Analysis Date: 2014-06-03 05:53:44
MD5: 42e7445b9f17c82a80101e773a1319e0
SHA1: 144097a373c5198346d0dc24e62e4e3c33880e07

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero raw size; the md5/sha1 are those of empty input, which is expected for the UPX0 section of a UPX-packed file)
Section UPX1 md5: 63c788d34506ffdeb7cc758b18052358 sha1: 49908e360521fe23319f4babed93778963b21e69 size: 177664
Section .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net (the Strings section below was extracted from the packed image, so most entries are compressed residue; unpack before doing static string triage)
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95 (computed on the packed file; for a UPX-packed sample this most likely reflects the packer stub's import table — the KERNEL32 LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualProtect/ExitProcess strings visible below — rather than the payload's)
AV 360 Safe: Trojan.Keylogger.MWP
AV Ad-Aware: Trojan.Keylogger.MWP
AV Alwil (avast): KeyLogger-ARY [Spy]
AV Arcabit (arcavir): Heur.RoundKick
AV Authentium: W32/VBInject.AM.gen!Eldorado
AV Avira (antivir): BDS/Backdoor.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ainslot.A.mue
AV ClamAV: no_virus
AV Dr. Web: Worm.Siggen.6967
AV Emsisoft: Trojan.Keylogger.MWP
AV Eset (nod32): Win32/Ainslot.AA worm
AV Fortinet: W32/Cospet.HA!tr
AV Frisk (f-prot): W32/VBInject.AM.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Keylogger.MWP
AV Grisoft (avg): Worm/Generic2.BLRH
AV Ikarus: Trojan.Win32.VB
AV Kaspersky: Trojan.Win32.Generic:Worm.Win32.Shakblades.bdc
AV MalwareBytes: Trojan.Agent
AV Mcafee: W32/Generic.worm!p2p
AV Microsoft Security Essentials: Worm:Win32/Ainslot.A
AV MicroWorld (escan): Trojan.Keylogger.MWP
AV Norman: win32:win32/Ainslot.A
AV Sophos: Mal/VB-GI
AV Symantec: W32.Shadesrat
AV Trend Micro: WORM_SWISYN.SM
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Dir ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{BE5EAEDF-F4CE-ACED-FF1E-ABD0CA3EB6BB}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Dir ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\7I3RX1KGE6 ➝
June 3, 2014\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BE5EAEDF-F4CE-ACED-FF1E-ABD0CA3EB6BB}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\7I3RX1KGE6 ➝
Deus's Bot\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Dir ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\Brits
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: 7I3RX1KGE6 (the same token names the "VB and VBA Program Settings" subkeys above; together with the "Windows Dir" Run/policies values and the Active Setup StubPath entries, all of which point at the dropped 9S5HX3GAGS.exe, these are the host indicators to sweep for)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL (value as recorded by the monitor; the REG ADD above writes REG_DWORD 0, which in the XP/2003 firewall policy allows exceptions, so the AuthorizedApplications entries added in the sibling processes take effect)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe ➝
C:\Documents and Settings\Administrator\Application Data\9S5HX3GAGS.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL (value as recorded by the monitor; the REG ADD above writes REG_DWORD 0, which in the XP/2003 firewall policy allows exceptions — the same write is issued several times by the parent)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

Flows TCP: 192.168.1.1:1033 ➝ 192.168.1.1:3460
Flows TCP: 192.168.1.1:1033 ➝ 192.168.1.1:3460
Flows TCP: 192.168.1.1:1035 ➝ 192.168.1.1:3460 (source and destination are the same RFC 1918 address, so the real remote endpoint is not recoverable from these flows; only the destination port 3460 is a candidate network indicator, and it should be confirmed against the pcap before use)

