Analysis Date: 2013-12-27 07:04:40
MD5: ebf8e087554ae0f375d6f5fd9e9d5b76
SHA1: 10921321d069c12df940c041bd7747d1cec0ccab

Static Details:

PEhash: 1f17a7eea2aadd978b98d41fde44175fceb3682d
AV (avg): PSW.Generic12.PWE
AV (mcafee): PWS-Zbot.gen.oj
AV (avira): TR/Dropper.Gen
AV (msse): VirTool:Win32/VBInject.gen!LD

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\MicroSoftTmp ➝
C:\malware.exe
Creates Process: svchost.exe

Process
↳ svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DisplaySwitch ➝
"C:\Documents and Settings\Administrator\Application Data\winsecyr.exe"
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\winsecyr.exe
Deletes File: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: s9.postimg.org

Network Details:

DNS: s9.postimg.org
Type: A
190.93.249.14
DNS: s9.postimg.org
Type: A
190.93.248.14
HTTP GET: http://s9.postimg.org/6ocqmk2wv/imgbee.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 190.93.249.14:80

Raw Pcap
0x00000000 (00000)   47455420 2f366f63 716d6b32 77762f69   GET /6ocqmk2wv/i
0x00000010 (00016)   6d676265 652e6a70 67204854 54502f31   mgbee.jpg HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   73392e70 6f737469 6d672e6f 72670d0a   s9.postimg.org..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 0d0a                -Alive....


Strings
@@,<
040904B0
,1qjk}
@@"4
5.00.0454
*\AD:\ytftfytfytfy\REeB.vbp
asecfrgvtfd
B4GFDB
CompanyName
dd/MM/yyyy
Dino1
Dino1.exe
DsHc8nePM7f
DUzUyA
e651A8940-87C5-11d1-8BE3-0000F8754DA1
eIpyrZ2vhEP
FileVersion
HIBj
InternalName
mpolkiujhy
Negyhhopgr
OriginalFilename
pNjj3fn5
ProductName
ProductVersion
PZsJ1jHHn
rA133F000-CCB0-11d0-A316-00AA00688B10
StringFileInfo
,T.&^>
Translation
VarFileInfo
VS_VERSION_INFO
]?-X6
yb48XO
ysz3B
YtqYQyF4k1H
|||____
0-4"oP
1	T`<{w
228}#1.
3:5("	
3M+B\P
5$v |3x
5WNL3R
"?<;8"
";81q 
-893D-mpilui
8N:5(	
,9P ~5
9SN:5	
astllesbwaybeih
av=3\A
BKG#[%
bNegyhhopgr
BoundText
bYWTTPLI<<Ic
CloseHandle
CN)P\\
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc22608.oca
CreateFileW
CtxtParentDate
`.data
DataCombo
DataCombo1
~DataCombo1
DataList
DataList1
dcQ_Wo
DefWindowProcA
DllFunctionCall
dQdZ:"Je
DTPicker
DvvlAq
E-4?CI
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
Frame1
FreeLibrary
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
g\)z'z8
h/42~vl 
|||_hhh
!hkr$Y
IaSrMB
jC@M%S
JhV'HYc
jnhytgbvf
K]c2Rw
kernel32
kernel32.dll
kernel32.DLL
]]]?KKK?KKK?[qu?v
,Kq1bJ
?lMxQy
LoadLibraryW
LP#ttE
L&z5`oQh"G
mpilui
MSCOMCT2.OCX
MSComCtl2
MSComCtl2.DTPicker
MSDataListLib
MSDataListLib.DataCombo
MSDataListLib.DataList
MSDATLST.OCX
MSVBVM60.DLL
>{mUsbC>9
Negyhhopgr
Negyhhopgrftukdfg56789dfghjk7845Negyhhopgr
	Negyhhopgri
O\&\C',/
	oc5fg
ojalja
OpenProcess
ouiouiou
&}(p-$=@*
"pMnJ:
ProcCallEngine
Process32First
Process32Next
PropertyPage
PropertyPage1
pr`UmmXk
P>vhV?<
qC:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc30554.oca
ReadFile
ReferencUserControl1
RowMember
RowSource
RtlMoveMemory
Sg"lss
S=#I[R
SystemParametersInfoA
TerminateProcess
!This program cannot be run in DOS mode.
txtParentDate
U{`1~:
u&-)ds
|`Up|wk
user32.dll
UserControl
UserControl1
VBA6.DLL
__vbaExceptHandler
WriteProcessMemory
&|X>||
xE;"dM
X{rm@!n
y"; 5iKU
Ygggv&
Yggvv1)bnje5
Ygt]M,jnnnjI
Y#+pJ,P
,y]|&v
yyyobbb
zU@m+VU
!zx"@R