  InternalName: phpKrUQWg_cr.exe
  FileVersion: 1.0.0.0
  ProductVersion: 1.0.0.0
  FileDescription:
  OriginalFilename: phpKrUQWg_cr.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 5d0d5aed121eaeb5a0f767f90c2bcf791d471cf2
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKD.2508088
AV Dr. Web: Trojan.DownLoad.64914
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2508088
AV BullGuard: Trojan.GenericKD.2508088
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Cutwail.rw3
AV Trend Micro: TROJ_FORUCON.BMC
AV Kaspersky: Trojan.Win32.Cutwail.vnj
AV Zillya!: Trojan.Cutwail.Win32.1138
AV Emsisoft: Trojan.GenericKD.2508088
AV Ikarus: Trojan.Win32.Wigon
AV Frisk (f-prot): W32/Trojan2.OVIJ
AV Authentium: W32/Trojan.WOJO-5531
AV MalwareBytes: Trojan.Agent.ED
AV MicroWorld (escan): Trojan.GenericKD.2508088
AV Microsoft Security Essentials: TrojanDropper:Win32/Cutwail
AV K7: Trojan ( 004567271 )
AV BitDefender: Trojan.GenericKD.2508088
AV Fortinet: MSIL/Injector.KHX!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Crypt_c.AOGI
AV Eset (nod32): Win32/Wigon.PI
AV Alwil (avast): Dropper-gen [Drp]
AV Ad-Aware: Trojan.GenericKD.2508088
AV Twister: no_virus
AV Avira (antivir): TR/Dropper.MSIL.24286
AV Mcafee: Generic.wv
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\ROUTER
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\website.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\website.exe
Creates Process: C:\malware.exe
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: NVahOmrMmA
Starts Service: RASMAN

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1836

Process
↳ Pid 1096

Network Details:

DNS: determinate.ru
Type: A
