Analysis Date: 2015-10-20 03:58:48
MD5: cfa568665f415f2ba5d5715b02a06d61
SHA1: 0a00a6520153016670c654a6a47b7c34d35ea6a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text1 md5: 5bcbceb53caad73d629770074ca15092 sha1: d8e70aa7e9e1447358f4cac702b7571ecbba7f98 size: 385024
Section .adata md5: 938d6d97628275a512e07c66be5ccecf sha1: 97e468e47489e38b33b0f14714a775c619ba9a90 size: 53248
Section .data1 md5: 4ca2c736434642b67337fd5aaa58c2f0 sha1: 26a058e3eb837283c7df2fefc334cb8c68f391e0 size: 77824
Section .pdata md5: 532e21e33c9805216beb2a58947ce1a4 sha1: d60a54f780c57909a6e79f3e8397816fe908d521 size: 1187840
Section .rsrc md5: bd0f6a7fd75962739350b017048e51f4 sha1: 31fe09236a44a583851afa2783f2ec5ab7502fce size: 28672
Timestamp: 2009-12-29 03:06:23
Version:
  LegalCopyright: microsoft compiler
  InternalName: al
  FileVersion: 1.02.0057
  CompanyName: microsoft
  Comments: microsoft
  ProductName: microsoft dll loader
  ProductVersion: 1.02.0057
  FileDescription: dll loader
  OriginalFilename: al.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 37f4db4885043f2bdced556efde75cf21ad79eb0
IMPhash: 0539a31253f066f6315e4c0a3a3568dd
AV CA (E-Trust Ino): Win32/Fruspam.GF
AV F-Secure: Trojan.Generic.7871045
AV Dr. Web: BackDoor.Siggen.49051
AV ClamAV: Trojan.Typic
AV Arcabit (arcavir): Trojan.Generic.7871045
AV BullGuard: Trojan.Generic.7871045
AV Padvish: Malware.Trojan.Typic
AV VirusBlokAda (vba32): TrojanDownloader.VB
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_AG.6ADCF040
AV Kaspersky: Trojan-Downloader.Win32.Dapato.stb
AV Zillya!: Dropper.Typic.Win32.736
AV Emsisoft: Trojan.Generic.7871045
AV Ikarus: Backdoor.Win32.Bifrose
AV Frisk (f-prot): W32/Typic.A.gen!Eldorado
AV Authentium: W32/Typic.A.gen!Eldorado
AV MalwareBytes: Trojan.Downloader.WCA
AV MicroWorld (escan): Trojan.Generic.7871045
AV Microsoft Security Essentials: TrojanDownloader:Win32/Tonick!rfn
AV K7: Riskware ( 0015e4f11 )
AV BitDefender: Trojan.Generic.7871045
AV Fortinet: W32/Dapato.KQ!tr.dldr
AV Symantec: Trojan Horse
AV Grisoft (avg): Generic18.AYWF
AV Eset (nod32): Win32/TrojanDownloader.VB.OSN
AV Alwil (avast): VB-AHIE [Trj]
AV Ad-Aware: Trojan.Generic.7871045
AV Twister: Backdoor.DDA501D481E62633
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: ObfuscatedAKN!hb!CFA568665F41
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0} ➝ NULL
Registry HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\x\x ➝ x\\x00
Registry HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\ ➝ objref\\x00
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File SCSI0:
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\xxxc.bat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Mutex RAL0343850B
Creates Mutex 0343850B::WK
Creates Mutex DBWinMutex

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe

Registry HKEY_LOCAL_MACHINE\Software\Licenses\{K7C0DB872A3F777C0} ➝ NULL
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Registry HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\Zztfdqhq ➝ Bm\E^LV_{c]oL\U|X\\x7fGpSlo`zhVnR
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates File C:\Documents and Settings\All Users\Application Data\TEMP:C9C13817
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll
Creates File SCSI0:
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\instal\key.txt
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates File C:\WINDOWS\system32\vbzip11.dll
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\instal\readm.txt
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Creates Process regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates Process regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Mutex RAL0343850B
Creates Mutex 0343850B::WK
Creates Mutex DBWinMutex
Winsock URL http://ns2.thebuisness.com/zip.zip
Winsock URL http://google.com

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip

Network Details:

DNS google.com (Type: A) ➝ 74.125.21.100
DNS google.com (Type: A) ➝ 74.125.21.139
DNS google.com (Type: A) ➝ 74.125.21.138
DNS google.com (Type: A) ➝ 74.125.21.113
DNS google.com (Type: A) ➝ 74.125.21.102
DNS google.com (Type: A) ➝ 74.125.21.101
DNS ns2.thebuisness.com (Type: A) ➝ 198.71.232.3
HTTP GET http://google.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET http://ns2.thebuisness.com/zip.zip
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP 192.168.1.1:1031 ➝ 74.125.21.100:80
Flows TCP 192.168.1.1:1032 ➝ 198.71.232.3:80

Raw Pcap

Strings