Analysis Date: 2013-09-26 06:54:32
MD5: f68c5ac5b51db4903cb078e2b12a44d2
SHA1: dd65886b9802897e15c89d3269d0c914597f40f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 5ad074ea70cf1aedbfbaa9dc825b0d65 sha1: 3c01bc5b7a2bb78c4b809394af56bcafc36b4591 size: 75264
Section .rsrc md5: 085ece4575b8e2900cf89e46d5bc3da0 sha1: 2d0686f0e18f3381a399705563beb7561a4cbbcb size: 1024
Section .reloc md5: ce99014b5858d093aac9ea2d862423fe sha1: f34cc9e90557c65a8a8bcd04e2be079d1d691a34 size: 512
Timestamp: 2013-08-21 19:55:49
Pdb path: c:\Users\Sentra user\Dropbox\Aplicacion\Aplicacion\Aplicacion\obj\Debug\Aplicacion.pdb
Version:
LegalCopyright: Copyright (C)
Assembly Version: 1.0.0.0
InternalName: Aplicacion.exe
FileVersion: 1.0.0.0
ProductName: .Net
ProductVersion: 1.0.0.0
FileDescription: Aplicacion
OriginalFilename: Aplicacion.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 59439a631a7530644460254f87e4c6389134fac3
AV avg: PSW.Generic11.CCBF
AV avira: TR/Rogue.9525268

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\netfile\shell\runas\ ➝
"%1" %*\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ ➝
{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shell\runas\ ➝
"%1" %*\\x00
Registry: HKEY_CLASSES_ROOT\.\\xe0\\xb5\\xe1\\x85\\xe0\\xb5\ ➝
\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shell\open\EditFlags ➝
NULL
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shellex\DropHandler\ ➝
{86C86720-42A0-1069-A2E8-08002B30309D}\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shellex\PropertySheetHandlers\PifProps\ ➝
{86F19A00-42A0-1069-A2E9-08002B30309D}\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shell\open\command\ ➝
"%1" %*\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shellex\DropHandler\ ➝
{86C86720-42A0-1069-A2E8-08002B30309D}\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\Microsoft.NET\Framework\netfxsbs10.\\xe0\\xb5\\xe1\\x85\\xe0\\xb5 start\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shell\runas\command\ ➝
"%1" %*\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shell\open\EditFlags ➝
NULL
Registry: HKEY_CLASSES_ROOT\.\\xe0\\xb5\\xe1\\x85\\xe0\\xb5\PersistentHandler\ ➝
{098f2470-bae0-11cd-b579-08002b30bfeb}\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shell\runas\command\ ➝
"%1" %*\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shellex\PropertySheetHandlers\PifProps\ ➝
{86F19A00-42A0-1069-A2E9-08002B30309D}\\x00
Registry: HKEY_CLASSES_ROOT\.net\PersistentHandler\ ➝
{098f2470-bae0-11cd-b579-08002b30bfeb}\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\ ➝
Aplicaci\\xc3\\xb3n\\x00
Registry: HKEY_CLASSES_ROOT\.net\ ➝
netfile\\x00
Registry: HKEY_CLASSES_ROOT\netfile\shell\open\command\ ➝
"%1" %*\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Security ➝
C:\WINDOWS\Microsoft.NET\Framework\Framework.net\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\shellex\PropertySheetHandlers\ShimLayer Property Page\ ➝
{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}\\x00
Registry: HKEY_CLASSES_ROOT\netfile\DefaultIcon\ ➝
%SystemRoot%\System32\shell32.dll,-154\\x00
Registry: HKEY_CLASSES_ROOT\netfile\ ➝
Componente para aplicaciones Microsoft .NET\\x00
Registry: HKEY_CLASSES_ROOT\\\xe0\\xb5\\xe1\\x85\\xe0\\xb5file\DefaultIcon\ ➝
"%1"\\x00
Creates File: PIPE\ROUTER
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\Microsoft.NET\Framework\netfxsbs10.\\xe0\\xb5\\xe1\\x85\\xe0\\xb5
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Microsoft.NET\Framework\Framework.net
Creates Process: "C:\WINDOWS\Microsoft.NET\Framework\Framework.net" bautiza
Creates Mutex: Santuario_12-
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Starts Service: RASMAN

