Analysis Date: 2013-10-20 01:06:45
MD5: 76874da1824146bb2565ec86271d2c1c
SHA1: c6b6b96a913fc8e281623e2bab0a369d9607732d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text  md5: 8961e5356401aee67c406f552814b740 sha1: 8cb24fd15e1c1b0cc012dc02750a085d36603706 size: 9216
Section .rsrc  md5: 10ea87c4eda7ad4b071c9495b047c3b5 sha1: c874b42df7946b51640b9d48525324fda6f40c7b size: 69632
Section .reloc md5: b0841c5250ae8603ad0646edbc6dbbeb sha1: bb944b3a1ae0b1a0d9f5c95cc3c82ccc1919749e size: 512
Timestamp: 2013-08-31 12:04:27
Pdb path: C:\Users\Hackiosa\Documents\Visual Studio 2008\Projects\XCrypt\XCrypt\obj\Release\s76df87g687sgs4.pdb
Version: LegalCopyright: Copyright © 2013
Assembly Version: 1.0.0.0
InternalName: s76df87g687sgs4.exe
FileVersion: 1.0.0.0
ProductName: s76df87g687sgs4
ProductVersion: 1.0.0.0
FileDescription: s76df87g687sgs4
OriginalFilename: s76df87g687sgs4.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: d3a99f44a0093976102b579608af90eb56a01ebf
AV (AVG): BackDoor.Generic17.BNZL
AV (Avira): TR/Gamarue.A.39

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows KB ➝
C:\Documents and Settings\Administrator\Application Data\kb_mldeaohebobjdnfe.exe\\x00
(Run-key value "Windows KB" points at the dropped copy below, so it is started at logon; the trailing \x00 appears to be a NUL byte written as part of the value data.)
Creates File: C:\Documents and Settings\Administrator\Application Data\rbqjbogp.jpeg
Creates File: C:\Documents and Settings\Administrator\Application Data\kb_mldeaohebobjdnfe.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
000004b0
1.0.0.0
  2013
23_88_1337
8a7sd87fa9s8dfasdhfas8df7o
AmdNot
asdufzasudfzashdflkjasldfj
Assembly Version
Copyright 
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
.exe
FileDescription
FileVersion
Intel
IntelSucks
InternalName
.jpeg
\kb_
LegalCopyright
noitceSfOweiVpamnUwZ   (reversed: ZwUnmapViewOfSection)
ntdll.dll
nuR\noisreVtnerruC\swodniW\tfosorciM\ERAWTFOS   (reversed: SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
OriginalFilename
ProductName
ProductVersion
s76df87g687sgs4
s76df87g687sgs4.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows KB
?;&]=:
021.Nec^
0n}tkE!
1.0.0.0
"" 1=<:\@?=`BA>bDCAdRO?o
$1f2a3b44-7f7c-4282-8310-09f9b36e1f84
1/+YUQG
  2013
2/,YVQJ
%?}48p
	=;4czug
=^+5[{
62W7RY
640VXUN
	6z+FF
=;7lXSK
:83lOJB
86/Xpk\
960Yni]
A?9~QLD
{ac.F&'
$)$AfZ
*(#A`\P
Append
Application
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyCultureAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AsyncCallback
A@;{VPI
)(#Avqc
BeginInvoke
BENY8r
BinaryReader
_BinaryReader
blStartup
callback
.cctor
C\#h?.
