Analysis Date: 2014-11-23 00:38:01
MD5: 2931dd66ca10a6afa1f837db60d572d0
SHA1: d7ac9d656917b6e09c054b9ac5b22fbd12296a53

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ca303cc2324e610f1e735dd01dfd4bb8 sha1: 7fe0a3f42cdf68022c47ba53e5c2dabdd31135c6 size: 32768
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 50036e258afaa9ac75e8ed5e7da5af72 sha1: fdd1632392b1b01d6081e93347eeb8367a801998 size: 4096
Timestamp: 2014-06-25 07:50:26
Version:
  InternalName: Stub
  FileVersion: 1.00
  CompanyName: SilvaaA
  ProductName: Project1
  ProductVersion: 1.00
  OriginalFilename: Stub.exe
Packer: Microsoft Visual Basic v5.0
PEhash: f99997781dbd787fc174b224a546a5ea08382ec8
IMPhash: 48d1937c024e427b53a91d1d6c05e5e9
AV 360 Safe: Gen:Variant.Barys.2422
AV Ad-Aware: Gen:Variant.Barys.2422
AV Alwil (avast): GenMalicious-DV [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/VBTrojan.9!Maximus
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Barys.2422
AV CA (E-Trust Ino): Win32/VBInject.C!generic
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Barys.2422
AV Eset (nod32): Win32/Injector.BLVZ
AV Fortinet: W32/Injector.BFOK!tr
AV Frisk (f-prot): W32/VBTrojan.9!Maximus
AV F-Secure: Gen:Variant.Barys.2422
AV Grisoft (avg): Worm/Generic_vb.ZC
AV Ikarus: Trojan.Inject2
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Worm.Win32.VBNA.a
AV MalwareBytes: Malware.Packer.VBR
AV Mcafee: RDN/Generic.dx!ddh
AV Microsoft Security Essentials: Backdoor:Win32/Xtrat.A
AV MicroWorld (escan): Gen:Variant.Barys.2422
AV Rising: no_virus
AV Sophos: Mal/SillyFDC-G
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\drwtsn32 -p 756 -e 100 -g

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 756 -e 100 -g

Network Details:

Strings

040904B0
1.00
*\AProject1
CompanyName
FileVersion
InternalName
OriginalFilename
ProductName
ProductVersion
Project1
SilvaaA
StringFileInfo
Stub
Stub.exe
Translation
VarFileInfo
VS_VERSION_INFO
aC:\Windows\system32\wmp.oca
CallWindowProcA
Check1
Command1
Command2
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
Frame1
GetBkColor
GetBkMode
GetClassLongA
GetClassNameA
GetModuleFileNameA
kernel32
MethCallEngine
MSVBVM60.DLL
Option1
ProcCallEngine
Project1
!This program cannot be run in DOS mode.
t VisuProject1
user32
\VB98\a
VBA6.DLL
__vbaExceptHandler
WindowsMediaPlayer
wmp.dll
WMPLibCtl
WMPLibCtl.WindowsMediaPlayer