Tags: None

Analysis

Category Started Completed Duration
FILE 2013-10-24 07:20:53 2013-10-24 07:21:21 28 seconds

File Details

File Name 29201291888_1.1.hidden1_xor41.exe
File Size 129024 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 406d6001e16e76622d85a92ae3453588
SHA1 1aa4d96fdcafe8dbece906c68772614bfe72ceaa
SHA256 3483a7264a3bef074d0c2715e90350ca1aa7387dee937679702d5ad79b0c84ca
SHA512 77d7852fde08e4bdcbabfe5f2022bfe0c83f21404caffeab04c7cae1885ce5709d7d7ace1b8c328f45b39fe8ce11facd7aeed991cdd918cc1fc88ced9fea28dc
CRC32 6369E195
Ssdeep 3072:mrDTRmygx7FuKXxTEfjqW+ihkKXwzl2cW7:y5u7FuKXU5jgI
Yara
  • shellcode - Matched shellcode byte patterns

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious

Hosts

No hosts contacted.

Domains

No domains contacted.


Summary

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Version Infos

LegalCopyright Copyright (C) 2010-2013 - ProperWay Software
InternalName BLEND VWDExpress
FileVersion 2.3.1.1
CompanyName ProperWay Software
ProductName BLEND VWDExpress IDE Extension
ProductVersion 2.3.1.1
FileDescription BLEND VWDExpress IDE Extension
OriginalFilename blendvwdext
Translation 0x040e 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00015ded 0x00015e00 7.29743548412
.rdata 0x00017000 0x0000281a 0x00002a00 4.86533228933
.data 0x0001a000 0x00003180 0x00001200 3.25651725102
.rsrc 0x0001e000 0x000045b0 0x00004600 4.57670166998
.reloc 0x00023000 0x000013e0 0x00001400 4.63684776831

Imports

Library KERNEL32.dll:
0x417048 WriteConsoleW
0x41704c LCMapStringW
0x417050 HeapFree
0x417054 SetStdHandle
0x417058 LoadLibraryW
0x41705c RtlUnwind
0x417060 SetFilePointer
0x417064 GetConsoleCP
0x417068 GetConsoleMode
0x417070 HeapSize
0x417074 FlushFileBuffers
0x417078 GetStringTypeW
0x41707c CloseHandle
0x417080 LocalAlloc
0x417084 HeapReAlloc
0x41708c GetLastError
0x417090 HeapCreate
0x417094 GetCurrentProcess
0x417098 MultiByteToWideChar
0x41709c HeapAlloc
0x4170a0 GetCommandLineA
0x4170a4 HeapSetInformation
0x4170a8 GetStartupInfoW
0x4170b4 IsDebuggerPresent
0x4170b8 EncodePointer
0x4170bc DecodePointer
0x4170c0 TerminateProcess
0x4170c4 Sleep
0x4170c8 TlsAlloc
0x4170cc TlsGetValue
0x4170d0 TlsSetValue
0x4170d4 TlsFree
0x4170dc GetModuleHandleW
0x4170e0 SetLastError
0x4170e4 GetCurrentThreadId
0x4170ec GetProcAddress
0x4170f0 GetCPInfo
0x4170f4 GetACP
0x4170f8 GetOEMCP
0x4170fc IsValidCodePage
0x417100 ExitProcess
0x417104 WriteFile
0x417108 GetStdHandle
0x41710c GetModuleFileNameW
0x417118 GetModuleFileNameA
0x417120 WideCharToMultiByte
0x417128 SetHandleCount
0x417130 GetFileType
0x41713c GetTickCount
0x417140 GetCurrentProcessId
0x417144 CreateFileW
Library USER32.dll:
0x41714c RegisterClassA
0x417150 GetScrollPos
0x417154 DestroyWindow
0x417158 FillRect
0x41715c SetCapture
0x417160 DeleteMenu
0x417164 LoadMenuA
0x417168 EnumWindowStationsA
0x41716c GetClientRect
0x417170 SendMessageA
0x417174 GetMenu
0x417178 CreateWindowExA
0x41717c EnableMenuItem
0x417180 SendDlgItemMessageW
0x417184 CreatePopupMenu
0x417188 IsWindow
0x41718c CreateWindowExW
0x417190 SetScrollInfo
Library GDI32.dll:
0x41701c BitBlt
0x417020 SetTextColor
0x417024 DeleteDC
0x417028 SetBkMode
0x41702c DeleteObject
0x417030 SelectObject
0x417034 CreateCompatibleDC
0x41703c TextOutA
0x417040 CreateBrushIndirect
Library COMDLG32.dll:
0x417014 PrintDlgA
Library ole32.dll:
0x417198 CoTaskMemFree
0x41719c CoCreateInstance
Library AVIFIL32.dll:
Library COMCTL32.dll:
0x417008 ImageList_Destroy
0x41700c ImageList_Create

