Analysis Date: 2016-04-29 02:52:53
MD5: f0d4911bfe2fba80c692e26724662b76
SHA1: f1279d76357073568952ce8be8164670cafff438

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 90d8bc8d375ad21561c19a623fefe833 sha1: f391d41996f51fae609a612409310c99821d0f8f size: 77824
Section .rsrc md5: 2a925216fbb591c397199f7d1a032093 sha1: b546bba267eaf955fad0a74a841cb93c92685a4d size: 4096
Section .reloc md5: 900a0c8b7fa84edaab686a239d36f4b0 sha1: 08d915cc91476f656975f44b17b57b55f94b1547 size: 4096
Timestamp: 2016-04-28 01:15:17
Version: LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: server01.exe
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
FileDescription:
OriginalFilename: server01.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 2997c930bb3eaaa39ce8a34489963d78533dbff3
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV CA (E-Trust Ino): Gen:Variant.Barys.40628
AV F-Secure: Gen:Variant.Barys.40628
AV Dr. Web: BackDoor.Bladabindi.1276
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Barys.40628
AV BullGuard: Gen:Variant.Barys.40628
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Barys.40628
AV Ikarus: Trojan.MSIL.Crypt
AV Frisk (f-prot): No Virus
AV Authentium: No Virus
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Barys.40628
AV Microsoft Security Essentials: No Virus
AV K7: No Virus
AV BitDefender: Gen:Variant.Barys.40628
AV Fortinet: MSIL/Kryptik.EDF!tr
AV Symantec: No Virus
AV Grisoft (avg): ILCrypt
AV Eset (nod32): MSIL/Kryptik.DCQ
AV Alwil (avast): No Virus
AV Ad-Aware: Gen:Variant.Barys.40628
AV Twister: No Virus
AV Avira (antivir): No Virus
AV Mcafee: No Virus
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe"
Creates Mutex: babe8364d0b44de2ea6e4bcccd70281e

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe"

Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe.tmp
Creates File: \Device\Afd\Endpoint
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" "server.exe" ENABLE
Creates Mutex: babe8364d0b44de2ea6e4bcccd70281e
Winsock DNS: 127.0.0.1

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe" "server.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe:*:Enabled:server.exe\\x00
Creates File: PIPE\lsarpc

Network Details:
