Analysis Date: 2013-10-16 13:05:10
MD5: 5c2f8f3169f6aa13b23cbcac0b2530b3
SHA1: bd1b8216d05ea7b9e283f5ed295d054ecddc40f5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section.text md5: 1e4d5f5cab1840801cefcde6a339a16e sha1: 8f94f51af61d36ae48c7c84d0992a009522a6221 size: 157184
Section.reloc md5: 03f967047c07d696cd223d5c2235fe22 sha1: 6613e9d8d4d0d8bb49f6d1a26b20517235c1553d size: 512
Section.rsrc md5: 4c72c6140ee4c0ad50777d49a91c190d sha1: 3d42e91f4d556224e6c7e2a0fdf87f01060fdc18 size: 27648
Timestamp: 2013-10-10 08:01:50
Version:
LegalCopyright: Simalungun, Inc.
Assembly Version: 2.55.0.0
InternalName: dwm.exe
FileVersion: 2.55.0.0
CompanyName: Tobasa
LegalTrademarks: R&W
Comments: Hutting
ProductName: Martabe
ProductVersion: 2.55.0.0
FileDescription: Aili
OriginalFilename: dwm.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 8629c079a5abee4b8fc45074f2da87f121fe59ab
AV (avira): TR/Dropper.MSIL.8451
AV (avg): BackDoor.Generic17.BQUN

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm ➝
C:\Documents and Settings\Administrator\Application Data\Avanger\dwm.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Creates File: C:\Documents and Settings\Administrator\Application Data\Avanger\dwm.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates Process: "C:\malware.exe"
Creates Process: "cmd"

Process
↳ "C:\malware.exe"

Process
↳ "cmd"

Creates File: dwm.exe:ZONE.identifier

Process
↳ "C:\malware.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcpBji ➝
C:\Documents and Settings\Administrator\Application Data\temp\dllhost.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Application Data\temp\dllhost.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\196a_appcompat.txt
Creates Process: "C:\malware.exe"
Creates Process: "cmd"
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 200

Process
↳ "cmd"

Creates File: dllhost.exe:ZONE.identifier

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 200

Network Details:



Strings
000004b0
2.55.0.0
Aili
Assembly Version
Comments
CompanyName
dwm.exe
FileDescription
FileVersion
Hutting
InternalName
jnCMg
LegalCopyright
LegalTrademarks
Martabe
OriginalFilename
ProductName
ProductVersion
qtkKZ
SCjlH
Simalungun, Inc.
StringFileInfo
Tobasa
Translation
VarFileInfo
VS_VERSION_INFO
|$#.}@
`'0|_&'$"
0/>1&((
0<8VX{/Y<
0a{Zzlb
0l&Hss3
0n0]|K
0TMAJ1W
0tx)c'
184H{{
?1OgYf
1|z+f-
2012-08-19T06:51:15-05:007m
2012-08-19T06:51:15-05:00F0j
^233IMME
2.55.0.0
_2AXzi;
2VTVRRRBi
3&*4.*,U
3BnLME
3~bz}}X<	
3Cc%Wd
	3eNpoJo
3&NbKlT<
3Xx|&U
 49Ec$
&>4!cJ
%4dKic
'\[4@s
4System.Web.Services.Protocols.SoapHttpClientProtocol
4Un2+df
555x<#
>58Uo0}
^5/odL
@5P\[[
6_|1[n
6]~KTGm
70g_/2
74"h|7
{7@d-bX
7m;]eIJ
~7.Sa1|/
\7u5Uy
7\wC1H
8.0.0.0
,8cbJW
8GdH1{
&~8Ma{
8o?FJQ
/_8Q_Q@
8ub7[-
8V_OFF
*9IPp&
;9!~~Qj
a1,jYH
a6BInM
?.A|{7
a7Y_&q
Activator
Adobe ImageReadyq
{`akpug
,A*Odp@
AppDomain
ApplicationBase
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
Au5]}}
AU79'x
\Av:wh
`B%!(5U
b7-'Eq
-^BaN.k
{bCGc~
B#|D7X~
{BeB)P9
Bg~nzAnz
BGSmyI~
BinaryReader
Bitmap
bKKD={
b@KVO*
B>O3/a
Boolean
#B ?Q?
B.rsrc
BUrRuc)
Button
bVNAZc
C:;;'$
cc]a1-
.cctor
cE`22Dx"
CFpb}<
cGhHkhh
cJ&6-/
ClearProjectError
CMYRTE
Cnn.uuu
CompareString
CompilationRelaxationsAttribute
Computer
ComVisibleAttribute
Concat
Console
conwEA^S
_CorExeMain
c&p<j"
CreateInstance
Create__Instance__
]C+V+l%
DAW$-6
=D<>Cz
DebuggerHiddenAttribute
Dictionary`2
Dispose
Dispose__Instance__
DmI97+W
Dnn.+V
Dn-zGnr
DPPXH~~>
d@Q{RR
d,VeHWe
:]dVFm,
Dv*LdgJ%}
dwm.exe
dzzz$$
+e1HV80
E2KdO`
'e5JW5 Ve
EditorBrowsableAttribute
EditorBrowsableState
!	?EF$%
*\EFGu
"ei vxH
Encoding
EqdQZ[Os
Equals
e	rMkh
E+.X_a
Exception
Exists
eYW^K:
.]F~~>
fhh(,]
FhLr h
f-if2/F
.FOv<ST
FromArgb
f`T8rM
:"f{v7F
`fY(iF
=}f>ZG
/g3&svm
GeneratedCodeAttribute
get_BaseStream
get_Count
get_Current
get_CurrentDomain
GetCurrentProcess
get_CurrentUser
GetEnumerator
GetExecutingAssembly
get_FileName
GetHashCode
get_Height
get_MainModule
GetManifestResourceStream
GetMethods
get_Name
GetName
GetObject
GetObjectValue
GetPixel
GetPublicKeyToken
get_Registry
GetString
GetTypeFromHandle
get_Unicode
GetValue
get_Width
GG{;MM'i8q
@gg'O=
g!.KG\
?.godD
;Gr&{)
gr(ega
gRZ<OcSp
gS=Pp|
GUJ<=I
gV_g\N-e
*G<x>6OKyX]
GzF(s'
hCSuqcm
HideModuleNameAttribute
HO'##c
;h/qx r
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
Hutting
	H?[@z
Ia:wv$qu
IDATx^
IDisposable
IEnumerable
IEnumerator
i:H5:,
Intern
Invoke
#IPT\Dq
iQ2yG.
i-`"s?
Is* "~
Is5*4W
I";+_	U
i>ufeY
i#>vkB
$JJKB1
JWW'U;w
	]jxq`
;K3|[I&)
K9,UTSd
Kaa!999
Kl>hFc'=
)K===ne
 @kO/V
KR(N^T
kxEfpx
l1Q9/I
L4466r
l}5T@v
L&A6>D
lAi_6"C
LateGet
l_Bhoh
(>l\C#
lFq~pW
List`1
LL.S{<$+
LnVcz;
,LP^CI
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
l#Y6d"
m&[]@'>
m6"'AzI
Martabe
Mcs;p%)N
 Md7\]
MemberInfo
MethodBase
MethodInfo
M,fg~0
_:m%}I
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
MlM	"k
m%MWF.
}\mNfv
<Module>
Monitor
MoveNext
]M$Rq&
mscoree.dll
mscorlib
MyGroupCollectionAttribute
MyTemplate
<n?^@+{
n?2>LdF
NewLateBinding
]NG{;>
NGAA!K
NGZZZ(_
;nHJOs
.N>QB=
n[sMkS5
Nv1dL=
N]vbh4
nx0J~nzq
Object
#[=o?d
OpenSubKey
Operators
op_Inequality
@o$Vu8
p8hiiIX
P_Fz[Z
Process
ProcessModule
ProjectData
$PR* xz	
ptD0S-
pw?nmM
pxTXhP
Q7LvyH
%qDJda
QDNB;q
^Q||Dph
Q[[Kcc
QQSSCuu5>
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
,QTDiaG
QX>t#rc
QZf	L/-3
,&r8XX
ReadBytes
ReadInt16
ReadInt32
ReadLine
RegistryKey
RegistryProxy
RegistryValueKind
`.reloc
ResourceManager
RFFB)&
!rIDATx^
rJJK)--
rjWfil
rl;_Fc@
RnMROZcrNOXhcGV.resources
RSR))*&++
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
RXPHVV6n
S(DDAD!
ServerComputer
set_Position
SetProjectError
SetValue
Simalungun, Inc.
sl8*yOH7TDk
,sQaUr
s~qgtqg
SSCMY8
sSSS*3
StandardModuleAttribute
STAThreadAttribute
sTnpZ+
Stream
String
#Strings
s*TY, 
SuppressIldasmAttribute
System
System.CodeDom.Compiler
System.Collections
System.Collections.Generic
System.ComponentModel
System.Diagnostics
System.Drawing
System.Drawing.Bitmap
System.IO
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
System.Threading
System.Windows.Forms
t$5U/08#G
taJEXym$
	TD^@z
TextBox
%tEXtdate:create
%tEXtdate:modify
tEXtSoftware
~tfxE2Z
!This program cannot be run in DOS mode.
ThreadStaticAttribute
)TIDAThCM
TJ17xS$#
|>tjM(
%tK,	A
tLBotd4P
]t^mJ'
ToArray
Tobasa
ToString
T"R\_u^`
TryGetValue
TT,@T(
]]]tvw
u6bq59
u*B(NP(
uCFF]p0
UInt16
UInt32
ujy<I<J
)`um5sS
U'N>>I
UP^rWN
urRblxXPV
UU455%
UU;iooOH5.
UW]MCC
!'V+0'
v2.0.50727
v_222Bc
vB|4Vq
VBmNkz
V/$cd!
v`+@gG
:{VhsLy
?VOOOO
v>oS#M
v&qsm,
VVzD1nt(
>VY+Xw
V[zihq@p
}:,'w`
W2'qIp
W}dcNO^+
wEe%{w
Wk]ILd
W^MYYY
WQV^NZ
WrapNonExceptionThrows
WriteLine
WSKGoo
^XAMyy
X`-&dn
*X+.ff
XGy:v\/P
X,h4ZLF#
XkmGK%s
XNUf.+
xOMMepp
}\XV]2
xWx2Xf$
=}yFdy
y!!Fo	
yI<I{HO
#y~o'_
yu	mXH
YV}R\Xn
&Yw/_z
Y]ZAvz
{Z3|-6
+,Z	=c
ZEGG;/
ZojjJNF"
_.]Z,r
zu]e17I
^[ZZrrn
|ZZZ8Z_