Analysis Date: 2015-02-03 15:13:36
MD5: ea2beb404d3cda48018a9eaf01df513c
SHA1: 15f345e8e11d0f39296e0fc6bc94deda63c96a68

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: d427ee27a0bea24b8009f9eda089c6b8d6d761a2
IMPhash: 06d8b2b6c5081b4fb8ed56c826c7e6c2
AV results (29 engines, 20 detections):

  360 Safe                        no_virus
  Ad-Aware                        Gen:Variant.Symmi.8312
  Alwil (avast)                   VB-AIKK [Trj]
  Arcabit (arcavir)               Gen:Variant.Symmi.8312
  Authentium                      W32/Trojan.UAOL-3334
  Avira (antivir)                 TR/VB.Inject.65536.2
  BullGuard                       Gen:Variant.Symmi.8312
  CA (E-Trust Ino)                no_virus
  CAT (quickheal)                 no_virus
  ClamAV                          no_virus
  Dr. Web                         Trojan.PWS.Panda.2401
  Emsisoft                        Gen:Variant.Symmi.8312
  Eset (nod32)                    Win32/Injector.APMC
  Fortinet                        W32/Injector.ATCM!tr
  Frisk (f-prot)                  no_virus
  F-Secure                        Gen:Variant.Symmi.8312
  Grisoft (avg)                   BackDoor.Generic17.CHUE
  Ikarus                          Virus.Win32.VBInject
  K7                              Trojan ( 0048d2f61 )
  Kaspersky                       Backdoor.Win32.Androm.bcfp
  MalwareBytes                    no_virus
  Mcafee                          RDN/Generic BackDoor!bbl
  Microsoft Security Essentials   VirTool:Win32/VBInject.gen!LD
  MicroWorld (escan)              Gen:Variant.Symmi.8312
  Rising                          no_virus
  Sophos                          Mal/VB-AJZ
  Symantec                        no_virus
  Trend Micro                     no_virus
  VirusBlokAda (vba32)            Backdoor.Androm

Runtime Details:

Process
↳ C:\malware.exe

  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1ee9_appcompat.txt
  Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 168
  Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 168

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g

Note: dwwin.exe and drwtsn32.exe are the Windows XP error-reporting and Dr. Watson crash handlers, and the *_appcompat.txt file is the report they write; drwtsn32 -p 1200 names the crashed process. The sample therefore died shortly after launch instead of running to completion. A common cause for VB6 samples is a missing control library on the sandbox image (the strings below name MSCOMCT2.OCX, MSDATGRD.OCX and MSDATLST.OCX), but whatever the cause, the absence of network activity in this run is not evidence that the sample has no network capability.

Network Details:

Strings
H
 <> ''
.00.0454
040904B0
:2#94;BE
!4]$
4v&6%_
5.00.0454
<5!5
=5E(
651A8940-87C5-11d1-8BE3-0000F8754DA1
9&g8
Add New
*\AD:\Duflamongo\14\lhsK.vbp
ArUC4
Close
CommandText
CompanyName
Count
'*D5
dd/MM/yyyy
e651A8940-87C5-11d1-8BE3-0000F8754DA1
eBfSPc
EDIT
eLorDqG
,exe
Execute
Fields
FileVersion
Filter
FolderExists
fzeffzefze
GetFile
ggzegzgzegz
gotcha
h6Je
imgemynetvso
InternalName
L2CZ
LIKE
muDMtgHJwBs
M/>z%!|)3^);\)
Name
N~rUX
nV7Au
 or da
OriginalFilename
ProductName
ProductVersion
project2
rA133F000-CCB0-11d0-A316-00AA00688B10
RecordCount
roject2.exe
Size
State
StringFileInfo
T6JXs8rF1BR
Translation
VarFileInfo
Visible
VpXVE
VS_VERSION_INFO
?&W5
?Y&[(?[$&
Add New
Add_Record_in_Parent
adfaef
AllowAddNew
AllowArrows
AllowDelete
AllowUpdate
Animation
Appearance
BackColor
(Bill Rate)
BorderStyle
BoundText
Category Code :
Category Name :
Change_Button_Caption_To_ADD
Change_Button_Caption_To_ADDNEW
Change_Button_Caption_To_EDIT
Check_Form
Check_Numeric
Clear_Form
CloseHandle
Close_Recordsets
cmbField
cmbOperator
cmdAddNew
cmdAddNew_Click
cmdExpandRecordset
ColumnHeaders
C:\Program Files (x86)\Microsoft Visual Studio\VB98\MSCOMCT2.oca
C:\Program Files (x86)\Microsoft Visual Studio\VB98\MSDATGRD.oca
C:\Program Files (x86)\Microsoft Visual Studio\VB98\MSDATLST.oca
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileW
`.data
DataCombo
DataFormats
DataGrid
DataGrid1
DataList
DataMember
DataSource
DefColWidth
DefWindowProcA
Disable_Edit_Buttons
DllFunctionCall
DTPicker
Edit_Record_in_Parent
Enable_Edit_Buttons
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
Fetch_Parent_Fields
Field :
Fill_Combos
Fill_Datagrid
Fill_Form
Fill_Labels
Find_Record
FlatScrollBar
ForeColor
Frame1
frameDatagrid
FreeLibrary
frmMedicines
FuckBitDeffende
fzefgzzeg
General Item
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
Initialize_Calendars
Issue Rate :
Item Type :
kernel32
KERNEL32
kernel32.dll
KERNEL32.DLL
KerOcx
KeyAscii
Label1
Label2
Label3
lblParentDate
lblParentMain
lblParentMaster1Main
lblParentMaster1Normal
lblParentMaster2Main
lblParentMaster2Normal
lblParentMaster3Main
lblParentMaster3Normal
lblParentMaster4Main
lblParentMaster4Normal
lblParentMaster5Main
lblParentMaster5Normal
lblParentNormal
LoadLibraryA
Locate a record
Make_Connection
Medicine
Medicine Code :
Medicine Name :
Medicines / General Items
MethCallEngine
MonthView
|}\mrg
MSCOMCT2.OCX
MSComCtl2
MSComCtl2.Animation
MSComCtl2.DTPicker
MSComCtl2.FlatScrollBar
MSComCtl2.MonthView
MSComCtl2.UpDown
MSDataGridLib
MSDataGridLib.DataGrid
MSDataListLib
MSDataListLib.DataCombo
MSDataListLib.DataList
MSDATGRD.OCX
MSDATLST.OCX
MS Sans Serif
MSVBVM60.DLL
OpenProcess
optGeneral
optMedicine
Packing :
ProcCallEngine
Process32First
Process32Next
Product Name :
project2
(Purchase Rate)
ReadFile
Receipt Rate :
Refresh_Combos
RightToLeft
RowMember
RowSource
RtlMoveMemory
Search  (Click on row to locate that record. Press Esc to hide this box)
Select record from drop down list
Set_Fields
strCond
Supplier Code :
Supplier Name :
Supplier's City :
SystemParametersInfoW
TabAcrossSplits
TabAction
TerminateProcess
!This program cannot be run in DOS mode.
txtMasterParent1Normal
txtMasterParent2Normal
txtMasterParent3Normal
txtMasterParent4Normal
txtMasterParent5Main
txtMasterParent5Normal
txtParentDate
txtParentMain
txtParentMaster1Main
txtParentMaster1Normal
txtParentMaster2Main
txtParentMaster2Normal
txtParentMaster3Main
txtParentMaster3Main(0)
txtParentMaster3Normal
txtParentMaster4Main
txtParentMaster4Main(0)
txtParentMaster4Normal
txtParentMaster5Main
txtParentMaster5Main(0)
txtParentMaster5Normal
txtParentNormal
txtSearchValue
txtStr
txtWarranty Over Date :
Unit :
UpDown
user32.dll
USer32.DlL
Value :
VBA6.DLL
__vbaExceptHandler
WrapCellPointer
WriteProcessMemory
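Added triage example (this is not part of the sandbox report or of the tool that produced it): a Python script that re-reads the three data sections above, the AV verdict table, the process tree and the string dump, and answers the questions an analyst asks first: how many engines flag the file and under which family name, whether the strings carry a process-injection API cluster next to the VB6 runtime, and whether the run actually crashed. The vendor table is transcribed from this report; the string and process lists are a subset of the lines above; the indicator sets, the taunt regex and the scoring thresholds are assumptions of this example.

```python
"""Triage of the sandbox report above (added example; inputs transcribed from the report)."""
import re
from collections import Counter

# AV verdict table, transcribed vendor by vendor from the report.
AV_VERDICTS = {
    "360 Safe": "no_virus",
    "Ad-Aware": "Gen:Variant.Symmi.8312",
    "Alwil (avast)": "VB-AIKK [Trj]",
    "Arcabit (arcavir)": "Gen:Variant.Symmi.8312",
    "Authentium": "W32/Trojan.UAOL-3334",
    "Avira (antivir)": "TR/VB.Inject.65536.2",
    "BullGuard": "Gen:Variant.Symmi.8312",
    "CA (E-Trust Ino)": "no_virus",
    "CAT (quickheal)": "no_virus",
    "ClamAV": "no_virus",
    "Dr. Web": "Trojan.PWS.Panda.2401",
    "Emsisoft": "Gen:Variant.Symmi.8312",
    "Eset (nod32)": "Win32/Injector.APMC",
    "Fortinet": "W32/Injector.ATCM!tr",
    "Frisk (f-prot)": "no_virus",
    "F-Secure": "Gen:Variant.Symmi.8312",
    "Grisoft (avg)": "BackDoor.Generic17.CHUE",
    "Ikarus": "Virus.Win32.VBInject",
    "K7": "Trojan ( 0048d2f61 )",
    "Kaspersky": "Backdoor.Win32.Androm.bcfp",
    "MalwareBytes": "no_virus",
    "Mcafee": "RDN/Generic BackDoor!bbl",
    "Microsoft Security Essentials": "VirTool:Win32/VBInject.gen!LD",
    "MicroWorld (escan)": "Gen:Variant.Symmi.8312",
    "Rising": "no_virus",
    "Sophos": "Mal/VB-AJZ",
    "Symantec": "no_virus",
    "Trend Micro": "no_virus",
    "VirusBlokAda (vba32)": "Backdoor.Androm",
}

# Subset of the report's string dump (the imported API names plus a few context strings).
SAMPLE_STRINGS = [
    r"*\AD:\Duflamongo\14\lhsK.vbp", "CloseHandle", "CreateFileW", "FuckBitDeffende",
    "GetModuleHandleW", "GetProcAddress", "LoadLibraryA", "MSVBVM60.DLL", "OpenProcess",
    "Process32First", "Process32Next", "ReadFile", "RtlMoveMemory", "TerminateProcess",
    "VBA6.DLL", "WriteProcessMemory", "__vbaExceptHandler", "frmMedicines", "Medicine Code :",
]

# Process command lines from the report's runtime section.
SAMPLE_PROCESSES = [
    r"C:\malware.exe",
    r"C:\WINDOWS\system32\dwwin.exe -x -s 168",
    r"C:\WINDOWS\system32\drwtsn32 -p 1200 -e 124 -g",
]

# Indicator sets and the scoring below are assumptions of this example, not report data.
INJECTION_APIS = {"OpenProcess", "WriteProcessMemory", "Process32First",
                  "Process32Next", "TerminateProcess", "RtlMoveMemory"}
DYNAMIC_RESOLVE = {"LoadLibraryA", "GetProcAddress", "GetModuleHandleW"}
VB6_RUNTIME = {"MSVBVM60.DLL", "VBA6.DLL", "__vbaExceptHandler"}
GENERIC_TOKENS = {"variant", "generic", "trojan", "backdoor", "virus", "virtool"}
CRASH_HANDLERS = ("dwwin.exe", "drwtsn32")   # Windows XP error reporting / Dr. Watson


def av_summary(verdicts):
    """Return (detections, engines, top family tokens) from a vendor -> verdict map."""
    hits = {v: r for v, r in verdicts.items() if r != "no_virus"}
    tokens = Counter()
    for verdict in hits.values():
        # Alphabetic runs of 4+ chars are family names or variant suffixes; drop generic ones.
        for tok in re.findall(r"[A-Za-z]{4,}", verdict):
            if tok.lower() not in GENERIC_TOKENS:
                tokens[tok.lower()] += 1
    return len(hits), len(verdicts), tokens.most_common(3)


def string_indicators(strings):
    """Group the strings into the clusters an analyst looks for in a VB6 injector."""
    present = set(strings)
    out = {
        "injection_apis": sorted(present & INJECTION_APIS),
        "dynamic_resolve": sorted(present & DYNAMIC_RESOLVE),
        "vb6_runtime": sorted(present & VB6_RUNTIME),
        "vbp_paths": [s for s in strings if s.lower().endswith(".vbp")],
        # Misspelt vendor names are a classic author taunt, so match loosely.
        "av_taunts": [s for s in strings if re.search(r"bit\s*def|antivir|avast|kasper", s, re.I)],
    }
    # One point each: an injection cluster (3+ APIs), runtime API resolution, an AV taunt.
    out["score"] = (int(len(out["injection_apis"]) >= 3)
                    + int(bool(out["dynamic_resolve"]))
                    + int(bool(out["av_taunts"])))
    return out


def runtime_caveats(processes):
    """Detect crash-handler children, which mean the behavioural trace stopped early."""
    handlers = [p for p in processes if any(h in p.lower() for h in CRASH_HANDLERS)]
    pid = None
    for p in handlers:
        m = re.search(r"-p (\d+)", p)   # drwtsn32 -p <pid> names the crashed process
        if m:
            pid = int(m.group(1))
    return {"crashed": bool(handlers), "handlers": handlers, "crashed_pid": pid}
```

Calling the three functions on the transcribed data yields 20 of 29 engines detecting with "symmi" as the dominant family token, all six injection APIs present next to the VB6 runtime markers and the "FuckBitDeffende" taunt (score 3), and a crash of PID 1200. The last result is why a reviewer should not read the empty Network Details section as proof that the sample has no command-and-control traffic.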