Analysis Date: 2014-08-24 13:01:11
MD5: 30e69e6bd174cc66b53ee301dacac0ca
SHA1: cb34ab6a565ea8a4b8a96443ebceefe71b018bac

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aethora[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\churchsupplies[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\traderush[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\youjoomla[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bigjohnsbeefjerky[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wlf.louisiana[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kamaruka.vic.edu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\choice-select[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dithd[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wlf.louisiana[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\empordalia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lexjuridica[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ixtractor[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aethora[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\empordalia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\churchsupplies[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\traderush[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lexjuridica[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\youjoomla[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ixtractor[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wlf.louisiana[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\choice-select[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wlf.louisiana[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dithd[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: wiveguxaqxyd
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: empordalia.com
Winsock DNS: youjoomla.com
Winsock DNS: e-shuukyaku.com
Winsock DNS: ibcd.com.br
Winsock DNS: dithd.com
Winsock DNS: ixtractor.com
Winsock DNS: wlf.louisiana.gov
Winsock DNS: www.traderush.com
Winsock DNS: bigjohnsbeefjerky.com
Winsock DNS: kamaruka.vic.edu.au
Winsock DNS: ginalimo.com
Winsock DNS: bapasitaramsevatrust.org
Winsock DNS: agence-des-druides.com
Winsock DNS: xuanxiao.com
Winsock DNS: lexjuridica.com
Winsock DNS: choice-select.com
Winsock DNS: rueggeberg.com
Winsock DNS: churchsupplies.net
Winsock DNS: aethora.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25

Strings
.T
.[
..
/.

..<?
040904B0
1&'(
15.1
15.1.exe
2.01.0001
59TZ
6\Y0&*WU
}7b6s>
*\AD:\9798889O78\bubu.vbp
CompanyName
FileVersion
FQlrF^csF_l|HQlrI
GtlA
GvX86
hqwB
InternalName
jU6um
L2kKj
lokijnhygb
nhjbnhgytv
(None)
OriginalFilename
ProductName
ProductVersion
qfTK
s~M]Ze
StringFileInfo
Translation
uQ7R
VarFileInfo
VS_VERSION_INFO
x6r0
zVtBK
^_^_^_^_^_^_^_^_^[
?00p\n
#0j?l3
0TR=;dvvvhS/>ovvvvvvvvvvuu^
16mA=3I
1*[DAvF<.K
?1-\pyS	
204489477897878798797898
20448947789787879879789832165466598uy32516548poi51125365547204489477897878798797898$X
204489477897878798797898777777777777
29*"Ki
35Qa]h
3`iQ&8
@3t4)04
41-=IJJC2
4`$4, v
_4hA<mEC
4Q&	nfY
5555555555
56>OD1D
#!5*CG
5JJJJJJJJ6I*
5JJJJJJJJ8*
-5Y/(Y
7+?C/6
[7c[@U^
^8Fm04
8'jf}-
 ;!8vqJC
93#*ivvvvvv.@uvvuuuuuuqvuu^
9/B7MF~
>9F(rm
9@U\\.
a044D"
agif']e
aH204489477897878798797898_2
aryd7K+
-aviTF
avvvvvvvvvvuuuuu^
*BCG}3'
bghytrdcf
BJh%j3
#BJJJJ*
bm)Vt*:
CallWindowProcW
Cancel
cboDrivers
cboDSNList
=c) fZ*
chkLoadTipsAtStartup
CloseHandle
cmdCancel
cmdNextTip
Connection Values
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileA
ctkV!d
ctvvvvL
Cvvvvk":vvuuvvvvquuuuu^
=C{Weo
+D6u/R
`.data
Data&base:
DDDDD.9DJHI
Did you know...
DIJJJJ%
DllFunctionCall
Dri&ver:
D^XeT<2
E5#vJs'
EHre\j
)e@q14
erFSc!
ETtUON
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
fhp?d:~
f lR6c
fraStep3
frmODBCLogon
frmTip
frxxAV
fvvvvvvvvvvuuuvvu^
_f>whc,	
?@G	@3
G'b	z&
GetDSNsAndDrivers
GetModuleFileNameA
g\`hd-
grzT[:I&
H876(bvW&
+*HdW]
H!g`~V
h=ib'lF
,hiClW
h?q6sd\
IC&m\D
IC`,WD
#i]fcK
$IHJJJ!
;IJJJJJ%
"IJJJJJJ'
*IJJJJJJJJJJ*
?JHIJ 
&JJJJJJ'
*JJJJJJJJ5*'*
*JJJJJJJJJA@*
Jq7,ZOD~
kernel32
kernel32.dll
kerNel32.dll
'KPp1t
Kp`ZL[
!kvvvuuuuvvququu^
Kvvvvvuuuuvvuuqu^
Label1
lblStep3
lblTipText
LoadLibraryW
*L"Wm`
\}^%m@
;m31++++
MethCallEngine
?m?>|hfg
 	m&s:
MSVBVM60.DLL
'mvvvvvvvvvuuvvuqv^
Mvvvvvvvvvvuuuv^
_N.,}_
N^^^^^^^\?^^^^^^^^^^^^^^
&Next Tip
njaSCX
njiuhj
O6m~8z
ODBC32.DLL
ODBC Logon
Oggsw\
o"g!Wzg
okbUA\
OpenProcess
o	P^kj
&Password:
Picture1
pn{_5 
//P-PW
P:R6{/
ProcCallEngine
Process32First
Process32Next
p?@UY:Cm
Qq_I*z
RcoEgP
ReadFile
RK4OJo
RtlMoveMemory
S7#6o&
>S834#
s9&_H~
&Server:
&Show Tips at Startup
|Si$,0l&
SQLAllocEnv
SQLDataSources
+S%S<m
s/*x`KJ
SystemParametersInfoW
\.,T>0
!This program cannot be run in DOS mode.
t>I:4'
Tip of the Day
Tw,[<G
txtDatabase
txtPWD
txtServer
txtUID
)u=}&4
uk.Mm=
USER32
user32.dll
USER32.DLL
_uuuuqvquuuquq^
v[<~%\
V3x><(Kzv	Y
VBA6.DLL
__vbaExceptHandler
~VoXML
V<QItvvvvvueP	Evvvvvvvvvvu^
VQ	n0e
,vvvvvvvuuuuuqvuu^
^vvvvvvvvvvvvvvvv`GD
^vvvvvvvvvvvvvvvvoYZ
^vvvvvvvvvvvvvvvvvFBAABF
^vvvvvvvvvvvvvvvvv[kZ
^vvvvvvvvvvvvvvvvv\uoZ
^vvvvvvvvvvvvvvvvvvv_\GF
^vvvvvvvvvvvvvvvvvvvvvv^
\vvvvvvvvvvvvvvvvvvvvvv^
^vvvvvvvvvvvvvvvvvZqqkFB
/VyN/S
web@Q'
wP$e;i
`	%w@v
wW/FP/eX{\8.P
/X?	1!
)X8WL |3
\XK/32|
x'`_.Ky
\xoS>L'_Z
x	sVxR
xu=`}y
`)X	VA
Y16IP2
}ylG33
Y&OhJk
&*yo`s
~Z3Qu-P
Zhm@;*
#zqoS'