Analysis Date: 2013-12-05 17:21:58
MD5: 2b132164894f20f803b5154672d529cb
SHA1: 9111b1c93c8dd2531bdcfa8ae9a1dac6d8dcec8b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 40dccaa25ebfc11c419e797da09beaa1 sha1: ab87463e8b269f679aae092cacb0d29abc5e6365 size: 177664
Section .rsrc: md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (avg): Worm/Generic2.BLRH
AV (avira): BDS/Backdoor.Gen
AV (mcafee): W32/Generic.worm!p2p
AV (msse): Worm:Win32/Ainslot.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EE9F98AF-1DAF-EE0D-E7DB-AB40CD8E5C7E}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\FCUHBYERUL ➝
December 5, 2013\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\FCUHBYERUL ➝
fulnp's Bot\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{EE9F98AF-1DAF-EE0D-E7DB-AB40CD8E5C7E}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g415fg44+afsg+4fsg45f+ ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\logs
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: FCUHBYERUL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe ➝
C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\8JEO1IL5UL.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

DNS: dbag40.no-ip.biz
Type: A
68.6.204.77
DNS: 1dbag40.no-ip.biz
Type: A
Flows TCP: 192.168.1.1:1033 ➝ 68.6.204.77:3333
Flows TCP: 192.168.1.1:1035 ➝ 68.6.204.77:3333

