Analysis Date: 2014-03-03 17:36:25
MD5: 3889373f13b33f3c5bc5cba047455401
SHA1: 118b78337bb2e00e05b758b8d2c1fb31d56ea65a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 15825095920ac2d2728b5b9b9bd9bb10 sha1: 2b20b82667f70e3d7f23e18e2900b4bc407b626c size: 282624
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: 44206e865a8bddf55ccaa3eb3eeca58b sha1: f5514d72a92dfb62e3317e93ee95c1a3f6aa2a56 size: 16384
Timestamp: 2012-03-30 06:08:45
Version: ProductVersion: 1.090
InternalName: 97
FileVersion: 19.00
OriginalFilename: 66
ProductName: 99
Packer: Microsoft Visual Basic v5.0 - v6.0
PEhash: a5d37452df02c07af023b35879e4d128a3338e54
IMPhash: e4ac1101086e1bee2447ececf73a982b
AV (avg): SHeur4.WPY
AV (avira): TR/Otran.A.7621
AV (mcafee): VB.kk

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xauim ➝
C:\Documents and Settings\Administrator\xauim.exe /W (autorun entry pointing at the dropped copy listed below)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝
1 (policy value that turns off Windows automatic updates)
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\xauim.exe
Creates Process: C:\Documents and Settings\Administrator\xauim.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\xauim.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xauim ➝
C:\Documents and Settings\Administrator\xauim.exe /l
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝
1
Creates Mutex: A

Network Details:

DNS: ns1.spansearcher.net
Type: A
213.249.64.211
Flows TCP: 192.168.1.1:1031 ➝ 213.249.64.211:8000


Strings
...
...
.
1._
.
040904B0
0c3u
1.090
1352.org
19.00
1.pla
2kg5h
2x1fk
32t9q
3q54
3x3q
3zf7zw
3zuv
4akl
4b14
4gi2
4h4xj
4shs
52.n
57w53
5g87
72dk
7phws
7tes
8yxe
92ce
9j48
a4nc
a5vw
a9r24
aa1z
at90
b0mp
bn9db
cbvv8z
chkt
ckju
d2s6
d8v9
dowsUp
dq6w
dshk
duleFil
e23e
e5nc76
e6rulm1
earc
eciv
efgn
FileVersion
fk9c0if
fmru
ftcgkc
gar64bk
ggs1iv
gkrie
gsrpmip2
hjse
hwojtwm
ialw1f
ibpt
ICON4(
ijftsr
ijz7t
ijzu
InternalName
j5m73
j7r1
jbb7
JWtoahIo
kc4qwl9p
kmlpyvw
knpu
kq17ta
LiGczN
lit5w
ltpb83i8
lwkz8
m04n
m1rg
m5yo93
MSINFO
\MSINFO32.EXE
mszz
mvga8yx
n2dk
nsh8
o8rd
oa66
obgxd
oft\
oq58z
OriginalFilename
oxjn
p42mx
PATH
pl6zx
ProductName
ProductVersion
q7fm
q9r9
qacv
qaicmh
qe3c
qga3
r59k
rcher.n
@rXP
ry8x
RYgaQVsXybJ
seux
SOFTWARE\Microsoft\Shared Tools Location
SOFTWARE\Microsoft\Shared Tools\MSINFO
ss0u
start
StringFileInfo
sygw
System Information Is Unavailable At This Time
t7na
t91w7
tfar2q
tlwg
tn8s0
tplx
Translation
u9q7
uia3
ujhtka8
v1eof
VarFileInfo
vb4v
VS_VERSION_INFO
vu27
w0bn
wh17f
wnt8qj
wujh4
wv9wth
xabt
xfwv
xl6w
xvf8el
y526l
zisz
zrx2
:,(02<=y
$(11=z
@=220---.<G|
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
$(66IN
,7[!\97!##-,^
```8ae
8Xpp(q
9>LLLIJRRTRSQSSSSUM
'$$$''$'$AA''''$$'$'$'$'$$$'$C$''$$
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
_allmul
;ALNMMIJMMQQQQQQRMMW
AppWizard6
AppWizard6.SubWizard
APPWIZ.OCX
.A/QQ74
;_bbkkwy~
BH99BB9D999HH98898888HH788888888877$
B]Xlllnnnr}}
CallWindowProcW
CEchugf{{
ChangeTheme
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
Combo1
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
C:\Program Files\Microsoft Visual Studio\VB98\Wizards\APPWIZ.oca
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
~ff~ff
~ff~ff~ff~ff
~ff~ff~ff~ff~ff
~ff~ff~ff~ff~ff~ff
~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff
~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff
~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff~ff
:Fjjjjjkw~
;Ggbbgu}~~
GIF89a
H0e:6wcz
\\\\HH[
Hxq]]]4>$
Image1
Image2
Image3
Image4
Image5
Image6
Image7
Image8
IsActive
IsTheme
Jc\pZ4,
}#jdh`Q@
}#jhh`Q@
}#j`h`Q@
j@h w@
:jnnnnnks}}}skkkkg
}#jPh`Q@
JWtoahIo
}#jXh`Q@
<@KIIIIJMMQQQQQSQMW
kmlpyvw
LiGczN
m_Bottom
m_BottomLeft
m_BottomRight
mciSendStringA
MdlInfo
m_Left
mmioWrite
!(MMM6
m_Right
MSVBVM60.DLL
m_Title
m_TitleLeft
m_TitleRight
mXVXXXXnllsssttttt}}}}wn
oAyymptQlf
	=OTUTUSSSR^nnnlUQSNM
Ov^Ov^Ov^Ov^^
Ov^Ov^Ov^Ov^m
Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^Ov^
|}OzPPP
}|OzPPP
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
	?PTnn]]lns}nlll^nq
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RYgaQVsXybJ1
shell32.dll
ShellExecuteA
	:sttrL
SubWizard
SubWizard1
SVnmnnrstt}
ThemeX
!This program cannot be run in DOS mode.
}}tnSS
Ts^{wr
}}ttsr
}}tttr
u^^]4>
user32
UserControl
VB5!6&*
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaFpCmpCy
__vbaFPException
__vbaFpI2
__vbaFpI4
__vbaFpR8
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaGetOwner4
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4ErrVar
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLenBstr
__vbaLenBstrB
__vbaNew2
__vbaObjSet
__vbaOnError
__vbaPowerR8
__vbaPut3
__vbaPut4
__vbaPutOwner3
__vbaRecDestruct
__vbaRedim
__vbaRedimPreserve
__vbaSetSystemError
|__vbaStrCat
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrErrVarCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1I4
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarIndexLoadRefLock
__vbaVarInt
__vbaVarMove
__vbaVarMul
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGt
__vbaVarTstNe
__vbaVarVargNofree
__vbaVarZero
winmm.dll
woKJJ=K{
wvoZoo[<
wyvwvw
xVppxoVlll
xVUSTUVVlrsssttt}}}}t}tss
xVUU	VVnlrnrstt}}
xxxwHBB
,+-/:y
yqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq7774!
ywqkui
zstt}t