Analysis Date: 2013-10-27 20:31:57
MD5: 6f589a8a62155cf743ff5017304dae13
SHA1: 37a96fcc67d4a968c4e6726d9db3604c5b90ed97

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 51060656f3d47ea4fde379b49905e483 sha1: 9d10abc86b8771898d1832699d1b2a1001a3bf00 size: 77824
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 9e8b79ea993d0c041d6f01923862ae60 sha1: 89b513ac7f4f72778602e2f9e44fdc06c276398e size: 16384
Timestamp: 2012-04-05 20:59:20
Version:
  ProductVersion: 1.00
  InternalName: IFvEZJuPOD
  FileVersion: 1.00
  OriginalFilename: IFvEZJuPOD.exe
  ProductName: xKQtsFnr
Packer: Microsoft Visual Basic v5.0
PEhash: 804d4d84cbc6bc2afe5a4ff35d2b174d8ce9c1fe
AV avira: TR/Jorik.vbaayu
AV avg: VBCrypt.FAJ
AV clamav: WIN.Trojan.VB-5703

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\volej ➝ C:\Documents and Settings\Administrator\volej.exe /t
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝ 1
Creates File: C:\Documents and Settings\Administrator\volej.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\volej.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\volej.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\volej ➝ C:\Documents and Settings\Administrator\volej.exe /Y
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝ 1
Creates Mutex: A

Network Details:

DNS: ns1.spansearcher.net
  Type: A
  213.249.64.211
Flows TCP: 192.168.1.1:1031 ➝ 213.249.64.211:8000

Strings