Analysis Date: 2013-11-11 11:10:24
MD5: 4a0d34b9c6ede2c929261ea4fe4bc763
SHA1: 53b48b99efd8b4a4bf233ebdcbb40142e6398ae5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3852c5a908858340ed8a628068b51033 sha1: af37c175a5b7a8ecfb869d97308938432de87c37 size: 61440
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: c39589ce745d3f7be0737e38b2da02ad sha1: 6cf3556814d0b0e5d6e33ae3ca6b73c0684b7022 size: 4096
Timestamp: 2011-02-19 17:59:37
Version: InternalName: a
FileVersion: 1.00
CompanyName: sony
ProductName: winimage
ProductVersion: 1.00
OriginalFilename: a.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 726fa388ba15a8e8e04ee2ef0e048bd26f4e8f3d
AV avg: PSW.Banker5.CITM
AV avira: TR/VB.Downloader.Gen
AV msse: Trojan:Win32/Dabvegi.A
AV mcafee: PWS.uo

Runtime Details:

Process: C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\msn[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\globo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\terra.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\yahoo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\google.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB158.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.msn.com
Winsock DNS: www.yahoo.com
Winsock DNS: www.terra.com.br
Winsock DNS: www.google.com.br
Winsock DNS: www.globo.com

Network Details:

DNS: www.google.com.br (Type: A) ➝ 173.194.78.94
DNS: ds-eu-fp3.wa1.b.yahoo.com (Type: A) ➝ 87.248.112.181
DNS: ds-eu-fp3.wa1.b.yahoo.com (Type: A) ➝ 87.248.122.122
DNS: www.globo.com (Type: A) ➝ 186.192.82.163
DNS: us.co1.cb3.glbdns.microsoft.com (Type: A) ➝ 131.253.13.21
DNS: www.terra.com.br (Type: A) ➝ 200.154.56.80
DNS: www.yahoo.com (Type: A)
DNS: www.msn.com (Type: A)
HTTP GET: http://www.google.com.br/
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.02)
HTTP GET: http://www.yahoo.com/
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.02)
HTTP GET: http://www.globo.com/
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.02)
HTTP GET: http://www.msn.com/
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.02)
HTTP GET: http://www.terra.com.br/
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.02)
Flows TCP: 192.168.1.1:1031 ➝ 173.194.78.94:80
Flows TCP: 192.168.1.1:1032 ➝ 87.248.112.181:80
Flows TCP: 192.168.1.1:1033 ➝ 186.192.82.163:80
Flows TCP: 192.168.1.1:1034 ➝ 131.253.13.21:80
Flows TCP: 192.168.1.1:1035 ➝ 200.154.56.80:80

Raw Pcap
Strings
040904B0
1.00
activeElement
a.exe
.bat
BODY
CompanyName
documentElement
.exe
FileVersion
http://
IFRAME
innerHTML
InternalName
OriginalFilename
ProductName
ProductVersion
sony
StringFileInfo
tagName
Translation
VarFileInfo
VS_VERSION_INFO
winimage
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
C:\Arquivos de programas\Microsoft Visual Studio\VB98\VB6.OLB
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CloseHandle
CreateMutexA
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FindWindowA
GetParent
GetWindow
GetWindowTextA
GetWindowTextLengthA
HideProcess
ieframe.dll
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
$J<:C:\WINDOWS\system32\ieframe.oca
kernel32
MSVBVM60.DLL
ReadyState
SHDocVwCtl
SHDocVwCtl.WebBrowser
ShowWindow
!thIs ProgrAm cAnNoT be Run in DOS mODE.
Timer1
Timer2
Timer3
Timer4
Timer5
user32
user32.dll
VB5!6&*
VBA6.DLL
__vbaAryDestruct
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaFPException
__vbaFpI2
__vbaFPInt
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4Var
__vbaInStr
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLenBstr
__vbaLenVar
__vbaLsetFixstr
__vbaNew2
__vbaObjSet
__vbaObjSetAddref
__vbaOnError
__vbaPrintFile
__vbaRedim
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaUI1I4
__vbaUI1Var
__vbaVarAdd
__vbaVarCmpEq
__vbaVarCopy
__vbaVarInt
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarMove
__vbaVarOr
__vbaVarTstGt
__vbaVarTstLt
__vbaVarTstNe
WaitForSingleObject
WebBrowser
WebBrowser1
winimage
wininet.dll