Analysis Date: 2014-12-21 14:03:33
MD5: 650547f0c197808bca3ab828dd746e97
SHA1: 4c8c33d3b2142b46218dda66b338f17f00747259

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: 5e3456205c3b57caa122cc3b702ec768 sha1: 536d318a9d13afe532b839e487c0c4f3cb2deb98 size: 36864
Section UPX1: md5: a9c5c0ef9ac72a5d7760f407beec128e sha1: abb90b106497376e13663b097cffb6290923f458 size: 8704
Section .rsrc: md5: 25e88bf9084c7bb00f587e4d895e2ada sha1: 5c4c9b5896fd98f5d6c48cf95280573d7f1c9fc1 size: 3072
Timestamp: 2009-07-07 12:34:46
Version InternalName: vidabela
FileVersion: 1.00
CompanyName: Microsoft
ProductName: downl
ProductVersion: 1.00
OriginalFilename: vidabela.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 190b2a75b19dc10226e066a3d4f4408c4d2ef7e9
IMPhash: da1ed48316c978a0d4cd568355a45287
AV 360 Safe: Gen:Variant.Graftor.66377
AV Ad-Aware: Gen:Variant.Graftor.66377
AV Alwil (avast): VB-LXB [Drp]
AV Arcabit (arcavir): Gen:Variant.Graftor.66377
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Agent.SB.32
AV BullGuard: Gen:Variant.Graftor.66377
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad.26363
AV Emsisoft: Gen:Variant.Graftor.66377
AV Eset (nod32): Win32/TrojanDownloader.VB.NYR
AV Fortinet: W32/VB.CFFT!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.66377
AV Grisoft (avg): Downloader.Agent2.FPF
AV Ikarus: Trojan-Downloader.Win32.VB
AV K7: Trojan ( 00386dc51 )
AV Kaspersky: Trojan-Downloader.Win32.Agent.cfft
AV MalwareBytes: Trojan.FakeMS.Gen
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Bancos.EB
AV MicroWorld (escan): Gen:Variant.Graftor.66377
AV Rising: no_virus
AV Sophos: Mal/VB-YZ
AV Symantec: Downloader
AV Trend Micro: TROJ_DLVB.SMIB
AV VirusBlokAda (vba32): TrojanDownloader.Agent

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\vidadoctor04.hpg.com[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: vidadoctor04.hpg.com.br
Winsock DNS: itemmodulo.hpg.com.br
Winsock URL: http://itemmodulo.hpg.com.br/process.jpg
Winsock URL: http://vidadoctor04.hpg.com.br
Winsock URL: http://itemmodulo.hpg.com.br/MCItaNE.jpg
Winsock URL: http://itemmodulo.hpg.com.br/usbmsn.jpg

Network Details:

DNS: itemmodulo.hpg.com.br
Type: A
187.31.64.20
DNS: vidadoctor04.hpg.com.br
Type: A
187.31.64.20
HTTP GET: http://itemmodulo.hpg.com.br/process.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://itemmodulo.hpg.com.br/MCItaNE.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://itemmodulo.hpg.com.br/usbmsn.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://vidadoctor04.hpg.com.br/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 187.31.64.20:80
Flows TCP: 192.168.1.1:1033 ➝ 187.31.64.20:80
Flows TCP: 192.168.1.1:1034 ➝ 187.31.64.20:80
Flows TCP: 192.168.1.1:1035 ➝ 187.31.64.20:80

Raw Pcap


Strings

040904B0
1.00
433A5C57696E646F77735C53797374656D33325C4D434974614E452E657865
633A5C77696E646F77735C73797374656D33322F70726F636573732E657865
633A5C77696E646F77735C73797374656D33325C
633A5C77696E646F77735C73797374656D33325C70726F636573732E657865
633A5C77696E646F77735C7573626D736E2E657865
6974656D6D6F64756C6F2E6870672E636F6D2E62722F4D434974614E452E6A7067
6974656D6D6F64756C6F2E6870672E636F6D2E62722F70726F636573732E6A7067
6974656D6D6F64756C6F2E6870672E636F6D2E62722F7573626D736E2E6A7067
76696461646F63746F7230342E6870672E636F6D2E6272
@*\AD:\Backup-Doctor\Caixa Nova\Nova Caixa Renascer\NOva Caixa Doctor-Itoken\Salvador\Compressor\Load\downl.vbp
CompanyName
downl
FileVersion
http://
InternalName
Microsoft
OriginalFilename
ProductName
ProductVersion
pwd001101045
StringFileInfo
Translation
VarFileInfo
vidabela
vidabela.exe
VS_VERSION_INFO
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
C:\Arquivos de programas\Microsoft Visual Studio\VB98\VB6.OLB
_CIatan
_CIcos
_CIcosadj_fp
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
`.data
Decrypt
div_m64
DJFunction
DllFunctionCall
Download
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_{Ref
EVENT_SINK_Release
ExitProcess
GetProcAddress
Height 
Image1
Inp	Buf
InputBuffer
KERNEL32.DLL
lease_X
LoadLibraryA
MSVBVM60.DLL
outFile
Password
Project1
QueryInt
Richya
strPassword
.text<
!This program cannot be run in DOS mode.
URLDownloadToFileA
urlmon
VBA6.DLL
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaFPException
__vbaFpI2
__vbaFpI4
__vbaFreeObj
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaHresultCheckObj
__vbaI2I4
__vbaI4Var
__vbaInStr
__vbaLenBstr
__vbaLenVar
__vbaMidStmtBstr
__vbaNew2
__vbaOnError
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaVarAdd
__vbaVarCopy
__vbaVarMod
vidabela
VirtualProtect
XPTPSW