Analysis Date: 2014-02-22 10:35:28
MD5: 9a562cd09de4abe9ebfdaa89442f1469
SHA1: 4537ddb25b7fd9415812e57b50a2814e614ba4f9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 14660a18f8423a9dfb0b8f42840199ae sha1: bbe0560298ab187f09c85ee5a4eed2d44e426b6d size: 177664
Section .rsrc: md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95
AV avg: Worm/Generic2.BLRH
AV avira: BDS/Backdoor.Gen
AV mcafee: W32/Generic.worm!p2p
AV msse: Worm:Win32/Ainslot.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\STGXZ0EERM ➝ February 22, 2014\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\STGXZ0EERM ➝ 31's Bot\\x00
Creates File: C:\Documents and Settings\Administrator\Application Data\launcer
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: STGXZ0EERM

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe ➝ C:\Documents and Settings\Administrator\Application Data\CHZI1QL1V0.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝ C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

Flows TCP: 192.168.1.1:1033 ➝ 94.102.10.8:15001
Flows TCP: 192.168.1.1:1033 ➝ 94.102.10.8:15001
Flows TCP: 192.168.1.1:1035 ➝ 94.102.10.8:15001

Strings:
.D
.
oO
..
.
.
V
.
N
T.
 
..
Q.
.
.
)

