Analysis Date: 2014-10-12 10:51:53
MD5: bdb9cb34b21b8b75ed1e0c8cbf63a94d
SHA1: 80c8dac536e446f8a9e06bc8101008f7f6d412ae

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 158ef9eeacf0c4cf881344a659cb348b sha1: 67691f7cd9c17514b307edf4ee2ba15beaf34ed7 size: 135168
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 10c4b9e5804e3040825d6136416ccd0b sha1: 0018aa4e66039fe692a13011a04585d96152714b size: 65536
Timestamp: 2013-12-11 13:42:45
Version:
    InternalName: Hl
    FileVersion: 2.03.0005
    CompanyName: Microsoft
    ProductName: Microsoft Archive
    ProductVersion: 2.03.0005
    OriginalFilename: Hl.dll
Packer: Microsoft Visual Basic v5.0
PEhash: f1713f1698156b70480f87390e83292622519881
IMPhash: 35e22371bf8c8d37b1995e3b29cc7dff
AV 360 Safe: Gen:Variant.Graftor.155269
AV Ad-Aware: Gen:Variant.Graftor.155269
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.RTEO-7310
AV Avira (antivir): TR/Ransom.dbtzs
AV BullGuard: Gen:Variant.Graftor.155269
AV CA (E-Trust Ino): Win32/Tnega.KVZbdIC
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-727518
AV Dr. Web: Trojan.Siggen6.1604
AV Emsisoft: Gen:Variant.Graftor.155269
AV Eset (nod32): Win32/Spy.VB.NWB
AV Fortinet: W32/VB.NUB!tr
AV Frisk (f-prot): W32/Trojan2.OJFH
AV F-Secure: Gen:Variant.Graftor.155269
AV Grisoft (avg): Generic35.ARPH
AV Ikarus: Trojan-Ransom.Win32.Blocker
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan-Ransom.Win32.Blocker.dbtz
AV MalwareBytes: Trojan.Ransom.Blocker
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Msposer.A
AV MicroWorld (escan): Gen:Variant.Graftor.155269
AV Norman: win32:winpe/Agent.BCZYA
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Infostealer
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Hoax.Blocker
AV Yara APT: no_virus
AV Zillya!: Trojan.Blocker.Win32.12800

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Archive.exe ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft Archive.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft Archive.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBDC2.tmp

Network Details:

Strings

 >> 
 --- [
040904B0
10.11.1954
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
2.03.0005
{557CF401-1A04-11D3-9A73-0000F81EF32E}
AddAttachment
Ads`
anonymous
appdata
B*\AF:\Projeler\HAKOPS Logger v11\Server\Project1.vbp
</b></center>
<b><center>
<br>
<br><font color=red>[  
<br><hr>
Cannot save the image. GDI+ Error:
CDO.Message
COBEIN_FTP_CLASS
CompanyName
Computername
Configuration
configuration/smtpauthenticate
Critical
 disponible
EkranGoruntusu.jpg
EnableLUA
Exclamation
.exe
explorer.exe 
Fhqdahkhqrhmhy<G@JNOR<Hmenql`shnm<G@JNOR<E`krd<G@JNOR<mnsdo`c-dwd<G@JNOR<E`krd<G@JNOR<gsso9..vvv-fnnfkd-bnl-sq.<G@JNOR<Sqtd<G@JNOR<7/<G@JNOR<Sqtd<G@JNOR<E`krd<G@JNOR<E`krd<G@JNOR<Sqtd<G@JNOR<E`krd<G@JNOR<Sqtd<G@JNOR<
Fields
FileVersion
]</font> 
]</font><br>
 <font color=green>[Kopyaland
<font color=RoyalBlue>[A
<font color=RoyalBlue>[Back]</font>
<font color=RoyalBlue>[Delete]</font>
<font color=RoyalBlue>[End]</font>
<font color=RoyalBlue> [F10] </font>
<font color=RoyalBlue> [F11] </font>
<font color=RoyalBlue> [F12] </font>
<font color=RoyalBlue> [F1] </font>
<font color=RoyalBlue> [F2] </font>
<font color=RoyalBlue> [F3] </font>
<font color=RoyalBlue> [F4] </font>
<font color=RoyalBlue> [F5] </font>
<font color=RoyalBlue> [F6] </font>
<font color=RoyalBlue> [F7] </font>
<font color=RoyalBlue> [F8] </font>
<font color=RoyalBlue> [F9] </font>
<font color=RoyalBlue>[Home]</font>
<font color=RoyalBlue>[Insert]</font>
<font color=RoyalBlue>[Page Down]</font>
<font color=RoyalBlue>[Page Up]</font>
<font color=RoyalBlue>(Pause|Break)</font>
<font color=RoyalBlue>[Print Scr.]</font>
<font color=RoyalBlue>[Sa
<font color=RoyalBlue> [Scroll Lock] </font>
<font color=RoyalBlue>[Sol Ok]</font>
<font color=RoyalBlue>[Tab]</font>
<font color=RoyalBlue>[Yukar
From
G`bj<G@JNOR<Ytk`
=HAKOPS=
HAKOPS LOGGER v11 - [
Hl.dll
HTMLBody
http://schemas.microsoft.com/cdo/
http://schemas.microsoft.com/cdo/configuration/sendpassword
http://schemas.microsoft.com/cdo/configuration/sendusername
http://schemas.microsoft.com/cdo/configuration/sendusing
http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
http://schemas.microsoft.com/cdo/configuration/smtpserver
http://schemas.microsoft.com/cdo/configuration/smtpserverport
http://schemas.microsoft.com/cdo/configuration/smtpusessl
incorrecto o n
Information
InternalName
Item
J`o`k
Kopyalama
L`hk<G@JNOR<4<G@JNOR<rlso-fl`hk-bnl<G@JNOR<354<G@JNOR<e`gqdcchmatq`jj`x`?fl`hk-bnl<G@JNOR</4324730/77<G@JNOR<e`gqdcchmatq`jj`x`?fl`hk-bnl<G@JNOR<@ooC`s`<G@JNOR<Lhbqnrnes
Log.html
Mail
mero de puerto incorrecto
Microsoft
Microsoft Archive
\Microsoft Archives\
\Microsoft Archives\Logs.html
\Microsoft Archives\SS.jpg
n a internet si est
netsh firewall set opmode disable
net stop security center
net stop WinDefend
No se ha encontrado el archivo en la siguiente ruta: 
No se ha indicado el puerto del servidor
No se puede enviar el correo. 
Nxtm`
o en el password 
 Ok]</font>
OriginalFilename
Posible error : error en la el nombre de usuario, 
Posible error : nombre del Servidor 
ProductName
ProductVersion
@qbghud-dwd<G@JNOR<Sqtd<G@JNOR<E`krd<G@JNOR<Sqtd<G@JNOR<Sqtd<G@JNOR<Ytk`
Question
Send
shell32.dll
SOFTWARE\Microsoft\Security Center
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
StringFileInfo
Subject
System32
\System32\
Translation
UACDisableNotify
Update
Username
VarFileInfo
Verificar la conexi
VS_VERSION_INFO
windir
Windows
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
Adjunto
advapi32.dll
_allmul
anonymous
  <assemblyIdentity
            <assemblyIdentity
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Asunto
bPassiveSemantic
CallNextHookEx
CallWindowProcA
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
clsCDOmail
CLSIDFromString
C:\Microsoft Visual Studio\VB98\VB6.OLB
comctl32.dll
Connect
CopyFileA
CreateDirectory
C:\Windows\SysWOW64\msvbvm60.dll\3
`.data
DeleteDirectory
DeleteFile
DeleteFileA
    </dependency>
    <dependency>
        </dependentAssembly>
        <dependentAssembly>
Descripcion
  <description></description>
DirectoryUp
Disconnect
DllFunctionCall
eAccessType
EnumDirectories
EnumFiles
Enviar_Backup
EnvioCompleto
EVENT_SINK_AddRef
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FC:\Microsoft Visual Studio\VB98\VBA6.dll
FreeLibrary
FtpCreateDirectoryA
FtpDeleteFileA
FtpFindFirstFileA
FtpGetCurrentDirectoryA
FtpGetFileA
FtpPutFileA
FtpRemoveDirectoryA
FtpRenameFileA
FtpSetCurrentDirectoryA
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GDIPlus
GdiplusShutdown
GdiplusStartup
GdipSaveImageToFile
GetAsyncKeyState
GetCurrentDirectory
GetDesktopWindow
GetForegroundWindow
GetKeyState
GetWindowRect
GetWindowTextA
<!-- Identify the application security requirements: Vista and above -->
InitCommonControls
InitCommonControlsEx
InternetCloseHandle
InternetConnectA
InternetFindNextFileA
InternetGetConnectedState
InternetGetLastResponseInfoA
InternetOpenA
kernel32
kernel32.dll
                language="*"
            level="requireAdministrator"
LoadLibraryA
lstrlenA
MailAtici
MdlBaslangic
MdlEkran
MdlGenel
MdlTus
Mensaje
Microsoft Archive
Microsoft_Archives
modManifestResource
MSVBVM60.DLL
                name="Microsoft.Windows.Common-Controls"
    name="Project1"
Numero
PassWord
Picture1
                processorArchitecture="X86"
    processorArchitecture="X86"
                publicKeyToken="6595b64144ccf1df"
puerto
PutFile
RegCloseKey
RegCreateKeyA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
          <requestedExecutionLevel
        </requestedPrivileges>
        <requestedPrivileges>
RtlAdjustPrivilege
RtlMoveMemory
      </security>
      <security>
SendMessageA
servidor
SetClipboardViewer
SetCurrentDirectory
SetWindowLongA
SetWindowsHookExA
sFilter
sLocalFile
sPassword
sProxyBypass
sProxyName
sRemoteFile
Status
StretchBlt
sUsername
!This program cannot be run in DOS mode.
Timer1
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
                type="win32"
    type="win32"
            uiAccess="false"
UnhookWindowsHookEx
UseAuntentificacion
user32
Usuario
VBA6.DLL
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryUnlock
__vbaAryVar
__vbaBoolStr
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2Abs
__vbaI2I4
__vbaI4Str
__vbaI4Var
__vbaLateIdCallLd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstr
__vbaLsetFixstr
__vbaMidStmtBstr
__vbaNew
__vbaNew2
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaRaiseEvent
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaRedimPreserve
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1Str
__vbaVarAdd
__vbaVarCat
__vbaVarCopy
__vbaVarDup
__vbaVarLateMemCallLdRf
__vbaVarLateMemCallSt
__vbaVarMove
__vbaVarTstEq
__vbaVarVargNofree
    version="1.0.0.0"
                version="6.0.0.0"
wininet.dll
<?xml version="1.0" encoding="UTF-8"?>
Zombie_GetTypeInfo
Zombie_GetTypeInfoCount