commandLine
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
ComVisibleAttribute
Concat
Console
CONTEXT
ContextFlags
Convert
CopyInt16
CopyInt32
Copyright 
_CorExeMain
CreateProcess
creationFlags
currentDirectory
CurrentUser
C:\Users\Hackiosa\Documents\Visual Studio 2008\Projects\XCrypt\XCrypt\obj\Release\s76df87g687sgs4.pdb
DB<}		
DebuggableAttribute
DebuggingModes
Decrypt
Decrypter
Delegate
DeviceDriver
DllImportAttribute
Dvn0ql{8[E
'&#DVRJ
dwProcessId
dwSize
dwThreadId
EndInvoke
environment
Environment
E(VxP7>
+*(EWTO
Executer
Exists
FB)O-)
FileAccess
FileMode
FileSize
FileStream
FixedBufferAttribute
FixedElementField
flAllocationType
flProtect
fStream
f=Y+=:X|
G'AxL-
GenerateString
get_BaseStream
GetCommandLineA
GetCpu
GetDelegateForFunctionPointer
get_EntryPoint
get_ExecutablePath
GetFolderPath
get_Length
GetLength
GetProcAddress
GetStartupActivated
GetThreadContext
GetTypeFromHandle
gFsS[4)3
g:#m-Sm
Gsa1yP
&%#GSPJ
GuidAttribute
\h aiR5x
hBIrl>
Hib0iMG
h+$IXb
hModule
>@+-H?oX
hProcess
hThread
*)&HYUM
IAsyncResult
inheritHandles
IntPtr
Invoke
*)&IXTL
`J*ad:~q]
kd9q76tu
kernel32.dll
kfy4jc
KillYourself
+*'K^YP
LayoutKind
Length
LoadLibrary
LocalMachine
lpAddress
lpApplicationName
lpBaseAddress
lpBuffer
lpContext
lpDesktop
lpLibFileName
lpNumberOfBytesWritten
lpProcName
lpReserved
lpTitle
LvSST-XRz^
Marshal
MarshalAsAttribute
McOBDD
method
MethodBase
MethodInfo
mG]`b7
Microsoft.Win32
"MJAz}xh
mm$O<f
<Module>
mscoree.dll
mscorlib
MulticastDelegate
mxPN>{
-,|nbk$-9
_NtUVOS
 ;,!O1
object
Object
<OIfl*
O>(=ii
OpenSubKey
op_Equality
op_Explicit
O$+uL1#
OutAttribute
{<Pa{Q
p`]{[O
PqV{'U
processAttributes
processInformation
PROCESS_INFORMATION
Program
,+(PWTJ
-+(PYVM
Q /=>)\
q'LSlS
Random
RAqp#B
ReadByte
ReadConfig
ReadInt32
Registry
RegistryKey
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
result
ResumeThread
Reverse
ReverseString
ROAtEDBiEDAiDCAiA@>f>=:_985T('&=
`.rsrc
R)U%gW
RuntimeCompatibilityAttribute
RuntimeTypeHandle
s76df87g687sgs4
s76df87g687sgs4.exe
    </security>
    <security>
SecurityAction
SecurityPermissionAttribute
set_Position
SetThreadContext
SetValue
SjLfQLj
SkipVerification
S*(MZej
SpecialFolder
startupInfo
STARTUPINFO
Stream
String
StringBuilder
#Strings
StructLayoutAttribute
/-)SWTJ
System
System.Diagnostics
System.IO
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security
System.Security.Permissions
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Text
System.Windows.Forms
$T6j@{qQ
!This program cannot be run in DOS mode.
threadAttributes
t)Lj{$
ToChar
ToCharArray
ToString
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
(uB[<c5
UnmanagedType
UnsafeValueTypeAttribute
unused
unused2
<unused2>e__FixedBuffer2
<unused>e__FixedBuffer0
<unused>e__FixedBuffer1
UnverifiableCodeAttribute
>UP+U94
.-*UVQH
.	U	yb
v2.0.50727
ValueType
.veQ<$m
v[-/h@Q
VirtualAllocEx
'&"?vpd
## =VQI
VrY].WG
}W3xvS
@w~66C
WrapNonExceptionThrows
WriteLine
WriteProcessMemory
))&<WUQ
w?%z &+?
X3RU|V
xk<&>HA
xLXN#z:
xlYN"s{gw
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XSystem.Byte, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
XSystem.Byte, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0894
yN-"8}
ynsx5e
Ys'=GW
z;i[Rj
ZtS:-n