Analysis Date: 2014-03-08 00:50:10
MD5: 305eaa98995c211586b180ae1e135d2c
SHA1: 4b5a77eafa49e11a87bc1ccb2206a8dce7b861a6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8ce105c8e522493eaa40384fcedc1028 sha1: 2066967368d22087689c3f52d97d5009f8559928 size: 53248
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 4254f762ad9704a1d3cb79daf9fd7937 sha1: 9190cac6e9eff518280bb1627ea8cb660fea0dc7 size: 28672
Timestamp: 2014-02-23 11:39:22
Version:
  InternalName: aplicativo
  FileVersion: 1.00
  CompanyName: Microsoft
  ProductName: gbplugin
  ProductVersion: 1.00
  OriginalFilename: aplicativo.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 25cb8e14f70a97fb839f88c904e8a4e99573d937
IMPhash: 141eb3daf368496a6a0eee8f5dc872be
AV (avg): Downloader.Banload2.GOC

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\documento.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCA13.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: ftp.hps.url.ph

Network Details:

DNS: ftp.hps.url.ph (Type: A) ➝ 31.170.164.118
Flows TCP: 192.168.1.1:1033 ➝ 31.170.164.118:21

Raw Pcap
0x00000000 (00000)   55534552 20753137 34363237 3739310d   USER u174627791.
0x00000010 (00016)   0a504153 53207937 68377733 33713232   .PASS y7h7w33q22
0x00000020 (00032)   0d0a5057 440d0a43 5744207a 69700d0a   ..PWD..CWD zip..
0x00000030 (00048)   54595045 20410d0a 50415356 0d0a5459   TYPE A..PASV..TY
0x00000040 (00064)   50452041 0d0a504f 52542031 37322c31   PE A..PORT 172,1
0x00000050 (00080)   362c382c 312c3139 2c313337 0d0a4c49   6,8,1,19,137..LI
0x00000060 (00096)   53540d0a                              ST..
Strings
040904B0
1.00
@*\AC:\Users\hP\Desktop\arquivo2014\baixador2014plugin\baixador2014plugin\gbplugin.vbp
aplicativo
aplicativo.exe
\appinf\
\appinf\sk1.txt
Archivo descargado correctamente:
arquivo2014
\Chrome.exe
.com
CompanyName
Conectado a: 
Desconectado de: 
.dll
documento
documento2
\documento2.exe
ERRO 4454680
Error 
Error al cambiar de directorio
Error al desconectar
Error al intentar descargar el fichero: 
Error. Compruebe los datos del servidor Ftp sin son correctos
Error en la conexi
.exe
FileVersion
gbplugin
.htm
...Intentando conectar a: 
InternalName
jjjjj
.jpg
.log
Microsoft
n a internet, compruebe la conexi
No se puede conectar. Verifique el Nombre de usuario
.ocx
OriginalFilename
ProductName
ProductVersion
.scr
StringFileInfo
Translation
.txt
userprofile
VarFileInfo
VS_VERSION_INFO
.zip
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
aplicativo
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FileTimeToSystemTime
FtpCreateDirectoryA
FtpDeleteFileA
FtpFindFirstFileA
FtpGetCurrentDirectoryA
FtpGetFileA
FtpPutFileA
FtpRemoveDirectoryA
FtpRenameFileA
FtpSetCurrentDirectoryA
gbplugin
gbplugin_modulo
gbplugin_modulo1
InternetCloseHandle
InternetConnectA
InternetFindNextFileA
InternetGetLastResponseInfoA
InternetOpenA
kernel32
MSVBVM60.DLL
Project1
RedLabel
shell32.dll
ShellExecuteA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
!This program cannot be run in DOS mode.
VBA6.DLL
__vbaAryDestruct
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2I4
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLenBstr
__vbaLenVar
__vbaLsetFixstr
__vbaMidStmtBstr
__vbaNew2
__vbaObjSet
__vbaObjSetAddref
__vbaOnError
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaRedimPreserve
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaVarCat
__vbaVarCopy
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarMove
__vbaVarSub
__vbaVarTstEq
__vbaVarTstNe
wininet.dll