Analysis Date: 2014-11-22 15:32:52
MD5: f33498132036358ac2cd02fa2b6f0f2f
SHA1: 500f0ded8c76055d7c19168f9db3deb51315caae

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 0870c27c67ca6cf3568933c812085f8d3585f986
IMPhash: 5795c9e1e92679de260a5b2a5f81dae0
AV 360 Safe: Trojan.Encpk.Gen.1
AV Ad-Aware: Trojan.Encpk.Gen.1
AV Alwil (avast): Fareit-KX [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.GWLA-1545
AV Avira (antivir): TR/Inject.295564
AV BullGuard: Trojan.Encpk.Gen.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanPSW.Fareit.amdr
AV ClamAV: Win.Trojan.Fareit-309
AV Dr. Web: Trojan.DownLoad3.28650
AV Emsisoft: Trojan.Encpk.Gen.1
AV Eset (nod32): Win32/Spy.Zbot.AAO
AV Fortinet: W32/Injector.ATCM!tr
AV Frisk (f-prot): W32/Trojan2.NXQA
AV F-Secure: Trojan.Encpk.Gen.1
AV Grisoft (avg): Generic9_c.BPSN
AV Ikarus: Virus.Win32.VBInject
AV K7: Trojan ( 0048f6841 )
AV Kaspersky: Trojan-PSW.Win32.Fareit.amdr
AV MalwareBytes: Trojan.VBKrypt
AV Mcafee: Generic-FANR!F33498132036
AV Microsoft Security Essentials: VirTool:Win32/VBInject.gen!LD
AV MicroWorld (escan): Trojan.Encpk.Gen.1
AV Rising: no_virus
AV Sophos: Troj/Agent-ADBJ
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_SPNR.35KD13
AV VirusBlokAda (vba32): TrojanPSW.Fareit

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Zuaq\siacg.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Firup\esilk.siq
Creates File: C:\Documents and Settings\Administrator\Application Data\Abvyni\hyqyf.pip
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Zuaq\siacg.exe"
Creates Mutex: Global\{3A3989C7-A562-D1B8-B27B-A12242AEC48F}

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Zuaq\siacg.exe"

Network Details:



Strings
`$~
....
...
..
..
.
.
O
.`$~
....
...

