Analysis Date: 2014-03-24 11:16:33
MD5: 711af13a441caa51b8876ebf8cfe890c
SHA1: 28d5877f89cdd9b224710860f80a2e809b3e0f06

Static Details:

AV: avg Generic35.CGXH

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: wiveguxaqxyd
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.172.254
DNS: smtp.live.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.172.254:25

Strings: