Analysis Date: 2013-10-26 22:48:19
MD5: 1d4ed38015e68f076fae1ff90d244ad3
SHA1: 351223d4a28de33eb293870acda48c1a8193e9ee

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5/SHA1 of empty input: UPX0 has no raw data on disk, consistent with UPX reserving it for the image that the stub unpacks at runtime)
Section UPX1 — md5: 998c58e8926dbc5e24b598fb5830ad51 sha1: 9c82a3e230c1253b1083b5a593cf29bdfc6d8f0f size: 177664 (holds the compressed payload; these section hashes describe the packed container, not the real code — unpack, e.g. `upx -d`, before static analysis or signature writing)
Section .rsrc — md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42 (PE header compile time; attacker-controlled, so not reliable for dating the sample)
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (AVG): Worm/Generic2.BLRH
AV (Microsoft Security Essentials): Worm:Win32/Ainslot.A
AV (Avira): BDS/Backdoor.A.159

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{F962277A-FF2F-F2D8-CC69-AF97CCCE94FF}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
(Active Setup StubPath under HKCU: the dropped copy is launched at user logon.)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\gfdfg5+fg44+fg++48g ➝
C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
(Policy-scoped Run entry, a location many cleanup routines overlook.)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfdfg5+fg44+fg++48g ➝
C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\VHTP5CH06O ➝
October 26, 2013\\x00
(VB6 SaveSetting-style configuration storing the install date; the subkey name VHTP5CH06O is the same string used for the mutex below.)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F962277A-FF2F-F2D8-CC69-AF97CCCE94FF}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
(Same Active Setup GUID written under HKLM as well.)
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\VHTP5CH06O ➝
fulnp's Bot\\x00
(Bot/campaign identifier string.)
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfdfg5+fg44+fg++48g ➝
C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
Persistence summary: five autostart locations (Active Setup under HKCU and HKLM, policies\Explorer\run, HKLM Run, HKCU Run) all point at the same %APPDATA% copy, so remediation has to remove every one of them. The value name "gfdfg5+fg44+fg++48g", the Active Setup GUID {F962277A-FF2F-F2D8-CC69-AF97CCCE94FF} and the "VB and VBA Program Settings\INSTALL" / "SrvID" keys are usable host indicators for this build, though a rebuilt sample may change them.
Creates File: C:\Documents and Settings\Administrator\Application Data\logs
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe
(Self-copy into %APPDATA% under a random-looking name; this is the file every autostart entry above points at. The "logs" path created alongside it is worth collecting during incident response — its contents are not shown in this run.)
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
(\Device\Afd handles are Winsock socket objects, consistent with the outbound TCP flows under Network Details. PIPE\lsarpc is the LSA RPC pipe, routinely opened by ordinary Win32 API calls and not by itself suspicious.)
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
(Both the dropped copy and the original sample path are added to the XP/2003-era Windows Firewall (SharedAccess) authorized-applications list for all scopes ("*"), displayed as "Windows Messanger" — the misspelling is a useful string to hunt for. These are HKLM writes, and they succeeded because the sample ran as Administrator in this sandbox.)
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
(Clears DoNotAllowExceptions so the exception list is honoured even if the firewall had been set to "Don't allow exceptions". A cmd.exe → reg.exe chain touching FirewallPolicy keys is itself a high-signal detection; whether this legacy key still affects the firewall on newer Windows versions should be verified separately rather than assumed.)
Creates Mutex: VHTP5CH06O (same string as the "VB and VBA Program Settings" subkey above — likely a single-instance guard; a reliable process-level indicator for this build)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\N97U4I2IHA.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL (the sandbox logged the write but captured no value; the reg.exe command line above sets it to REG_DWORD 0)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL (write logged without a captured value; the preceding reg.exe command line sets it to REG_DWORD 0)

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Network Details:

DNS: dbag40.no-ip.biz
Type: A
72.199.216.104
DNS: 1dbag40.no-ip.biz
Type: A
(second lookup as recorded; no A record was captured for it in this run)
Flows TCP: 192.168.1.1:1033 ➝ 72.199.216.104:3333
Flows TCP: 192.168.1.1:1034 ➝ 72.199.216.104:3333
(Outbound command-and-control connection to a dynamic-DNS host on TCP/3333; two successive connections from ephemeral ports 1033 and 1034 likely reflect a reconnect. Alert on the no-ip.biz hostnames and on unexpected TCP/3333 egress; the resolved IP belongs to a dynamic-DNS name and can rotate, so treat 72.199.216.104 as a low-confidence indicator.)


Strings (mostly compressed UPX1 residue — re-run string extraction on the unpacked binary. Readable fragments that survive include MSVBVM60.DLL / frmMain, i.e. a Visual Basic 6 payload; KERNEL32.DLL with LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect and ExitProcess, the minimal import set typical of a UPX stub; and fragments such as tmrLivLogg, yGrabb, Screensho, picThumb, FACEBOOK_START, oCHAT_ADDMSG, ect?Torrent2, BtKill, _WebHide, UrlCache, lvssPATH_WINLOGON, GWSOCK and Socket, which hint at logging, screen/thumbnail capture, chat and download features but must be confirmed against the unpacked code before being reported as capabilities.)
PERS
SETTINGS
 )@0@>
004P+Ic/
00G0rE
05mA*XO
' 08lq
0cmu<\
0Cx: L<
$0DW$p0
0gX H51
)	0#.i.
.?0%mPLa=
 0OtBo
^0+P0B
0P$PHD
0sL*#X|ck
,0",'ZJ
15dF8F91AEE<A
1 $7J/
1c2->a"6
1pm(&^
20C<|0d
22A368949C0&9
 |2$5%`
#27I:Ng,9-}
27OnQui
2]	9r0(
2>e%Xdq
32EDE121D9E2
3456x-M
$345RL
\3``h\nT
(3*/i.
3l/A,7!0AC
3.-mohl
 3ug8g
($ 4=-
/#&42|
 447w;
4'4ShwlNo
%&'()*456789:CDEFGHI@m
47A4B6739316C4F5B5C5*14
4A3r4B`(0
\4cF`%O$
4[cv4=bGa
4<FSnp
4H4sg%
4TM83$- 
4XMAuk
4Yhf2v
!4yvT")
501E:9~
5Async?PWs
5MV(r\h
,5t)eXj
(+6_ ~
-6/5G"H{
6ENC^fADCl
6o2&Ar
6R-BbRC
6ss/\4Z
6T&p	 
6V2Ziz<
7033413A6
7@68A_
774NE55*237X2
7b8x3 L
7p}! `
/-7XhM
<840,M\
8#6<,f
(8Hhtp
8HVq2]
 8*&*l
!8&MZnGo
~8N{f'N
8_O6F6
\91?1!
9d\4a`Q
9l8;8L
9liWGr
9lR&F*
a4.U}N
AbUWgtp
Acce+W\
AddRefA
ad<l09
A},HwX
ais{pQ
AJ{ZdT
alUpda
aMtHH 
aO$^#o{
A\t5UHL$
{aTagg
a Te"l
Audio.
awuois=
,&BCWV*
BE:=##
BIAq$=
BJ)5TZ
=B \lG
b' lL'
+$]bQp
bss_ser'
% Bt/8
BtKill
}B#W8Y	
BW"']M
/b!XDv
\c2AUt
c3d(v0
;]C9HYH.
CallBaK
c`aw9h
C;C;G3'4
Cg\`@I
/Chat'
<Ciuqa
+C	=Oo_p
C:\Prog
CrypcImage' 
C"SsOS
cSubClHi
cukw/K
`Cu>@Po
$C;:'`XN
CxpBok7\
).<D7D
`ddpv"
DE/$yEzL
d@F\d0
df"FC^YO
@?DL|+
DL_:P&<
<<DLX`y
}dME,e
d_[O@`
:`dp`37
dQx5@z
DragQuery
dr>jBy
d`'SX0g8X05
_d:\SysWOW64\
\d(#t\.
d@thFl
'E!|/!
e(1)!C
E4:|	"=
<e4ym5
E$6/ql[
_E(8:>6WcD
E-,8$uw
E^CQ<,
ect?Torrent2
EFB$9$xU
-e<k&(
E/L7wW
ENGZdN
Et0''#O
EVENT_SINK_Ge
'EV?L_]
?e:-VS
ExitProcess
@:<F(:,
F062D2BD
F4?bA+.
f4rHgA
F6E4ZF7C8
:F6I q
f7J::c,
FACEBOOK_START
fD_/ lJ7
F> FDD
"f_h'n;
fhw;&U
 Files (x86)\Mic*s
$,FLLe
Floo!fb\w
#)$<Fo0
-f)pP&BcI[,.)
FP<pT6=
FrBf>Z
frmMain
fS~ijnGN
"")fv.:
Fy.#fbv
F>z%Id
g3#hh+HXKX(6q
#(g##;A
g[B?1l
GbkUFW
@G~>c Gf
gCmp9B
GetProcAddress
gHRL2 #
g`IV)g
GWSOCK
g,!W!W0(
GZ4;OC]
H177P:
^,h1Ko
$$&\H2
$!H33!$
h3a"Z0*O
)h83(9
H{a2p`
h' #FX
 hGed /H
hHOcp.^j3f
