Analysis Date: 2013-09-27 20:59:12
MD5: 01daaffb18633043d17db0fe20728261
SHA1: 0a5ed76d86433aa348c85d50e83baa3f54879e29

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size is 0, so these are the hashes of empty input and are not useful as indicators)
Section UPX1 — md5: 14c65585469c456f4752881c98aa774a sha1: ad7076a0774f6d0a701042442cf64cb46cf5aa03 size: 177664
Section .rsrc — md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV avg: Worm/Generic2.BLRH
AV msse: Worm:Win32/Ainslot.A
AV avira: BDS/Backdoor.Gen

Runtime Details (observed behaviour: self-copy into the Application Data folder, persistence through Run, policies\Explorer\run and Active Setup StubPath keys, Windows Firewall exceptions added via REG ADD, and outbound TCP connections on port 4747):


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\crss ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1BB28FB4-7C6E-F51D-FC3A-B1AF2626BED5}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\DXV50NRKU8 ➝
September 27, 2013\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\DXV50NRKU8 ➝
Build1\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1BB28FB4-7C6E-F51D-FC3A-B1AF2626BED5}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crss ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\data.log
Creates File: C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Mutex: DXV50NRKU8

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe ➝
C:\Documents and Settings\Administrator\Application Data\0EVRIBA91A.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Network Details (a hostname is resolved and two TCP flows are opened to the resolved address on port 4747):

DNS: bs.anzima.eu
Type: A
82.41.186.144
DNS1bs.anzima.eu
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 82.41.186.144:4747
Flows TCP: 192.168.1.1:1034 ➝ 82.41.186.144:4747


