Analysis Date: 2014-04-21 22:55:19
MD5: 8f396cc81ed4008182bce8dfc3134471
SHA1: d1ea908da97279192f7476ea9a2e990a4ffc823f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5 4b2708bcc5ece21fdfacf0df8ded3e14, sha1 7b9689c538557b01dcebea7189b689dadb041c34, size 147456
Section .rsrc: md5 620f0b67a91f7f74151bc5be745b7110, sha1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d, size 4096
Section .reloc: md5 38b640f8a5655646d49c68a43f4e5248, sha1 3ab3b27f474462b37aab0717f0076d531a74b067, size 512
Timestamp: 2014-03-25 16:02:54
Packer: Microsoft Visual C# v7.0 / Basic .NET (this is the compiler signature, not a packer; the Strings section contains ConfusedByAttribute and "Confuser v1.9.0.0", so the assembly was obfuscated with Confuser 1.9, and the v2.0.50727 string marks it as targeting the .NET 2.0 runtime)
PEhash: ee2ec8d667099574bf2ddec8bcfa3ac6a7ca97bc
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744 (a .NET executable's native import table holds only mscoree.dll!_CorExeMain, both visible in the Strings section, so this imphash is shared by essentially every managed EXE and is useless as a pivot; the per-section hashes above and the Confuser-mangled type names are better ones)
AV: avira TR/Spy.Gen
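Added example (not part of the original report): the import-hash computation behind the IMPhash field, written to show why the value above does not identify this sample. The imphash algorithm is the Mandiant/pefile one; the import tables are constructed, and the assumption is that the sample imports by name only (ordinal imports are out of scope).

```python
import hashlib

# IMPhash reported in the Static Details section of this report.
REPORT_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """Import hash as defined by Mandiant and implemented in pefile.

    `imports` is a list of (dll, function) pairs in import-table order.
    Each becomes "<dll>.<function>" with the DLL extension (.dll/.ocx/.sys)
    removed and both parts lower-cased; the parts are joined with commas and
    MD5-hashed.  Ordinal-only imports (pefile resolves those through a name
    table) are deliberately not handled: assumption, the sample imports by name.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import tables.  A managed executable's native import table holds
# one entry, mscoree.dll!_CorExeMain (both strings appear in the Strings
# section of the report); the CLR binds everything else at run time.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]
NATIVE_IMPORTS = [
    ("kernel32.dll", "CloseHandle"),
    ("user32.dll", "SetWindowsHookExA"),
    ("user32.dll", "CallNextHookEx"),
]

GENERIC_DOTNET_IMPHASH = imphash(DOTNET_IMPORTS)


def is_generic_dotnet_imphash(value):
    """True when `value` is the imphash every name-bound .NET EXE shares."""
    return value.lower() == GENERIC_DOTNET_IMPHASH


if __name__ == "__main__":
    print("imphash of a .NET import table  :", GENERIC_DOTNET_IMPHASH)
    print("equals the report's IMPhash     :", GENERIC_DOTNET_IMPHASH == REPORT_IMPHASH)
    print("imphash of a native import table:", imphash(NATIVE_IMPORTS))
```

When an imphash comes back as the generic .NET value, pivot on section hashes, the CLR metadata (type and method names, the Confuser attribute) or the decrypted configuration instead.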

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 (a WinINet zone-map setting that many processes write when they initialise WinINet; weak as an indicator on its own)
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoftlog.exe
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoftlog.exe"
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: LEThjJwJFKr

Note on reading the list: the PIPE\wkssvc, PIPE\lsarpc and \Device\Afd\Endpoint entries show that "Creates File" records NtCreateFile handle creation, not a confirmed write, so the hosts entry proves only that the file was opened. The two dropped executables are the real artifacts: Microsoftlog.exe in the user's Temp folder, which is executed immediately, and winlogin.exe in the all-users Startup folder, which gives persistence at every interactive logon. Of the three mutexes, the two Global\ ones are created by the CLR itself; only LEThjJwJFKr belongs to the sample and is usable as an indicator.

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoftlog.exe"

Creates Process: dw20.exe -x -s 276

Process
↳ dw20.exe -x -s 276

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\19390.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Note: dw20.exe is Microsoft Application Error Reporting, which the .NET runtime launches when a managed process dies with an unhandled exception; dw.log and 19390.dmp are its crash log and minidump, and the index.dat files and WinINet mutexes come from the reporter initialising WinINet. The dropped Microsoftlog.exe therefore crashed in the sandbox, so the second stage's behaviour (including whatever it would have sent over SMTP) was not fully observed.

Network Details:

DNS: smtp.glbdns2.microsoft.com, type A, answer 65.55.172.254
DNS: Smtp.live.com, type A (no answer recorded in this capture)
Flows: TCP 192.168.1.1:1031 ➝ 65.55.172.254:587

Port 587 is SMTP submission, and the destination is Microsoft's live.com outbound mail host. Together with the SmtpClient, MailMessage, Attachment, NetworkCredential, set_Credentials and set_EnableSsl strings below, this indicates the sample exfiltrates what it collects by e-mail through an embedded Hotmail/Outlook.com account. If EnableSsl is set the session is STARTTLS-encrypted, so the account credentials and the message contents have to be recovered from the sample's decrypted configuration rather than from the pcap.

Raw Pcap
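Added example (not part of the original report): the runtime and network observations above turned into detection rules and run over a constructed event list that mirrors the report's own paths, mutex and flow. The event schema, the benign Outlook control event and the mail-client allow-list are assumptions for illustration, not output of any real sensor.

```python
import re

# Constructed events modelled on the Process / Creates File / Creates Mutex /
# Flows lines of this report (not a real log; paths and names are the report's).
EVENTS = [
    {"type": "file_create", "process": r"C:\malware.exe",
     "path": r"C:\WINDOWS\system32\drivers\etc\hosts", "access": "write"},
    {"type": "file_create", "process": r"C:\malware.exe",
     "path": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe",
     "access": "write"},
    {"type": "file_create", "process": r"C:\malware.exe",
     "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoftlog.exe",
     "access": "write"},
    # A handle open without write access (the PIPE\lsarpc entry) must not fire.
    {"type": "file_create", "process": r"C:\malware.exe",
     "path": r"PIPE\lsarpc", "access": "read"},
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoftlog.exe"},
    {"type": "mutex", "process": r"C:\malware.exe", "name": "LEThjJwJFKr"},
    {"type": "mutex", "process": r"C:\malware.exe", "name": r"Global\.net clr networking"},
    {"type": "net_connect", "process": r"C:\malware.exe",
     "dst": "65.55.172.254", "dst_port": 587},
    # Benign control (assumed path): a real mail client on a submission port.
    {"type": "net_connect",
     "process": r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE",
     "dst": "65.55.172.254", "dst_port": 587},
]

# Executable dropped into any user's Startup folder: logon persistence.
STARTUP_RE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(exe|dll|scr|bat|vbs)$", re.I)
# Executable launched out of a Temp directory (XP and later layouts).
TEMP_EXE_RE = re.compile(r"\\(local settings\\)?temp\\[^\\]+\.exe$", re.I)
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list
MUTEX_IOCS = {"LEThjJwJFKr"}   # the sample's own mutex; CLR mutexes excluded


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, evidence) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            # Only count writes: this sandbox logs handle creation for reads too.
            if ev.get("access") != "write":
                continue
            if STARTUP_RE.search(ev["path"]):
                hits.append(("startup_folder_persistence", ev["path"]))
            if ev["path"].lower().endswith(r"\drivers\etc\hosts"):
                hits.append(("hosts_file_write", ev["path"]))
        elif kind == "process_create" and TEMP_EXE_RE.search(ev["image"]):
            hits.append(("exec_from_temp", ev["image"]))
        elif kind == "mutex" and ev["name"] in MUTEX_IOCS:
            hits.append(("known_mutex", ev["name"]))
        elif (kind == "net_connect" and ev["dst_port"] in MAIL_PORTS
              and basename(ev["process"]) not in MAIL_CLIENTS):
            hits.append(("smtp_from_non_mail_client",
                         f'{ev["process"]} -> {ev["dst"]}:{ev["dst_port"]}'))
    return hits


if __name__ == "__main__":
    for rule, evidence in evaluate(EVENTS):
        print(f"{rule:28s} {evidence}")
```

The access check matters because, as the pipe and Afd entries show, this sandbox's "Creates File" is a handle-creation record; a rule keyed on the hosts path alone would fire on every process that merely reads it.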

Strings
 ..Ql..
.
...................
COR_ENABLE_PROFILING
COR_PROFILER
Debugger detected (Managed)
gjdou
Loop broken
Profiler detected
	;:02+
1.0.0.0
1L}1`{F
[1`P=$#
1pBB	25X#Jhmpj
1rB-yC;t
1)W}6j
2d	I*W{
	|:^2H
	#:`2r
2*r(SU
	|:^2S
	}:\2U
4System.Web.Services.Protocols.SoapHttpClientProtocol
5\\@($;;
	5:\2E
	5:\2U
	5:D2N
 5E_i 
	5:M2H
	5:N2B
	5:N2D
	5:N2N
	5:n2U
	5:N2U
	5:O2D
	5:R2S
	5:S2D
	5:S2N
	5:u2j
	5:V2O
=6@!M/
	6:u2N
7b+%x@wn;
7kYaaX
=7)-s\9?-
8.0.0.0
	8:~2M
:85VhTKD%
'@$8)HEu
	8:n2B
*+8,t^Z@
9'}9Z]\u
	a:^2}
	`:a2q
	{:a2q
	a:\2S
A*BSJB
AccessedThroughPropertyAttribute
Activator
add_ResourceResolve
add_Tick
{	AEFT)
	a:H2Q
	a:J2@
`:ak{B
akWlIo7q
a	l	s	}	`
AppDomain
Application
ApplicationBase
AppWinStyle
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AsyncCallback
	a:T2M
	a:T2O
Attachment
AttachmentCollection
Attribute
	a:U2@
	A:U2D
	a:X2E
aXXXb`o
	b:\2R
(b8yd|B
BAz'LXV
.b|DcgB
BEbP3L=
BeginInvoke
	B	F	Y	
BinaryReader
BitConverter
Bitmap
BlockCopy
	b:N2}
	b:T2M
	B:T2O
	b:U2N
Buffer
	c:\2M
@c6'JV2A
c9RfMV]
CallNextHookEx
Callvirt
Castclass
.cctor
ClearProjectError
ClipboardProxy
CloseHandle
C]lW"wB
Collection`1
Combine
CompareMethod
CompareString
CompilationRelaxationsAttribute
CompressionMode
ComputeHash
Computer
ComputerInfo
ComVisibleAttribute
Concat
ConfusedByAttribute
Confuser v1.9.0.0
ConstructorInfo
Contains
ContainsAudio
ContainsFileDropList
ContainsImage
ContainsKey
ContainsText
Conversions
CopyFromScreen
_CorExeMain
Create
CreateDecryptor
CreateDelegate
CreateDirectory
CreateInstance
Create__Instance__
CreateProjectError
CreateSubKey
CryptoStream
CryptoStreamMode
CurrentUser
	c:X2S
	C:X2S
DateAndTime
DateTime
dBmnlQL
Debugger
*}dE.c
DeflateStream
Delegate
Delete
D(Fy;W
Dictionary`2
*dIj&U `%zn:6}+$
Directory
DirectoryInfo
Dispose
Dispose__Instance__
d-"sC>
 dSZWYX]
DynamicMethod
EditorBrowsableAttribute
EditorBrowsableState
	e:I2T
E_iadm
Encoding
EndApp
EndInvoke
EndsWith
Environment
	E:O2N
}eP	e#
	e:Q2N
Equals
	E:R2M
EventArgs
EventHandler
Evidence
>Evm`e
	e:X2O
Exception
Exists
	e:y2@
]\f'?#
F/!0ynS
f15&Oo
f[1=H5
	f:^2N
	F:^2S
	f:\2W
	f:a2r
FailFast
	F:I2@
	f:I2D
	F:I2D
	f:I2S
FieldInfo
FileCopy
FileSystem
Finalize
flrmsAYJCkEyIcVuCUlomdNielECE
f"n"me,
	f:R2G
	F:R2G
FromImage
	f:T2N
	f:U2E
	f:V2L
	f:X2S
	g:\2O
*gaaXa 
[=ga F
GeneratedCodeAttribute
get_Assembly
get_Attachments
GetAudioStream
GetBounds
GetBytes
get_CapsLock
get_Chars
get_Clipboard
get_CtrlKeyDown
get_CurrentDomain
GetCurrentMethod
get_CurrentThread
GetData
GetDataObject
get_DeclaringType
GetEnvironmentVariable
get_Evidence
get_ExecutablePath
GetExecutingAssembly
GetFieldFromHandle
get_FieldType
GetFileDropList
GetFolderPath
GetForegroundWindow
GetHashCode
get_Height
GetHINSTANCE
GetILGenerator
get_Info
get_IsAlive
get_IsArray
get_IsAttached
get_IsInterface
get_IsStatic
get_Jpeg
get_Keyboard
get_Length
get_Location
get_MachineName
GetManifestResourceNames
GetManifestResourceStream
get_MetadataToken
get_Module
GetModules
get_Name
get_NewLine
get_Now
GetObject
GetObjectValue
get_OSFullName
GetParameters
get_ParameterType
GetProcesses
get_ProcessName
get_ReturnType
get_ShiftKeyDown
GetString
GetTempPath
GetText
get_To
GetTypeFromHandle
get_UserName
get_UTF8
get_Width
GetWindowTextA
	g:I2R
G~N#CF
	g:O2D
	G:o2d
	g:R2L
	g:R2R
Graphics
	g:T2O
	g:T2W
	g:X2B
	g:X2E
	g:X2R
	g:X2S
	{:H2}
h/5^w&;!
HashAlgorithm
HelpKeywordAttribute
HideModuleNameAttribute
HLhXa 
hObject
^&	I.~
	[:i2~
	I:~2T
	{:I2w
i8l	PR
IaRsa3
IAsyncResult
ibmvmv
ICredentialsByHost
ICryptoTransform
IDataObject
IDisposable
	I:j2H
	I:J2H
ILGenerator
	I:m2S
ImageFormat
	I:n2U
IndexOf
InitializeArray
Interaction
IntPtr
Invoke
	I:p2H
IsDebuggerPresent
IsLogging
	I:x2Y
joSBh_3W
jPOZxM2
judai_px4
judai_px4.exe
JXYnZX
	J:y2v
jy|WP~
JzvJbKQphyBhUjSkGpjtQnYek
`(#(K!
}k)Cr[un
kernel32.dll
Keyboard
]kg0>{
KXanZX
{l}3pae
lA}>FbY
	L:b2m
Ldarg_S
"lEVC6
	l:Q2N
	`:M2}
	|:M2C
MailAddress
MailAddressCollection
MailMessage
Marshal
mD6YK&)ZhT&dx<
MemberInfo
MemoryStream
MethodBase
MethodInfo
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
Module
<Module>
Monitor
mscoree.dll
mscorlib
MulticastDelegate
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyTemplate
My.User
My.WebServices
	@:N2D
	$:N2U
nameGuid
NetworkCredential
Newobj
ntdll.dll
NtQueryInformationProcess
NtSetInformationProcess
>'o{B*
~OB;Co
Object
OE*Y yE
offset
OpCode
OpCodes
OpenExisting
OpenSubKey
Operators
OutputDebugString
O\}Xcr
	`:P2D
	p:\2U
ParameterInfo
ParameterizedThreadStart
	P:d2~
	P:E2Q
	p:E2U
 ">pea
p	E;zn
	p:H2Q
	p:K2@
	p:N2}
	p:N2$
	P:o2}
	p:O2n
	p:O2R
Process
ProcessHandle
ProcessInformation
ProcessInformationClass
ProcessInformationLength
ProjectData
	P:s2e
	p:S2U
	p:X2O
	p:Y2@
	p:Y2H
	P:z2~
	|:Q2D
	|:Q2M
	q:\2U
	Q:\2U
QDRgx4
Q"h'f,
	Q:x2m
	]:R2L
	}:R2U
ReadAllText
ReadBytes
ReadInt32
Rectangle
Registry
RegistryKey
RegistryValueKind
@.reloc
Remove
ResolveEventArgs
ResolveEventHandler
ResolveMethod
ResolveSignature
resourceField
resourceLength
ResourceManager
ReturnLength
RijndaelManaged
rk=R1(
	r:N2}
r*Pf/B
`.rsrc
	r:T2O
@RTI~\
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
rX;j>L
	r:Z2H
	|:S2E
s.4ejD
Screen
sender
ServerComputer
set_Body
set_Credentials
SetData
set_EnableSsl
set_From
set_Interval
set_IsBackground
set_Item
set_Port
SetProjectError
set_Subject
SetValue
SetWindowsHookExA
SHA&,k<s
	s:I2}
	s:I2V
SizeOf
SmtpClient
SpecialFolder
	s:R2S
StandardModuleAttribute
STAThreadAttribute
Stream
StreamWriter
String
StringCollection
Strings
#Strings
Substring
SuppressIldasmAttribute
	S:v2S
SymmetricAlgorithm
System
System.CodeDom.Compiler
System.Collections.Generic
System.Collections.ObjectModel
System.Collections.Specialized
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.IO
System.IO.Compression
System.Net
System.Net.Mail
System.Reflection
System.Reflection.Emit
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Security.Policy
System.Text
System.Threading
System.Windows.Forms
	`:T2(
	]:t2o
	}:T2R
TextWriter
!This program cannot be run in DOS mode.
thread
Thread
ThreadStaticAttribute
.`]TiJ
	t:O2D
	t:O2E
	t:O2U
ToArray
ToBoolean
ToInt32
ToInteger
ToLongTimeString
ToString
ToUInt32
	t:P2H
	t:P2Q
	t:P2R
	t:Q2D
TryGetValue
	t:S2B
	t:S2E
tTm$l4
`<,tvq
	t:Z2D
UnhookWindowsHookEx
user32
user32.dll
UWlM+d
v2.0.50727
	v:\2O
ValueType
	V:H2H
	V:H2S
	v:I2D
vm9~a~
	v:O2N
<$#V|OB
Voka8e
	V:Q2H
	v:R2L
 /VVdXdm
	v:X2R
\{]%w9$]
:w[D	wN
	w:R2@
WrapNonExceptionThrows
WriteAllBytes
	w:X2S
	X:|2b
	}:X2S
	x:\2U
	~:X2X
	;:X2Y
:^Xa q%
XLl@hs
	Xm~ZnW(
	x:N2}
	x:R2S
`xSc13<
	x:T2O
XW$O>8
	x:X2O
	{:Y2N
`Yab`o
y_@g")
	y:M2D
 <YPVX^
	y:R2@
	y:R2F
	y:T2Q
yUhRd=CHUt
	y:X2S
yX5XEf
YXaXZ 
	y:Y2D
	Z:~2`
	z:^2M
	{:Z2R
	z:[2U
zAmaPJUJpFsVttGxniuprKERdnJJc
	z:H2M
	z:H2S
	z:N2N
	z:O2E
	Z:o2e
	z:o2T
	z:P2@
	z:Q2H
	z:R2J
	z:S2R
ZTaab`
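Added example (not part of the original report): a strings triage pass that drops the symbol soup above and maps the surviving API and type names to capabilities. The input is a constructed sample of this report's own strings; the keep heuristic and the capability table are assumptions chosen for this sample, not a general-purpose classifier.

```python
import re

# Constructed input: a sample of the Strings section above, including a few of
# the high-entropy lines a raw `strings` pass emits for an obfuscated assembly.
SAMPLE_STRINGS = [
    "\t5:\\2E", "1pBB\t25X#Jhmpj", "aXXXb`o", "8.0.0.0", "...................",
    "COR_ENABLE_PROFILING", "COR_PROFILER", "Debugger detected (Managed)",
    "Profiler detected", "IsDebuggerPresent", "NtQueryInformationProcess",
    "NtSetInformationProcess", "OutputDebugString",
    "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx",
    "GetForegroundWindow", "GetWindowTextA", "get_CapsLock", "get_ShiftKeyDown",
    "CopyFromScreen", "FromImage", "get_Jpeg", "GetBounds",
    "get_Clipboard", "ContainsText", "GetFileDropList", "GetAudioStream",
    "SmtpClient", "MailMessage", "Attachment", "set_EnableSsl",
    "set_Credentials", "NetworkCredential", "set_Port", "System.Net.Mail",
    "RijndaelManaged", "CreateDecryptor", "DeflateStream", "CryptoStream",
    "GetManifestResourceStream", "DynamicMethod", "ILGenerator",
    "Confuser v1.9.0.0", "ConfusedByAttribute", "SuppressIldasmAttribute",
    "judai_px4.exe", "Registry", "CreateSubKey", "SetValue", "OpenSubKey",
    "Microsoft.VisualBasic.Devices", "mscoree.dll", "JzvJbKQphyBhUjSkGpjtQnYek",
]

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]{3,}$")      # identifier-shaped
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9_. ()\-]+$")        # no tabs/symbol soup
LETTER_RUN_RE = re.compile(r"[A-Za-z]{4,}")                 # at least one word


def interesting(strings):
    """Keep identifier-shaped tokens and plain messages; drop entropy junk.

    Heuristic (assumed): an identifier, or a string made only of letters,
    digits, spaces and light punctuation that contains a run of four letters.
    """
    return [s for s in strings
            if IDENT_RE.match(s)
            or (PRINTABLE_RE.match(s) and LETTER_RUN_RE.search(s))]


# Capability table (assumed mapping from names in this report to behaviours).
CAPABILITIES = {
    "anti-debug / anti-profiler": {
        "COR_ENABLE_PROFILING", "COR_PROFILER", "IsDebuggerPresent",
        "NtQueryInformationProcess", "NtSetInformationProcess",
        "OutputDebugString", "Debugger detected (Managed)", "Profiler detected"},
    "keyboard hook (keylogging)": {
        "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx",
        "GetForegroundWindow", "GetWindowTextA", "get_CapsLock", "get_ShiftKeyDown"},
    "screen capture": {"CopyFromScreen", "FromImage", "get_Jpeg", "GetBounds"},
    "clipboard capture": {"get_Clipboard", "ContainsText", "GetFileDropList",
                          "GetAudioStream"},
    "SMTP exfiltration": {"SmtpClient", "MailMessage", "Attachment", "set_EnableSsl",
                          "set_Credentials", "NetworkCredential", "set_Port",
                          "System.Net.Mail"},
    "encrypted embedded payload": {"RijndaelManaged", "CreateDecryptor", "DeflateStream",
                                   "CryptoStream", "GetManifestResourceStream"},
    "obfuscator / runtime codegen": {"Confuser v1.9.0.0", "ConfusedByAttribute",
                                     "DynamicMethod", "ILGenerator",
                                     "SuppressIldasmAttribute"},
    "registry access": {"Registry", "CreateSubKey", "SetValue", "OpenSubKey"},
}


def capabilities(strings, min_hits=2):
    """Map surviving strings to capabilities, requiring `min_hits` distinct
    indicators so a single generic name such as "Registry" does not count."""
    present = set(interesting(strings))
    found = {}
    for cap, indicators in CAPABILITIES.items():
        hits = sorted(indicators & present)
        if len(hits) >= min_hits:
            found[cap] = hits
    return found


if __name__ == "__main__":
    for cap, hits in capabilities(SAMPLE_STRINGS).items():
        print(f"{cap:30s} {', '.join(hits)}")
```

The obfuscated type names such as JzvJbKQphyBhUjSkGpjtQnYek survive the filter on purpose: they are random but identifier-shaped, and on a Confuser-protected sample they are the names worth carrying into a YARA rule.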