Process
↳ "C:\WINDOWS\Microsoft.NET\Framework\Framework.net" bautiza

Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 840

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates File: WMIDataDevice

Process
↳ Pid 1840

Process
↳ Pid 996

Network Details:

DNS: lb.wordpress.com
Type: A
72.233.2.58
DNS: lb.wordpress.com
Type: A
72.233.69.6
DNS: lb.wordpress.com
Type: A
66.155.11.238
DNS: lb.wordpress.com
Type: A
76.74.254.120
DNS: lb.wordpress.com
Type: A
76.74.254.123
DNS: lb.wordpress.com
Type: A
66.155.9.238
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.34.108
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.34.107
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.34.106
DNS: secretosytrucos.wordpress.com
Type: A
DNS: darkvaticano.blogspot.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 72.233.2.58:80
Flows TCP: 192.168.1.1:1031 ➝ 66.155.11.238:80
Flows TCP: 192.168.1.1:1031 ➝ 76.74.254.120:80
Flows TCP: 192.168.1.1:1032 ➝ 173.194.34.108:80

Raw Pcap

Strings
$0aeaba5c-66eb-4909-a5c3-b31612e152ab
1.0.0.0
11.0.0.0
5	`	i	q	}	
accion
adanString
AddFireWall
AddressFamily
AddSeconds
AllocHGlobal
aplicacion
Aplicacion
Aplicacion.exe
Aplicacion.Hijo
Aplicacion.Identidad.Hijo
Aplicacion.Purgatorio
Aplicacion.Santificacion
Aplicacion.Santuario
Aplicacion.Trinidad.Espiritu
Aplicacion.Trinidad.Hijo
Application
ApplicationSettingsBase
appString
archivo
ArrayList
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyCultureAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
AsyncCallback
aunBautizado
azarDigitos
bajarArchivo
Bautiza
Bautizar
BautizarComputador
bautizo
BeginChangeDir
BeginClose
BeginGetFileList
BeginGetFileSize
BeginInvoke
BeginLogin
BeginMakeDir
BeginUpload
BeginUploadDirectory
BinaryMode
binMode
Bitmap
botarDeEjecucion
botWasHere
buffer
BUFFER_SIZE
callback
CancelEventArgs
CargaInformacion
.cctor
ChangeDir
ChangeDirCallback
CheckKey
chequeterePath
cierraProceso
CipherMode
ClassesRoot
cleanup
cliente
clientSocket
CloseCallback
command
Compare
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
ComputeHash
ComVisibleAttribute
Concat
CONECTADO
Connect
Contains
Convert
copiar
CopyFromScreen
Copyright (C)
corazon
Corazon
_CorExeMain
CorreAplicacion
costilla
CreaEvaDesdeCostilla
crearFrameWork
Create
createDataSocket
CreateDecryptor
CreateEncryptor
CreateSubKey
creoEnDios
CurrentUser
c:\Users\Sentra user\Dropbox\Aplicacion\Aplicacion\Aplicacion\obj\Debug\Aplicacion.pdb
DateTime
DayOfWeek
DebuggableAttribute
DebuggingModes
Default
defaultInstance
Delete
deleteFile
Desencriptar
desencriptaSimple
desifra
destinatario
Detener
DialogResult
Dictionary`2
directorio
Directory
DirectoryInfo
dirName
Dispose
DllImportAttribute
dosEnUno
Double
DownloadFile
DriveInfo
DriveType
dwDisplayType
dwScope
dwType
dwUsage
ejecuta
ejecutaAppSana
ejecutaAppSanaJoineada
ejecutable
ejecutaFrameWork
Ejecutar
ejecutor
