Analysis Date: 2014-12-17 18:40:19
MD5: 36d7f8626911320abd84f260130f694a
SHA1: c8d04dfd13843b506b679e8e5f02f302ce9f7da7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
PEhash: 995829ab353fdeb6aa07fc6cd78171f114701d75
IMPhash: (not recorded)
AV 360 Safe: Gen:Variant.Kazy.12933
AV Ad-Aware: Gen:Variant.Kazy.12933
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.12933
AV Authentium: no_virus
AV Avira (antivir): TR/Kazy.12933.psa
AV BullGuard: Gen:Variant.Kazy.12933
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-13
AV Dr. Web: BackDoor.Gbot.17
AV Emsisoft: Gen:Variant.Kazy.12933
AV Eset (nod32): no_virus
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.12933
AV Grisoft (avg): Generic_r.FN
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Backdoor ( 0021c91c1 )
AV Kaspersky: Trojan.Win32.Diple.das
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.12933
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): no_virus

Detection summary: 20 of 29 engines flag the sample at the 2014-12-17 scan. The family-specific verdicts cluster on the Cycbot/Gbot backdoor (Backdoor.Cycbot.B, BackDoor.Gbot.17, Backdoor.Cycbot!gen3, BKDR_CYCBOT.SMX); the rest are generic Kazy/Diple signatures, Avast's "[Cryp]" tag (a crypted/packed binary), and one outlier Zbot label from Ikarus. Nine engines (Authentium, Eset, Frisk, MalwareBytes, McAfee, Microsoft Security Essentials, Rising, Sophos, VirusBlokAda) returned no detection, so a clean result from any single vendor is not evidence that the file is benign.

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\27ac_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 168
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1352 -e 124 -g

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 168

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1352 -e 124 -g

Interpretation: the two child processes are not components of the malware. dwwin.exe is the Windows XP error-reporting client and drwtsn32 is Dr. Watson, here invoked with -p 1352 to attach to the faulting process; the *_appcompat.txt file in Temp is the report those tools write. The sample therefore crashed shortly after launch in this sandbox, and the runtime section records the crash, not the sample's intended behaviour. The lsarpc pipe open is a normal LSA lookup side effect and is not significant on its own. Possible causes are anti-analysis checks that abort execution, a missing runtime dependency in the VM image, or a packer (several engines label the file as crypted) that fails in this environment. Without network traffic, dropped files or persistence artifacts, this run says nothing about the Cycbot/Gbot payload the AV labels suggest; a re-run on a different image, or analysis of the unpacked payload, is needed before treating any behaviour here as an indicator.
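A practitioner who receives many of these reports wants to triage them mechanically: pull the hashes, compute the detection ratio and family consensus, and flag runs like this one where the only "behaviour" is a Windows crash handler. The parser below is an added example written for this page, not the sandbox's own code. It assumes the fused label/value line format shown above (label immediately followed by the value, no separator), uses the engine names listed on this page to split the AV lines, and runs on a constructed subset of the report's own lines embedded inline.

```python
import re
from collections import Counter

# Constructed input: a subset of this report's lines, in the fused
# "<label><value>" format the page uses (no separator between them).
REPORT = r"""
Analysis Date2014-12-17 18:40:19
MD536d7f8626911320abd84f260130f694a
SHA1c8d04dfd13843b506b679e8e5f02f302ce9f7da7
File typePE32 executable for MS Windows (GUI) Intel 80386
AV360 SafeGen:Variant.Kazy.12933
AVAuthentiumno_virus
AVCAT (quickheal)Backdoor.Cycbot.B
AVDr. WebBackDoor.Gbot.17
AVEset (nod32)no_virus
AVSymantecBackdoor.Cycbot!gen3
AVTrend MicroBKDR_CYCBOT.SMX
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\27ac_appcompat.txt
Creates FilePIPE\lsarpc
Creates ProcessC:\WINDOWS\system32\dwwin.exe -x -s 168
Creates ProcessC:\WINDOWS\system32\drwtsn32 -p 1352 -e 124 -g
"""

# Engine names exactly as this report prints them; needed because the
# engine name and verdict are fused with no delimiter.
ENGINES = [
    "360 Safe", "Ad-Aware", "Alwil (avast)", "Arcabit (arcavir)", "Authentium",
    "Avira (antivir)", "BullGuard", "CA (E-Trust Ino)", "CAT (quickheal)", "ClamAV",
    "Dr. Web", "Emsisoft", "Eset (nod32)", "Fortinet", "Frisk (f-prot)", "F-Secure",
    "Grisoft (avg)", "Ikarus", "K7", "Kaspersky", "MalwareBytes", "Mcafee",
    "Microsoft Security Essentials", "MicroWorld (escan)", "Rising", "Sophos",
    "Symantec", "Trend Micro", "VirusBlokAda (vba32)",
]
# Longest-first so "CAT (quickheal)" is never mis-split as "CA ...".
_ENGINES_LONGEST_FIRST = sorted(ENGINES, key=len, reverse=True)

SCALAR_LABELS = ("Analysis Date", "MD5", "SHA1", "File type", "PEhash", "IMPhash")
LIST_LABELS = {"Creates File": "files", "Creates Process": "processes"}

# Family tokens to collapse vendor naming differences (assumed mapping).
FAMILY_TOKENS = {"cycbot": "Cycbot", "gbot": "Cycbot", "kazy": "Kazy",
                 "diple": "Diple", "zbot": "Zbot", "fraudload": "FraudLoad"}

# Windows XP crash-handler artifacts: Dr. Watson, the WER client and its report.
CRASH_PATTERNS = (
    re.compile(r"\\drwtsn32(\.exe)?\b", re.I),
    re.compile(r"\\dwwin\.exe\b", re.I),
    re.compile(r"_appcompat\.txt$", re.I),
)


def split_av_line(body):
    """Split '<engine><verdict>' using the known engine list."""
    for name in _ENGINES_LONGEST_FIRST:
        if body.startswith(name):
            return name, body[len(name):]
    raise ValueError(f"unknown AV engine in line: {body!r}")


def parse_report(text):
    """Parse fused label/value lines into scalars, AV verdicts, files, processes."""
    rep = {"scalars": {}, "av": {}, "files": [], "processes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AV"):
            engine, verdict = split_av_line(line[2:])
            rep["av"][engine] = verdict
            continue
        for label, key in LIST_LABELS.items():
            if line.startswith(label):
                rep[key].append(line[len(label):])
                break
        else:
            for label in SCALAR_LABELS:
                if line.startswith(label):
                    rep["scalars"][label] = line[len(label):]
                    break
    return rep


def hashes_well_formed(rep):
    """Sanity check: MD5 is 32 hex chars, SHA1 is 40, before pivoting on them."""
    s = rep["scalars"]
    return bool(re.fullmatch(r"[0-9a-f]{32}", s.get("MD5", ""))) and \
        bool(re.fullmatch(r"[0-9a-f]{40}", s.get("SHA1", "")))


def detection_summary(rep):
    """Return (detected, total, Counter of family names across detecting engines)."""
    detected = {e: v for e, v in rep["av"].items() if v != "no_virus"}
    families = Counter()
    for verdict in detected.values():
        low = verdict.lower()
        families.update({fam for tok, fam in FAMILY_TOKENS.items() if tok in low})
    return len(detected), len(rep["av"]), families


def crash_indicators(rep):
    """Flag a run whose activity is the XP crash handlers; recover the faulting PID."""
    hits = [item for item in rep["files"] + rep["processes"]
            if any(p.search(item) for p in CRASH_PATTERNS)]
    pid = None
    for proc in rep["processes"]:
        m = re.search(r"drwtsn32\b.*?-p\s+(\d+)", proc, re.I)
        if m:
            pid = int(m.group(1))
    return {"crashed": len(hits) >= 2, "evidence": hits, "faulting_pid": pid}


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print(rep["scalars"], hashes_well_formed(rep))
    print(detection_summary(rep))
    print(crash_indicators(rep))
```

On this page's data the crash check fires on three artifacts (the appcompat report plus both handler processes) and recovers PID 1352, which is the signal to discard the runtime section for behavioural indicators rather than ingest the temp path or process names as IOCs.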

Network Details:

No network activity was recorded in this run and no pcap is attached, which is consistent with the sample crashing before it reached any C2 logic. The absence of traffic here should not be read as the sample having no network capability.

Strings (raw strings dump of the sample; the only recognisable items are the PE section names .data and .rdata, the DOS-stub message, and what appears to be a fragment of the Rich header; the remainder is high-entropy data, consistent with a packed or crypted binary):
*.N
...
Y6x..
.!B...
....".U.
..A.
.
B....#..Da...
.[
B.i....8._.
..r#u
 ....d=.q.%..
..
.>d"
y...
..p.
$..p..
...
^&
......
.
......D
.-.4..2.....\W...
<...

eED@
_6mo	"
@.data
-)j8=4
j9?n{k`
JRichu
j*TKuu
k7X_K2
L:;u9|
_m5vXWx'
;=mKlA
o>Jxm>7
oo~IvQ
OYunZB
`.rdata
^^=T7vK
!This program cannot be run in DOS mode.
)t+yu9S
U):4	g
VnlZ.n
w5z<}+Q
wO[6_@
wu4	V$
yjX:>D