Analysis Date: 2014-06-07 05:22:10
MD5: 8a930ec4cea343ac3dc7e591cea36dbe
SHA1: 41117a259d256fd4ccc6dd747de642b74859fe59

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0  (these are the MD5 and SHA1 of zero-length input: UPX0 has no raw data on disk, only virtual size, which is normal for a UPX-packed file)
Section UPX1  md5: a7c0c20045198c3a02015832aff43a72  sha1: b822ad04d471370c95ec128271067f1ad624a0f3  size: 177664
Section .rsrc md5: 5b4c3abbdcfae02002406760c7432712  sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5  size: 512
Timestamp: 2012-04-04 03:32:42 (PE header compile time; set by whoever built the file, so treat it as a weak indicator)
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95 (computed over the packed import table, i.e. the UPX stub's imports, so it groups this file with other UPX-packed samples rather than with other builds of the same bot)
AV 360 Safe: Trojan.Keylogger.MWP
AV Ad-Aware: Trojan.Keylogger.MWP
AV Alwil (avast): KeyLogger-ARY [Spy]
AV Arcabit (arcavir): Heur.RoundKick
AV Authentium: W32/VBInject.AM.gen!Eldorado
AV Avira (antivir): BDS/Backdoor.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ainslot.A.mue
AV ClamAV: no_virus
AV Dr. Web: Worm.Siggen.6967
AV Emsisoft: Trojan.Keylogger.MWP
AV Eset (nod32): Win32/Ainslot.AA worm
AV Fortinet: W32/Cospet.HA!tr
AV Frisk (f-prot): W32/VBInject.AM.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Keylogger.MWP
AV Grisoft (avg): Worm/Generic2.BLRH
AV Ikarus: Trojan.Win32.VB
AV Kaspersky: Trojan.Win32.Generic:Worm.Win32.Shakblades.bdc
AV MalwareBytes: Trojan.Agent
AV Mcafee: W32/Generic.worm!p2p
AV Microsoft Security Essentials: Worm:Win32/Ainslot.A
AV MicroWorld (escan): Trojan.Keylogger.MWP
AV Norman: win32:win32/Ainslot.A
AV Rising: Worm.Win32.Anisolt.a
AV Sophos: Mal/VB-GI
AV Symantec: W32.Shadesrat
AV Trend Micro: WORM_SWISYN.SM
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1
(28 engines listed, 26 with a detection; CA and ClamAV report no_virus. The names agree on a Visual Basic worm with keylogger and backdoor behaviour: Ainslot, Shadesrat, VBInject, Keylogger.MWP.)
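
The report's "Packer: UPX" label and the per-section hashes can be checked from the PE section table rather than taken on trust. The script below is an added example, not part of this sandbox report or of any tool it names: it parses the section table, hashes each section's raw bytes (which is what the md5/sha1 columns above are), and flags the UPX layout (a UPX0 section with virtual size but zero raw size, followed by UPX1). The PE image it runs on is constructed inline with the same section names and raw sizes as the report, so the run is offline; it is not the sample, and its UPX1 bytes are filler.

```python
import hashlib
import struct

# Hashes of zero-length input, which is exactly what the report shows for UPX0.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    hash each section's raw (on-disk) bytes, the same data the report's
    per-section md5/sha1 columns are computed over."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if rptr + rsize > len(pe):
            raise ValueError("section %r points past end of file" % name)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return sections


def looks_upx_packed(sections):
    """UPX's telltale layout: UPX0 has virtual size but no raw data (the area
    the stub unpacks into) and UPX1 holds the compressed image plus the stub."""
    by_name = {s["name"]: s for s in sections}
    upx0 = by_name.get("UPX0")
    return (upx0 is not None and "UPX1" in by_name
            and upx0["raw_size"] == 0 and upx0["virtual_size"] > 0)


def build_demo_pe(specs, file_align=0x200):
    """Constructed PE32 image with valid headers and no real code. specs is a
    list of (name, virtual_size, raw_bytes); only fields parse_sections reads
    are populated. This is test scaffolding, not the analysed sample."""
    opt_size = 224                                  # PE32 optional header size
    e_lfanew = 0x80
    align = lambda x: (x + file_align - 1) // file_align * file_align
    rptr = align(e_lfanew + 4 + 20 + opt_size + 40 * len(specs))
    table, data, vaddr = b"", b"", 0x1000
    for name, vsize, raw in specs:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code|exec|read)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        data += raw.ljust(align(len(raw)), b"\0")
        rptr += align(len(raw))
        vaddr += max(vsize, 0x1000)
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)  # i386
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")                           # PE32 magic
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(align(len(headers)), b"\0") + data


# Same section names and raw sizes as the report; UPX1 content is filler.
DEMO_PE = build_demo_pe([
    (b"UPX0", 0x4F000, b""),
    (b"UPX1", 0x2B600, bytes(i % 251 for i in range(177664))),
    (b".rsrc", 0x1000, b"\0" * 512),
])

if __name__ == "__main__":
    for s in parse_sections(DEMO_PE):
        print("%-6s raw=%-7d md5=%s" % (s["name"], s["raw_size"], s["md5"]))
    print("UPX layout:", looks_upx_packed(parse_sections(DEMO_PE)))
```

Run it against a real file by replacing DEMO_PE with open(path, "rb").read(). If looks_upx_packed is true, unpack with `upx -d` before doing any string or import analysis; the IMPhash and the Strings section below are otherwise describing the stub, not the bot.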

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{19B0FB39-5DAF-EBD9-F62F-E2CA249B3BDB}\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\EU42VC91Z3 ➝ June 7, 2014\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\EU42VC91Z3 ➝ kkkk's Bot\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{19B0FB39-5DAF-EBD9-F62F-E2CA249B3BDB}\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\abcd
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: EU42VC91Z3

Reading the above: the sample copies itself to %APPDATA%\AGVPCGLIXQ.exe and registers that copy five times (Active Setup StubPath under HKLM and HKCU, the HKLM and HKCU Run keys, and policies\Explorer\run), each under the value name "Windows Defender". It then spawns cmd /c REG ADD to set DoNotAllowExceptions=0 in the Windows Firewall standard profile (re-enabling exceptions in case they were disabled) and to whitelist both the original file and the dropped copy under the label "Windows Messanger". The value name, the misspelt label, the file name AGVPCGLIXQ.exe and the mutex/ID EU42VC91Z3 are the sample's own strings and are reproduced verbatim; the VB and VBA Program Settings keys are the bot's stored configuration (install date and an ID reading "kkkk's Bot"), not a persistence mechanism.

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ NULL (the sandbox logged the written DWORD as NULL; the command line sets it to 0)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
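
The registry and process events above are the kind of sandbox output a detection engineer turns into rules: autorun registrations, firewall-policy tampering via REG ADD, and a dropped binary that is both registered for autorun and whitelisted in the firewall. The script below is an added example written for this page, not part of the sandbox report or of any product; it triages event lines in the report's own "Registry ... ➝ ...", "Creates Process ...", "Creates File ...", "Creates Mutex ..." layout. The EVENTS list is constructed from the lines above (device and pipe handles left out) and the autorun key list and firewall regex are the example's own choices.

```python
import re

# Constructed from the sandbox events in this report; not collected from a live host.
EVENTS = [
    r"Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{19B0FB39-5DAF-EBD9-F62F-E2CA249B3BDB}\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r"Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r"Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r"Registry HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\EU42VC91Z3 ➝ kkkk's Bot",
    r"Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r"Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{19B0FB39-5DAF-EBD9-F62F-E2CA249B3BDB}\StubPath ➝ C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r"Creates File C:\Documents and Settings\Administrator\Application Data\abcd",
    r"Creates File C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe",
    r'Creates Process cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'Creates Process cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\AGVPCGLIXQ.exe:*:Enabled:Windows Messanger" /f',
    r'Creates Process cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\malware.exe" /t REG_SZ /d "C:\malware.exe:*:Enabled:Windows Messanger" /f',
    r"Creates Mutex EU42VC91Z3",
]

# Key fragments (lower-cased, with trailing backslash so "Run\" != "RunServices") that
# mean "start this at logon". The example's own list; extend it for your environment.
AUTORUN_KEYS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
    "\\microsoft\\active setup\\installed components\\",
)

# REG ADD against the XP/2003 firewall policy store; group 1 is the profile,
# group 2 is set when the target is the per-application exception list.
FIREWALL_RE = re.compile(
    r"REG\s+ADD\s+HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\"
    r"Parameters\\FirewallPolicy\\(\w+)Profile(\\AuthorizedApplications\\List)?",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'/v\s+"([^"]+)"', re.IGNORECASE)
DATA_RE = re.compile(r'/d\s+"([^"]*)"', re.IGNORECASE)


def triage(events):
    """Classify sandbox event lines into autorun registrations, firewall
    tampering, dropped files and mutexes, then cross-reference dropped files
    against autorun targets."""
    out = {"autorun": [], "firewall": [], "dropped": [], "mutexes": []}
    for ev in events:
        if ev.startswith("Registry "):
            key, _, value = ev[len("Registry "):].partition(" ➝ ")
            if any(frag in key.lower() for frag in AUTORUN_KEYS):
                out["autorun"].append((key, value))
        elif ev.startswith("Creates Process "):
            cmd = ev[len("Creates Process "):]
            m = FIREWALL_RE.search(cmd)
            if not m:
                continue
            profile, is_app_list = m.group(1), bool(m.group(2))
            name, data = VALUE_RE.search(cmd), DATA_RE.search(cmd)
            if is_app_list and name:
                out["firewall"].append("%s: exception added for %s" % (profile, name.group(1)))
            elif (name and name.group(1).lower() == "donotallowexceptions"
                  and data and data.group(1) == "0"):
                out["firewall"].append("%s: exceptions re-enabled (DoNotAllowExceptions=0)" % profile)
        elif ev.startswith("Creates File "):
            out["dropped"].append(ev[len("Creates File "):])
        elif ev.startswith("Creates Mutex "):
            out["mutexes"].append(ev[len("Creates Mutex "):])
    targets = {v.lower() for _, v in out["autorun"]}
    out["dropped_and_registered"] = sorted(p for p in out["dropped"] if p.lower() in targets)
    return out


def is_backdoor_like(findings):
    """Heuristic verdict: a freshly dropped file that is registered for autorun
    and also punched through the host firewall."""
    return bool(findings["dropped_and_registered"]) and any(
        "exception added" in f for f in findings["firewall"])


if __name__ == "__main__":
    result = triage(EVENTS)
    for section in ("autorun", "firewall", "dropped_and_registered", "mutexes"):
        print(section, "->", result[section])
    print("backdoor-like:", is_backdoor_like(result))
```

The same logic ports directly to a Sysmon or EDR pipeline: the autorun check becomes a rule on registry-set events under those key paths, and the firewall check becomes a rule on process creation where the image is reg.exe and the command line contains FirewallPolicy. Note that the bot sets DoNotAllowExceptions to 0 before adding its exceptions, so a rule that only watches the AuthorizedApplications list would still fire, but a rule that only watches for exceptions being disabled would miss this sample entirely.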

Network Details:

Flows TCP: 192.168.1.1:1033 ➝ 192.168.42.151:3080
Flows TCP: 192.168.1.1:1033 ➝ 192.168.42.151:3080
Flows TCP: 192.168.1.1:1035 ➝ 192.168.42.151:3080
(three outbound connection attempts from the analysis VM to the same endpoint, TCP port 3080; the firewall exceptions added above are what allow the dropped copy to reach it on a host with the firewall on)

Strings (extracted from the packed file, so most entries are fragments of UPX-compressed data rather than real strings; the readable ones such as KERNEL32.DLL, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect and ExitProcess are the UPX stub's own imports, MSVBVM60.DLL marks a Visual Basic 6 program, and names like frmMain, coCHAT_ADDMSG, tmrLivLogg and Screensho are partial VB identifiers; unpack the sample before relying on this list)
.X
.
.
L
d
..
.r(
P
. 
I
 .
...o{
..$
.
.F>

PERS
SETTINGS
"=~##_$
00G0rE
05ea.l).
0F\*M'<
0i~/\l
|0''#O
'0OtBo
0P$PHD
0sL*#X
0{-T};
1234\r
15dF8F91AEE<A
^1t]:/
1T0'o,"jH|
1T}`FAb$
20C<|0d
22A368949C0&sX
=@|2$5%
2]	9r0(
2>e%Xdq
`.@]2X
32EDE121D9E2
33JB:,v
33jfXB
$3A2F.
*3>>F0
3``h\n
3l/A,7B`
3t\p#L
3|yF~)
4`@`` 
%&'()*456789:CDEFGHIJSTUVWXYZc
4#7K_s
4	8T4d,
\4a`Q;a
4a(&q$V
4[cv4=bGa
4H4sg%
'&4M{8"
4pZ[8a
!4yvT")
501E:9~
5Async?PWs6
5]P0lcd
6E4ZF7C8
6IR1/2
6n1?e:-VS
6V2Ziz<p]
7033413A64
>73&97
7;4716
774NE55*237X2
@7/(7y
7A4B6739316C4F5B5C5*14
7b8x3 L
;7h"p9d7
7@](Il9
7J::cY8
.=7Kaj
7lfrnb6
7niffOS4
7pUKl&
7S^ONv
8*	33#
83(9)X
86)\Mic*soft Visual St.
\8fO7{i
}8ngArE
@&9$$&
99dt1l
9i.884
)9,pxr
a\,^($
a4.U}N
AddMsg
AddRef
AdjuFP
ad<l0s2r
A*dT4d
A,E8(i\
ais{pQ
alUpda
/a]~`%mPL
A,nK.i0
aO@08lq
aqAt[W
Audio.
A/uV0K
awuois=
b86mswin
BDkQKh
bE4`G'
Bfr%sl6Q
BG*~*)
bjBd@Fv?,
%	[bJTPM
BnV7"09
+$]bQp
bss_ser'
BT4w2 w
BtKill
?Bw lZ3
by.To,
B~!ZnB+
c2->a"6
;]C9HYH.
>ca?A^I
CallBaK
'%capG
<Ciuqa
coCHAT_ADDMSG
Cog	b;
Compzb7
+C	=Oo
C:\Prog
c(q[W-
'Cr2J	K	
CrypcImagex
cSubClHi
cVcs7:P@
Cw- 5O
D0*I`DWH
[D3SaR
D#69$N*
 d#;9$
_Da# 3C
><#DDVw
df"FC^YO
Dh) &G
#dHlq6
DI/.`7
#D+k#,
Dk#"lM
 ,<DLw6}
dM:9beZ
d@NHPtDM
/Do3^FL42|
Dot7*x
DragQuery
\d(#t\.
dT4XN<
)D;uO)
d@$X O
+~e&0d
e3rc`Or
E4:|	"=
<e4ym5
e83U<sl
E^CQxX:0p
ef7d 9
EFB$9$xU
E\FwPN
Eh%v^lI
Ek"/Sp
E/L7wW
_E(pt|lWcD
.eq@rG
e 'rr*
E	ST*Cp
EVENT_SINK_Ge
'EV?L_]
ExitProcess
E/$yEz
F062D2BD
F0K)8i
:f.C)G
FFFFXX
FfIj^C
"f_h/)
 Files (x
fJpDD@
$,FLLe
Floo!b\w@
F%mG#}
#)$<Fo0
-f)pP&
fpy<(E
fr4B`(0
`fRJ<c
frmMain
fx0:M5
Fy.#fbv
f>Z/._;
$'''g?
_"g 7X
g=]:8H
#(g##;A
'=GA-L;
GetProcAddress
G>t3YTP
\G]#tiO1
GWSOCKu
@h_0^w
?h6 B:
h7jPE~
 h8d8J
[heQT%
h' #FX
 hGed /
HHL5B$
Hsi.+XT<L
HTO?69
.hXfX8
 HXll4
ia _77@68
I`BUn8
icalDr
i((C$H!a
ICK_DELAF
i:`dp`3n4
ifD_/A
ifSd `\g
I&`gX 
i.H/8H
i	j\TP
InfoTO
InvokeV
I;OIiMg
I@Q*[^
IsDCq@
It:gRZ,-
iX8Kpy9
($ izZz.
jd?#b\
/jdRaf
jIcV$g
j/)k9D
J&*kal
/j<s!+g#
,jU{Vh[
*'Jw]:
K]>1h-
K22liWGr[
kc_13B
k(&{D5
KERNEL32.DLL
[k^~H<
kI"&=9i
@@Kjka)
-k$(.S
ksl/=I<
|*}<kV
}kW\+H
L2 '4<
Lau&hF/
lB4l`b{
L&d/O<p
lEnghe4
`lfXbl
li:E4,
lijhqOy
lj@9>$&l{9
Lla+(B
l-n/on
Lntlt`H
LoadLibraryA
lobalAl
_loseHandJ
L_:P&x8
L}|[Uq5
Lus:1]K
%#!lx6
!}ly_;
L)^Y"aA
`{$;M3\
m	5N{a
M?(b{Z
Mddj!;20
M%>E	\T
m[GHN.
^__^Mkok$P
	mMl%6`
mn^8uF
m{NB2ds
MQ[d	h
?MR{3u
MRJdHw
MS SaX
\msvbvm60
MSVBVM60.DLL
MSVBVM60UX
MtHH@~
&mT&p	@
m"u/D2W
%~M#w&
m;wWlGam-
M&Xu%:]
N' ~0~%V+eTD&
"N2]F|
N2 swx
NGZdNo
NJ4qi8
 ]>nn1huA
Nnz# N
noMIY"
nP_PYz
NRyf/pN1
NTDLLD
_NvAf !
!#<:nW-
-O8n(_
*O8^.N
-obh.&
oE01#OQ
O[_FACEBOOK_START
o^fADClifSteamG
OFj	H7H
OGON/_B
!okF> FDD
'Okf	Q
#ONFh$
ook?RS`curity
-*ovbv)
oWaiqSx
OwnZ6i
_)ox^=
O^Xa5_
oXCCdC
(`@\o+y
*(?|&^P
)'P='9
P)9h_x
_)pbEM
PC0?:B
P/\dT4
Peekxo
pFlx,f
pfmDNoB
picThumb
&@p*&*l
PL=E-=Q`'	
'p\lor2{
PlPb!X
PoK78Sh
pOX/;?
,ppcdAWAd
P}{P/s/P
;PQFd"
pQValu
PRINT_
<pT6z(`8
 px@9	
Q0x&,2-P
q5no- 
;'QA~j
q DCU<
Q\g\wK
qjtH#?o`?
q$nUHVS
%(Qp,9
q(#qZC
queezer
qUGH&P
"\$r/ 
r\'//]_
.r@_0h
r456tr!
r%9May
raTagg
rAUb9]^9t]
Rd:\SysWOW64\
RH/kT>y
rI#;R$
rJvj_Vd
rlPIyEhG
RoYlB3
<R;pja
/Rr@M<7
ry7RzL]
*:R.Z_
:ScanD]
#SCManPr
s:.cpV
Screensho
SER_FB77
]]s<e/SrcLef]
sG\bo`
SGUfhG
;slR&F*
Socket
s.op-IM%`/EC
\("SS=
s the p@
#'@sTL^
STRUCq
stV&y<
SZoM7Pn`
t1\'W2
t3qK#dg
t)5H%a"
TaeS;i
TEgw *
tF6I z
!This program cannot be run in DOS mode.
ti -+?
:;tkEe}
TM83$- S
tmrLivLogg+
^T)M_SY
TM	;uSR
],t~ n
TorrentS
 t$p'l
tp#M6:A
`tPp=+;
T r%9<
trz`.g
T+v2~3L
#U@32A
ucrons
ud\N	h
uHR2\?
Un0H&4F2P
Un@cvssPATH_WINL0
UrlCache
URLDVnlg
*?UXr1
UYl1X4
"u"~Z(o
]uZzgf
,.)V{:
V00"43
{?v#0H
~VBA6T
v.Bf&|
vBIV9*O
v{C;? 
vf`M1P
$vh7aq!}
_vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
v'n;~ 
?]v;nb3LA
 ;$(,;vr
$Vr#@*
)vS| M
VwCtl~ebBrow
WAcquR
*WaOV=E
wapMo~
w'Av)u
	w+C{P
WD.0K:
&WdglL
_WebHide
WH^)\<
w.jje[
-_WMqo
^)w*n]
wRi@foB
'Wr<ld
W=SBlj(
W&utPW8
WWdv;\
X<==a2:Y
}\xEm>
xG0WoK
xgCmp_brs
XPTPSW
xQ?|PR
xt.&l&l
$xV=&h
X!wD`T
y#2AP_
@Y'a6t
YbB;`1
yFor+^x
yGrabbOg	V
yHX5n2
Y@J\cD6[1
Yk/ qu
Y NAga
yPLHD@
YP+:S@@
yr\X~P8
YX"")fv
YXF?xw
yy:<F(:,k
z2BEz`
Z|+:4	
{Zdh= >2\[p	
z\N{: 
ZT'F0`q
Z$}tw3
Z}%_%y7