Strings

!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
uTVWh;Y@
^SSSSS
HHt$HHt
?If90t
j@j ^V
t"SS9] u
PPPPPPPP
PPPPPPPP
URPQQh
;t$,v-
UQPXY]Y[
<+t"<-t
+t HHt
/@^w=2B;XT
]nzpzW
:v#?/Q
C}i$<p/=
st\ W)
;B.~%F
pkW_7AM-
Q>OnAy
T,JK'f
!IICfoL
=,-"#lP
IJKDEI
EKDEIJ
IJKDEIJ
IJKDEIJKD
KEIJKDEIJKDEIJK
EKDEIJKDEIJKDEI
DEIJKDEIJKDEIJ
FJKDEI
JKDEIJKDEIJKDEI
IJKDEIJKDE
DDEIJKDEIJKD
FJKDEIJ
EKDEIJo
KDEIJK
KDEIJKDE
JKDEIJK
DEIJKDEIJKDEI
EIJKDEIJKDEIJK
DEIJKDEIJKDEIJ
JKDEIJK
KDEIJKDEIJKDEIJ
IJKDEIJKDEI
KDEIJKD
IJKDEIJK
EIJKDEIJ
a=xxw1
EKDEIJKDEIJK
JIJKDEI
JIJKDE
DEIJKDEIJK
FJKDEIJKDE
~zyo zzy
aIixwN
m|swvn
KDEIJK
EKDEIJ
JKDEIJKDEIJKDE
KEIJKDEIJKDEIJK
JIJKDEIJKDE
JIJKDEIJKD
EIJKDEIJ
|b7oYvvz
KEIJKDEIJKDE
JIJKDEIJKDEI
DEIJKDEIJKDEIJK
FJKDEIJKDEIJKDEI
FJKDEIJK
D$@Pj(j6V
t$0j#jdSShD
T$HRSP
|\9\$8tR
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
CorExitProcess
(null)
`h````
xpxxxx
1#QNAN
1#SNAN
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
`h`hhh
xppwpp
_fcvt_s failed with error code %d
Converted value: %s
Horizontal
333333
D:\maska\shmel\kkt\kosogla\Release\.pdb
HeapAlloc
GetCurrentProcess
HeapCreate
GetLastError
LocalAlloc
CloseHandle
KERNEL32.dll
RegisterClassA
GetScrollPos
SetScrollInfo
CreateWindowExW
IsWindow
CreatePopupMenu
SendDlgItemMessageW
EnableMenuItem
CreateWindowExA
GetMenu
SendMessageA
GetClientRect
EnumWindowStationsA
LoadMenuA
DeleteMenu
SetCapture
FillRect
DestroyWindow
USER32.dll
TextOutA
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
SetBkMode
DeleteDC
SetTextColor
BitBlt
GDI32.dll
PrintDlgA
COMDLG32.dll
CoCreateInstance
CoTaskMemFree
ole32.dll
CreateEditableStream
AVIFIL32.dll
ImageList_Destroy
ImageList_Create
COMCTL32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetProcAddress
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapReAlloc
HeapFree
LCMapStringW
MultiByteToWideChar
GetStringTypeW
LoadLibraryW
RtlUnwind
SetFilePointer
GetConsoleCP
GetConsoleMode
IsProcessorFeaturePresent
HeapSize
FlushFileBuffers
SetStdHandle
WriteConsoleW
CreateFileW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
,,,\ppp
,,,\TTTp
VVVpeTel
YYYlgRgl
^^^lWPWl
```lMMMl
eeelMMMl
jjjlMMMl
llllJJJm
pppmYYYo
pppoLLL<~~~
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
6_6d6n6
8(9/9<9B9
:@;g;p;|;
<0<7<C<I<U<[<d<j<s<
=)=i=o=
>)?/?E?J?R?X?_?e?l?r?z?
00&050:0@0I0i0o0
4$4.4A4e4
707I7e7n7t7}7
=6=A=I=Y=_=p=
>:?R?\?w?
1%1+1E1T1a1m1}1
252h2w2
&0*0.02060:0>0B0Q0n0
5#6)6E6m6
8*8H8l8
9?9D9j9
9*:\:t:{:
; ;j;p;t;x;|;
8 8'8.858<8D8L8T8`8i8n8t8~8
8&9,969
:$:.:@:W:e:k:
>#>5>G>Y>
?!?3?E?W?
0,1D1K1S1X1\1`1
1:2@2D2H2L2
373i3p3t3x3|3
4!5'5/5v5{5
5A6J6P6
: :+:0:9:C:N:
=;=H=M=[=6>Y>d>
0e1q1|2
4#5C536\6
;4<U<w<
T0Y0A1G1
859O9X9
9(:P:i:
;&;4;A;`;
=S>G?O?
1 2&242
7!888r8
?!?%?)?-?1?5?9?=?A?
4E4O4g4
9*939F9m9
9-:`:r:
<>=d=l=}=
>">1>A>m>
30;0E0Y0_0c0i0u0
1+11151;1
2*373]3
4&4I4a4g4k4q4
5-53575=5
6)767V7y7
7%8H8]8c8g8m8
9)9/93999
:.;;;a;
<3<V<n<t<x<~<
=!=@=F=J=P=
>H?U?{?
0'0G0j0
131H1N1R1X1
253B3b3
4#4)4-43494C4L4R4V4\4b4f4l4
5"5(5,525
7+7Q7t7
7#8F8^8d8h8n8
90969:9@9
:8;E;k;
<'<J<\<d<v<
?$?,?4?<?D?L?T?\?d?l?
h1l1t;x;
<8<D<`<l<
=$=(=H=h=
>0>P>p>
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7p7t7x7|7
= =$=(=,=0=4=8=<=@=D=P=T=X=\=`=d=h=l=p=t=x=
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
nProtect Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Spyware.Zbot.ED
TheHacker Clean
K7GW Clean
K7AntiVirus Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Agnitum Clean
SUPERAntiSpyware Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
AntiVir Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Emsisoft Clean
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
ViRobot Clean
AhnLab-V3 Clean
GData Clean
Commtouch Clean
ByteHero Clean
VBA32 Clean
Baidu-International Clean
ESET-NOD32 Win32/LockScreen.APR
Rising Clean
Ikarus Clean
Fortinet W32/Zbot.PKDP!tr
AVG Clean
Panda Suspicious file

Process Tree

  • 29201291888_1.1.hidden1_xor41.exe, PID: 1088, Parent PID: 1824
  • Explorer.EXE, PID: 1408, Parent PID: 1372

HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

No dropped files.