Analysis Date: 2016-02-08 17:10:23
MD5: 506af539e363b047cfbdda6014a74e4e
SHA1: 025cac9415bb594e41da2016a9a8267375f45582

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text1 md5: 5bcbceb53caad73d629770074ca15092 sha1: d8e70aa7e9e1447358f4cac702b7571ecbba7f98 size: 385024
Section .adata md5: 938d6d97628275a512e07c66be5ccecf sha1: 97e468e47489e38b33b0f14714a775c619ba9a90 size: 53248
Section .data1 md5: 4ca2c736434642b67337fd5aaa58c2f0 sha1: 26a058e3eb837283c7df2fefc334cb8c68f391e0 size: 77824
Section .pdata md5: 532e21e33c9805216beb2a58947ce1a4 sha1: d60a54f780c57909a6e79f3e8397816fe908d521 size: 1187840
Section .rsrc md5: bd0f6a7fd75962739350b017048e51f4 sha1: 31fe09236a44a583851afa2783f2ec5ab7502fce size: 28672
Timestamp: 2009-12-29 03:06:23
Version:
  LegalCopyright: microsoft compiler
  InternalName: al
  FileVersion: 1.02.0057
  CompanyName: microsoft
  Comments: microsoft
  ProductName: microsoft dll loader
  ProductVersion: 1.02.0057
  FileDescription: dll loader
  OriginalFilename: al.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 37f4db4885043f2bdced556efde75cf21ad79eb0
IMPhash: 0539a31253f066f6315e4c0a3a3568dd
AV CA (E-Trust Ino): Trojan.Generic.7871045
AV Rising: No Virus
AV Mcafee: ObfuscatedAKN!hb!506AF539E363
AV Avira (antivir): TR/Dropper.Gen
AV Twister: Backdoor.DDA501D481E62633
AV Ad-Aware: Trojan.Generic.7871045
AV Alwil (avast): VB-AHIE [Trj]
AV Eset (nod32): Win32/TrojanDownloader.VB.OSN
AV Grisoft (avg): Generic18.AYWF
AV Symantec: Trojan Horse
AV Fortinet: W32/Trojandownloader.STB!tr
AV BitDefender: Trojan.Generic.7871045
AV K7: Riskware ( 0015e4f11 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Tonick!rfn
AV MicroWorld (escan): Trojan.Generic.7871045
AV MalwareBytes: Trojan.Downloader.WCA
AV Authentium: W32/Typic.A.gen!Eldorado
AV Emsisoft: Trojan.Generic.7871045
AV Frisk (f-prot): W32/Typic.A.gen!Eldorado
AV Ikarus: Backdoor.Win32.Bifrose
AV Zillya!: Dropper.Typic.Win32.736
AV Kaspersky: Trojan-Downloader.Win32.Dapato.stb
AV Trend Micro: TROJ_AG.6ADCF040
AV VirusBlokAda (vba32): TrojanDownloader.VB
AV CAT (quickheal): No Virus
AV BullGuard: Trojan.Generic.15745200
AV Arcabit (arcavir): Trojan.Generic.7871045
AV ClamAV: Trojan.Typic
AV Dr. Web: BackDoor.Siggen.49051
AV F-Secure: Trojan.Generic.7871045
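The section table is the part of the static details that deserves a second look: .text and .data report a raw size of 0 and carry the MD5/SHA1 of empty input (d41d8cd98f00b204e9800998ecf8427e / da39a3ee5e6b4b0d3255bfef95601890afd80709), so the executable code has to live elsewhere, presumably in the non-standard .text1, while a .pdata section holds roughly two thirds of all raw section bytes. The Python below is an added example for this page, not code from the sandbox or from any tool it ran: it parses the section lines exactly as printed above (copied inline as sample input), verifies the empty-input hashes by computing them, and flags zero-size, non-standard and oversized sections. The COMMON_SECTIONS set and the 50% size threshold are the example's own assumptions.

```python
import hashlib
import re

# Section table copied from the report above (sample input; the values are the
# report's, the line layout is the example's own).
REPORT_SECTIONS = """\
Section .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text1 md5: 5bcbceb53caad73d629770074ca15092 sha1: d8e70aa7e9e1447358f4cac702b7571ecbba7f98 size: 385024
Section .adata md5: 938d6d97628275a512e07c66be5ccecf sha1: 97e468e47489e38b33b0f14714a775c619ba9a90 size: 53248
Section .data1 md5: 4ca2c736434642b67337fd5aaa58c2f0 sha1: 26a058e3eb837283c7df2fefc334cb8c68f391e0 size: 77824
Section .pdata md5: 532e21e33c9805216beb2a58947ce1a4 sha1: d60a54f780c57909a6e79f3e8397816fe908d521 size: 1187840
Section .rsrc md5: bd0f6a7fd75962739350b017048e51f4 sha1: 31fe09236a44a583851afa2783f2ec5ab7502fce size: 28672
"""

SECTION_RE = re.compile(
    r"^Section\s+(?P<name>\S+)\s+md5:\s*(?P<md5>[0-9a-f]+)\s+"
    r"sha1:\s*(?P<sha1>[0-9a-f]+)\s+size:\s*(?P<size>\d+)$"
)

# Digests of zero bytes of input: a section reporting these has no raw data.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Section names a stock MSVC link produces (assumption; anything else is worth a look).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata",
                   ".pdata", ".rsrc", ".reloc", ".bss", ".tls"}


def parse_sections(text):
    """Parse 'Section <name> md5: .. sha1: .. size: ..' lines into dicts."""
    rows = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def triage_sections(rows, big_ratio=0.5):
    """Return (section, finding) pairs for anomalies in a parsed section table."""
    findings = []
    total = sum(r["size"] for r in rows) or 1
    for r in rows:
        if r["size"] == 0:
            if r["md5"] == EMPTY_MD5 and r["sha1"] == EMPTY_SHA1:
                findings.append((r["name"], "zero raw size (hashes are of empty input)"))
            else:
                findings.append((r["name"], "zero raw size but non-empty hashes: inconsistent report"))
        if r["name"] not in COMMON_SECTIONS:
            findings.append((r["name"], "non-standard section name"))
        share = r["size"] / total
        if share >= big_ratio:
            findings.append((r["name"], f"holds {round(100 * share)}% of raw section bytes"))
    return findings


if __name__ == "__main__":
    for name, why in triage_sections(parse_sections(REPORT_SECTIONS)):
        print(f"{name:8} {why}")
```

Run against the table above this flags .text and .data as empty, .text1, .adata and .data1 as non-standard names, and .pdata as holding 69% of the raw bytes; .rsrc passes. On a real sample the same checks would be fed from the PE headers rather than from the report text.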

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0} ➝ NULL
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\x\x ➝ x\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\ ➝ Color Property Page\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: SCSI0:
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xxxc.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{IF41747BB2672C200} ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\Zztfdqhq ➝ Bm\E^LV_{c]oL\U|X\\x7fGpSlo`zajaR
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates File: C:\Documents and Settings\All Users\Application Data\TEMP:C9C13817
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll
Creates File: SCSI0:
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\key.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates File: C:\WINDOWS\system32\vbzip11.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\readm.txt
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex
Winsock URL: http://ns2.thebuisness.com/zip.zip
Winsock URL: http://google.com

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip

Network Details:

DNS: google.com (A) ➝ 216.58.219.78
DNS: ns2.thebuisness.com (A) ➝ 198.71.232.3
HTTP GET: http://google.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://ns2.thebuisness.com/zip.zip
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.78:80
Flows TCP: 192.168.1.1:1032 ➝ 198.71.232.3:80