hJATXf
H.J.JL<
hK&x(&
@@H^r!@
~hunkt
@HvLD0C
,I86>H
i. [\a
icalDr
ICK_DELA
ICk)S%
ifSteamGook?
InfoTO
InvokeV
Io6IR1+8
iO E%\
iPlPb!
\Ip]&<M)
I@Q*/a
I]^QZ4
IyEhGp
j1gHJy
&)JdHw
 JDxH17/
J[iL\G]
].jjeZo^[
jl Kd)x
$JOR,~,
JSTUVWXYZcdefg
JT}AdjuFPjN@N
JUJuQ(t);k
`J^$v4
K03RJ<c
K]>1h-
K2rT4x
K6&?SC
KERNEL32.DLL
k*MDHL
k)P&Bw$F]D
[k"/S4
-k$(.SrIs
\k.("SS=Is
\KuewD
`>L(@,
@\%L2 #
l^9!<qK
L&d/O<
>ld}p4
Ldt&Le
|lEnghe
lf^NJ5
lIh: N
Lla+(B
L:lngg7x
LLTH!9L
LMUL?6
l-n/on
}&l&N(q6
Lntlt0$
LoadLibraryA
lobalAl
loseHan
lOU!a+B
Lpg@F~
^$?Lt"
lvssPATH_WINLOGON
L)^Y"aA
M`0`q'
m	5N{a
mC{AJ)
MF<-N4
_M:g4a&
-M.H<Pk
_@$_mi8
MJQ+Dq 4I0
^__^Mkok$P
	mMl%6`
,Mn	~<n
$MNNN$$#
modFucr
+m(q9%
MS SaX
\msvbv
MSVBVM60
MSVBVM60.DLL
mswin .
mVBA6T
Mv#(i(
M&Xu%:]
:="MZp~qH
'//]/n_
N' ~0~%
"N2]F|
NhV(|f^
<N.Lx&
nm0Sw_$
NmZ#_k
N#ONF\
@nq\yAa
)n r9(+
NRR'=@
NTAdm~
NTDLL>
n*/TrX
N&u^8uF^51
o04M>H
?o`?[+1
o7^DrU(
<O#7K_
*O8^.N
<O8Pdxt>
OafFoc
OBB.#(b
-obh.&
oCHAT_ADDMSG
OEmpty
oft Visual Stz\\9
Oh1LDMd
O$jAJ+
Okf	Qi~K
oM7Pn`
ompzb7_
o#OfGLX
OP-T3.
os#+Om
ovbv)I
oWaiqS
OwnZ64u;
oXCCdC~h
$.OY@+
.<@P,{
p^`.@]2X
p5HBITMAP
P8N(wP
pb`ffvl
PBPB~S
P/\dT4
P-_d/y%
`pE~A<
P#)G_K-
*p].i.
picThumb
piiU*p
}plbc]
<PLHD@
'p\lor
~<p'M3%pDD@U
Pp=+7Z
PRINT_
P%S*	B|
p'sIW	#V
:p"w(~
QaW	U7
q$nUHVS
_qSHDVVwCtl~ebBrow
queezer
`"QWbj
"\$r/ 
=r.0`;
r!11r!
r!22r!
r333"<'
\r333k
rAUb9]^9t]
R	$'Cr
R_gf=4^
Rh+:'Z'
rIsA/uV%
rJvj_Vd
r;&L-fP
;R,([n
/Rr@M<77
rs7+Ld
RS`curity
.rsrch
rYZl,v
RZ%F9W_A
S1!	{,
:ScanLz
scii'h
s:.cpV
Screensho
$$se2 
SER_FB
's<e/SrcLef]`
Sh&N#[
Siph4H
$}SkP{
Socket
SpAIHo
>spu"G
sra$Wx
s the p@
STRUCTIO
stV&y<
s#U@32
S]w*t.
t1\d 'W2
t)5H%a"
td@^%"
TEgw *
@/tFGL~
tF&;NF
T@!$G^
tg|D@JN
!This program cannot be run in DOS mode.
Th':'tR
ti&Ci7
Tim[?Sh
TKDQHs
:;tkEe}
tmrLivLogg+
^T)M_S
T r%9<
tSd `\3
tT7lzl
TTXW$t
% |.T	ZV
&U0d/J
$U0m6k
uBrC?f&
u/D+]d
  UJ?G(
%[U#m'
UnDno.
UPoit|
UrlCache{
URLDVnl
UWH^)\<
`u@XXT
UYl1X4mLn_L;
v5X;uO
v.Bf&|
vBIV9*O
%VC`x)
vf`M1P
V%h0SQ
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
v`jc`*
vJQ:[\
vr\`gd
VUc!V_0
vuHR2\?
V$wN$N$
;W0G@<
w- 5'`
W)A 5fE
?Wb+<|
WD.0K:g
_WebHide
-_WMqo
^)w*n]
w,p0[%
wq1RCF
w%\</s/J
[_@w>t
X(0Fp!
X2!dMPA
,xAd~G
=?xAp+i
}\xEm>
xFJ\AO
x"*ibR
XJB5NZ
XJB:,v
X@jO0l
)XK7la
x<#ON4
XPTPSW
xQ?|)y
xtAd@Nf
+XT<LU
xV)mBC
X!wD`*
XWhC)D
####XX
_xXVGa
-}%_%y
y6PBGM
@Y'a6t
&?yB:0H
+ygHij
yGrabbOg	V
y.hXfX8
Y@J\cD.
 Yk/ qu
YP+:S@@DfX
Y]T#&D
YXF?xw
yxhXH^
Z*_3Ki
Z|+:4	
zF>[hS
Zm7_SW
Z$}tw3
(zW`"Xy