Raw Pcap

Strings
.X.
n.
,O
.r
.
.
.C:T.
f
`.
.
._
.X.
n.
,O
.r
.
.
.C:T.
f
`.
.
._

PERS
SETTINGS
 )@0@>
004P+Ic/
00G0@'
05mA*XO
' 08lq
0cmu<\
0Cx: L<
$0DW$p0
0gX H51
)	0#.i.
.?0%mPLa=
 0OtBo
^0+P0B
0P$PHD
0sL*#X|ck
0Y.D'%
15dF8F91AEE<A
1 $7J/
1pm(&^
20C<|0d
22A368949C0&9
 |2$5%`
#27I:Ng,9-}
27OnQui
2]	9r0(
'2"/,a{
2>e%Xdq
32EDE121D9E2
$345RL
373&97
3chk)P
\3``h\nT
(3*/i.
3l/A,7!0AC
3.-mohl
 3ug8g
($ 4=-
/#&42|
 447w;
4'4ShwlNo
%&'()*456789:CDEFGHI@m
47A4B6739316C4F5B5C5*14
4A3r4B`(0
\4cF`%O$
4[cv4=bGa
4H4sg%
4TM83$- 
4Yhf2v
!4yvT")
501E:9~
5Async?Pf6
5MV(r\h
,5t)eXj
(+6_ ~
-6/5G"H{
{6IR1/2
6n1?e:-
6o2&Ar
6.OLPX
6ss/\4Z
6T&p	 
6V2Ziz<
7033413A6
722G"4:0
7@68A_
774NE55*237X2
7b8x3 L
7niffOS4
7p}! `
/-7XhM
<840,M\
8#6<,f
8HVq2]
8HX5n2
 8*&*l
~8N{f'N
|>8!'y@
9d\4a`Q
9liWGr
9lR&F*
&9%se\
a4.U}N
AbUWgtp
AddMsg
AddRefA
Adju6{(QFPjN
ad<l09
adySt+.
A},HwX
ais{pQ
AJ{ZdT
alUpda
aMtHH 
aO$^#o{
Ar\'//]
A\t5UHL$
a Te"l
Audio.
awuois=
b86mswin
BIAq$=
BITMAP
BJ)5TZ
=B \lG
b' lL'
+$]bQp
bss_ser'
% Bt/8
*bvk_G
}B#W8Y	
/b!XDv
c2->a"6
\c2AUt
c3d(v0
;]C9HYH.
CallBaK
c`aw9h
C;C;G3'4
Cg\`@I
/Chat'
<Ciuqa
+C	=Oo_p
C:\Prog
!_ cpy
CrypcIma
cSubClHi
Ctl~ebBrow
cukw/K
`ddpv"
DE/$yEzL
df"FC^YO
@?DL|+
DL_:P&<
}dME,e
&d/O<p
:`dp`37
dQx5@z
DragQuery
dr>jBy
\d(#t\.
:D,tX#
DURB;4al
DZPp_|
e(1)!C
E4:|	"=
<e4ym5
E$6/ql[
_E(8:>6WcD
E-,8$uw
E^CQ<,
EFB$9$xU
-e<k&(
E/L7wW
ENC^fADClifSteamG
ENGZdN
enr:bMz
EVENT_SINK_Ge
'EV?L_]
ExitProcess
@:<F(:,
F062D2BD
F4?bA+.
F6E4ZF7C8
:F6I q
f7J::c,
FAi(>$
fD_/ lJ7
F> FDD
FfIj^C
 Files (x86)\Mic*soft Visual
$,FLLe
#)$<Fo0
-f)pP&BcI[,.)
FP<pT6=
FrBf>Z/.
frmMain
"")fv.:
Fy.#fbv
F'ZO'Si
g3#hh+HXKX(6q
#(g##;A
GbkUFW
@G~>c Gf
gCmp_2
ge'%capG?
GetProcAddress
gHija.
gHRL2 #
!Gk_SW
g,!W!W0(
H177P:
^,h1Ko
$$&\H2
$!H33!$
h3a"Z0*O
|H7?%'
)h83(9
H{a2p`
Hf4rHgA
h' #FX
 hGed /H
HHL5B$
hHPtQS
hJATXf
H.J.JL<
hK&x(&
@@H^r!@
HRL2 #
~hunkt
@HvLDP
`hx5L+
i. [\a
ICK_DELA
ICk)S%
~ijnGl
'&_img|H
InfoTO
INrp{8
InvokeV
iO E%\
iPlPb!
\Ip]&<M)
I@Q*/a
I]^QZ4
IyEhGp
j1gHJy
jag@o|
&)JdHw
 JDxH17/
J[iL\G]
jl Kd)x
$JOR,~,
JSTUVWXYZcdefg
JUJuQ(t);k
*'Jw]:
K03RJ<c
K]>1h-
K2rT4x
K6&?SC
KERNEL32.DLL
<@/Kh7
k*MDHL
-k$(.SrIs
\k.("SS=Is
\KuewD
k"/WX0|S4
`>L(@,
L2 tdT
l^9!<qK
Lau&hF/
>ld}p4
Ldt&Le
|lEnghe
lf^NJ5
LGVBOx0C
^^$Lh|
lIh: N
lijhq=
Lla+(B
L:lngg7x
LLTH!9L
LMUL?6
l-n/on
Lntlt0$
LoadLibraryA
lobalAl
loseHandJd 
lOU!a+B
L~'(P`
L)^Y"aA
Lzb7_FACEBOOK_4
m	5N{a
mC{AJ)
MF<-N4
-M.H<Pk
_@$_mi8
MJQ+Dq 4I0
^__^Mkok$P
	mMl%6`
MS SaX
MSVBVM
\msvbvm60
MSVBVM60.DLL
Mv#(i(
M&Xu%:]
:="MZp~qH
N' ~0~%
"N2]F|
NB7Y^I)o
NhV(|f^
@N:l//
nm0Sw_$
NmZ#_k
@nq\yAa
)n r9(+
NRR'=@
NTDLL>
n*/TrX
o04M>H
?o`?[+1
o7^DrU(
*O8^.N
OafFoc
-obh.&
{';OcD 
oCHAT_ADDMSG
odFucrons
.o>g"K
Oh1LDMd
O$jAJ+
Okf	Qi~K
oM7Pn`
<ook?RS`curity
OP-T3.
os#+Om
+oTwv	9
ovbv)I
oWaxeD
OwnZ64u;
oXCCdC~h
$.OY@+
.<@P,{
*(?|&^P
p^`.@]2X
P8N(wP
PATH_WINLOGON/_B
pb`ffvl
PBPB~S
P/\dT4
`pE~A<
p~ewm=Ck
P#)G_K-
*p].i.
picThumb
}plbc]
<PLHD@
'p\lor
~<p'M3%pDD@U
Pp=+7Z
PRINT_
P%S*	B|
p'sIW	#V
pWAcquRf
;'QA~j
QaW	U7
qJiW_A
q$nUHVS
	qS+$7
queezer
`"QWbj
"\$r/ 
r!11r!
r!22r!
r!33<'
\r456p\r
r*"9!m@{z5
RAn'tZ'
raTagg
rAUb9]^9t]
R|c0M/W
R	$'Cr
Rd:\Sys
R_gf=4^
RH/kT>y
rIsA/uV%
rJvj_Vd
r;&L-fP
;R,([n
/Rr@M<77
rs7&I{
.rsrch
ry7RzSW
rYZl,v
S1!	{,
:ScanLz
scii'h
SCManPr
s:.cpV
Screensho
SER_FB77
's<e/SrcLef]`
SHDVVwkO
$}SkP{
Socket
SpAIHo
>spu"G
sra$Wx
s the p@
#'@sTL^
STRUCTIO
stV&y<
 Stz\\98
:SW{F3E
S]w*t.
t)5H%a"
td@^%"
TEgw *
@/tFGL~
tF&;NF
!This program cannot be run in DOS mode.
Th'#ON
ti&Ci7
TKDQHs
:;tkEe}
tmrLivLogg+
^T)M_S
Tok@nCe
?TorrentS
T r%9<
tSd `\3
tT7lzl
% |.T	ZV
&U0d/J
$U0m6k
&u^8uF
u/D+]d
  UJ?G(
%[U#m'
Un@cvss
upQValu2 
UrlCache
UWH^)\<
`u@XXT
UYl1X4mLn_L;
V,7Sm 
_VBA6T
v.Bf&|
vBIV9*O
%VC`x)
vf`M1P
V%h0SQ
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
v`jc`*
vJQ:[\
VUc!V_0
vuHR2\?
vwf[O=i/
V$wN$N$
;W0G@<
W0!@w:5
w- 5'`
wapMo~
WD.0K:g
_WebHide
WhHO.^j
-_WMqo
^)w*n]
WOW64\
w,p0[%
wq1RCF
w%SrJl
?WTask
WX0@N2`$W
X2!dMPA
}\xEm>
x"*ibR
XJB5NZ
XJB:,v
X@jO0l
)XK7la
XL2 '(0d
XPTPSW
xQ?|)y
>xt.&l&N
+XT<LU
xV)mBC
$X `WC
X!wD`*
XWhC)D
####XX
_xXVGa
-}%_%y
y#2AP_
y6PBGM
@Y'a6t
&?yB:0H
`*]YcM
yGrabbOg	V
y.hXfX8
Y@J\cf+
 Yk/ qu
YP+:S@@DfX
yr\X~P8
Y]T#&D
YXF?xw
yxhXH^
Z*_3Ki
Z|+:4	
_Z{c<t3
zF>[hS
Z$}tw3
(zW`"Xy