Analysis Date: 2014-02-22 21:53:52
MD5: 3691b8c1cbf650a7af82b37c6a343e51
SHA1: 37a9ba50a13d363c2d05536e5e00b4cbb137d9f0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5b492ee473650e4141784c7fc2c3f563 sha1: fc7731bed16668031d221661c77d11e890f29e60 size: 229376
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: 450b08bb248a5e32bbbe5f51fc3aad5c sha1: 663a9dade4102c92c8d58ce0204678d6caaa44b3 size: 16384
Timestamp: 1970-01-01 00:00:00 (epoch zero, i.e. the PE header timestamp field is 0)
Packer: Microsoft Visual Basic v5.0
PEhash: 25c43d70adb0e4226dfe4aa5b8926628a3ea7405
IMPhash: 500e9319990f85c827fc67e4af8274ff
AV mcafee: VB.kk
AV clamav: Worm.VB-4844
AV avira: TR/Otran.allue
AV avg: SHeur4.GCR

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fatey ➝
C:\Documents and Settings\Administrator\fatey.exe /W
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝
NULL
Creates File: C:\Documents and Settings\Administrator\fatey.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\fatey.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\fatey.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fatey ➝
C:\Documents and Settings\Administrator\fatey.exe /H
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝
NULL
Creates Mutex: A

Network Details:

DNS: ns1.player1532.com
Type: A
DNS: ns1.videoall.org
Type: A

Raw Pcap

Strings
..=g..
C...

28C4C820-401A-101B-A3C9-08002B2F49FB
@,ARAlA
C1Qe5leqKZ
eyaoQmf
ez4ZJP1
F qhj ZtuQha;jdfn[iaetr 
FyBhgF0MlL89hkYZ
iAevkSLk4EpTiQ0Wcu
ICON1
ICON2
ICON3
ICON4(
jjjj
kkZIVHGETzPrFReHofe
KUR5P
lqD4z4RpZVlXJ80H
m1shyEh80pf
NBUBdB
         o349320953n 5m346n34,6l54k76457 657,23423.543.5,346 456547567567678         
OXyVRBOed
RorShs
s9qlBBz1pL
sBf69HvxP
Show
SjZmcKg
souOGDzO
tMo80a8hf6jQ1B8K
Txt Files(*.txt)|*.txt
v8V9GxeGuSZ9X4R2QokI
YhmDXTQJaHFoq74yAE
zYRlFpDg9L6tFJnT0WH
"""""""
&&&&&(&&&&&&&&&&&&(((((((((&&&&&&&&
00qUHP
0aggO6
0]<BEA
)+0>Bl
0*(*JG23/wI5
0x|wwgOOON
\#0YNN
:[=2E3
)*/2@i
%)3JLo
4QBq+c<
4RBq+d<
6Qc;+^
9Mj$jB
9Q"AyB
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
Alllollsnsu
_allmul
Arial'
Arial)
ArialD
B:9I:IJKKPSSNNNNKLT
BackColor
Backspace
bi:-$"%
BNLLJJKKLNSmSPNNKKT
<Bonsnntuouton\liia
Button0
Button000
Button1
Button100
Button1000
Button100000
Button10000000
Button17
Button18
Button19
Button2
Button20
Button21
Button22
Button23
Button24
Button25
Button26
Button3
Button31
Button32
Button33
Button34
Button35
Button36
Button37
Button38
Button39
Button4
Button42
Button43
Button44
Button45
Button46
Button47
Button48
Button5
Button6
Button7
Button8
Button9
B||wgOO6
-C000-eyaoQmf
CallWindowProcW
Caps lock
CEaeded
Check1
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
COMDLG32.OCX
Command1
Command10
Command11
Command12
Command13
Command14
Command15
Command2
Command21
Command22
Command23
Command24
Command25
Command3
Command31
Command32
Command33
Command34
Command35
Command4
Command41
Command42
Command43
Command44
Command45
Command5
Command51
Command510
Command52
Command53
Command530
Command54
Command55
Command550
Command6
Command7
Command8
Command9
CommonDialog
CommonDialog1
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\system32\RICHTX32.oca
d9&[&i2%
"""da""
`.data
<]ddd^rz
Delete
&\dL+D-+
DllFunctionCall
;/DLv`
:e7(^8
E9E9E8E8888778787E8888E898EE8878877&
E')A#?
Enabled
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
eyaoQmf
fFGBafEe
,FG2#~
Frame1
|f]UQE>
_f],WM
hebSM?,#"
HHDF``b
h@kx.Hy
[|hv=	h
H:w22,
i?22/...0>io
>?IIJJLKUmiQQPPOONT
IJ,,+9;qsr:7{
"[)i#S6H2
jcMKABcn
J:Nc+ :
Jw+tJ1
:KeqfL[5D
KjQ7m 
k_\MC/&.<
>kontotnt
LC"?'l
L}<G1`
m37eGK
mRSSBSSUlnnstuu{~~~~uuuts
mRSS<SUllnnstuu{
MSComDlg.CommonDialog
msoQQP
MS Sans Serif
MSVBVM60.DLL
MUllnsstuu~
\+.?\n
^NC3D$
Numpad
.o*;_L
On Screen KeyBoard
")OOOp
O][QF?^}Q
o^WVVR
 )pDB~
PiRy0t
=pprppx
\qAk7U
Q{m#OY
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqFGH5jk43h5
qRSSSSUS\lnnstuuuuuuuuusn
~RbLdo'3uOE
rCommand22
Rd'	JO@:Qc
RichTextBox
RichTextLib
RichTextLib.RichTextBox
RICHTX32.OCX
RorShsz
SFoJ3(	v
,S)it(g
SjZmcKg1
souOGDzO
SRSSSSU\llnsttuuu~z
.s)XV,X
symbols
Symbols
T"389'
t9u!1W
TextRTF
!This program cannot be run in DOS mode.
TL*bo\
~ttjjof
+t$(v=
&_+U%1
uhhhd4,&
USER32
>UUnSPNPPQlnxxo\QQNT
V0,6Hk
VB5!6&*
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaFpCmpCy
__vbaFPException
__vbaFpI4
__vbaFpR8
__vbaFpUI1
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaGetOwner4
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4ErrVar
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLateMemCall
__vbaLenBstr
__vbaLenBstrB
__vbaMidStmtBstr
__vbaNew2
__vbaObjSet
__vbaObjVar
__vbaOnError
__vbaPowerR8
__vbaPrintFile
__vbaPut3
__vbaPut4
__vbaPutOwner3
__vbaRecDestruct
__vbaRedim
__vbaRedimPreserve
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1ErrVar
__vbaUI1I2
__vbaUI1I4
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarIndexLoadRefLock
__vbaVarInt
__vbaVarMove
__vbaVarMul
__vbaVarSub
__vbaVarTstEq
__vbaVarTstLt
__vbaVarVargNofree
__vbaVarZero
vHCK:/
WDG"-ZM
W{Fu"w'N
w|n5#W1
>|wwgg
zhXhbY&
>Zjnkojox
ZVlmm0msr
zxkjIE&