Analysis Date: 2014-01-21 22:10:14
MD5: 1262e371f936b7efc734b0468d21fd04
SHA1: 03ca371b35ad8273e3eed1178479ff0bda2d96e3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section (unnamed) md5: 250e38a035d2c7f5336ff66a0d2dceb2 sha1: 91ad8e0bc17523376dc8adbeb6a4ce5bab75d44f size: 138240
Section (unnamed) md5: 3e176ad1495f3196178b11935aa39519 sha1: c800698f221ec6b894ebb05b68bfb3aed3926ffe size: 12288
Section (unnamed) md5: 3b10578acfe96e44528d77ef3ebe6782 sha1: 160e4acdef2b3e7895a015a85920a072a4ca1c0d size: 1024
Section (unnamed) md5: e462482d10b99127e068a7b345c7865e sha1: ccf8f06bc195990e6557b1f03640fad559ed380d size: 3072
Section (unnamed) md5: 75126aea7c152a12aff0f52b995dad3f sha1: 621c6668164dfa3a061af184d70dabbcc4c72610 size: 5120
Section .rsrc md5: 443ffc8f0f5efb81ae16ad70e8663725 sha1: dda73fc26188a7e3513957651862ccd5a803f8e8 size: 12800
Section (unnamed) md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data md5: 6e189172ef47ac0d47b8f4fd49f6f927 sha1: 8214d6ecc20403e0b5f817451711a7c1cdc0532e size: 151040
Section .adata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2013-02-16 23:53:56
Packer: ASProtect v1.2
PEhash: 02b2f3c1e7422ab7f734504b4874a68efa51fa9a
AV (Avira): TR/PSW.Zbot.15233
AV (McAfee): RDN/Generic PWS.y!yg
AV (AVG): PSW.Generic12.XEQ

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\.key\ ➝ regfile
Creates File: Scsi0:
Creates File: PIPE\lsarpc

Network Details:


Raw Pcap

Strings
ASKNEXTVOL
ccpp
GETPASSWORD1
LICENSEDLG	RENAMEDLG
REPLACEFILEDLG
STARTDLG
=<^++	"
 !"#$%&
/= $()[
{{{{{{{{{
},;:-_
08HpX"h
`08:,ut5
^0d?Ky
0GOr]Pr.
}/0J#DAB
/'[,\\0]^_\\\Q
0)sRIw
0vHG\*
<0XLdf
14K[l4
]1a'eL
1E{9}Z8
.1'G'>
1hzP/i
\1mcL*
1@N"|s>
1=T*;PBJ
1UY:I-
1W7?Ar6
1XvaN](M
23456789
26+JEU?
+2D<K[
2EVi"0
2]fV%k
2[)/`)i
2K	G"w
2lz'i-
2q(5mB`
~$2S{\J)H
2U}l>EN;
3,45657879
35LOg1(
36r?JI
386x,[p
3avZ5)
=3g)p<
3|h6f=la
_3[)q=
3qq}?c
3v;?#,
3x<_mI@
:(,4;<=>;?@
42cb]t
4:8;@<D=L
4?!8yS
	:4;< gP>j?r{t
,4Hv%U
4 +m'5+
"4?]?Oh
4U1J,=
4XY3?v
5;0PCO^
5@2..x
5 '9GDgzL
5H:pQ'!
5YWW)$
6|@DHH
74KD2d
7G^&JI
7K<;RQ
7"!m8y~
7WbZ[|$
7@Y7XP
(7y`gT
.81aX5(
8888888888887
8888888888{x7
8/C6jUAxy
8D'// 
8<e@BR
8pvuVGxK
8uRZp_
&8)YJ<C
(8yoX%ta
8Zainn
9&,0	T
921+Jx
;98lP<
9A7|yH
9B3~*Nd
9<:@;D<H=L\F?^
9EG%"X
9ghLNX=
,9Gic\A
/9k@I6
9NUo^9
'#9PntEQ
'A,4;BC
%a4,D 
aaaaaaaaaaaaaaaaaaaaf~leQmux
acs	Tx
.adata
advapi32.dll
A;[<f=s
:ahYfq
a<J,9@
\\AL4}
'aLR}r
ansm-et~g
%.aqn}
<A"wtR
B]/`5#
B,]7f{
B:c';o	
B+C*`O
-Bdq-v7
_B@({(E4
_beWx2
BFaIod$
BgSOw{W=h*bnq\
BhR4gf
 BJfP\
B"PRZt
B*pssTC
>**BQvp
b^`R4Q
BRQ25;
B/s#lJ
 ^b)tbs
bTUi~c
BVg[T(}
b`,V>Kw
B/W{$O
}&@C~"
c$2}GY
C*7`M>@
-C|')9
cbcg7O.0
cBCXWt
CDEFGH8IJ
*c.fO7e'#
;:?;C<G=K>S?Y?k?q
cHX/^l
cJ'u{2
cL[j|M
CNi4P_+
comctl32.dll
covZgx
Cp tM7
(CR3=k
#C"W"#
c}W9j#%
C@XnCT
):CYHc
D13vW.
