Analysis Date: 2014-03-08 18:30:25
MD5: 322a7b4d1371f49da4b0ed88ba4a1ef8
SHA1: 559140f3557c30fb7317353f8955886bb35108f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cc859796af0aa48f7829e344fa7bc178 sha1: fe535a8c9920e5910c88759a8bc002f9ddb9958f size: 184320
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 6722ea83e58f171a15a5071c1bbafaf1 sha1: 88c95802f365e4c4176c3fa94a14e80555b77838 size: 20480
Timestamp: 1998-11-17 05:39:08
Version: ProductVersion: 7.66
InternalName: Subculture
FileVersion: 7.66
OriginalFilename: Subculture.exe
ProductName: Chouser
Packer: Microsoft Visual Basic v5.0 - v6.0
PEhash: c7c8209c99dddcf4a5dcdc56ab30986ec457ab16
IMPhash: fcd8a0782c1d686af2c239bcee30b687
AV clamav: WIN.Trojan.VB-4408
AV mcafee: Downloader.rv
AV msse: Worm:Win32/Vobfus.HV
AV avg: VBCrypt.EYA

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\voeuw ➝ C:\Documents and Settings\Administrator\voeuw.exe /c
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝ 1
Creates File: C:\Documents and Settings\Administrator\voeuw.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\voeuw.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\voeuw.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\voeuw ➝ C:\Documents and Settings\Administrator\voeuw.exe /l
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ➝ 1
Creates Mutex: A

Network Details:

DNS: ns1.chopbell.com
Type: A
148.251.65.168
Flows TCP: 192.168.1.1:1031 ➝ 148.251.65.168:8000

Strings