Analysis Date: 2013-10-28 15:55:39
MD5: edeee212b2c35d2a241e0969feacd132
SHA1: 5b2acf2195a3fc23025bab305a1dbbfe569366c2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size 0 — these are the hashes of empty input; UPX0 is populated only when the stub unpacks in memory, so static scanning of the file on disk sees none of the real code)
Section UPX1 md5: 7f95a5b1025d50e2310d08973512faa4 sha1: be0f09093ac8982d50d787af4c78d62081330dee size: 177664
Section .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42 (PE header compile time; attacker-controllable, so not reliable evidence of build date)
Packer: UPX -> www.upx.sourceforge.net (unpack with `upx -d` before string/import analysis; the Strings section below appears to be taken from the packed image)
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (AVG): Worm/Generic2.BLRH
AV (Avira): BDS/Backdoor.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe
Analyst note: the registry writes below establish persistence for the dropped copy 8JEO1IL5UL.exe through three autostart paths at once — Active Setup\Installed Components\{GUID}\StubPath (executed at user logon), Policies\Explorer\Run and CurrentVersion\Run (each written under both HKLM and HKCU) — so removing a single key is not sufficient for cleanup. The "VB and VBA Program Settings" keys are the store used by the VB6 SaveSetting API, consistent with the MSVBVM60.DLL string further down; INSTALL\DATE records the infection date and SrvID\ID holds what is presumably an operator/campaign tag ("fulnp's Bot"). The token EXC2FDRVX5 used in those key names is reused as the mutex name, making it a useful host indicator.
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CBF38D3-9ADA-BB3E-AE76-3FE9CF3BADF1}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\EXC2FDRVX5 ➝
October 28, 2013\\x00
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\EXC2FDRVX5 ➝
fulnp's Bot\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CBF38D3-9ADA-BB3E-AE76-3FE9CF3BADF1}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\logs
Creates File\Device\Afd\AsyncSelectHlp
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates MutexEXC2FDRVX5
Analyst note: the REG ADD commands above (spawned via cmd /c — an easily hunted parent→child chain) set DoNotAllowExceptions=0 and whitelist both the original binary and the dropped copy in the firewall's AuthorizedApplications list under the display name "Windows Messanger"; the misspelling is a convenient detection string. That key path is the legacy Windows XP/2003 firewall store (the sandbox is an XP-era guest, note the Documents and Settings paths); later Windows versions keep rules under FirewallRules instead, so the same sample would not silently open the firewall there.
Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL
Note: the monitor records the written value as NULL although the command specifies /t REG_DWORD /d "0"; treat the effective value as 0 (exceptions allowed). The log appears to render only string data (compare the REG_SZ entry below, shown with its trailing \x00).
Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Network Details:

DNS: dbag40.no-ip.biz
Type: A
72.199.216.104
DNS1dbag40.no-ip.biz
Type: A
Flows TCP: 192.168.1.1:1033 ➝ 72.199.216.104:3333
Flows TCP: 192.168.1.1:1035 ➝ 72.199.216.104:3333
Analyst note: no-ip.biz is a free dynamic-DNS service, so the hostname dbag40.no-ip.biz is the durable indicator; 72.199.216.104 reflects only where it resolved on the analysis date and should be treated as time-bound. Two outbound TCP connections to port 3333 during the run are consistent with a callback/C2 channel, but no payload is shown in this report — confirm against the raw pcap before characterising the protocol. Alert on the hostname and on TCP/3333 egress from affected hosts.
Raw Pcap
Analyst note: the strings below come from the UPX-packed image, so most entries are compression noise. The intact fragments are the UPX loader imports (LoadLibraryA, GetProcAddress, VirtualAlloc/VirtualProtect/VirtualFree, ExitProcess), the VB6 runtime name MSVBVM60.DLL, and VB-style identifiers (frmMain, picThumb, tmrLivLogg…, modFucrons, oCHAT_ADDMSG, Screensho…, UrlCache, _WebHide, …_FACEBOOK_…). These hint at chat, screenshot and browser-related capabilities, but capability claims should be confirmed against the unpacked binary rather than asserted from this list.
Strings
PERS
SETTINGS
]</<{+
0<40uL
<0/_.<9
09,L=D
&]*0DFsAT,
0he;Rq
)0j,,(
0|@&ph
0r(If8
^0%/$v4
0WD@f1
1234"p
15dF8F91AEE<A
1>h$'Z
1_j+(>
1Vcs7:P 
20C<|0d
22A368949C
27OnQui
2>e%Xdq
2t4l6$
32EDE121D9
3413A647A4B6739316C4F5B5C5*14
3FGs{i
: 3gFO
3#hha-aI+(
3nLCou
3VEFCgBWF
%&'()*456789:C
;4?+c{^C
4[cv4=bG
4H4sg%
4 .\'jW
4'mPLPL<
'4r'FA
4[TQ6*5
4#]<xi[
!4yvT")
501E:9~
5555\r
5ad<ld
5U\w;&U
6677\r
[6ENC^fADClifSt
@6@-jN;X
6n1?e:-
6nxAL6
6xjhd>
;7;4716^
774NE55*237X{
7b8x3 (
7@`ESo<c
7J::cpJ
.=7Kajt8
7niffOS4
[7owIIn:
7S^ONv
7V!o6D"
80:e<>	
 8}2v(
@<840q
87T`P5S)
8888\r
8d!8Km
8Eg,A.
8	,Kgh41
8Kza	[
8qpk~w;
'92_'!
	9O#W%
,a]1S6
a:2 #o
abF?wW
ab/(%G
AddMsg
aenmP]z
ais{pQ
AjjG%_
a]k4gzF>[MY
*A'kaQ
;=Al31
allBaK
alUpda
AOS}<#
A)ox^=
\ap# e
A!<pT6P
Ar\'//[
{A?TY$T
Audio.
awuois=
A[ Z:3A
<*B <(
B{0/(H
B.234B.
?b3LAzxA
B9`f+2\&
?:B;d*c
bgcmdtf~Jjm
"}BH=.
bHiX8Kr
|>bh<T
~BiG#2
BINrBT
BlinkZ[
/%BlM&
BrW*fb
bss_ser'
BtKill
bv)#v"J
B@yhf.
\`:\c 
=c6/	L
|Cb+tO
CC2KHP+L
[C<F6E4ZF7C8
%~>c G	|
/Chat'
<Ciuqa
]c\O0B
+C	=Oo
cO^T)M_
',CPfK~$P
C:\Prog
cSubCl
C;uYBW
/'CZ@h
d4###dTTD
D6IR1/2
&D8kx7
\\dd7r)
ddn9liW
DEFGHIJSTUVWXYZcdefg
d@foO$E
DGPT|a
D/%mPL
d@N(0d
dnOrtJ
d ''#O
DOSkB:
:`dp`h
DragQuery
\d(#t\.
.#Dt}T
DZPp_|%
E2F062D2BD
E4:|	"=
~E.4TM83$63
<e4ym5
eamGook?RS`cur
ect?TorrentS
EC\uSodZG
&edoI"8
EFB$9$xU
egHija.
eHN	L1]
eInvokeV
E/L7wW@
EVENT_Sp
'EV?L_]
ExitProcess
]F1-@G
f4rHgA
F_6nO{
F[8'za
fac h{
:f.C)x-L<G
"FC^YO
^>FeAE
F`f	4"
ff6XJB:,v
F> FDD
F_^GEm
f_h'n;
 Files (x86)\Mic*soft Visual 
$,FLLe
FN2 #`h
#)$<Fo0
frmMain
:Ft]:/
F+T5(%
Fy.#fbv
,$FYG1<
FZWF8M
*g26}g
/+g#8f
g8'o"Bvty
g&8OX6
#(g##;A
G=B \lq6:
gBN^8n
GCDr!a
GetProcAddress
G#[G#"
gH1j{0"
gHgD'U
G$iPp.
GK+_x	
gnvvGD
[GOo'/N
]Gp`lq
gQZ a5
gr86R@
^\gTd 
Gw{.w&\
h3``h\M
|H7~JN2P
H*"9z5
hCK6NN>
Hd&Bzx\
h( F;=
hfUYl1X41
h' #FX
H\G1.`
hg		aa
 hGed 
hG,INr
hgl$#0m
h{Ib@p
HL2 'HPT-G
hLZRX5
HSM5pv`@
%'hu/Dt
~hunk)
H.vd?d
`h%v/z
.hXfXw
hZRJ<c
I(' $>[
i0X$)tE
,I,42M
i4.mpK%
i7@68}
ICk)S%
ihNGZdN
#~ijnGl
i?LE:	
i\%]m#
InfoTO
INK_Ge
i,pxrJ
I(>//R
I;XN\$:
IyEYKcjhG
&<[)~j
@J\cD.
jdRaf`
&JEJ_dL
JF,Pk(0
j'je_jG
jk0i7mx$MD
jL'(A)N
.j"nMw
^jR'&l(
J:ScanLz
\jxYBI
K]>1h-
K6&?SC
K:a<-<
KERNEL32.DLL
=#/ki+
`#}KiK
k)ir/r
@@Kjka)
kkW\+L8fI
+k>L$U
|*}<kV
Kx>)q.
L0P$PHR8
@L2!CR
l8B&db;8<dB&d<@@
~*'l-b+
LDJN2T@
L&d/Oy.y
lEnghZ
L]{F3E
#lH	D=
{$Lh|N
lh^NJ5
lID9`=
l*k_."B
Lla+(B
lN(0p(h
&l&N(q6
LoadLibraryA
_lobalAl
loseHandJ
?l{P8t
 L!pJgs
L_:Pp*
Lr $$!
LSI+z@
\l+XT<
!}ly_;}-
L)^Y"aA
m	5N{a
m8;R,l
\<MA5o
Mddvd`2j
^__^Mkok$P
"!M&Lt)	&<8
mm9UCn
	mMl%6`
mnK{Vf
modFucrons
 M^@olklM(>
MrJN$$se\d
m>spu"G
MS Sa0
MSVBVM6,
MSVBVM60.DLL
\msvbvm60u-l
mswin .
Mv#(i(
mX8)!dKo
M&Xu%:
N' ~0V
N0/w([
$:N2 ,
N2 |\N
nc?PWs
NcV=&'|
n\_m%L
>nOttX
NTDLL>
 nwS#,
`,''#O
*O8^.N
oCHAT_ADDMSG
>O@:<F(:<
oL<z7~JA
o&M8E0#
#ONFd0
"'O`p0*Rz
Opa,Pgkm
or'DL2 
os#+Om
Ou,a^d!N
ouj31_
o(Uo@6/
P`@`` 
}%_P|0
(p!7qi
;'P= 8
PATH_WINLOGON/_BQ
PEs/\4
pf2U<sl
 |P%hmV
picThumb
PkEwFO
p)m6&#Et
p/}o3.H
P=Q`'XI
P-T3._
p:(Tn(_i
.<@Pu.
PUh)Z\
q@Gu~i=
+`q/MQ
q$nUHVS
(qow0 
qtWtk*
-qt&x(&
 ,q.'~X
-Qx2T8#0FD|%
&	]^QZ
"\$r/ 
R2Y!pp-
`r4B`(0
rAUb9]^9t]
=rBf>Z/.
Rd:\SysW
R^GUEKW
rHthPG
rI-s,.
R?Ix_/p
*RjRb4
rJvj_Vd
=#;R$K
&rKk)U
rMGT!I 
RrPGh_9
RsawFH/kT>
r@tOnF
rvqueezer\
RWTask
rXRRG<[8E
R'y!;\
,{s7p}!
scii'h
SCManPr
s:.cpV
Screensho
SER_FB77p;h
's<e/SrcLef
Sf'$sJ
sG 3 W
!SH8 Z
SHDVVwCtl~ebBrow
SiZ	HH
{sk_{+
#S(,o>
SO=B1V9
Socket
s.op-/EaxZRv
S\pMn	V
\>("SS
s the p@)A
STRUCTIO
stV&y<
Stz\\98
s:VU96
S@)XYK
SY)`q>A
SZoM7Pn`
\	-T};
t5CZ^_
t)5H%a"
T7055PUL?
T7lzlo
tby$&RuM
!This program cannot be run in DOS mode.
,THWx0
TLn+xpX6
tmrLivLogg+
t@'#ON
=.ToPlPb!
<TPLHD
`tPp=+7Z
*/TrXWr
$tSd `\
T.TdT4b
t u0pv
T!u\L$
tUT7^R5>p0
tvieframe.dl
)uHR2\?
U/{I=9
Un@cvssN
;uO:' 
upQValud@nG
uQ <LX
UrlCache
 usiid
V0vk1.i.
V2Ziz<p]
v.Bf&|
vBIV9*
=vGgj!
#v-i<3
VirtualAlloc
VirtualFree
VirtualProtect
vJ7GhK^C
vOhr8/:
$Vr#T 
v)&u^8uF
VUc!V_0
V$wN$N$
WAcquR
wapMo~
`wb+18
WcImage'%`
WD.0K!
_WebHide
WfE0H	
(.WGcS
WhH/5B/Oc3f
-_WMqo
wn0Nu&
wVfc>uO
Wx/"`n
W?Zc+M
x0:M}'B75
X88G1+
X9R/qm%
x9u('W
 X&a '
@x;<dB&d<@@&dB&DDHB&dBHL
XD{EG 
Xel[d_
}\xEm>
xG`[TL
XH`C n8
xIhC d
XJ8i5,B
X'j'b3X\
(  xK^ 
x Oo)  2S
XPTPSW
x-t_;2
{x	t8	
<'XT,ic
X)tO./1
xu5sx4
"X?[W)
xx=R7Y
Y7|1'1
y(8HX5n2K
@Y'a6t
y&d"X	O
y #g+{
yGrabbOg	V
[ Yk/ q
yN SQLW
(@>!YPO:
YP+:S@@
YSp hL
Y:ts_CDp
yw/hqD
YX"")fv.:
=YXi^s
Y@z`pk
Z|+:4	
Z7vc7x
zb7_FACEBOOK_Si
ZE=a,	
+Z?j` 
 Z'M3	o
Z';mFZ
ZOCGZ)
zo"OR6g
*ZPg[U
Zs(>*1s
Z$}tw3