d1xGxIG
d/2Gf6
d)3-Li
 D4b,b_
}D5{"P
D7"^%5
{(d]8	
d9$|Q#
d_A5jh
''''''''''''''''''DaJKHPam
ddddddd
dddddddd
dFKu4}
dG4@'X
dJ!Fe=
d_l=JZ
D|nt+6
DN_y<-
.d{p>Vi
DSv9/-+v
D]wOBzQb
d(WR=G
E{"0	W
};Ea[&:
eaau]MT
?Ec<?\
E;c'Ky
E;d`0Yn
_EFcodpb
`@(EGw9vL
>EHJuZ
eHomW%
Eip@)%x
E?j.UX
ek	9zAI
e@ KQ5
emorNy
=EO29}
))/epA
eQhK*7&,59
e[qiE^
eRP=$[
!es+g+_
F'1eV	!rO
f3GkJuV
<F%4Nb
*F9)Z"
FBoMu'
FD)9~8
@-f'dy#
Fen;#VK
FE\)Of
Ff>_Pyd(Ya
fG!7i!Pm
Fghuy<$	
FH\n\,i
fIAn5I
fKaH<Z9
$fN;@Lr
f?od0~2<	
f^PfJ?
fpK1z	g
$;FpoK
f|RHV(
FTWARE\B
FXb&d.f
g4E>}1
*G!66B&
gavc `w{V
gdi32.dll
,Ge nu
GetKeyboardType
GetModuleHandleA
GetProcAddress
G_f5|c%
GFcy a
G =g*&7u
 g'|I-G
'=G{igA
"(GLOa
#%gmp>n
gon0Pwa:
G{OO{*Y
G<o|T3Q<
G`shK%
~%#}GT
g[uSo%
^*GUw|
gxdNG;
<,<GZ`
'=Gz(@1f
_H8VW^
haG;vT~
	H"dD0
H%DeYK
hEA."O
=H?jh(
H#K(6u
Hl,3K&
`hlc+Pz
HlRWy@B
hLuIkX
Hl|&x}
HlX1x"<
h[O0on
h:p;t<x=|>
hQ+S}N
[%ht,0
Hv8v/P
<h}w)"
%-<>,I
+;i5-_
i/-9MI;
i9%tAi
%\^I|A
i%A'Og=
ibl	+7
	IBx7`
I@|HmL'
IJKL=MNOPQ
ImageList_SetIconSize
i[oW`L
ipqLww
Iq\!a@
I s1?(
iskFr`
J";^*&
J'3=Lk
j&6?5}k:
j7n(K+
<JA96'
jCaR>C
/jfJiX
j^f~)Sd8
JFXu$<I
jgZ2"V1`
JHXB=m
JJJJJJJJJJJJJJJJJJJaieQRamu
{_j]K6
jklmnp
JMS-|z
Jn#$Lf
=JQuOEB
jU<G6d
jv$CN(8&\
 JwO<{
jYOo_j
k6-8k(
kEM3C`
kernel32.dll
Kft@x8
k>Hdt*
kIV D[
K/JaZi
kkkkkkkkkkkjhjjjo
kKOtf5
KLMNOPQ
&k})nE>
KP5_v.
kq14}_m
kt<&la
kW4><6
kX6H	];
KY7o:rF
>~kyW<&4
KZeF=e
	+l.b9
LbT%Q|
lc@{7{
=LGRgo
`LI(<$
l^]LB:
LoadLibraryA
l:p;t<x=|
;l=-#S*Q
lt=J~v
l"{u-~
L<y4qo
,L(YtV
+L=z\[`g
lZWvE@M
:'m0zGz
M4Ifv{/4
MAIL F
M#,an0
mAOa){
MARTvV
Mas:kV	l
M	|Bh1
MEj-J]
m<: gNV
mJx6-'{
mmrrrrs
mnopqr8st
m(n?r}t
%M`[O>
M 	@p<|
~MQ(<e
m\t>hH
mu;j0)
?"M_v8
M(X1zt
N]2OJOfT
*N7RUS
nqT.iNe>
N^rB]U
NS}S J
N_vR'}
NXq"|9
NyblVW
o1#A6w>
O1IYy(
o("'1r-
	O{	2-
O5'O)d
O+$[	b
O*BA$RS
OCU"K9
O$e_.4
oleaut32.dll
{OP#{G
+ o?R3:MR
orland
O	,TSK
otT)[B?