elejidos
EnableVisualStyles
Encoding
Encripta
Encriptar
encriptaSimple
EndInvoke
EndPoint
EndsWith
Enumerator
EnumWindows
EnumWindowsProcDelegate
enviarMensaje
Environment
Equals
escanearRed
escuchar
escucho
esFakeExe
esFrameWorkdotNet
esLaMismaVersion
esMenor
esNetUSerNet
esPuta
EsPuta
estaAppEstaConCopiaFakeExe
estado
estadoApp
EstadoApp
estaEnWindir
estaVivo
esteAppEstaBautizado
esteEquipoEstaBautizado
estoyBautizado
estoyEnUnPendrive
esUnEjecutableDeInicio
esWinRarExe
Exception
existeArchivo
existeDirectorio
existeOtroSantoEnElCielo
Exists
extencion
extraeAppSanaFromFakeExe
extraeFrameWorkFromFile
fakeExe
FakeExe
FileAttributes
FileInfo
FileMode
fileName
FileStream
FileSystemInfo
Finalize
FindWindow
Framework.net
Framework.net.Properties
Framework.net.Trinidad.Hijo
Framework.net.Trinidad.Hijo.Espiritu
Framework.net.Trinidad.Padre.Purgatorio
FreeHGlobal
FromBase64String
FromImage
ftpClie
FtpClient
ftpComando
FtpException
fullEnte
GeneratedCodeAttribute
Genesis
geroglifico
get_AddressList
get_AllScreens
getAlma
get_Aplicacion
getAplicacionInocente
getApostolName
get_ASCII
GetAttributes
get_BaseStream
get_BinaryMode
get_Bounds
get_Build
GetBytes
get_Canal
get_Chars
get_Cielo
getClave
get_Clave
get_Client
GetCommandLineArgs
get_Connected
get_Count
get_CreationTime
get_Current
get_DayOfWeek
get_Default
GetDesktopWindow
getDios
GetDirectories
get_DirectoryName
GetDrives
get_DriveType
GetEnumerator
GetEnvironmentVariable
get_EsPuta
get_EstadoApp
get_FakeExe
GetFileList
GetFileListCallback
GetFileListMaskCallback
get_FileName
GetFileName
GetFiles
GetFileSize
GetFileSizeCallback
GetFolderPath
get_FullName
GetFullPath
get_Height
get_Hogar
GetHostName
get_Hour
get_Id
getInfo
get_IpLocal
get_IsReady
get_Item
get_Jpeg
get_KeySimple
get_LastAccessTime
get_LastWriteTime
get_Left
get_Length
get_LocalEndPoint
GetLogicalDrives
get_MainModule
get_MainWindowTitle
get_Major
getMarca
getMensaje
get_Message
get_MiDios
get_MiNameApp
get_Minor
get_Minute
get_Minutes
get_Modules
get_Name
getNombre
get_Nombre
getNombreFem
getNombreFromMSN
get_NombreSanto
get_Now
get_Pais
get_Parametros
GetParent
get_Password
get_PathFrameWorkDotNet
getPaths
get_Peso
get_Plegaria
get_Port
GetProcesses
get_ProcessName
get_PROXY
get_Puerta
get_Puerto
get_PuertoHot
get_Puntaje
get_RemotePath
get_RemotePort
get_Rezo
getRunList
get_RunRuta
getSala
get_SALVADOR
getSanto
get_SanuFloodHilo
get_Second
get_Server
get_Servidor
get_ServidorHot
get_Sistema
get_Size
get_StackTrace
get_StartInfo
get_StartTime
GetStream
GetString
GetSubKeyNames
get_Timeout
get_Top
GetTypeFromHandle
get_Unico
get_Username
get_UserName
get_UTF8
get_Valor
GetValue
GetValueNames
get_VerboseDebugging
get_Verdad
get_Visible
get_Width
get_Windir
GetWindow
GetWindowLongA
GetWindowLongPtr
GetWindowText
Graphics
GuidAttribute
GW_CHILD
GW_HWNDFIRST
GW_HWNDLAST
GW_HWNDNEXT
GW_HWNDPREV
GWL_EXSTYLE
GW_OWNER
hablar