Raw Pcap

Strings
PERS
SETTINGS
023VBW
>02]	9r0(p
062D2BD
&]*0DFs
.0F:9g
0`H>8C
"'0*Rz
0sL*#X
0SuwhO
0T r%9<
15dF8F91AEE<A
1c2->a"6
1XGv/if"
20C<|0d
22A368949C0&
27OnQui
2!CH8HHK
2>e%Xdq
+2;J+8
2.jD`#
32BH&hQ
32EDE121D9E2Fk
3333\r
$345H1
\3ap#e
}[>3/H
3#hh+#a-a(
.3l/A,7
3oy.i~
3X!wD`
%&'()*456789:CDEFGHIJS
46[7Dw."F
\4a`Qw
;4?+c{
4[cv4=bGa
4 .\e'jWjF
4H4sg%
4##TTD
(4wOVl
!4yvT")
4Zp~qH+L
501E:9~
567tB:
5Async
,5t)eb
.64"/R
678[rp\9
6ENC^fADClifSteam
6iH(b"
6n1?e:-VS
6T3>>F0'
6V2Ziz<p],
6WWH^)\<
7.0(0<
7033413A647k
733jhd>
76oCHAT_ADDMSG
7b8x3 L
7_DIP,
7'/"+Fp
7IsoBY
.=7Kajt
7Lk82t
7niffOS4
7{_O6F6
7o<V@`Ec7y
7Z$_\WF
8|+4!>0$
<840,6q
&84az2
8d!R8Km
8g,9-,
8	,g?h41{
(8HX5n2^
-8|Qx2#%
9\BBN2d
9dy)}G
9g%J|i.
_9R?I/p
A4B6739316C4F5B5C5*14
a4.U}N
$Aac!TI
aAliy8ek
AD'1vb 1
AddMsg
AddRef
adi%WrJ
AG?GTqE$'
ais{pQ
;AK,2R
al Stz\\98
alUpda
A}<#%O
API'7`
AprUo'
a+Rf4rHgA
Audio.
au'p\lorf/
awuois=
!;Ax`.
B2 9`f\&
B""7^Lz
[BG*~*
(_BJV(
b(KNsf
\BN2 dH
+$]bQp
b=R/ jQ
br};L_
bss_ser'
BtKill
by.ToY
; ;$(c'
c0dt&Le?
=c_6/	
;]C9HYH.
C	B~S-K
/Chat'
cImage'%ca
<Ciuqa
c]J?oH
Cog	b;
+C	=Oo
',CPffK~P
C:\Prog
{CROL<
=CS2ZG 
cSubClH
^C`Y`N
Czk_Gn
CZ@^O7
d`'0g8
D0X wD
--d`1L
D6@X?O
DADNy$
D$d&,0
!dDEF5
ddliWGr
df"FC^YO
d@FX`$W
di;	|,
^dIOu,!N
DI/z9%
dJ	K	p
\dlcD.dl
d|lh	'
doIP"8
:`dp`3
DragQuery
\d(#t\.
dT4XNy
DZPp_|)!
([E0#(
E0_NvA
E4:|	"=
<e4ym5
E4ZF7C8
E9Rl*|
ect?TorrentS
EFB$9$xU
ehk$Bj
':eIJZ
E	<ip$
E/L7wW
EngheiZ
Ep1?11
E;RYsR
EVENT_SINK_Ge
'EV?L_]
EX(G7l
ExitProcess
E/$yEz
FC&yh.
F> FDD
ffJB:,v
ffjfXB
 Files (x86)\Mic*soft Visu
:<F(:,k
$,FLLe
#)$<Fo0
F?o`?n
-f)pP&	
frmMain
F^rR>T
f'$sU:
fuT#&D
fWmZSi
Fy.#fbv
Fz'$V#
+g#:8f
G@_$'9
#(g##;A
[GaOo'/
Gas@hkn
gCmp_Xn
GetProcAddress
/gHija.
GhS9 x
g`IV)g
g:l)\A
Gook?RS`curity*d
G!oZ$O
GPT*|a
@GuH~i=
>gw#7H
gwbAuz
G_wI^r
h0Le$`
\^,h1.
#H+1q~
h5%LZR
h7BnV7E`r
HBITMAP
HDVVwCtl~ebBrowq
h' #FX
*hg	aa
 hGed /X "
_H%GrJD`L
HH'--\9
HkaQCP
h}Ki{)
hpbUC'
H#pdp8
HSDuQT
Ht _@G
HTO?lr
@HvL=B
hx`e$L
.hXfX8
|@HyD.d
\.i.<\
I0/w(+
i=4T@o0
ICK_DELAFm
ICk)S%
IE0\`S
~ijnGl
iMBd"C
InfoTO
InvokeV
Io6IR1/
/(IP,6
i,pxrW2%
i&P><z
I@Q*[P
I$$seL2 
Is``h\nSM
@j` 1m
\\)j'4
J:,hu7
jjeZoh
J	 L!gsC
jL\Q?;
jn\cD.
@jNF_;X
JPk(a0
JTFPjN
%&JZ\SB3
K]>1h-
-|K:a<
KERNEL32.DLL
k_{K6&?SC
kkW\8fI
k+#ncI?=
KP$PHD>R8
-k$(.S
K_START
K&u^8uF
|*}<kV
Kvk1w\.i.
k,\W+B
:kXpK<
?!.l <
L2 @d	
l(4<2r
l8;82!
L&d/O<
L/g0[,
{$Lh|p
Lla+(B
LNN2 #t|\N
l-n/on
&l&N(q6
LoadLibraryA
+lobalAl
loseHandJ
'L~'(P_
L`P*O'
Lr$$&s!
Lu"lgc3
Lus:1]K
.LV.D'%
,l[];x
L'y'aa_
L)^Y"aA
M3 S!h
m46Oj'1
MddjBvd`
mE9/U[ 
M/&k0Z
^__^Mkok$P
	mMl%6`
modFucrons
( M^ol>uklM
MqvbH&8
MS SaX
\msvbvm60
MSVBVM60.DLL
mVBA6T
!mvD#B
:M#W+.z
M&Xu%:]
MZ?Nzt
N' ~0~%
N0OtBo
"N2]F|
,*n8<g
\`:\~Nc 
<N.Lx&
&NOkf	Q
n"/S44\a
NTDLL>
NTQ^7r
 <.nTVn
*O8^.N
'o"BgBvtyBO
-obh.&
	Og[pa,km55
#ONFt@
o	&<Nh
 _#ONn
or+oJe/
OsYl((
+oTBN2pw\
owIIn:
oXCCdC
P0  P3/
p1HSMv`@
PATH_WINLOGON/
pDD@WI
P/\dT4"
pfU<sl
picThumb
@P? j5,
p#L9.{
pmneh_
`Po[]6
->P.Po
PRINT_
p`t uv
'[QJ{z
q%K&yA!
QL'yN W
q$nUHVS
?qp!`h
qpk4~w;
qTxqP'D
queezer
&]^QZ4
"\$r/ 
r4B`(0
	]R8z&
rAUb9]^9t]
rBf>Z/._T
rh|Dr 
rJvj_Vd
RlC,K/
r@{o@*"9z5
rrhDL2
Rrh_xP9
Rr@M<7
RsH8g40
RUCTIO
RvS| M
RZ9W_A
ScanLz
scii'h
SCManPr
s:.cpV
Screensho
Sd `\X
SER_FB7n
s<e/SrcLef]
 *.S{f
sG xI3 W 
Sh&N #[
.s/JoPMX
SL?@B<
S?l?%J
SL	p&$
Socket
|Solx!
s.opRS	
S'P='r 8
>spu"G
("SS=%
s the p@
stV&y<
t1l"&$
&t1/T6
 -t_;2
t)5H%a"
T7^5>p0
"t8!M&)
#tc{N&
tdby$Ru
TdT4d-b
TEgw *
!This program cannot be run in DOS mode.
TIOcm5
<T,iP2
 TKDQH 
:;tkEe}
[T	kT2z
tlqd@.
TM83$- 
tmrLivLogg+
^T)M_SY4
to!g"K
[Tovbv)$5
TP-705UL?6
tsLWv(<
TUVWXYZcdefg
,TWx##0
*(?|&^'u
uBr]C?f
Ud19f!4E
uf>P-T3.
uHR2\?
Un0H&i
Un@cvss
UnDec 
uOH,VV
upQValu
UrlCache
!UYl1X4
uYSphL
V00"4g
v774NE55*237X2
vaS M\
v.Bf&|
vBIV9*O
vf`M1P
vG=	lgj!
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
vjtHPgC
VUc!V_0
V/vld~
V$wN$N$
W7@rrx
	#W8d%
,W'9!G
wapMo~
W(/$>C
_WebHide
wf_h'n;
"[W)fx
Wh5B/3HOc3fY8
w/h#qD
-_WMqo
^)w*n]
#WOBB(b
 #[wohs
wpxkI.{t;
?WSOCK
wVfc:>uO
`wXal!
\WzMknk
x0||{A
x3.1w^8=
.x<]4OD
x6&M+wxJ
x@*'7{
}\xEm>
xe<x9u(
xhD#G"&
,XH` n8s
x?j^aE
\XJ]fk
x/":`n
 ,'~XN
x@&@NC 
x O  2S
X O/J&
XOlEh8
xphZY/
XPTPSW
,?xqAp+
xQ?|PC
xRoYlB0g
xs<vJr
+Xt(D:
\+XT<LT
xUT&!'
)/X@XNG
~@Y$$|
y.@]2X
}%_%y77P|0"
@Y'a6t
yGrabbOg	V
Yk/ qu	
yN6#HL
YP+:S@@
ysWOW64\
yT :][##
y&X	BO
YXF?xw
*=YX^s
Z>*1so+
Z|+:4	
Z'4;mF
zb7_FACEBOOM
'ZdM-3
Zh0SQU
zSBlj(
Z$}tw3
ZV5|@*