Analysis Date: 2014-01-02 16:21:47
MD5: b169555c4304fad9f5c318763dcff445
SHA1: a393e3f1bcb500aa05a28e6d0fce4bf8f59fff62

Static Details:

PEhash: 323ba71bc6adffd8683dddc499a3efea8cb77651
AV (avg): Crypt_vb.CA
AV (mcafee): PWS-Zbot.gen.oj
AV (avira): TR/Dropper.Gen
AV (msse): TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: vuruwybvorma

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.96.11
DNS: smtp.live.com
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 65.55.96.11:25

Strings