Analysis Date: 2015-12-02 02:28:10
MD5: 05783f747b2f1d380f984f0e3d8f06b4
SHA1: ca774950d187e8cb9c0fe067c384eb9511b0a390

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5e47ab5c9cf81df6a88d35c37306f05c sha1: 115395cfa49053a4a9ad0568b062ea815939909c size: 104448
Section .rdata: md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data: md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc: md5: 8d47923e1d8063519f41a39058da7e86 sha1: faf06e56b0b7c6e07b34e8327a3359a1fc339e89 size: 439808
Section jytvqbj: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1996-11-02 04:28:08
Packer: Microsoft Visual C++ ?.?
PEhash: 362446604a69c15a2de81dc3ff21ad0d81b80a77
IMPhash: 720f62ecaae027b5c3ec6686644322e9
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.MSILCryptor.MUE.A4
AV Rising: Backdoor.Win32.Bindi.a
AV Zillya!: Trojan.Bladabindi.Win32.56808
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: Win.Trojan.Agent-827408
AV Ikarus: Trojan.MSIL.Bladabindi
AV MicroWorld (escan): Gen:Variant.Kazy.496320
AV Twister: Bladabindi.L.kktr
AV Eset (nod32): MSIL/Bladabindi.L
AV Mcafee: RDN/Generic BackDoor
AV K7: Trojan ( 003f3a341 )
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Emsisoft: Gen:Variant.Kazy.496320
AV Grisoft (avg): Inject.FMI
AV MalwareBytes: Trojan.Agent.MSIL
AV Microsoft Security Essentials: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV BullGuard: Gen:Variant.Kazy.496320
AV F-Secure: Gen:Variant.Kazy.496320
AV Arcabit (arcavir): Gen:Variant.Kazy.496320
AV BitDefender: Gen:Variant.Kazy.496320
AV Fortinet: W32/Generic.L!tr
AV Dr. Web: Trojan.KillFiles.17960
AV Authentium: W32/A-3e7aeab6!Eldorado
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Ad-Aware: Gen:Variant.Kazy.496320
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): Win32/Tnega.ACBUdFB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\4610427f9cc5281defe9550a924fd4ea\US ➝ !\\x00
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\server.exe
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\server.exe"

Process
↳ "C:\Documents and Settings\Administrator\server.exe"

Network Details:
