Analysis Date: 2014-12-09 08:31:42
MD5: bd63a1244c35d66deb7a8809a5e029f8
SHA1: 583476557a4182379f920cc11b03bedb7b0b3e12

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
AV 360 Safe: Trojan.Encpk.Gen.4
AV Ad-Aware: Trojan.Encpk.Gen.4
AV Alwil (avast): Blackbeard-AH [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/PSW.Fareit.amtu
AV BullGuard: Trojan.Encpk.Gen.4
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): VirTool.VBInject.AC3
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Panda.4624
AV Emsisoft: Trojan.Encpk.Gen.4
AV Eset (nod32): Win32/Injector.ATPU
AV Fortinet: W32/Injector.ATCM!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Encpk.Gen.4
AV Grisoft (avg): PSW.Generic12.RXN
AV Ikarus: Trojan-PWS.Win32.Tepfer
AV K7: Trojan ( 00491ca11 )
AV Kaspersky: Trojan-PSW.Win32.Tepfer.svxi
AV MalwareBytes: Trojan.LVBP.ED
AV Mcafee: PWS-Zbot.gen.oj
AV Microsoft Security Essentials: VirTool:Win32/VBInject.gen!LD
AV MicroWorld (escan): Trojan.Encpk.Gen.4
AV Rising: no_virus
AV Sophos: Troj/Agent-ADBJ
AV Symantec: Trojan.Zbot
AV Trend Micro: TSPY_ZBOT.SMUL
AV VirusBlokAda (vba32): TrojanPSW.Tepfer

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msoaivo.bat\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msoaivo.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\583476~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.138.153
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.56.96.55
DNS: www.update.microsoft.com (Type: A)
DNS: evobank.co (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.138.153:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
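
The runtime and network details above translate directly into hunting logic. The following Python is an added example and is not part of the sandbox report. It encodes three observations from the report as checks over constructed Sysmon-style event dictionaries: an autorun value written under HKLM\...\Policies\Explorer\Run whose data points at a .bat in a Temp directory, wuauclt.exe started by the sample rather than by the Windows Update service host, and a DNS lookup for evobank.co, the one non-Microsoft name in the capture. The event field names, the list of expected parents for wuauclt.exe, and the reading of the report's trailing `\\x00` as the NUL terminator of the REG_SZ data are assumptions.

```python
"""Hunting checks derived from the behaviour recorded in this report.

Added example, not sandbox output. Events are constructed dictionaries in a
Sysmon-like shape; the field names are an assumption, not any tool's schema.
"""
import re

# Indicators copied from the report above.
PERSISTENCE_KEY = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion"
    r"\Policies\Explorer\Run"
)
SUSPECT_DOMAINS = {"evobank.co"}
SAMPLE_HASHES = {
    "md5": "bd63a1244c35d66deb7a8809a5e029f8",
    "sha1": "583476557a4182379f920cc11b03bedb7b0b3e12",
}

# wuauclt.exe is normally launched by the Windows Update service host.
# Assumption: these are the only parents we treat as expected.
EXPECTED_WUAUCLT_PARENTS = {"svchost.exe", "services.exe"}

# A script dropped into any ...\Temp\ directory, as the report shows.
_TEMP_SCRIPT = re.compile(r"\\temp\\[^\\]+\.(bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _normalize_key(key: str) -> str:
    # Accept the abbreviated hive name some tools emit.
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE\\" + key[5:]
    return key.lower()


def check_registry(event: dict) -> list[str]:
    """Policies\\Explorer\\Run is the policy-managed autorun list, executed at
    logon like the ordinary Run key; a value there pointing at a Temp script
    reproduces what the report records."""
    findings = []
    key = _normalize_key(event.get("key", ""))
    if key.startswith(PERSISTENCE_KEY.lower()):
        findings.append(f"autorun value written under Policies\\Explorer\\Run: {event['key']}")
        # The report shows the data with a trailing \\x00; assumed to be a NUL.
        data = event.get("data", "").rstrip("\x00")
        if _TEMP_SCRIPT.search(data):
            findings.append(f"autorun points to a script in a Temp directory: {data}")
    return findings


def check_process(event: dict) -> list[str]:
    """Matches the report's tree (malware.exe -> wuauclt.exe) and the sample hashes."""
    findings = []
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    if image == "wuauclt.exe" and parent not in EXPECTED_WUAUCLT_PARENTS:
        findings.append(f"wuauclt.exe started by unexpected parent {parent or '<unknown>'}")
    for algo, digest in SAMPLE_HASHES.items():
        if event.get("hashes", {}).get(algo, "").lower() == digest:
            findings.append(f"image {algo} matches the analysed sample")
    return findings


def check_dns(event: dict) -> list[str]:
    """Flags the report's non-Microsoft domain and any of its subdomains."""
    name = event.get("query", "").lower().rstrip(".")
    if name in SUSPECT_DOMAINS or name.endswith(tuple("." + d for d in SUSPECT_DOMAINS)):
        return [f"DNS query for report-listed domain {name}"]
    return []


CHECKS = {"registry": check_registry, "process": check_process, "dns": check_dns}


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run every applicable check and return (event type, finding) pairs."""
    hits = []
    for ev in events:
        for finding in CHECKS.get(ev.get("type"), lambda e: [])(ev):
            hits.append((ev.get("type"), finding))
    return hits


# Constructed events mirroring the report's runtime details, plus one benign control.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\malware.exe", "parent_image": r"C:\malware.exe",
     "hashes": {"sha1": "583476557a4182379f920cc11b03bedb7b0b3e12"}},
    {"type": "process", "image": r"C:\WINDOWS\system32\wuauclt.exe",
     "parent_image": r"C:\malware.exe", "hashes": {}},
    {"type": "registry", "key": PERSISTENCE_KEY + r"\36874",
     "data": "C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\msoaivo.bat\x00"},
    {"type": "dns", "query": "www.update.microsoft.com.nsatc.net"},
    {"type": "dns", "query": "evobank.co"},
    {"type": "process", "image": r"C:\WINDOWS\system32\wuauclt.exe",
     "parent_image": r"C:\WINDOWS\system32\svchost.exe", "hashes": {}},  # benign control
]

if __name__ == "__main__":
    for kind, finding in hunt(SAMPLE_EVENTS):
        print(f"[{kind}] {finding}")
```

The benign control at the end (wuauclt.exe under svchost.exe) produces no finding, which is the point of keying the process rule on the parent rather than on the image name alone; the Microsoft update lookups in the capture likewise pass, so only the report's own indicators fire.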

Strings:

@@,<
040904B0
18:5
$,3;9
@@"4
4.01.0454
77/X5>#
*\AD:\8789798798m\gugu.vbp
CompanyName
Dino1
Dino1.exe
DJm6j7
@&exe
FileVersion
FSRs
InternalName
ireeghjkrdy
JJqzAERWMqG
K6JVf
KJ6sq5lZ
KlRN5CJpKe
L2uPpLwfQC
loihytgvfd
OriginalFilename
ProductName
ProductVersion
rA133F000-CCB0-11d0-A316-00AA00688B10
sG6N
{sGrQ~Z?#
s[kv
SRCb7QKOyS
StringFileInfo
Translation
:>&,V<.
VarFileInfo
vJJwwi
VS_VERSION_INFO
?x/{wx
0999999$
|,0Gve
@12?KKKKKKKKKK=4H1
1IyAT@
2										9
5%%3lD`
5-5B$V
\:5JJ-5MF/,
!5JM/`
%6/						
	6265626
\6=^Q$
7AN=I-
7xaeag
!	>>>>>>>8
879878979456mm
#879878979456mm
879878979456mm6489498498498l879878979456mm/*
879878979456mmT@
	*<AA,Q 8JF/O
_^_*=:;b412
B`;{:a
bbbB566
bDf	y|
BoundText
b`_RSc^w
c'\=}6Z
CloseHandle
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileW
@C<	upz
`.data
DataCombo
DataCombo1
~DataCombo1
DataList
DataList1
DefWindowProcA
dEZDH~
DllFunctionCall
d")sRjo
ECC`977
effzzefze
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
,EXJ7a$ 
}^\Ey6
fG 83e
Frame1
FreeLibrary
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
@H+8ex
HB_K<a
 H(mWr5 ^A2
Hvvv"iii
IZYYL}
j,AJ8(
JJJ1333u)**
JJJJJJJJ
j;/le8
joaajl
JOOOOOOJ
j|`s\E
{K<6.G
kernel32
kernEl32
kernel32.dll
kernEl32.DLL
kijnbg
lkjiiP
LoadLibraryW
lolololp
lssbeialtbwyeh
MethCallEngine
mkkOIN
]$MME,
MSDataListLib
MSDataListLib.DataCombo
MSDataListLib.DataList
MSDATLST.OCX
MSVBVM60.DLL
nhbgvfcdl
|nlkjim
/NNNNNNN
n,(?\S
Ns	n+'
OLMRD=A
omm9_[]wICG
onn)+()_423
OpenProcess
ProcCallEngine
Process32First
Process32Next
PropertyPage
PropertyPage1
p"Zh e*Z
qC:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc30554.oca
\[[qHHH>
{qnlkj
ReadFile
RowMember
RowSource
rqrFrqr
rqr rqr
RtlMoveMemory
S\bDl]
s/im0M
skiiPO{
sss5988
SSSlNNN;LLL
SystemParametersInfoA
TerminateProcess
!This program cannot be run in DOS mode.
$@.\TO
}/TTTa(''
U.58D/,O
user32.dll
UserControl
VBA6.DLL
__vbaExceptHandler
Vgggrqqq=yyy
VVVJ0//
WriteProcessMemory
WRU9>:<~+(*
)wvlllk
'Ww@Io
www#/*p
'wwww/
wwwwwp
www@www
wwx:zz