HashAlgorithm
IAsyncResult
IComparer`1
ICryptoTransform
idealApp
identificacion
IDisposable
IEnumerator
ImageFormat
imagen
InAttribute
IndexOf
infectaRED
infectarRed
INGRESANDO
inicia
iniciaEscaneoRED
INICIO
innerException
IntPtr
Invierte
Invoke
IPAddress
IPEndPoint
IPHostEntry
iplocal
ipLocal
IpLocal
IsDigit
IsRunning
IsWindowVisible
keyActivo
keybuffer
keysimple
KeySimple
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
LayoutKind
lazaro
leerArchivo
leerDios
List`1
listenUsb
LOCALE_SABBREVCTRYNAME
LOCALE_SYSTEM_DEFAULT
LocalMachine
loggedin
LoginCallback
lParam
lpBuffer
lpBufferSize
lpcCount
lpClassName
lpComment
lpEnumFunc
lphEnum
lpLocalName
lpNetResource
lpProvider
lpRemoteName
lpWindowName
lujuria
MakeDir
MakeDirCallback
makeFrameWork
Marshal
MarshalAsAttribute
masificaByPath
MD5CryptoServiceProvider
meHablasAMi
mensaje
_mensaje
message
MessageBox
MessageBoxButtons
MessageBoxIcon
method
$$method0x600012b-1
Microsoft.Win32
miDios
MiDios
miNameApp
MiNameApp
mision
_mMutexOwned
<Module>
MoveNext
mpr.dll
mscoree.dll
mscorlib
mueveTmp
MulticastDelegate
NativeWin32
NETRESOURCE
NetworkStream
nIndex
nMaxCount
nombre
_nombre
Nombre
nombreSanto
NombreSanto
notificarMensaje
NotImplementedException
Nuestro
nuevoApostol
NuevoUserinit
obedecer
object
Object
observar
OpenRead
OpenSubKey
OpenText
op_Equality
op_GreaterThan
op_Inequality
oracion
OSVersionNoRevision
otroNombre
OutAttribute
PaddingMode
pantallazo
parametros
Parametros
password
Password
PathFrameWorkDotNet
pathInicialFrameWorkDotNet
Pecado
Pecador
pecados
PixelFormat
plegaria
Plegaria
pobrefile
pobrePathFile
Poseer
<PrivateImplementationDetails>{155C7316-F040-4EFD-BEE2-6A33B929CE1D}
procesos
Process
ProcessModule
ProcessModuleCollection
ProcessStartInfo
ProcessWindowStyle
ProtocolType
PtrToStructure
puerta
Puerta
puerto
Puerto
puertoHot
PuertoHot
puntaje
_puntaje
Puntaje
Random
ReadByte
readLine
ReadLine
ReadOnlyCollectionBase
readResponse
ReadWeb
Receive
recibir
Rectangle
recurse
registro
Registry
RegistryKey
RegistryValueKind
ReleaseMutex
@.reloc
remotePath
RemotePath
RemotePort
Replace
Resolve
RESOURCE_CONNECTED
RESOURCE_CONTEXT
RESOURCEDISPLAYTYPE_DIRECTORY
RESOURCEDISPLAYTYPE_DOMAIN
RESOURCEDISPLAYTYPE_FILE
RESOURCEDISPLAYTYPE_GENERIC
RESOURCEDISPLAYTYPE_GROUP
RESOURCEDISPLAYTYPE_NDSCONTAINER
RESOURCE_DISPLAYTYPE_NET
RESOURCEDISPLAYTYPE_NETWORK
RESOURCEDISPLAYTYPE_ROOT
RESOURCEDISPLAYTYPE_SERVER
RESOURCEDISPLAYTYPE_SHARE
RESOURCEDISPLAYTYPE_SHAREADMIN
RESOURCEDISPLAYTYPE_TREE
RESOURCE_GLOBALNET
RESOURCE_RECENT
RESOURCE_REMEMBERED
RESOURCE_SCOPE_NET
RESOURCETYPE_ANY
RESOURCETYPE_DISK
RESOURCE_TYPE_NET
RESOURCETYPE_PRINT
RESOURCETYPE_RESERVED
RESOURCEUSAGE_ALL
RESOURCEUSAGE_ATTACHED
RESOURCEUSAGE_CONNECTABLE
RESOURCEUSAGE_CONTAINER
RESOURCE_USAGE_NET
RESOURCEUSAGE_NOLOCALDEVICE
RESOURCEUSAGE_SIBLING
responde
responder
respuesta
result
resultCode
resume
RSDS/B
`.rsrc
