Analysis Date: 2014-12-04 04:40:38
MD5: 004d3a8a4e83ba6cb30aab9934e704f9
SHA1: b6963cf9233d886b910066546e01cc861f15e578

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4cc125c0d0c2015ba6b0e624593badfe sha1: e8639c8b4e789608b62d8a5a284bc2879b53f638 size: 217088
Section .rdata: md5: 8119be11f6ef17e7103f3a30876ca9ca sha1: f0ac01e34c9cabfc2ee331f95367a4133c0e99b4 size: 24576
Section .data: md5: 6bb0d019c024d69e3716b9a1f62ae3c5 sha1: 0054c48211a6426ccc99ddfe29f3d0d8cde677c0 size: 4096
Section .rsrc: md5: e7a8b228d4278bcfdf5b53fe75df5799 sha1: 87cf0cd2f2c400aaa3072ec39bf031fe5c42a1bf size: 12288
Timestamp: 2010-05-22 11:19:09
Packer: Microsoft Visual C++ v6.0
PEhash: 8ea935557b672cb0ebea1817e14e28ed4ffb8c5e
IMPhash: e0f1b1d313d3c6a5e83691691e7e084a
AV 360 Safe: Virus.Win32.Banito.K
AV Ad-Aware: Gen:Variant.Unruy.5
AV Alwil (avast): Unruy-W [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Backdoor.K.gen!Eldorado
AV Avira (antivir): W32/Agent.EA
AV BullGuard: Gen:Variant.Unruy.5
AV CA (E-Trust Ino): Win32/Unruy.WP
AV CAT (quickheal): W32.Agent.EA
AV ClamAV: no_virus
AV Dr. Web: Trojan.Siggen3.16772
AV Emsisoft: Gen:Variant.Unruy.5
AV Eset (nod32): Win32/Kryptik.AJXD
AV Fortinet: W32/Unruy.BU!tr.dldr
AV Frisk (f-prot): W32/Backdoor.K.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/FakeAlert.NV
AV Grisoft (avg): Downloader.Generic9.CCFA
AV Ikarus: Trojan-Downloader.Win32.Unruy
AV K7: Trojan ( 00050a041 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: Downloader-BZH.gen.a
AV Microsoft Security Essentials: TrojanDownloader:Win32/Unruy.I
AV MicroWorld (escan): Gen:Variant.Unruy.5
AV Norman: Gen:Variant.Unruy.5
AV Rising: Backdoor.Win32.Gpigeon2010.yf
AV Sophos: Mal/Unruy-D
AV Symantec: W32.Unruy.A
AV Trend Micro: TROJ_UNRUY.SMKV
AV VirusBlokAda (vba32): BScope.Trojan.TE.01527

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Network Details:

DNS: ns.dns3-domain.com
Type: A
5.34.183.138
Flows UDP: 192.168.1.1:1031 ➝ 5.34.183.138:53
Flows UDP: 192.168.1.1:1031 ➝ 5.34.183.138:8000

Strings