Analysis Date: 2014-01-16 04:49:40
MD5: 0230e2f366bf8ede27af178c6266f7ce
SHA1: 681ba683ebc663731cc02eba9c8d03c22cd47fb7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 533f515c7344393f50355a103087fe96 sha1: c174d02fe920891bc007778a64536e65dddf25a6 size: 1536
Section .rdata: md5: 79f81bfa5980fdf445c975cb6b4c4a41 sha1: 3a315d3c2b3f3166849c47570ccb86e50a36465e size: 2048
Section .data: md5: acdfb7e1b9c4944aa0677a9b3a9f9872 sha1: 905e024c4705ce6286f2cd8aea3ea9592582c30d size: 53248
Section .rsrc: md5: b46a99c4e067a7eabfc770ba9b33ee14 sha1: fe57790fe30063004e7842a3cac2227b188fbb17 size: 16896
Section .reloc: md5: c83ee255dec7430317e43c1e7129bbab sha1: ee132f8bfa462731a3542e9f4d18bf708852ff85 size: 24576
Section tkgylnv: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1998-01-28 16:37:15
Version:
LegalCopyright: Copyright © 2007 Avira GmbH. All rights reserved.
InternalName: AntiVir/Win32
FileVersion: 7.6.0.59
CompanyName: Avira GmbH
PrivateBuild:
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany
Comments:
ProductName:
SpecialBuild:
ProductVersion: 7.6.0.59
FileDescription: AntiVir Command Line Scanner for Windows
OriginalFilename:
Packer: Borland Delphi 3.0 (???)
PEhash: 7efab1fcc44b01b2d43394ee27590a4165e08c75
AV (clamav): Trojan.Kazy-1028
AV (avira): TR/Patched.Ren.Gen
AV (avg): Zbot.AWX
AV (mcafee): PWS-Zbot.gen.cy

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Network Details:

DNS: replost.com  Type: A  Address: 109.74.195.149
DNS: google.com  Type: A  Address: 173.194.34.163
DNS: google.com  Type: A  Address: 173.194.34.164
DNS: google.com  Type: A  Address: 173.194.34.168
DNS: google.com  Type: A  Address: 173.194.34.162
DNS: google.com  Type: A  Address: 173.194.34.174
DNS: google.com  Type: A  Address: 173.194.34.169
DNS: google.com  Type: A  Address: 173.194.34.166
DNS: google.com  Type: A  Address: 173.194.34.160
DNS: google.com  Type: A  Address: 173.194.34.165
DNS: google.com  Type: A  Address: 173.194.34.167
DNS: google.com  Type: A  Address: 173.194.34.161
DNS: replost.com  Type: A  Address: 109.74.195.149
DNS: zeplost.com  Type: A  Address: 109.74.195.149
DNS: zeplost.com  Type: A  Address: 109.74.195.149
Flows: TCP 192.168.1.1:1034 ➝ 173.194.34.163:80
Flows: TCP 192.168.1.1:1033 ➝ 109.74.195.149:443
Flows: TCP 192.168.1.1:1035 ➝ 109.74.195.149:443
Flows: TCP 192.168.1.1:1036 ➝ 109.74.195.149:443
Flows: TCP 192.168.1.1:1037 ➝ 109.74.195.149:443