Owa%s	
.p~1]g
p[-2N="!8
p37i`;*
P37@k~S{z
P3=H[cZ
pcEi~9R-
PE'}n7
pIyBDX<
pNx/B$
PO]k 9
p.pt`h
p%QAyu
printf
}@pUg\D(
p"uQM%
Pv?K5Ri7
PWE:7'&
p>W"`~s
P$Xgyx
PzMh9oD
P;z[_p
?Q0VV!A
&<Q0X 
Qe}l.%
qM\8!m
qN-'DW
q-NS$qj
/Q)OO5
%$QOrh
qOsjh_
QPX[R+
QRLYBc
Q,!@`WZ
q .,y	'^,
	qz2pk
QZ^ &n
r $0'I
@R6&B[
R89>@g26
rAAv&ARX
RaiseException
# RB\H
RCPTx 
@!RD^lt
RegQueryValueExA
rf` br
]R,gp-
RLp.Ut
rQWvG%
R+^QXW
rrrrrmm
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrrrppps
RSTU0VWXYZH
RTL8PU
Runtime 
RUP[${
Ruq?y%
-RvB;rf
-	"}s)
:=-:'s
,:s0`"NM2p
s2_sRco
!^@S^>8`
s8 R@wi
SafeArrayPtrOfIndex
SAJ@0-
sAnjB#.
SD\Lue
S/^>E=d
%shXY+k
s@idDP1
sKcCoub,
SL&1E0pnw
sLM\tU
&s!o=S
sqkFu`<k
Strin5
suV_-=3
sw6k$K
SysFreeString
;,t@@$
/-_ t~
[T8'y`
tAS &Po
t(c)t5
TFilen
$_@TG8)
!This program cannot be run in DOS mode.
;*Th	Z
ThzePp>dou
TI^2Y1Y
t@l(}i
't lovd
TNatr9
T)O%uo
"t<ovP
tPgl$#
tqmxzz
tR*f]v
:T,S.St
ttsxSxt
 	 TUu
t'vJxbI
T,XrY@
t"xz%:
U!05#&
_u80cs
	,U84P
ubi|)	
&Ubxg'{}
\Uh>[+
+u~HUz
< u'JZ
UL/Ao~E
UlG'V^
UnrealizeObject
UOjJ%"
}U*Q5"|
'uqmK;
UQYM.d
user32.dll
&u>sM=
U*uE3Z
uvwxyz0p1
Uzv'6C
v0s_ux
V1 `U3
v8645x
VA	)=C"
VariantChangeTypeEx
v;aTP6d
VC0PhH
\\`Ve}b
VerQueryValueA
version.dll
`V;:F5tg
 {<VgIi
Vhh|!o&
.v)>I?
Vk{']R
/VoFU<	
v)q;w kXJS
vr")`@
vRr]Fl
~vrrrrr
~vrrrrs
vR:R]TL
VS"yot{x
vx=iUD0
vx{_P-
w1jp`o
*._W7f
(|w	HAW
 W+HrJ
.Wj%\1
(,'W	Q
(wRr$:Ag&\
Wswy)=
wwwwwwww
"W]Y)@RE/
=|X],}
x0z4L|
x+1UQ=
&x1z;|A~
x2rw@QSF
x6O,0	8
x|8fgC"
x$8=Hp
X,980MH
XdK?	`
Xf0b5]
#XHc%p
xI?b?K
XJ NB_	
XMN"<E
xp=}/:
X&v6xS
xXa\&d
]&xX#S
x~XYl&
X,Z1Z.
x'zH|P9~
x"z*Y2
 Y$6<P
Y9\DenHBx
]y9:<W
>y ,`F
yIKd"(
Y#;~o1
-;yR\<
>Yrf7L/jn
YRlY~&X]
yrrrpps
yrrrps
y"u4H#
YU]`KE
(Y,v&4
yVTT6H
YVXc~c
Y^@%+.w;U
#YZv+j
(z,]0V?8
*;Z3/ZK
Z9\+8.
zA[LJ3
zAl(mOq
zfq5 j
zfSi	J
ziEwXD
z?Nb]4}
z]r9>O
z*@r>W
Z(v@	6
zw.@**
.Z|'W1p
zwqz9;
ZX4>&)
%z`xj>p?
zZ^5TF