Analysis Date: 2015-05-06 13:57:03
MD5: a1e349d6e92d8ccd802652c4fbbd4623
SHA1: b5a130685d385ad4933ad6bb46a973c32a3add27

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 11016c301b1e4fb0581b5649b131a963 sha1: e85b3115d6e4ebd2e9f6aab78cf1778953f1afac size: 28672
Section code md5: 427b1fe57b3b0a37a8fc4c3247916ebe sha1: 7a15c53e18e12606cb0964672e4fef51487d7aaa size: 8192
Section .rdata md5: a176caac26139097855417c6e95ead6e sha1: 10371845d56eee0c07b4626986a0f368ac401a1c size: 8192
Section .data md5: 8314f2e345b49749fb35e1c2f74edd5a sha1: 7d2d6deac3f8b4614cbb97043c344f9932caa197 size: 12288
Section .reloc md5: 80035c54fbbb51c318ec20489727c492 sha1: 9dcdc9cc52255222c23150b66e4354ea6b00d489 size: 4096
Section .imports md5: 87dd19383804f78e6302ebf77279e6ea sha1: 617d60052dc7ece369447d7f65f690e11a10834a size: 4096
Timestamp: 2015-05-04 08:16:38
Packer: Borland Delphi 3.0 (???)
PEhash: d82f8d118e9a6d25b28c5f24319f40aff8e0d2c4
IMPhash: 773a8dfa384fcc4b27dfe1a3396cb63a
AV Ad-Aware: Gen:Variant.Kazy.595353
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.595353
AV Authentium: no_virus
AV Avira (antivir): TR/Proxy.Gen
AV BitDefender: Gen:Variant.Kazy.595353
AV BullGuard: Gen:Variant.Kazy.595353
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject1.55283
AV Emsisoft: Gen:Variant.Kazy.595353
AV Eset (nod32): Win32/Dorkbot.J worm
AV Fortinet: W32/Dorkbot.HX!worm
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.595353
AV Grisoft (avg): BackDoor.SmallX.BSN
AV Ikarus: Worm.Win32.Dorkbot
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!drf
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.595353
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Zbot-HX
AV Symantec: no_virus
AV Trend Micro: Mal_DLDER
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
.
.
l
82z2z2s2d2g4j6k4l62d
\advapi32.dll
advapi32.dll
alg.exe
\apiSoftCA
calc.exe
C:\Documents and Settings\All Users\mscpmu.exe
crypt32.dll
csrss.exe
dnsapi.dll
explorer.exe
iexplore.exe
\Internet Explorer\
iphlpapi.dll
jjjj
KOPWELERGKR23930DW
lsass.exe
netapi32.dll
netutils.dll
notepad.exe
\ntdll.dll
ole32.dll
%rand%
rpcrt4.dll
rundll32.exe
samcli.dll
secur32.dll
SeDebugPrivilege
services.exe
shell32.dll
shlwapi.dll
smss.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Uazi Soft
spoolsv.exe
--startup
svchost.exe
System
[System Process]
UaziVer
%uniq%
%uniq%.exe
urlmon.dll
user32.dll
userenv.dll
w.exe
WindowsAudio
\WindowsAudio\
wininet.dll
winlogon.exe
ws2_32.dll
wtsapi32.dll
:Zone.Identifier
0 0$0(0,0004080<0@0D0L0P0T0\0`0d0h0l0p0t0x0|0
0$0*040:0G0n0t0
0040<0@0X0\0p0x0
0:0D0I0S0]0
0/0F0Z0p0v0
02373=3D3
> >$>(>,>0>4>8><>@>D>H>P>T>X>\>`>d>h>l>p>t>x>|>
:);0;D;K;d;k;q;x;
:0:]:j:
:%:0:@:T:Z:a:u:|:
?!?'?0?:?u?{?
101@1M1^1m1t1
1 1$1(1,1014181<1@1D1H1L1t1x1|1
131K1_1f1s1z1
151>1D1O1b1k1q1}1
>1?D?l?q?{?
1T1q1w1
1z2z3reas34534543233245x6
2"2'222<2i2t2{2
2!2'232|2
2&3,383=3J3O3U3]3g3l3r3z3
2<3A3F3L3S3X3p3x3~3
=!=2=7=H=M=d=
? ?&?,?2?8?>?D?J?P?V?\?b?p?t?x?|?
