Analysis Date: 2014-12-15 03:05:40
MD5:  11d6d86dad57adc23ebc043dfc0575ee
SHA1: ba33ace549e6298ea9dd0e96840885f20750aca7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Sections (hashes are over each section's raw data on disk):
  .text   size 15872  md5 d27b46904dd217edadaec636df481c93  sha1 70599148673afd5060bdb37d7024d74e8fe12693
  .data   size 0      md5 d41d8cd98f00b204e9800998ecf8427e  sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  .xcpad  size 0      md5 d41d8cd98f00b204e9800998ecf8427e  sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  .idata  size 1024   md5 37404f81f77deaae50eb5d162b96b170  sha1 b2875f8862f61060350d0fa7447a9411a8117939
  .reloc  size 512    md5 1d2826c44311e3eea7285e947f031826  sha1 151a275336fe91e4b1ac431cddfb43c73c5b6186
  .rsrc   size 1024   md5 5cf8d0795919dc08650dd1220fbdca28  sha1 5183aaa8055fa6a6c50174bc236eab7ccab89075

The .data and .xcpad hashes are the MD5 and SHA1 of the empty input: both sections have SizeOfRawData 0, so they contribute nothing to hash-based matching. Note that all of these hashes, and the IMPhash and PEhash below, describe the wrapper stub, not the wrapped program; matching on them clusters samples by packer build, not by malware family.

Timestamp: 1970-01-01 00:00:47 (PE TimeDateStamp = 47, i.e. effectively zeroed; not a usable build time)

Version info:
  LegalCopyright:
  PackagerVersion: 7.0.162
  InternalName:
  FileVersion: 1.0.0.0
  CompanyName:
  Comments:
  ProductName:
  ProductVersion: 1.0.0.0
  FileDescription:
  Packager: Xenocode Postbuild 2009 for .NET Beta
  OriginalFilename:

Packer (signature scan): Borland Delphi 3.0 (???)
  The question marks are warranted; the Delphi match is a false positive. The Packager/PackagerVersion fields, the "Xenocode Virtual Appliance Runtime" strings, the _xvm_* mutex and shared-memory names and the c:\XRoot_Build\X7.0\Vm\Release\x86\StubExe.pdb path (see Strings below) identify this file as a Xenocode Postbuild 2009 virtual-appliance stub that unpacks and runs an embedded application. The section name .xcpad is consistent with the same tooling.

PEhash:  6ad5567155f08a082a5151db3c6ea25002b4c893
IMPhash: 4582ffdd7eb98cb63a937096204182b7
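Re-deriving the section table above is a one-minute check worth doing before trusting any hash in a report: the two empty-section hashes and the 47-second timestamp follow directly from the section headers and the COFF header. The Python below is an added example, not part of the original report or of the sandbox's own tooling. It parses the IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER entries with struct and hashes exactly the bytes each section has on disk; the input it runs against is a constructed minimal PE32 produced by build_test_pe() (an assumed stand-in, not the analysed sample), and ANALYSIS_TS is this report's analysis date. Pass the bytes of a real file to parse_pe() for the actual check.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
COFF_HDR = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
# Analysis date from this report (2014-12-15 03:05:40 UTC), used as an upper bound for build times.
ANALYSIS_TS = int(datetime(2014, 12, 15, 3, 5, 40, tzinfo=timezone.utc).timestamp())


def parse_pe(data):
    """Return (TimeDateStamp, sections) for a PE image held in memory.

    Each section dict carries the name, VirtualSize, SizeOfRawData and the MD5/SHA1 of the
    bytes actually present on disk, which is what per-section hashes in sandbox reports are.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, _, _, _, _, _chars = struct.unpack_from(
            SECTION_HDR, data, table + struct.calcsize(SECTION_HDR) * i)
        # SizeOfRawData 0 means nothing on disk: the hash is that of the empty string.
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return timestamp, sections


def format_timestamp(ts):
    """Render TimeDateStamp the way the report does (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timestamp_plausible(ts, analysis_ts):
    """A stamp before 1990 (zeroed or forged) or after the analysis time is not a real build time."""
    return 631152000 <= ts <= analysis_ts  # 631152000 = 1990-01-01T00:00:00Z


def build_test_pe(timestamp=47):
    """Constructed minimal PE32 (not the analysed sample): a 300-byte .text section and a .data
    section with VirtualSize 0x100 but SizeOfRawData 0, like the report's .data and .xcpad."""
    nsections, opt_size, raw_off = 2, 0xE0, 0x200
    text = b"\x55\x8b\xec" * 100                            # push ebp / mov ebp,esp, repeated
    img = bytearray(raw_off + len(text))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into(COFF_HDR, img, 0x44, 0x14C, nsections, timestamp, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)                # optional header Magic = PE32
    table = 0x58 + opt_size
    headers = [
        (b".text", len(text), 0x1000, len(text), raw_off, 0x60000020),  # CODE|EXECUTE|READ
        (b".data", 0x100, 0x2000, 0, 0, 0xC0000040),                    # INITIALIZED_DATA|READ|WRITE
    ]
    for i, (name, vs, va, rs, rp, chars) in enumerate(headers):
        struct.pack_into(SECTION_HDR, img, table + 40 * i, name, vs, va, rs, rp, 0, 0, 0, 0, chars)
    img[raw_off:raw_off + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    ts, secs = parse_pe(build_test_pe())
    verdict = "" if timestamp_plausible(ts, ANALYSIS_TS) else "(not a real build time)"
    print("Timestamp:", format_timestamp(ts), verdict)
    for s in secs:
        print(f"  {s['name']:<8} size {s['size']:<6} md5 {s['md5']}  sha1 {s['sha1']}")
```

The parser deliberately ignores the optional header apart from its size, because the per-section hashes depend only on the section table; for a real sample, compare the computed .text hash against the table above, and treat any section whose VirtualSize is non-zero while SizeOfRawData is zero as runtime-populated memory that static hashing will never see.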
AV results (29 engines, 24 detections, 5 clean):
  360 Safe:                       Gen:Variant.Barys.2469
  Ad-Aware:                       Gen:Variant.Barys.2469
  Alwil (avast):                  Trojan-gen:Win32:Trojan-gen
  Arcabit (arcavir):              Gen:Variant.Barys.2469
  Authentium:                     W32/Risk.JPCN-5436
  Avira (antivir):                TR/Dropper.Gen
  BullGuard:                      Gen:Variant.Barys.2469
  CA (E-Trust Ino):               Win32/Poison.BT
  CAT (quickheal):                no_virus
  ClamAV:                         Trojan.Poison-517
  Dr. Web:                        Trojan.DownLoader.64331
  Emsisoft:                       Gen:Variant.Barys.2469
  Eset (nod32):                   Win32/Poison.NAE
  Fortinet:                       W32/BDoor.DKI!tr.bdr
  Frisk (f-prot):                 W32/MalwareF.GFR
  F-Secure:                       Gen:Variant.Barys.2469
  Grisoft (avg):                  BackDoor.Generic12.CDJV
  Ikarus:                         Backdoor.Poison
  K7:                             Backdoor ( 04c4c6e51 )
  Kaspersky:                      Backdoor.Win32.Poison.aec
  MalwareBytes:                   Backdoor.Bot
  Mcafee:                         BackDoor-DKI.gen.ak
  Microsoft Security Essentials:  Backdoor:Win32/Poison.M
  MicroWorld (escan):             Gen:Variant.Barys.2469
  Rising:                         no_virus
  Sophos:                         no_virus
  Symantec:                       Backdoor.Trojan
  Trend Micro:                    no_virus
  VirusBlokAda (vba32):           no_virus

Reading the table: six engines (CA, ClamAV, Eset, Ikarus, Kaspersky, Microsoft) independently name the Poison (Poison Ivy) backdoor family, and Fortinet and McAfee agree with each other on the BDoor/BackDoor-DKI signature. The seven identical Gen:Variant.Barys.2469 results come from products sharing the Bitdefender detection engine and count as one heuristic hit, not seven opinions. Five engines report nothing, which is unsurprising for a payload wrapped in a commercial application-virtualisation stub; the stub, not the payload, is what a static scanner sees.
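Counting vendors is the wrong way to read the table above: seven engines return the identical shared-engine string Gen:Variant.Barys.2469, which is one opinion repeated, while six engines independently name Poison. The Python below is an added example, not the analysis platform's code; it encodes that reading by ranking candidate families on the number of distinct label strings before the number of vendors. The GENERIC token list and the "shorter than five characters is a variant suffix" rule are practical assumptions for this label set, not a standard.

```python
import re
from collections import defaultdict

# Detection labels copied from the report above as (vendor, label) pairs.
REPORT_LABELS = [
    ("360 Safe", "Gen:Variant.Barys.2469"),
    ("Ad-Aware", "Gen:Variant.Barys.2469"),
    ("Alwil (avast)", "Trojan-gen:Win32:Trojan-gen"),
    ("Arcabit (arcavir)", "Gen:Variant.Barys.2469"),
    ("Authentium", "W32/Risk.JPCN-5436"),
    ("Avira (antivir)", "TR/Dropper.Gen"),
    ("BullGuard", "Gen:Variant.Barys.2469"),
    ("CA (E-Trust Ino)", "Win32/Poison.BT"),
    ("CAT (quickheal)", "no_virus"),
    ("ClamAV", "Trojan.Poison-517"),
    ("Dr. Web", "Trojan.DownLoader.64331"),
    ("Emsisoft", "Gen:Variant.Barys.2469"),
    ("Eset (nod32)", "Win32/Poison.NAE"),
    ("Fortinet", "W32/BDoor.DKI!tr.bdr"),
    ("Frisk (f-prot)", "W32/MalwareF.GFR"),
    ("F-Secure", "Gen:Variant.Barys.2469"),
    ("Grisoft (avg)", "BackDoor.Generic12.CDJV"),
    ("Ikarus", "Backdoor.Poison"),
    ("K7", "Backdoor ( 04c4c6e51 )"),
    ("Kaspersky", "Backdoor.Win32.Poison.aec"),
    ("MalwareBytes", "Backdoor.Bot"),
    ("Mcafee", "BackDoor-DKI.gen.ak"),
    ("Microsoft Security Essentials", "Backdoor:Win32/Poison.M"),
    ("MicroWorld (escan)", "Gen:Variant.Barys.2469"),
    ("Rising", "no_virus"),
    ("Sophos", "no_virus"),
    ("Symantec", "Backdoor.Trojan"),
    ("Trend Micro", "no_virus"),
    ("VirusBlokAda (vba32)", "no_virus"),
]

NO_DETECTION = {"no_virus", "", "clean"}

# Tokens naming a class, platform or heuristic rather than a family (assumed list, not exhaustive).
GENERIC = {
    "gen", "variant", "trojan", "backdoor", "bdoor", "win32", "w32", "tr", "dropper",
    "downloader", "risk", "bot", "heur", "agent", "suspicious",
}


def family_tokens(label):
    """Split a vendor label into candidate family names (lower-cased)."""
    out = []
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        low = tok.lower()
        if not low or low in GENERIC:
            continue
        if any(ch.isdigit() for ch in low):          # variant counters, hex signature ids
            continue
        if low.startswith(("generic", "malware")):    # Generic12, MalwareF
            continue
        if len(low) < 5:                              # variant suffixes: BT, NAE, aec, DKI, ak ...
            continue
        out.append(low)
    return out


def consensus(results):
    """Summarise per-family support as vendor count and distinct-label count."""
    detected = [(v, l) for v, l in results if l.strip().lower() not in NO_DETECTION]
    families = defaultdict(lambda: {"vendors": set(), "labels": set()})
    for vendor, label in detected:
        for fam in family_tokens(label):
            families[fam]["vendors"].add(vendor)
            families[fam]["labels"].add(label)
    summary = {fam: {"vendors": len(d["vendors"]), "labels": len(d["labels"])}
               for fam, d in families.items()}
    # Distinct label strings first: N engines repeating one shared-engine signature are one
    # independent opinion, not N.
    ranked = sorted(summary.items(), key=lambda kv: (kv[1]["labels"], kv[1]["vendors"]), reverse=True)
    return {
        "engines": len(results),
        "detections": len(detected),
        "families": summary,
        "best_guess": ranked[0][0] if ranked else None,
    }


if __name__ == "__main__":
    r = consensus(REPORT_LABELS)
    print(f'{r["detections"]}/{r["engines"]} detections, best family guess: {r["best_guess"]}')
    for fam, d in sorted(r["families"].items()):
        print(f'  {fam:10s} vendors={d["vendors"]} distinct labels={d["labels"]}')
```

On this report the function yields poison with 6 vendors and 6 distinct labels against barys with 7 vendors and a single label, so the ranking picks poison; a plain vendor vote would have picked the heuristic name.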

Runtime Details:

Process tree:
  C:\malware.exe
  ↳ "C:\server.exe"

C:\malware.exe
  Registry:        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
  Creates file:    PIPE\wkssvc
  Creates process: "C:\server.exe"
  Creates mutex:   _xvm_mtx_file_0x1D0AE50A
  Creates mutex:   _xvm_mtx_other_0x1D0AE50A
  Creates mutex:   _xvm_mtx_reg_0x1D0AE50A

"C:\server.exe"
  Creates mutex:   _xvm_mtx_file_0x1D0AE50A
  Creates mutex:   _xvm_mtx_other_0x1D0AE50A
  Creates mutex:   _xvm_mtx_reg_0x1D0AE50A
  Creates mutex:   DBWinMutex

Reading the runtime artefacts: the three _xvm_mtx_{file,other,reg}_0x1D0AE50A mutexes are the Xenocode virtual-machine runtime's synchronisation objects for its virtualised file system, registry and other state; the shared hex suffix identifies the appliance instance, and they recur in both processes, so they mark the packer, not the payload. DBWinMutex is the system mutex behind the OutputDebugString mechanism and appears in many benign processes. PIPE\wkssvc is the Workstation service RPC endpoint, typically opened when a process asks for local host or network information. The ZoneMap\ProxyBypass write is a routine side effect of initialising Internet Settings and is a weak indicator on its own. The one behaviour that belongs to the sample rather than to the wrapper is the launch of a second executable, "C:\server.exe"; no file creation for that path is recorded, which is consistent with the Xenocode runtime exposing the wrapped program through its virtual file system, and it is presumably that wrapped program the Poison detections above refer to.

Network Details:

No network activity is listed in this report.

Strings (notable strings, grouped; the remaining extracted strings are short high-entropy fragments of the compressed payload and carry no information)

PE header and section names:
  !This program cannot be run in DOS mode.
  `.data  .xcpad  .idata  @.reloc  B.rsrc
  (The stray leading characters are the high byte of the preceding section header's Characteristics field: 0x60 = CODE|EXECUTE|READ before .data, 0x40 = READ before .reloc, 0x42 = READ|DISCARDABLE before .rsrc.)

Xenocode Virtual Appliance runtime (identifies the wrapper, not the wrapped program):
  Xenocode Virtual Appliance Runtime
  Xenocode Postbuild 2009 for .NET Beta
  There has been an error starting this virtual appliance.  Error code: 
  _xvm_mem_application_info_0x
  _xvm_mem_process_info_0x
  xlayer
  c:\XRoot_Build\X7.0\Vm\Release\x86\StubExe.pdb
  Error-code strings consistent with the message above: 0x00020: 0x00021: 0x00022: 0x00023: 0x0003: 0x00040: 0x00041: 0x00042: 0x00050: 0x00051: 0x00052: 0x00053: 0x0006 0x0011 0x0012: 0x0013 0x0014 0x0015 0x00E00 0x00E01 0x00E1 0x00E2 0x00Z1 0x00Z2
  0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ (a base-36 digit alphabet, matching codes such as 0x00Z1)

Version resource:
  VS_VERSION_INFO, StringFileInfo, 000004b0 (language 0x0000, code page 0x04B0 = Unicode)
  Comments, CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, Packager, PackagerVersion, ProductName, ProductVersion
  1.0.0.0
  7.0.162

Imports (the in-memory loader's working set: file mapping, virtual memory, dynamic resolution):
  KERNEL32.dll: CloseHandle, CreateFileMappingW, CreateFileW, GetCurrentProcessId, GetFileInformationByHandle, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetProcessHeap, GetTickCount, HeapAlloc, HeapFree, LoadLibraryW, MapViewOfFile, OpenFileMappingW, UnmapViewOfFile, VirtualAlloc, VirtualFree
  user32.dll (appears as Wuser32.dll, with a stray leading byte): MessageBoxW
  LdrGetProcedureAddress (an ntdll export; no ntdll.dll import name appears, so it is presumably resolved at run time via GetModuleHandleA/GetProcAddress)

zlib inflate (the stub's decompressor; every message below is from zlib's z_errmsg and inflate tables):
   inflate 1.2.3 Copyright 1995-2005 Mark Adler 
  buffer error, data error, file error, incompatible version, incorrect data check, incorrect header check, insufficient memory, invalid bit length repeat, invalid block type, invalid code lengths set, invalid distance code, invalid distances set, invalid distance too far back, invalid literal/length code, invalid literal/lengths set, invalid stored block lengths, invalid window size, need dictionary, stream end, stream error, too many length or distance symbols, unknown compression method
  !1Aa and #+3;CScs are the inflate base tables read as 16-bit values: 33, 49, 65, 97 from the distance base table and 35, 43, 51, 59, 67, 83, 99, 115 from the length base table.

Taken together, the strings describe a Xenocode stub that maps its own file, inflates an embedded application and launches it; nothing here is specific to the wrapped backdoor. Unpacking (running the sample and dumping the child process, or extracting the compressed payload) is required before strings or hashes say anything about the malware family.
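Almost everything this sandbox captured describes the Xenocode wrapper: the _xvm_* mutexes and shared-memory names, the zlib inflate error table, the file-mapping and VirtualAlloc imports, and the StubExe.pdb path. What is left over, chiefly the launch of C:\server.exe from C:\malware.exe, is the payload behaviour. The Python below is an added example, not the report's own tooling; it applies that separation to a constructed subset of the strings and runtime events listed above. The rule set, the rule ordering and the looks_like_noise heuristic are assumptions a triage analyst would tune per packer, not a published signature set.

```python
import re

# Constructed inputs: a subset of this report's Strings section.
SAMPLE_STRINGS = [
    "Xenocode Virtual Appliance Runtime",
    "Xenocode Postbuild 2009 for .NET Beta",
    "_xvm_mem_application_info_0x",
    "c:\\XRoot_Build\\X7.0\\Vm\\Release\\x86\\StubExe.pdb",
    " inflate 1.2.3 Copyright 1995-2005 Mark Adler ",
    "invalid distance too far back",
    "CreateFileMappingW",
    "MapViewOfFile",
    "LdrGetProcedureAddress",
    "MessageBoxW",
    "KERNEL32.dll",
    "ac S^tV",
    "HKk*@Dk",
]

# Constructed inputs: (process, event kind, value) as the Runtime section lists them.
SAMPLE_EVENTS = [
    ("C:\\malware.exe", "mutex", "_xvm_mtx_file_0x1D0AE50A"),
    ("C:\\malware.exe", "mutex", "_xvm_mtx_other_0x1D0AE50A"),
    ("C:\\malware.exe", "mutex", "_xvm_mtx_reg_0x1D0AE50A"),
    ("C:\\malware.exe", "process", "\"C:\\server.exe\""),
    ("C:\\server.exe", "mutex", "_xvm_mtx_reg_0x1D0AE50A"),
    ("C:\\server.exe", "mutex", "DBWinMutex"),
]

# Ordered rules; the first match wins. Assumed indicator set, tuned for this wrapper.
RULES = [
    # Xenocode/Spoon virtual-appliance runtime: identifies the wrapper, not the payload.
    ("packer:xenocode", re.compile(r"xenocode|_xvm_(?:mtx|mem)_|XRoot_Build|StubExe\.pdb|virtual appliance", re.I)),
    # zlib's inflate error table, carried by the stub's decompressor.
    ("packer:zlib", re.compile(r"^\s*inflate \d|^(?:invalid |incorrect |need dictionary|stream (?:end|error)|"
                                r"data error|buffer error|unknown compression method|too many length)", re.I)),
    # Imports any in-memory loader needs; they say nothing about what gets loaded.
    ("loader:import", re.compile(r"^(?:CreateFileMappingW|OpenFileMappingW|MapViewOfFile|UnmapViewOfFile|"
                                  r"VirtualAlloc|VirtualFree|LoadLibraryW|GetProcAddress|LdrGetProcedureAddress)$")),
    # System mutex behind OutputDebugString; present in many benign processes.
    ("noise:debug-output", re.compile(r"^DBWinMutex$")),
]
# _xvm_mtx_<kind>_0x<8 hex digits>: the hex suffix is the appliance instance id.
XVM_MUTEX = re.compile(r"^_xvm_mtx_(?:file|other|reg)_0x([0-9A-Fa-f]{8})$")


def classify(value):
    """Return the first matching rule name, or None."""
    for name, rx in RULES:
        if rx.search(value):
            return name
    return None


def looks_like_noise(s):
    """Heuristic (assumed, not a standard): strings output over compressed data gives short
    runs mixing punctuation with letters and no lowercase word; identifiers and messages
    contain a lowercase run and stay within a path/sentence character set."""
    s = s.strip()
    return (re.search(r"[a-z]{3}", s) is None
            or re.search(r"[^A-Za-z0-9 _.:,\\/!-]", s) is not None)


def triage(strings, events):
    """Bucket strings and runtime events by origin; report XVM instance ids and payload launches."""
    buckets = {}
    for s in strings:
        cat = classify(s) or ("noise" if looks_like_noise(s) else "unclassified")
        buckets.setdefault(cat, []).append(s)
    instances, dropped = set(), []
    for proc, kind, value in events:
        if kind == "mutex":
            m = XVM_MUTEX.match(value)
            if m:
                instances.add(m.group(1).upper())   # one appliance instance shared by both processes
            cat = classify(value)
            if cat:
                buckets.setdefault(cat, []).append(value)
        elif kind == "process":
            child = value.strip('"')
            if child.lower() != proc.lower():
                dropped.append((proc, child))       # the wrapper started something else: the payload
    return {"buckets": buckets, "xvm_instances": sorted(instances), "dropped": dropped}


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS, SAMPLE_EVENTS)
    for cat, items in sorted(result["buckets"].items()):
        print(f"{cat:20s} {len(items)}")
    print("XVM instance ids:", result["xvm_instances"])
    print("payload launches:", result["dropped"])
```

Everything that lands in a packer:* or loader:* bucket can be excluded from family-level indicators and from YARA rules meant to catch the backdoor rather than every Xenocode-wrapped program; the unclassified remainder (here MessageBoxW and KERNEL32.dll) is what warrants a manual look, and the dropped list is where dynamic analysis of the payload should start.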