Strings
|:%| |
#&(}	$
.,00@L
02S!/T
0*#!'4
,08_>o
~0~%D&
;*0DFs
\0K30b
0N`h0a
0,($`o
0|@&ph
0r(If8
0T5(%[
"0$vh	
",0"'ZO
;	\"1}
15dF8oo
1DlFun
1;'\Dq
1pB4l-
1Q_P^h
1<]U'\
1wp{t#
1 z(CF(
22A368949C0&
'22I\dV
27Onld
2]	9r0(u
2`BUnh
2E]hPf
2>e%Xdq
`2l.mp
2Q%AT~
2(Tt{8xo_
32EDE121D9E2F062D2BD
3FG/m;
 3gp$d
3$kbeZ.
3l/4dJ
3"l\T&ZM
3SC`7P
$3V0=K
%&'()*456789:CDEFGHIJSTUVWXYZcde
4a`Q6 
4[cv4=bGa
4>FAJD
4H4sg%
4 .\jF
4\KO+xl
4/lN(0
4'lNo>O3
-4RoU,
4UP@dd
}4Wb+?
4/xL<(p
501E:9~
5*237X2
54rUbJ 
5555\r
5Async?Pf6
5'h\n'M5
5[#.j=`8
5LPUhq	c
6%`"4<
6666\r
(#68oc
6d2~BZ
`-6p.'	!2/
6}@v:]
6V\0/S
6V2Ziz<p]
6@X?@1>M
7033413A647A4B6739316
7;471A
774NE5
78jdjAff
7B$P;j
7IsoBY
.=7Kajt8
7niffOS4
8888\r
8A!RHc(
{8hGFJ
8HH~!-
8HX5n2
|>8!'y@
<9hCtK _s7
.9Jllh 
9`MQ[d_
/9o/Da
A,0kt[r
a4.U}N
/Ab>l<
AddMsg
_ADDMSG
AddRef
AdjuFPj
adyStq
ais{pQ
a_J8=MA
aJfoP;
$]aj*G
alUpda
Ar\'//+
aSBlKA
a*Tf},
AUb9]^9t]:g
Audio.
<*B <(
B.345B.
b86mswin
B|@D.d
bddw,/
b/"+FM
bhc)g1\
?Blink
.B^lQI:-
BOk$\#
bss_ser'
<bt/4MDA
b"XLCWB
by.ToPl
=c2->a"6
C4F5B5C5*14
;]C9HYH.
CallBaK
cdiP$i
C<F6E4ZF7C8
Ch5 1k>
/Chat'
<Ciuqa
Cog	b;
Compzb7O
+C	=Oo
CROL<`
CrypcIma
~cs7:P
cSubClHi
CUJu;t
(`Cu>@Po
` #D~7
df"FC^YO
d@F`h 
d@F^t1\d
DIt?Rh
*]/Do4c
D}rX[8
\d(#t\.
/\dT4JJ
DWdglS;
dWr[{C
DZPp_|
e{0<4Q
E2xDN6
E\FwPN
egffdn@<,
ENC^fADClifSteamG
eOr2>#7
<e/SrcLef]
EtDt}4
EVENT_SINK_Ge\X
'EV?L_]
ExitProcess
F4\<AXt
F6I zg{
F6w	-T5
F91AEE<A
F:9=.g
fac #@
f.C)G<
F<#DhD
F> FDfo
 Files (x86)\M>
F*l{,l
#)$<Fo0
f&O8V\
For+e/
f)pP&,.
fP(t)e
*#&f>qqq
frmMain
fS~ij."
f Sr7X
Ftp^i]m
fvF(DN.
F/Wdv 
f"x/(/
@F@XN\%
Fy.#fbv
/g0D+k
g^0OlE
!G$7$L5
#(g##;A
gCmp_2
ge'%capG?
GetProcAddress
GGinW-
G-g\P]
GGSCTt
ghDCG*
gHgD'*
gHija.
G'Mk26CQ[PIj
G	oYlB0
gQuery
gQVA^A
.\gSHL2X 
$gt&x"
GW`)i@
GWSOCK
`_Gw{.X5v.w
=h0SQ[
!hAN`SH
<HD@<8
Hd&Bzx\
[heQT%
H	Fl']
H<FR-#
H:Ft]*
h' #FX
` hGed /X 
HkD6Dm
HOc3fg
h(TnKphy(_
hunk5G
@HvLDP
@hW#3\H
I0/w(+
Ia-Kx 
icalDr
ICK_DELAF
ICk)S%
ic*soft Visual Stz\
i_FACEBOOK_START
ifyuw9S;>
\.i%J|&
/iJ2 '3
InfoTO
INrp{8
%.INY,l
@iQ!9[
I@Q*[P'
\IsssG x %'
i*#TTd
iV_mJ.
^J"%'(
j1gH1j(
J8M<pF
}j/8qX
jag@o|
ji<+Gp
j/)k9D
^j/KcP
jk`[/{d
 J	pHp
JP)>j+
<JSMb	
-jv3]ZB
/JWX9:
K]>1h-
[&:$k7[
KERNEL32.DLL
@@Kjka)
Kl;y;DY
k	\!n2
KsPXooK
k.+(TA%Xcf"
k@ujno
|*}<kV
$kzw2.
L7o<c&X
Lau&hF/
lbl](+8W
lB<R;N-
LCou.y
L?dMA$
L&d/O<p
lE.4TM
L=FQpO
	l[H/Y"P
lijhq)
Lla+(B
lM$Os%
l-n/on
,:\L`o
LoadLibraryA
lobalAl 
\!{Lod
lO_:gZn$
loseHandJ
Lp-&&/
L~'(P`
Lus:1]K_
lwI{P+
L)^Y"aA
>LYWQI
(L>Zero
m1"DTo
m	5N{a
M\@Ck_
M`fIL* 
m[G?GE$'
M"i[$h
^Mkok$P
mlE)Sa
mm9UCn
	mMl%6`
mnK{Vf
MPn6Z?
%Mshh+
MS SaX
\msvbvm60
MSVBVM60
MSVBVM60.DLL
M_SY)`
'mXKoi-
<M `\XT
M&Xu%:]
:M+.z,#
@n0Nu&
{n1?e:-VS
"N2]F|
NB7Y^I)o
N&)h,9
NJLgH0
@N:l//
novbv)#
(Nqq/*
n-RrPB
NTDLL>
-N<V<_
O-6RK7
*O8^.N
'o"BgBvtyBO
-obh.&
O@:<c{.
odFucrons
OlE2Tp
oO`0H*
<ook?RS`curity
os#+Om
+oTBN2pw\
oWaiqS
oXCCdC39
 @P`@``
*(?|&^P
p5HBITMAP
!^;'Pd"
picThumb
plCG:R
Pn"j0^
ppghY\L
~<pp;w
PRINT_
pUC'4G
q7fL'X^
qh/L]r
`:q:Ip
qkj>$F
QP	F}w
queezer
"\$r/ 
r-&84H	
\r999V
RAn'tZ'
raTaggN2
!#R&B*d_
R BH'_
"Rd:\SysWOW64\
!@${ri
rk$(.S
rlCache
rPWO8{
$R,S M
>S0,iP2,
`-sa.HI:
:ScanLj
~SCManPr
s:.cpV
Screensho
S?CuCeG
SER_FB77
 *.S{f
sHG%hu 
sH\TP(
s/Jo	K
slPk(p
Socket
s.op-<-
"SS=#.
="SsOS
s the p@
?st_lj
STRUCTIO
stV&y<
SZoM7Pn`
\!t2.*
T4gzF>aX
t)5H%a"
TaenmPB
,.tA/.i.
TEgw *
'/\t!f
TF`Pp;/
!This program cannot be run in DOS mode.
$thj}{Vo
thK SH
Th'#ON
Tim[?Sh4
tiy%q_
:;tkEe}
[T	kRS
tmqPjk
tmrLivLogg+
],t~ n
Tool	hx2
?TorrentS
`tPp=+7Z
&u^8uF
ua)>^s
u,B[{	
 Uc;AD
U$F(U<
ui/N2 
Un@cvssPATH_WINLOGON
u?oHWP2
URLDVnl
 usiid
utQD0K:H2
@v1v2R
vb8x3 L,
v.Bf&|
vBIV9*O
vc.`t&
vECZGF
vf`M1P
+vieframe.dl
 $Vi]<M3
VirtualAlloc
VirtualFree
VirtualProtect
v:o4bc
v$qTh_=[
VUc!V_0
_VVwCtl~ebBrow
W0%=~#
W0!@w:5
w?5274
=[_@wa
wCzk_G
@${WD[
W(D0HE/$
_WebHide
":Wk_U
-_WMqo
^)w*n]
wN$N$7
wOkf4p
wRtla)
(w*t2|
w\ZT'F
x13OZ$
x2U/X&
x`4.8j
_X7$_F
/XATyp
#'x'by
"xCWoB
Xd@Fvg
(Xd-t4
}\xEm>
xF9Ww[
X#G`1@
XheInvokeV
xIhSr 
X'j'b3-
+@x'L!
xlh^NJ
"XlKN2`
@xM\us
x&!Mw!
xn4803k
xohJ10.
+_\X~PA
xphZRJ<
XPTPSW
xQ?|PC
xRr@M<7
xu5sx4
XuTZ C"6
XZ4#\C84u;
Y$4]@Co
y>99T4
yG!0"<
yGrabbOg	V
Y@J\cf+
yjd|lhNG
Yl1X4L;
YLLH8$a*Kg4
ylZX/$
YP+:S59
yXe(aS
YX"")fv
YXF?xw
Z|+:4I
za\bo`
>Zcr]G
~zIOcm%_
@Z?kZK
Z$}tw3
\	\zyotvh
-Z$Y=W):