runApp
runAppAux
runAppByPeso
runAppByPuntaje
runFile
runRuta
RunRuta
runSanFrameWork
RuntimeCompatibilityAttribute
RuntimeTypeHandle
salvador
SALVADOR
SantaClase
santoEnLinea
SantoIerrece
santosSiempreVivos
santoX
sanuFloodHilo
SanuFloodHilo
SC_CLOSE
Screen
SearchOption
SeekOrigin
semilla
sendCommand
sender
SendKeys
SendMessage
SendWait
sereYo
server
Server
servidor
Servidor
servidorHot
ServidorHot
servidorStream
set_Aplicacion
set_Arguments
SetAttributes
set_BinaryMode
set_Canal
set_Cielo
set_Clave
SetCompatibleTextRenderingDefault
set_CreateNoWindow
seteaApp
set_EnableRaisingEvents
set_ErrorDialog
set_EsPuta
set_EstadoApp
set_FakeExe
set_FileName
SetForegroundWindow
set_Hogar
set_IpLocal
set_Key
setMensaje
set_MiDios
set_MiNameApp
set_Mode
setNewFrameWorkDotNet
setNombre
set_Nombre
set_NombreSanto
set_Padding
set_Pais
set_Parametros
set_Password
set_PathFrameWorkDotNet
set_Peso
set_Plegaria
set_Port
set_PROXY
set_Puerta
set_Puerto
set_PuertoHot
set_Puntaje
set_RemotePath
set_RemotePort
set_Rezo
set_RunRuta
setSala
set_SALVADOR
set_SanuFloodHilo
set_Server
set_Servidor
set_ServidorHot
set_Sistema
set_StartInfo
setTaldo
set_Timeout
SettingChangingEventArgs
SettingChangingEventHandler
Settings
SettingsBase
SettingsSavingEventHandler
set_Unico
set_Username
set_UseShellExecute
set_Valor
SetValue
set_Verb
set_VerboseDebugging
set_Verdad
set_Visible
set_WindowStyle
showDir
simpleKey
sistema
Sistema
SizeOf
Socket
SocketFlags
SocketType
soploDeVida
soyUnApostol
soyUnSiervo
SpecialFolder
StartsWith
STAThreadAttribute
Stream
StreamReader
StreamWriter
String
StringBuilder
#Strings
StructLayoutAttribute
strVisible
Substring
Subtract
SW_HIDE
SymmetricAlgorithm
Synchronized
System
System.CodeDom.Compiler
System.Collections
System.Collections.Generic
System.ComponentModel
System.Configuration
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.IO
System.Net
System.Net.Sockets
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
System.Timers
System.Windows.Forms
taldoChannel
TcpClient
teclas
teclea
Temporal
textoEncriptado
TextReader
TextWriter
!This program cannot be run in DOS mode.
Thread
ThreadStart
tiempoDesde
Timeout
timeoutSeconds
TimeSpan
ToBase64String
ToCharArray
ToInt32
ToLower
ToString
ToUpper
traducir
TransformFinalBlock
TripleDESCryptoServiceProvider
TryGetValue
Unayko
_Unayko_el_Unico
unidad
unidades
UnmanagedType
Upload
UploadCallback
UploadDirectory
UploadDirectoryCallback
UploadDirectoryPathRecurseMaskCallback
UploadFileNameResumeCallback
user32
user32.dll
User32.Dll
username
Username
UTF8Encoding
v2.0.50727
value__
ValueType
variablesMinus
verboseDebugging
VerboseDebugging
verdad
Verdad
Version
VERSION
vidaLazaro
visible
Visible
vocabulario
WaitForExit
WaitHandle
WaitOne
wasHere
WebClient
Windir
WM_SYSCOMMAND
WNetCloseEnum
WNetEnumResource
WNetOpenEnum
wParam
WrapNonExceptionThrows
WriteLine
WS_EX_APPWINDOW
WS_EX_TOOLWINDOW