Analysis Date: 2014-03-14 23:50:31
MD5: b4014dc2b6757a14cdb904d033887cb1
SHA1: d88d47519bcc49b5c3b345e98e87d20b8928a2c3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f380d36c6d636f50392e83fb58fb8a59 sha1: afee9bd8b26616f8e21ad9d9d5f97944c62ee3e5 size: 28672
Section .rdata: md5: ec4333504b637c25bc52c46a9d373f4d sha1: 7328ab1aa06da781c5fe5ae7934fe7ff40316e33 size: 12288
Section .data: md5: 32368fbf6a44edc39af701dcf79c0e4b sha1: b628edb0c7082e4c6071736a4e146ba7ceea608e size: 4096
Section .rsrc: md5: bf19b783c1194ee768eeb5eac8b1a42f sha1: 8be734aa46d8c869dfa0c38c55b07616f7521415 size: 24576
Timestamp: 2009-10-14 08:58:38
Pdb path: d:\projets\vbs2exe\release\vbs2exe.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 53cfb5171bde62dbc76f3e8588dafdc5f365fd00
IMPhash: 6461a28f11f6bda4deb322cbb1589250
AV: clamav Win.Trojan.Agent-410899

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp\VHLWNZONBM.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp\VHLWNZONBM.vbs
Creates Process: wscript.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp\VHLWNZONBM.vbs"

Process
↳ wscript.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp\VHLWNZONBM.vbs"

Creates File: PIPE\lsarpc

Network Details:

Strings