.00.0009
040904B0
1.00.0009
CompanyName
config
FileVersion
InternalName
mpolikjutd
mposednhytf
onfig.exe
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
03iYsHG
}08Y6\
0.d_;\
0/f-c\
0=	={H#
0NqN@P
<|0nYl`K
0Qp'pn
0RiFYJ
=_16"9
1a8ym%
,1bqSw
1+GZhZ
1<m}3@
:.1O1BZ
1s:84`
`!_1VQ
:1?-;w
'"1z='
21J*:=
;<?23hQ
2&6D7	
2=7:G"
28at_<D
2AuI~u
{/_2bPUM
 2}Dkd
2IjN?w
2]m1s&
360:Po
*3c8)6}TC
3=D$cq
3gZV'wjM_w
3wq`6`
=^3+Y5}-
`45-@|
4Cc#"p
4E6!99
4et;JpuE
?*4FH:,
4h0<Km/!
<~#4H>;_3
/4T<~,^
4vpBSZ
4.wZt&{
4yKARJ
4ymQy9,
]57Q"D
5#hMz6
5h!q,@
5<"KV|Cg
5lzihu
|5Ma$I"cTu
5mU"SG
^ 5Q)(
,5Q4To%
5!sa#a
5`t|v/x
5>)`Xh
5	:xJ)
6/9\<6
#6H"vd
	6MdN[5
6:W3;oI
6wNa,9
6zbym!
-7a4_~
_%7DUs
7kSy;X
7o2t%R
7tx[#%
%7\Vo8
7yzYe(
*8)8Ym
8e2_$yH
8/FBJ.
8.h9N<
8[jp+2
8j"teD
~}'8:N D
/;8^RA'
+8\<{V
8ZR++?
	92_DG/
)9b^+N 
9g	$NN6
!9h%Y1
9I`RuF
9l$\w_
9}Rc~ 
9zy:oo
A2gdOI$2
a<3~.@Mv
a7Rmq-
AI}/ae
a|>IV}
AJWI@}
AQsNK*
asQ"B)
:aT _d
AU/ijd
axr]cW
>aXxuzT
a\yk2WbYn8;zH
a,[#<z
AZ#X_A
>B7a^^\SOII
{bAgAs
@ B(D	E
B<}).FId
BGYOfRC
}BHvR,a
_-b;k==z I
/]bmoQ
bO?]Y1
.bqI$L
"Bsj<4|
B>u!`\
<B-v~"
*C5e6-
c@6(V!!VVT,
C~8Na-
c.~a7(zR
CAOW6rz
CCVfq3
cG_/~a
	CHM$d
c`NWvd
Cp=?ho{
)'c%Tokq
[~CTri
@~c_,VE
c>v,Q'
c~xA}P
d2;HaP
d)2YK$$
d?[.6}9Sd
d7n\N/
&DaZ*	
 :`+D"D
dGlRLg
.)D$H)
DhvF7u
#DKjT=
DL.{7$
Dm@r.#
{DNU3"
d/q'4.
<&DQ4	
DQd!UyLT
D$t+D$\
D$t#D$h
d-%U1}
';),dV
Dw_9P%
e;1>.00*($$$$
E=6A{#
E8)hr6
E8*O6^
%e8Z#e
=;e9%`
e9YoT8gi
/|eA`L
+)e!a~MZ'
ebCdS3
eBgtvk
e/ H_8
}E.,>j
]E:LIRo
E('_*mi6
e{	R4pY(^l
$E} S+Y
ewLPIi
,e<W~M
%'eWq)
_eW$#$r
ExitProcess
e{XzRi
|;EzsZ6
f0APLv
F2-1)s
~f6q}W
%FGL&4#'
fgMiIL
fuBC`Zd
g\?+=]
GetProcAddress
GG:7.z
G!`g^'h
gij:R|}H
gIUuDX9
|%/>gN
gT4k7>;&
G.Tgj 
_`GTHIl
g{t;W'
G*\u7O
GX[K[c
$!][H$
H2`qJ,e
H3q7Z8
h?B4LF
h$`B,4r
hCdipL['r,N8
h;cq"(
hfhhf*l[
-!&HH.&
HhR2DV
hk6,F?'
hK 9V4
h@k~f!/
hl S|?
HnzTv4
>HoL:I
H~Ot-<
"~hwn?
|H :Wn
HZxH+S
'i0<A:o
[I2NiI
#="_I3{*_
i3ws| 
I7k26	n
IFHr'23
iiNZXXXXTTTP////T
&Iv@;bg
iW`M`VWMWZKMKK7G70*0%79<9
Iw%v4Y](|?
]:IX~B.FRw
J@:> \
J04q277
	#JC`A
JEcP*k]r
J}EZk5a*
"$JLPY:v
@%J Nr
j`nY7\
JOe}G3
j@_op`
@Js->F
j	StNdO3
j]suE,
jtxgEt
j@u!"F
<J{!wBT
$j?xjl
	{jy*6|
jYy3y3S
k|0=|R
%k	3%t
k}6`Ds
Kd	Fnr
k{d_g	
KERNEL32.DLL
Khn@e;e
k<%HS[
khWm40
|Kk.'t2tw
KL87!z
.klyp%
k?pOQpa
kV*LF4
-?{!Kx
-kXa*?
kYU[_:
l.1CPO
%L6?o{+
L8Y[=Lg
lfYPir1Fm
l	H.0]8
LkN#D4t
LoadLibraryA
Lp>@$O
L?p)+U	
^L^|qm
;+LTP^
 :$m<1
)-M2;.
m9Ui-E
mA?9ff
mb7&."aP
M|Ehqy
Mk#%!lX
mKqg$T
M[m+nfO
MN(@Xy
mr@Wq`
MSVBVM60.DLL
N32 I<
N3!d5R
N:9S%u
n*~BIJ
Nc mwu
n;(!EfFG
newektoworgo
newektoworgoSVXXPXSRXOPRVVWXTPUWXOVUWVWSWQQTXXRXPSTTOPSWOXOUUVnewektoworgo?
NfSkwt[
NG3b&X
NGc#\@
NjN#KRU
NNNNNNNNN)
NntvczC
,-nOIa
NR3"FKET
Nr_Z(q
nY@<qf
nzjbKa*a
o4y$I %
OD-/p$
[o}E=k&
O#h@7_ 
oI[hzU
oooo0a
oPLiq0
oQ*VK|-v
@oY%g 
=%oZE'
P0c9"?
>+$p1n
p44uu8
P%*49]K
;PBf'U
p~|:DA.
*pfagY
pjtK?B|F(
PLbTd<Y
pooo0a
ppEbcJx
PR-l31s!
PU$O9f
P:vy^fv
Q31o6ZS
QawqAp
qFtHRnT
:q@Fty
'_ qGa
Q<^>I9
QO-%ylP-
@*qR_Q
QUK:<s4
QW=Mb 
-r+7xjFmN
R8lXI[
r9^To5
rCO:J#K^hv
rE#qr:
rG=g<{V
Rh$g	3	
R."|J;
	r@n'5
rN_H-yp
rn*kY{De
r:qrXoa
$RS6m^
rvrvoop[[[<<<<:::L49
rv":-Zz
"rY@	KrW
S7{43	k
	sb]7erJ
S!Fmya
S,G1Xv
sk_vtQ
S"kZcu
s`)L$4
>S$%QU
SuLAq(
SystemParametersInfoW
#s*">yTHHC
=sy`TO
SZ\!%sg
t0qmQj
t;~7lp
T]aCp=
T!aKvJ
t[|dhV=
|#	thGA
!This program cannot be run in DOS mode.
&TiKH)YWWicpQHW]@
t!OsK_
|}TqsPD
t$t#t$l
ttttt<|
-T.UOBZ
!-_t[!y
U{02{	
?u4pLDf
U4Qkh-
*ucAJ3
UcRZss
UEThR5
uH'\`4
uh`w>p
u!!L=d
un]s`G
un-u`Q#xqE
>Up>#)%#Qx
U'Qkd,
(*}uqn\
USer32.DlL
UU\}|p
|$	->'UUpF
U;v:.D
uVf'cg
:|(V``
!v$0%Z
&V9l6h
vaf%Wv
v	eJ/>
"v\^eR
 vEwSJ
VFO]vP
-+vhz.
V,IHAR!|
VirtualAlloc
VirtualFree
VirtualProtect
) v'k'
]V(NP_
vn-'vi
VS;IH|
vZZNl]1
*$w6VW%
wBKHK&~w"
wDqmH<0
/W.?GzG
wK$(ruS\
wl{lt+
(w=NOGR
w[Pf_m
W qN;%W#
WS!eJO
wSG;BG/
-^%wWH|
wwwwwwp
wwwwwwW
wwWXwX
W	xB=gp&9
wXwxxwuuuw
#,WzfX}
$X1k1^
x]3[-+M
!|x4_j
x, 5el`WG
XD{.yS
xgxU!v
xia}vM
XO[8aw
XPTPSW
XsmmppppppppppmC
xuuuewWwVWWw
xwuwuw
xwwxwWwW
||||xxpU
xxWwPw
xxxr0,
xXxxww|u}w
(-XYBGoFA
_Y;$6b
,!(%y9
.Y9Jut
y</^={A
__`yaN
Ya<Ti\
_Y|dJ_
`"]y="i
y`?KD1S
yMJ[g' 
YnewektoworgoD
y n\j}
yq\$R&SIa
ySx4we
Yt&HHQYo@
	yU(u{
yx7srR
}}yyyyvv|U
yzUXDQ
z68'_wdLx3
Z6dWjF
Z6.HkU
Z#\]7S~`
z?-8.T
Z;A|5k,
ZD<:\U
Zfg[YX%z
Z@HO,r
zI|o6*
|!Z)jSz	*
ZK|qS#
ZK=w9@
&ZnqH!
zP4xhCD
:!zpr)]
Zq85"O
zsx' 2
Z;;#t]
]Z-T?H
Z.w`2T
zZk,R ~
zZpw	9