3 3,383t3x3
;3;8;B;G;Q;W;k;~;
?!?&?3?8?=?J?O?
>)>3>9>A>H>N>U>[>b>g>n>t>}>
4!454B4O4T4]4c4w4
4+595Q5
:$:(:,:4:8:<:@:D:H:L:P:T:X:t;
<,<4<@<F<L<R<X<^<d<j<p<v<|<
</<4<l<w<
4X4\4d4h4
5 5$5(5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5
5)555N5\5o5
5$5)585?5E5O5V5d5n5t5|5
5|9E:X:
5I6V6j6
6,63696H6O6T6^6d6o6w6~6
6P7T7\7`7x7|7
7&7-7<7C7I7Y7_7e7l7
7(7A7N7U7
7,9Z9|9
<&<,<7<=<H<N<Y<_<l<q<
7X8n8x8
8&8-848J8n8
8 8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8
8)8B8K8Q8c8
969I9%:2:=:U;b;m;*<
9"989\9m9
9!9+979>9F9W9i9q9{9
9"9(9.949:9H9L9P9T9X9\9`9d9h9l9p9t9x9
9#9(9.9j9w9|9
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
arvsjluojtcscswmhirncxrsftkacwrwhpy
B0M0W0\0i0
B.imports
CharLowerW
CloseHandle
closesocket
CoCreateGuid
CopyFileW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
@.data
debug_cache_dump_2384394.dmp
DeleteFileW
?*?/???D?J?W?^?
%dMutex%dExplorer%dMutex%d
dnsapi.dll
DNSAPI.dll
DnsQuery_A
DnsRecordListFree
downloader 
downloader2 
DuplicateHandle
E#+E/^ZY
EnterCriticalSection
<:=@=E=Q=^=c=i=q=
ExitProcess
ExitThread
>F>]>m>{>
=:=G=a=v=
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetFileSize
GetLastError
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessImageFileNameW
GetProcessVersion
GetQueuedCompletionStatus
GetShellWindow
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTempPathW
GetTickCount
GetUserNameW
GetVersionExA
GetVersionExW
GetWindowThreadProcessId
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InitializeCriticalSection
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetOptionA
;\;i;o;u;~;
IsWoW64Process
kernel32.dll
KERNEL32.dll
kernelbase.dll
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LockFile
LookupPrivilegeValueW
=l=p=x=|=
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
<,<M<}<
MapViewOfFile
:M:c:s:
MessageBoxA
MultiByteToWideChar
MUTEX_NAME_
<&=m=z=
ntdll.dll
NtQueryDirectoryFile
NtQueryInformationThread
NtQueueApcThread
NtResumeThread
ObtainUserAgentString
ole32.dll
OpenProcess
OpenProcessToken
Process32FirstW
Process32NextW
psapi.dll
Qkkbal
QueryPerformanceCounter
Range: bytes=%d-%d
`.rdata
ReadFile
reboot
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEnumValueW
RegNotifyChangeKeyValue
RegQueryValueA
RegQueryValueExW
RegSetValueExW
.reloc
ResetEvent
SetCurrentDirectoryW
SetEvent
SetFilePointer
SetHandleContext
SetLastError
SetUnhandledExceptionFilter
shell32.dll
SHELL32.dll
SHGetFolderPathW
shlwapi.dll
SHLWAPI.dll
StrChrW
StrRChrW
StrStrW
>)>?>t>
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
uninstall
UnmapViewOfFile
update 
update2 
urlmon.dll
user32.dll
USER32.dll
User Agent
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualQuery
>V>`>q>v>|>
WaitForSingleObject
white.eebgghfs.ru
white.jwzuyjyk.ru
white.natntbuo.ru
white.vfukgsuopav.ru
white.xonpqigw.ru
WideCharToMultiByte
wininet.dll
WININET.dll
WriteFile
WriteProcessMemory
ws2_32.dll
WS2_32.dll
WSAGetLastError
WSARecvFrom
WSASendTo
WSASocketW
WSAStartup
wsprintfA
wWXZOlIzwOwzIlOZXWw
<$=Z=n=
ZwQueryDirectoryFile
ZwQueryInformationThread
ZwQueueApcThread
ZwResumeThread
ZwSetLdtEntries