Analysis Date: 2015-10-22 18:35:36
MD5: d18e568e528ac5cf38781dbe7d5cdd27
SHA1: 202d89c46731b5d7363b468e6b2ac1a45b228a28

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text1 md5: 5bcbceb53caad73d629770074ca15092 sha1: d8e70aa7e9e1447358f4cac702b7571ecbba7f98 size: 385024
Section .adata md5: 938d6d97628275a512e07c66be5ccecf sha1: 97e468e47489e38b33b0f14714a775c619ba9a90 size: 53248
Section .data1 md5: 4ca2c736434642b67337fd5aaa58c2f0 sha1: 26a058e3eb837283c7df2fefc334cb8c68f391e0 size: 77824
Section .pdata md5: 532e21e33c9805216beb2a58947ce1a4 sha1: d60a54f780c57909a6e79f3e8397816fe908d521 size: 1187840
Section .rsrc  md5: bd0f6a7fd75962739350b017048e51f4 sha1: 31fe09236a44a583851afa2783f2ec5ab7502fce size: 28672
Timestamp: 2009-12-29 03:06:23
Version:
  LegalCopyright: microsoft compiler
  InternalName: al
  FileVersion: 1.02.0057
  CompanyName: microsoft
  Comments: microsoft
  ProductName: microsoft dll loader
  ProductVersion: 1.02.0057
  FileDescription: dll loader
  OriginalFilename: al.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 37f4db4885043f2bdced556efde75cf21ad79eb0
IMPhash: 0539a31253f066f6315e4c0a3a3568dd
AV CA (E-Trust Ino): Win32/Fruspam.GF
AV F-Secure: Trojan.Generic.7871045
AV Dr. Web: BackDoor.Siggen.49051
AV ClamAV: Trojan.Typic
AV Arcabit (arcavir): Trojan.Generic.7871045
AV BullGuard: Trojan.Generic.7871045
AV Padvish: Malware.Trojan.Typic
AV VirusBlokAda (vba32): TrojanDownloader.VB
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_AG.6ADCF040
AV Kaspersky: Trojan-Downloader.Win32.Dapato.stb
AV Zillya!: Dropper.Typic.Win32.736
AV Emsisoft: Trojan.Generic.7871045
AV Ikarus: Backdoor.Win32.Bifrose
AV Frisk (f-prot): W32/Typic.A.gen!Eldorado
AV Authentium: W32/Typic.A.gen!Eldorado
AV MalwareBytes: Trojan.Downloader.WCA
AV MicroWorld (escan): Trojan.Generic.7871045
AV Microsoft Security Essentials: TrojanDownloader:Win32/Tonick!rfn
AV K7: Riskware ( 0015e4f11 )
AV BitDefender: Trojan.Generic.7871045
AV Fortinet: W32/Agent.KQ!tr
AV Symantec: Trojan Horse
AV Grisoft (avg): Generic18.AYWF
AV Eset (nod32): Win32/TrojanDownloader.VB.OSN
AV Alwil (avast): VB-AHIE [Trj]
AV Ad-Aware: Trojan.Generic.7871045
AV Twister: Backdoor.DDA501D481E62633
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: ObfuscatedAKN!hb!D18E568E528A
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0} ➝ NULL
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\x\x ➝ x\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\ ➝ Microsoft DirectInputDevice8\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: SCSI0:
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xxxc.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{K7C0DB872A3F777C0} ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\Zztfdqhq ➝ Bm\E^LV_{c]oL\U|X\\x7fGpSlo`zh^nR
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates File: C:\Documents and Settings\All Users\Application Data\TEMP:C9C13817
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll
Creates File: SCSI0:
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\key.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates File: C:\WINDOWS\system32\vbzip11.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\readm.txt
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex
Winsock URL: http://ns2.thebuisness.com/zip.zip
Winsock URL: http://google.com

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip

Network Details:

DNS: google.com Type: A ➝ 173.194.37.71
DNS: google.com Type: A ➝ 173.194.37.72
DNS: google.com Type: A ➝ 173.194.37.73
DNS: google.com Type: A ➝ 173.194.37.78
DNS: google.com Type: A ➝ 173.194.37.64
DNS: google.com Type: A ➝ 173.194.37.65
DNS: google.com Type: A ➝ 173.194.37.66
DNS: google.com Type: A ➝ 173.194.37.67
DNS: google.com Type: A ➝ 173.194.37.68
DNS: google.com Type: A ➝ 173.194.37.69
DNS: google.com Type: A ➝ 173.194.37.70
DNS: ns2.thebuisness.com Type: A ➝ 198.71.232.3
HTTP GET: http://google.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://ns2.thebuisness.com/zip.zip
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 173.194.37.71:80
Flows TCP: 192.168.1.1:1032 ➝ 198.71.232.3:80