PERS
SETTINGS
<0/_''
,.,0003
05mA*XO
@0~%D&
&]*0DF
0:`D%o
];0G0rE
&0j?7a
0|@&ph
0r(If8
0WD@f1
0x-j!/&44
",0"'ZO
1*5b!c
15dF8F91AEE
1+(>6_
^'"1b"
1ZWR/$
22A36f7
22I\dV
291:!1
#2AP_u<
(2;<C.
.!2e>#l
2KHkCP+LC
3(5bvGy'
35;hsI
3o!O[M
%&'()*456789:CDj
,4'!AJN
4I('>[
~4$pXO;
-4QKwW\
4|x-t_ff
!4yvT"
"4#Z F)
5b/Oe)
5k1"DT
5vF`l<8
6ENC^fADCli
-6R??y
6V2Ziz<p]
6xjhd>
7033413A647A4B6739316C4F5B5
72w22r
774NE55*
}77PR[B
78jdjA
7`ES+o<c
`7m-:_ u0
7NH<s2+
7niffOV
7rAUb9]^9t]:g
@7('!V 
82PKA7
\&84Hj
88Gh1+
8949C0&
-8ept~9o
8Et#2g,.
-8#FD|Q%
(8HX5n2iT
8_O6F6
!8&o!MZn
< 8 X-
8 $"XO
,('90CS
9BuI?x
#9lK<l
9vgub'
9yN.h`
*	9z&k
a4.U}N
"A4*Vu
~,A5tA!~
aAK[f;vaj
AaLM>kl
ADbjd^
AddMsg
AddRef
AdjuFPjN
adyStq
agQuery
^aH#S+
ais{pQ
alUpda
A)ox^=
`aP:H>
a`Q6*5>Hw
*aSBlj(
Async?PWs
{aTagg
Audio.
AW9j`#
awuois=
<*B <(
b86mswin
bCECR@
BGW	XJ
BIV9*O
brmm6 
bss_ser'
BtKill
by.ToPlPbRAY
=c2->a"6
;]C9HYH.
CallBaK
C<F6E4ZF7C8
/Chat'
Cn'LN*t
Compzb7
+C	=Oo
CROL<)X
`Cu>@Po
curity
C,UXRl
d@&' (<
!d`1HI
<D@<84
dA&v9z
`.daW[
####ddTT4
df"FC^YO
DG=B \6:
_d&JELgJ_
djy_Bv
Dl/%mP 
DN4I"3&
d_O@`4
Dq@Gi=
d`'SX0g8X05
\d(#t\.
<DVG2 'C|@H
 D(Wc@
'E!|/!
\*E [\
E4:|	"=
$~E5u*
e+$]bB@
E^Ct`*
ect?TorrentS
EDE121D9E2F062D2BD
EFB$9$xU
EFGHIJSTUVWXYZcdefg
E\FwPN
EP`?&0
EtDt},M
EVENT_SINK_Ge
}?e:-VS
Exd@f/
ExitProcess
$=@:f_
F1$3[^
F6I zg
_FACEBOOK_START
F> FDD
fG"cnN
"f_h'n;
 Files (x86)\
Fk?xn#
F+L0T5(%
$,FLLe
#)$<Fo0
F;=Ph(
fPL@ek
fQ+AT\z
FrBf>a`
frmMain
fS~ijn
fSteamGook?RS`
:Ft]:/
fWmZvv7
Fy.#fb
* '^ G
g0D+k`
G3#h-aI
!G$7$L5
{^GEKW
GetProcAddress
ghDCG\
GiPph.
gj	sl.i
gLPU)Z\
#(g##;Q
GWSOCK
Gz[zY@z
H177P:
h4M@dd
H5Gucu
`#H-B@
"HD3aO
Hd&Bzx\
hd`\c]
_HD`@N
<He8p(
heInvokeV
H:Er +)
_@$_Hf
h' #FX
hGed /X 
h&I;r3U
^*HO)k
HO^T)M$
h(Tn(_
[#-hu8
`hv/z	
h+!w#a(
hZRX,5
(.\.i.
icalDr
ICK_DELAF
ICk)S%
iFTr2l%
in8<L`
InfoTO
IW7CN_.
IX,9Laq
\IyKcj
]}j08l
j729"Q
@J\cD.
.jjeZo
:Jk@IP
Jk_X[/
[@-jNX
\~JP-{
J!<pAip
^jR&l(
JUpK'|
jx(V%4!n
jZA\4X)M
k&<[/ `)~
k{0<40L
K]>1h-
	,K$41
K6&?SCO+U
kBb!ei
 ~$KC'
KERNEL32.DLL
kHCb+x
KJ|&<\.i.
@@Kjka)
',K~$SCPP
&k)U2r
|*}<kV
}KXWU8
k,#yf"
:`KZ+d(
L0P$P8
@\%L2 #
L2 ' (
L5DDHLbi?
l6:t*H
@l\9,p
lcPEs/\
L&d/O<p
lE.4TM833
-l!fH,';G
|lhNGZd
LhPfpa
l-I?)gT
lijhq)
@*LL!CR!
LLLH87I
%lN(0(h
l-n/on
LoadLibraryA
lobalAl
L.o*<{g2
loseHandJ
loUn@cvssPATH_WINLOGON
`LP^h@V/cR
lsACiX
Lus:1]K_
L].w70,
?l{XBP8t
\l`+XT
(L>Zero
M1DlFun
 M3	!Zo
m6&9p#E
MDgBvty\
{mfRH>
Mic*soft Visual Stz\
M^@JollM( >
mKD'6'\
^__^Mkok$P
mm9UCn
	mMl%6`
mnK{Vf
modFucrons
MP@P? 
,mRhEk
MS SaX
\msvbvm60
MSVBVM60
MSVBVM60.DLL
*M<t8/H
mXKoTZ
M&Xu%:]
@n0Nu&
"N2]F|
N2 #`h 
n4!--=Q
N@. 7^
%NDqGK
n&FGLB
n@hkno
`n@,L@
nL2 o(
<N.Lx&
N\'#ON
npLl3M
+`;Nqq/M
NTDLLJT}
'NV:8H
"@Nvquee+
nxA,L6
o00/2GJ
*O8^.N
O{ak='G
OBB.#(b
-obh.&
oCHAT	O
$OCtK 
oL<~JA
oLX'#Of
O(M2G#2
 Oo-)  !
Oo'fB'
os#+Om
ovbv)#v"
oWaiqS
owIIn:
<'O`\XT,
OZ1l+%
 @P`@`` 
p5HBITMAP
P702GO_I
`^;'P8
P#)G_K-
picThumb
PLPL<1
ppeM(#6
pP&,.t
PRINT_
Ps/PX8
pv`!61H@
p# V\e
pv$-`t
 ,q/:.'
'q	, +
QdnZ48
Qg+kHx
Ql[0+$
qNt9H&
q$nUHVS
QoYlB0
@% q S
qTY6~?
>\QValu
>Qz*$p
R'!;\ 
r!11r!
r!22r!
r!34r!
r567NH'
R9xxx$
r*"9z5
Rd:\SysWOW64\	
Ri7$MD
rJvj_Vd
;r@M<7
r}#n|T
r	'N_ZG
r o4>FAJD
>RO@:<F(
rXRG<Q[8F
S73&97
S.=7Kajt8
s7p}!]
S92iDpjY@
)S	aip
:ScanLz
sciid@n
_?SCManPr
s:.cpV
Screensho
$$se2 
~SER_FB77b
SiZaYD	HH
s/Jo	K
so@a#t
Socket
s.op-/
s@Q*[P
SrcLef]
="SsOS
s the A
@S*/Tr
STRUCTIO
stV&y<
^[$#SU
s@#U@32
_SY)`A
SZoM7P
SZ/._v
'T0d/R
:t3YTP
T4gzF>Y
t)5H%a"t
"t)&<8!
(T9hNUX#
T_ADDMSG
TaenmP
tCZ^I_
&?t?:d*c
TgH1j"
tg@JN2|
!This program cannot be run in DOS mode.
Tim[?S
TIOcm%_
:;tkEe}
T!`k&KDQH
]T<-<`L
TLC|~S
tmrLivLogg+
],t~ n
T&p7V!
`tPp=+7Z
T+RN7%
($tSd 
T.ydTdT
tzS%Wb_
&u^8uF
UAOo^6`
u(.!C4
 )uHRL
#U|iWk
u<LXLQ
Uq$q]J
UrlCache
URLDVnl
 usiid
uV0vki.
v.2&A/
v4=bGa
v5;uO:
V'7*Bs
v.Bf&|
vf`M1P
+vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
v$qTh_=[;
VUc!V_0
_VVwCtl~ebBrow
(v+Y!JT
W-#2 '
w3#	7a
?Wb+<|
wCzk_G
Wdv $|m
_WebHide
(.WGcS
wi*K|\
wIo6IR1/
wk4:``
Wk_UEH
^)w*n]
$wN$N$
WP-_d/
w$s'08!
w	-T}C
wtjfbbl"
WWdYKk
x4^<#O
x5FE\V
X8`G"_A
X9w9R/%
XCCdC3g|
}\xEm>
$.Xf2K
xHCSp 
XJB:,{
X'j'b3\
 xKi(p!#7q(d
xlh^NJ5
@XN\v	G
X@p5W0w
xphZRJ<@@Y/c
XPTPSW
XTPLH<
xu0[L8
xu5sx4
X'vThG
@Y'a6t
'Y|DXE
yGrabbOg	V
*Y|'i~
yn'Dl=
ypcImage', 
(@YPOp>:
YP+:S@aM
YX"")fv.:
YXF?xw
Z|+:4	
Z$OGZ)i
@*ZQR/*
zst^C`
ZsTs(>*1sTb
.Z_/x|x
\	\zyotvh