Analysis Date: 2014-10-14 11:22:18
MD5: 2394f27e0f5190348e754dc298266b2e
SHA1: d9f8c2a81087f5378b21f2b56c0a661c4386a5b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0b3598b91ff8f6173c5d7a41c17bceb6 sha1: d7fbfaac07898db18de7c5c482e28771c742aea5 size: 10752
Section .rdata md5: 31c80930ef73ddc27baeafefac538a06 sha1: b03af66c3edf0bfb72c6a603f8727891dd32b5f3 size: 11264
Section .data md5: dea319ae745d6c8ed0e3822626ee0841 sha1: 1503353d89ca6a63fb7057399acf727ca61ebe44 size: 195072
Section .abdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .edata md5: 0758bab62996eefde50ec78c1dc303d9 sha1: 892a397b02e28d816a5aebf2ea65cb31a2e70ecd size: 512
Section .rsrc md5: 3db7d3b5189c2f7b4c7cff9614fef0aa sha1: 36fa2d73d20bec61dd3e53ce10129837ec259ea6 size: 8704
Timestamp: 2010-02-01 10:35:09
Version:
  LegalCopyright: Copyright © 2010 ag VideoSoft cP All rights reserved. Cu
  InternalName: oNoter6.exe
  FileVersion: 2.0.0.1222
  CompanyName: VideoSoft
  LegalTrademarks:
  Comments:
  ProductName: d
  ProductVersion: 2.0.0.1222
  FileDescription: uVideoq ComponentG Setup
  OriginalFilename: oNoter6.exe
PEhash: d4c58b96584d34ad87fbf29f49f6d2aa557d81ed
IMPhash: de9a9c8c926d3cf17d03d029a3c99d2b
AV 360 Safe: Gen:Variant.Kazy.22738
AV Ad-Aware: Gen:Variant.Kazy.22738
AV Alwil (avast): MalOb-EM [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.NV.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.NT.1
AV BullGuard: Gen:Variant.Kazy.22738
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-229235
AV Dr. Web: Trojan.Inject.38523
AV Emsisoft: Gen:Variant.Kazy.22738
AV Eset (nod32): Win32/Kryptik.AJNC
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.NV.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.22738
AV Grisoft (avg): Downloader.Generic11.ZRU
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan-Downloader ( 0022d70b1 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.FraudPack.Gen
AV Mcafee: Downloader-CEW.au
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.22738
AV Norman: winpe/Renos.DOJB
AV Rising: Trojan.Win32.Generic.1287445B
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_FAKEAV.SM35
AV VirusBlokAda (vba32): Trojan.ExpProc.EA
AV Yara APT: no_virus
AV Zillya!: no_virus
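The IMPhash above is reproducible from the sample's import table. The following is an added example, not the report's or any sandbox's own code: it implements the import-hash algorithm used by pefile and VirusTotal (each import becomes "<dll minus .dll/.ocx/.sys>.<function>" in lower case, kept in import-table order, comma-joined, MD5-hashed). Ordinal imports are rendered as "ord<N>"; pefile additionally resolves ws2_32 and oleaut32 ordinals to names, which this simplified version omits. SAMPLE_IMPORTS is constructed from API names visible in the Strings section; it is neither complete nor in the binary's real order, so its hash is not expected to equal the reported value.

```python
"""Reproducing an IMPhash from an import table (added example; not the
report's or any sandbox's code). SAMPLE_IMPORTS is a constructed, partial
import list; its order and completeness are assumptions."""
import hashlib

# pefile drops only these library extensions before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def _entry(dll, func):
    """Canonical 'lib.func' form of one import (lower case, extension stripped)."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIPPED_EXTENSIONS:
        lib = base
    # Simplification: ordinals always become ordN; pefile resolves
    # ws2_32/oleaut32 ordinals to function names first.
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash_string(imports):
    """The exact comma-joined string that gets hashed; compare this when two
    tools disagree on an imphash."""
    return ",".join(_entry(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports):
    """imports: [(dll_name, [function_name_or_ordinal, ...]), ...] in table order."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed, partial import list built from API names in the Strings section.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAllocEx",
                      "WriteFile", "HeapAlloc", "ExitProcess"]),
    ("USER32.dll", ["MessageBoxA", "CreatePopupMenu", "TrackPopupMenu",
                    "SetWindowLongA", "PostMessageA"]),
    ("gdi32.dll", ["GetBkColor", "GetBkMode"]),
    ("oleaut32.dll", ["SysAllocStringLen"]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

Because order is part of the hash, two builds that import the same APIs in a different sequence get different IMPhashes; conversely, a packer stub that imports only LoadLibraryA/GetProcAddress produces the same IMPhash for unrelated payloads, so the value is a clustering aid, not an identity.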

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs ➝ NULL
Creates File: C:\WINDOWS\system32\sshnas21.dll
Creates Process: rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle
Creates Service: SSHNAS - %SystemRoot%\system32\svchost.exe -k netsvcs

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1156

Process
↳ rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\idgbn5xehg\wd29 ➝ 172877844
Creates Mutex: Global\{02ACCAA4-D375-440f-9261-58B7221B7317}

Network Details:

DNS: livedoor.com
Type: A
125.6.149.67
DNS: yieldmanager.com
Type: A
208.67.66.24
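The runtime and network details above describe a classic svchost-hosted persistence chain: the sample modifies the netsvcs group value under HKLM\...\SvcHost\netsvcs, drops sshnas21.dll into system32, registers an SSHNAS service whose image is svchost.exe -k netsvcs, and separately runs the DLL's GetHandle export through rundll32.exe. The following is an added example, not the report's or any sandbox's own code, showing how a triage script correlates such a trace into rules and extracts the atomic indicators for hunting. The EVENTS list is constructed from the observations above using an assumed, simplified schema (event/process/path/cmdline/key/value/name/image_path/query/answer); it is not a real sandbox or Sysmon log format, and the process attributed to the DNS queries is not recorded in the report, so those events carry none.

```python
"""Behavioural triage of the runtime trace above (added example; not part of
the original report or of any sandbox's code). EVENTS is constructed from
the report's Runtime and Network Details in an assumed, simplified schema."""
import re
from collections import defaultdict

# Registry value listing the services that svchost.exe -k netsvcs will host.
NETSVCS_KEY = r"\SvcHost\netsvcs"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# rundll32.exe <dll>,<export>
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+),(?P<export>\S+)", re.I)

MALWARE = r"C:\malware.exe"
LOADER = r"rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle"

# Constructed events mirroring the report, in the order the sandbox listed them.
EVENTS = [
    {"event": "registry_set", "process": MALWARE,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs",
     "value": None},
    {"event": "file_create", "process": MALWARE,
     "path": r"C:\WINDOWS\system32\sshnas21.dll"},
    {"event": "process_create", "process": MALWARE, "cmdline": LOADER},
    {"event": "service_create", "process": MALWARE, "name": "SSHNAS",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"event": "file_create", "process": r"C:\WINDOWS\System32\svchost.exe",
     "path": r"C:\WINDOWS\system32\WBEM\Logs\wbemess.log"},  # OS noise in the trace
    {"event": "registry_set", "process": LOADER,
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\idgbn5xehg\wd29", "value": "172877844"},
    {"event": "mutex_create", "process": LOADER,
     "name": r"Global\{02ACCAA4-D375-440f-9261-58B7221B7317}"},
    {"event": "dns_query", "query": "livedoor.com", "answer": "125.6.149.67"},
    {"event": "dns_query", "query": "yieldmanager.com", "answer": "208.67.66.24"},
]


def _norm(p):
    return p.lower().replace("/", "\\")


def extract_iocs(events):
    """Atomic indicators from the trace, grouped by type, for blocklists and hunting."""
    iocs = defaultdict(set)
    for e in events:
        kind = e["event"]
        if kind == "file_create":
            iocs["files"].add(e["path"])
        elif kind == "service_create":
            iocs["services"].add(e["name"])
        elif kind == "registry_set":
            iocs["registry"].add(e["key"])
        elif kind == "mutex_create":
            iocs["mutexes"].add(e["name"])
        elif kind == "dns_query":
            iocs["domains"].add(e["query"])
            if e.get("answer"):
                iocs["ips"].add(e["answer"])
    return dict(iocs)


def triage(events):
    """Apply behavioural rules in trace order; returns [(rule, severity, evidence)].

    Rules correlate across events: rundll32 is flagged only for a DLL the trace
    shows being written, and a netsvcs service is rated high only once the
    netsvcs group value itself has been modified earlier in the trace."""
    findings = []
    dropped_dlls = set()
    group_tampered = False
    for e in events:
        kind = e["event"]
        if kind == "registry_set" and _norm(e["key"]).endswith(_norm(NETSVCS_KEY)):
            group_tampered = True
            findings.append(("R1 svchost netsvcs group value modified", "high", e["key"]))
        elif kind == "file_create":
            path = _norm(e["path"])
            if (path.startswith(SYSTEM_DIRS) and path.endswith(".dll")
                    and not _norm(e["process"]).startswith(SYSTEM_DIRS)):
                dropped_dlls.add(path)
                findings.append(("R2 DLL written to system directory by non-system process",
                                 "medium", e["path"]))
        elif kind == "process_create":
            m = RUNDLL32_RE.search(e["cmdline"])
            if m and _norm(m.group("dll")) in dropped_dlls:
                findings.append(("R3 rundll32 runs export of freshly dropped DLL", "high",
                                 f"{m.group('dll')},{m.group('export')}"))
        elif kind == "service_create" and "-k netsvcs" in e["image_path"].lower():
            findings.append(("R4 new svchost-hosted service in netsvcs group",
                             "high" if group_tampered else "medium",
                             f"{e['name']} -> {e['image_path']}"))
    return findings


def verdict(findings):
    """'malicious' if any rule fired high, 'suspicious' if only medium, else 'clean'."""
    sev = {s for _, s, _ in findings}
    return "malicious" if "high" in sev else "suspicious" if sev else "clean"


if __name__ == "__main__":
    for rule, sev, evidence in triage(EVENTS):
        print(f"[{sev:6}] {rule}: {evidence}")
    print("verdict:", verdict(triage(EVENTS)))
    for kind, values in sorted(extract_iocs(EVENTS).items()):
        print(f"{kind}: {sorted(values)}")
```

On a live host the same correlation is done against the registry and service database rather than a trace: a service name under the netsvcs group value that has no matching Parameters\ServiceDll pointing at a Microsoft-signed binary is the equivalent of R1 plus R4, and the file path and mutex name from extract_iocs are what goes into the hunt query.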

Strings:
..
..
^...
n
.-.
.
^
H
:
.
\
s~
..
.;
u
..
.f
.}g
040904E4
2.0.0.1222
 2010 ag VideoSoft cP All rights reserved. Cu
Comments
CompanyName
Copyright 
	Ctrl+C
d69U
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
 (MAP)
MS Shell Dlg
oNoter6.exe
OriginalFilename
ProductName
ProductVersion
StringFileInfo
SysTreeView32
Translation
U(UK
uVideoq ComponentG Setup 
VarFileInfo
VideoSoft
VS_VERSION_INFO
-,+*)(#
#%/*+|
%$#"! 
]0c3i'
0?FaK're
0PdzrG
0V1{yO(
!?0+Vb
1 #-?C;
*22=:P
*&2+:5
;-"2Cg
*"2':P
2R5	EC
2RyqNMF/@
{2TJCA
2Y^[}s
31v!Ti
33333333333333333333333333333333333333333333333333333333333333333333333333333333(
3iNH#|
3pIH19y
4$:*@2a:q
49:C3L
4^S&Z.
5.Ns}z
"5rv6&G
61bE`9
6EW#;z<M
(6&jY#
6t4t4VS
72T_Qcb
73>?G;Me
7c&'.J
7&D8t/dO
7_	ePE
7?HTzP
7~J	A$
&+#?|7T
_7y54CQztxTE
|(|8|Ht`[
?8JPFU
8[m;A[
>=<;:9
9cguSR0mwRPs@8
9&{@E;
9^LtCc
:aAc#OeR
.abdata
ablYgto
AbTtIr
A{c#?5
ahgV5rnW1_DPv
appwiz.cpl
.APRpx
#A U[5
-@Aw1ZM
`axX?A
B"CN3<
BeginPaint
B$)#N+
#bN4V2
B< pazOf
'bSno_
B@&{w^
c'2Ctv
^c33}.
C3YghLT
C5CZDPT
c|`{6#
>c8a.s
c/*c'q
(cELTCb
CharLowerA
CharNextA
CharToOemA
CharUpperA
ChildWindowFromPoint
ClientToScreen
cm;0Eu
cNa7Uy@20
com$zde_
CreateEventA
CreateIcon
CreatePopupMenu
CRh?=`
CSXf#|
c_]y\^)
cYwN3xq
D4<0<,0(
=D7h<j'r
,D9tAd\
@.data
$d*D/$<
d"D.$5
~dE-[&
DefFrameProcA
DeleteMenu
DestroyMenu
DestroyWindow
d>\HcN
DispatchMessageA
]'d#k/
dQWkZ#
DR"< 6
DrawAnimatedRects
DrawEdge
D@|Ru%
dwcj7Q
E1gqB'
/E7F31
,Ea=+e
@.edata
E>K&P.Y*d2l:
EnableWindow
EndPaint
EnumChildWindows
?eQDwu	
Er(}Mr
^e"Sc}
Eu[gwY
ExitProcess
e;Yrw)
EZ{;MP
F~1q"0^
F6nIvs9
F7"!5;
?f\BM7
FillRect
fl,#ae
f?l]U1
f&p__d
FvzdPk
f/x!/6^
/g&}""6
G987654
Gc1ru2nB@24
gD34I6A#0L
gdi32.dll
GetBkColor
GetBkMode
GetCapture
GetClassInfoA
GetClipboardData
GetCommandLineA
GetCommandLineW
GetCurrentProcess
GetCursor
GetDateFormatA
GetFileAttributesA
GetIconInfo
GetKeyboardType
GetMenu
GetMenuItemCount
GetMenuStringA
GetOEMCP
GetProcAddress
GetStdHandle
GetStringTypeW
GetSystemMenu
GetWindow
GetWindowDC
GetWindowTextLengthA
gKXqd'?c#j
GlP,U,o,
Gr5J-g
gR'tEc
_gV"!L
GZ|cI?
H#2h	Y
H4Q$V*h2s:z
hayiQ-Ce]
!Hchu<
HeapAlloc
HeapDestroy
HGXT,%S
H'?pF4
|]|hps
&hz8]'9$
)h:z^L
ibL)Sc
I&BP1s
ibrYyG
IC4\[8)
iMmQllX9@8
InsertMenuA
IsCharUpperA
IsChild
IsDialogMessageW
IsVali
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
i@%W[A
IWKkMa
:>"\"j
<j1S9u
j&2*cH
j9cv*o
J9R|z<
`[Ja!h:
JcY-u/
j=M_Wc][
/J>Q;\
J}SB]VC
jSUy?:
kaeOUoEHdS
kc9\GBK
kc]tr@
KERNEL32.dll
KERN{L32pm
_KIn1y81Z3y
kjogQR
kQco"=
}Kt5Zh
Kum:8#
kvr}{J
l9b5FIa
<lA,K,`,q+z|
L\c)PH	
L/"E)y
>lF,L,Q,z,
l#+gOUNI
LoadCursorA
LoadLibraryA
LoadResource
LocalAlloc
LocalFree
LocalReAlloc
l%|sir
lstrcmpiA
lstrlenW
&L-S-U
L/Xqn#
/##M;	
M4T$`tMc{%
m*5{qn
mAbkFj
MapVartudgK
MapWindowPoints
<mCBGy
MCQ+u:$
MdSAY,
#mEDLo
ME+#^P
MessageBoxA
mES$u7
~Mo|`g
m|r|w|
M?T;`'j#
mTl!ZB5A
~MUBPQ
M"UIxZ
MulDiv
#$N0p6@<PB H0N
N4_DSw&	
('N8Dx@/
o0u`{3
o25mS!V
O3c_$ f
{O6mx.ktskiz
ODC<f"#
OdpDz$
O#e^y.
:O gs>
O-{@*I
OIV_}7
oK^eAp	
oleaut32.dll
oNoter6.exe
|opb?r
O#]Pepl
o Rg]jc~
_Os462SIi@24
@^#;ov
ov"Va?5_{
OYyV,Fz
p.3^w<
@$P7 H0Q
PdarDs
PDc @16ceFI
PEat`Z
PeekMessageW
"PI.D<$
pInfo`
|(|@|Pi`p
pJ6RFX
PostMessageA
PostQuitMessage
;pR"+d
pr!fNS
P?U;Ze
p)VHK<J(
*q'4]+>b
q6h-o3
q[`.7!q
_[q}@HN
qh>$px
{Qh!Z9
QJ(m6c
_=Q<Skt
'"!r07
r5^cx!
`.rdat(
`.rdata
ReleaseCapture
ReleaseDC
RemoveMenu
rKoSRe)
&rlq(Rt
rLu1@:
RpM_0g
@.rsrc
R?X;^'e#
rXK~3)
rXO5/>
R|Xx^;
s+>0D'tZ
^S3x\+
.sab_C
ScrollWindow
SeL#\{
SendMessageW
SetActiveWindow
SetCapture
SetCursor
SetMenu
SetScrollPos
SetWindowLongA
SetWindowPos
SEvjw&
ShowWindow
@snCw&
+^S)p|l
]SQ2R4
"#SruW
"st@};
})s<Tk
@SWR='
SysAllocStringLen
SystemParametersInfoA
t5;:u5
TcFHF)
#@T+d%p
#T%@Ea
tfJ'xu
_Tg8iENCyzldIlg@4
T#	GVc
!This program cannot be run in DOS mode.
tjd"S{,M
tkc@"S`
[#'\to
TrackPopupMenu
TranslateMDISysAccel
+?"trk
}tXWkSA
u~C?j=
ud#nyjP
[@>U&eQ
U#^#gH
<UgT@n
%/	Uk,=sq
UnregisterClassA
UO(B/<
u%P;lt
USER32%.
USER32.dll
uTFK^W
U'udQV
U'YMSg
U,Z,n,
vCtGuwR
V#fHLj
Vgy\6#E
VirtualAllocEx
V^Krm'$
Vl^,c,h,m,
vQ5Xcs
Vs]scK
_w0PCtBaE6
W1~k?<!
W `"_8
Wch3LZ0v#
/w{DSv
WideCharToMultiByte
Wr#D,m
WriteFile
WTCV~*p
W`Vpar
w'/}X5
Wyc< ks
(`'x)>
xbFrameH3nd
^xH!K+
^{X("Tf
XtfmFWd
X<T<P<L:H
X?UVq2W
YdfNvWl
_y[e]B
yftBl}
y?KP\I
&%y Q>
Y"s=ty
_^][Yw
`z8pc7
zd4E8I5Zmi3k@8
z'dLN'-
zget|<i
zPGfE5
Z/sHFG