Analysis Date: 2013-08-03 16:29:24
MD5: 35a81e6d286ed34fed3ba6c6626ec9e2
SHA1: 1038441603fdb62894b61836a35d2fd8d6b303c6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 222a65dd33b4479b4d1828f3e32bf60a sha1: 3f7dca1262e792c5fc112603db4e9f287c0869cd size: 12288
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5 and SHA1 digests of zero bytes, consistent with the empty section)
Section .rsrc: md5: 2b039d1e8e2af3923588517407c1af19 sha1: db07039ca10885f8216ccebcef08a206a2d984b3 size: 8192
Timestamp: 2012-03-29 20:28:26 (PE compile timestamp)
Packer: Microsoft Visual Basic v5.0 - v6.0 (a compiler signature rather than a real packer; consistent with the ClamAV name below)
PEhash: 3610d58488600441e0d40e79916d1d9e2ac0ff8d
AV: clamav W32.Trojan.VB-7

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: svrupdates001.s3h.net
Note: the Internet Settings registry reads, the three index.dat files and the WininetConnectionMutex / cache-path mutexes are standard side effects of the sample using WinINet for its HTTP request; they are not files or mutexes dropped by the sample itself. The \Device\Afd\* handles are the Winsock connection being opened.

Network Details:

DNS: park.onamae.com  Type: A  210.157.1.134
DNS: svrupdates001.s3h.net  Type: A  (no answer recorded)
HTTP GET: http://svrupdates001.s3h.net:23345/a/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows: TCP 192.168.1.1:1032 ➝ 210.157.1.134:23345
Note: the only resolved address in the capture, 210.157.1.134, is the one returned for park.onamae.com, a domain-parking host. The C2 name svrupdates001.s3h.net most likely resolved to that parking address at analysis time (the report does not show the intermediate record), so the GET /a/ on port 23345 would not have reached live attacker infrastructure; the URL, non-standard port and User-Agent string remain the usable indicators.

Raw Pcap
0x00000000 (00000)   47455420 2f612f20 48545450 2f312e31   GET /a/ HTTP/1.1
0x00000010 (00016)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000020 (00032)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000030 (00048)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000040 (00064)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000050 (00080)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000060 (00096)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000070 (00112)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000080 (00128)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x00000090 (00144)   35303732 37290d0a 486f7374 3a207376   50727)..Host: sv
0x000000a0 (00160)   72757064 61746573 3030312e 7333682e   rupdates001.s3h.
0x000000b0 (00176)   6e65743a 32333334 350d0a43 6f6e6e65   net:23345..Conne
0x000000c0 (00192)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000d0 (00208)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x000000e0 (00224)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....
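Added example, not part of the sandbox report: a Python script that rebuilds the TCP payload from the Raw Pcap hex dump above (trusting only the hex column, with offset checks), parses the HTTP request, and pulls the network indicators (host, port, URL, User-Agent) out of it; it also checks that a section's digests are those of zero bytes, as with the .data section in the static details. The hex dump is embedded verbatim from this report; the function names and the indicator dictionary layout are this example's own.

```python
"""Rebuild the HTTP request from a sandbox "Raw Pcap" hex dump and extract
indicators. Added example; the dump is copied from the report, the code is not
the sandbox's own."""
import hashlib

# Hex dump copied verbatim from the report's "Raw Pcap" section (TCP payload
# of the single flow 192.168.1.1:1032 -> 210.157.1.134:23345).
RAW_PCAP_DUMP = """\
0x00000000 (00000)   47455420 2f612f20 48545450 2f312e31   GET /a/ HTTP/1.1
0x00000010 (00016)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000020 (00032)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000030 (00048)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000040 (00064)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000050 (00080)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000060 (00096)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000070 (00112)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000080 (00128)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x00000090 (00144)   35303732 37290d0a 486f7374 3a207376   50727)..Host: sv
0x000000a0 (00160)   72757064 61746573 3030312e 7333682e   rupdates001.s3h.
0x000000b0 (00176)   6e65743a 32333334 350d0a43 6f6e6e65   net:23345..Conne
0x000000c0 (00192)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000d0 (00208)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x000000e0 (00224)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....
"""

# Four 32-bit hex groups separated by single spaces: 4*8 + 3 characters.
HEX_FIELD_WIDTH = 4 * 8 + 3


def parse_hexdump(dump: str) -> bytes:
    """Decode "0xOFFSET (DECIMAL)   xxxxxxxx ... xxxxxxxx   ascii" lines.

    Only the hex column is used; the ASCII column is lossy (non-printables
    are shown as '.'). Offsets are verified so a missing or duplicated line
    raises instead of silently yielding a wrong payload.
    """
    out = bytearray()
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        offset_tok, dec_tok, rest = raw.split(None, 2)
        offset = int(offset_tok, 16)
        if offset != len(out) or int(dec_tok.strip("()")) != offset:
            raise ValueError(f"offset mismatch at {offset_tok}: have {len(out)} bytes")
        out += bytes.fromhex(rest[:HEX_FIELD_WIDTH].replace(" ", ""))
    return bytes(out)


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request into request line, headers and body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_indicators(req: dict) -> dict:
    """Derive network IOCs from a parsed request (Host header drives the URL)."""
    host_hdr = req["headers"].get("host", "")
    host, _, port = host_hdr.partition(":")
    port_num = int(port) if port else 80
    return {
        "host": host,
        "port": port_num,
        "url": f"http://{host_hdr}{req['target']}",
        "user_agent": req["headers"].get("user-agent", ""),
        "non_standard_port": port_num != 80,
    }


def section_hashes_are_empty_input(md5_hex: str, sha1_hex: str) -> bool:
    """True when both digests are exactly those of zero bytes (an empty section)."""
    return (md5_hex.lower() == hashlib.md5(b"").hexdigest()
            and sha1_hex.lower() == hashlib.sha1(b"").hexdigest())


if __name__ == "__main__":
    payload = parse_hexdump(RAW_PCAP_DUMP)
    ioc = extract_indicators(parse_http_request(payload))
    print(f"{len(payload)} bytes of request payload")
    for key, value in ioc.items():
        print(f"{key}: {value}")
    print(".data section digests are empty-input digests:",
          section_hashes_are_empty_input("d41d8cd98f00b204e9800998ecf8427e",
                                         "da39a3ee5e6b4b0d3255bfef95601890afd80709"))
```

The offset check matters in practice: sandbox dumps are often copied by hand into tickets, and a dropped line shifts every later byte while the ASCII column still looks plausible. Deriving the URL from the Host header rather than from the report's own "HTTP GET" line also confirms the two agree, including the non-standard port 23345.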


Strings