Analysis Date: 2013-12-17 02:54:23
MD5: 55e7e4cc05748f5784d52db8ffd668d0
SHA1: e613e68dec6bc99520d853fce2514b4ab140ef67

Static Details:

PEhash: 323ba71bc6adffd8683dddc499a3efea8cb77651
AV avg: PSW.Generic12.QUP
AV mcafee: PWS-Zbot.gen.oj
AV avira: TR/Dropper.Gen

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\5e0e_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Note: dwwin.exe is the Windows XP error-reporting (Dr. Watson) client, and the *_appcompat.txt file it writes under %TEMP% is its crash-report collection, so the malware.exe instance that spawned it crashed during the run. Treat the absence of further runtime activity, and the empty network section below, as an artefact of that crash rather than as evidence that the sample is inert.

Network Details:


Strings:
040904B0
@@"4
5.00.0454
*\AD:\fzfzefzef894984\REeB.vbp
ceEj4feV
CompanyName
dd/MM/yyyy
DEwe4OjkDS
Dino1
Dino1.exe
e651A8940-87C5-11d1-8BE3-0000F8754DA1
e)p$Bx
E-}Z
FileVersion
frdehtjykuh
gtfrdeszde
InternalName
jadidjemanchbahi
JJ7g5hq
l9v3
@l\Micr
nlfxEBj9IXM
ojjaal
OriginalFilename
OYrXQij7f
ProductName
ProductVersion
rA133F000-CCB0-11d0-A316-00AA00688B10
StringFileInfo
Translation
VarFileInfo
vp4x0
VS_VERSION_INFO
VUfSU
yaeswheitlbsbl
|||____
@}0 ^-
1')Thf
3:5("	
 37;BD
3K,ai5
@3T=\h
5WNL3R
5x\CtQ
6L>HxcyH
6olaC|
6qSoX|
6Uw[^`;K
^6)zr	
7e]h>AF
}7u"SOhQ
"?<;8"
";81q 
[<8hne
>8KCMT218
8N:5(	
8wE%[[+
9(|dBR
9^hJGxnI
9Ro6;GJ
9SN:5	
Al3%4T
ArMCcc
)BekFd
b+jadidjemanchbahi
b]msT%<
BoundText
!\{B_R
bsvsrQ
bYWTTPLI<<Ic
BZUy	Qy
CloseHandle
@.CO|J
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc22608.oca
CreateFileW
^CR<+O
CtxtParentDate
`.data
DataCombo
DataCombo1
~DataCombo1
DataList
DataList1
defrgthyf
DefWindowProcA
DllFunctionCall
DTPicker
DvvlAq
D||X>7
,E&b$==
=\EHegV
ei\W</a
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
e>w6]JE
_?}F/+
f^)?7^
=FG(CZ
Frame1
FreeLibrary
%/FT+uaj
|+fUZ\
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
gJ+Odt
!g%VqkJ
H$|$0?Z?iBH
|||_hhh
HI`5jU>/
hygtfr
i8>(5?M_
`icb;cT
idi5-]'
j@5TS3
jadidjemanchbahi
jadidjemanchbahi5879449848948984lljadidjemanchbahi
JDgLrA=F
J~Gb4(
kernel32
kernEl32
kernel32.dll
kernEl32.DLL
]]]?KKK?KKK?[qu?v
:K;sT=E
l5:DD"
^)(lD1&Xa
%`L>k{2
L+@MIG+
LoadLibraryW
lolololp
mM$5a%^
MO!hP'
MSCOMCT2.OCX
MSComCtl2
MSComCtl2.DTPicker
MSDataListLib
MSDataListLib.DataCombo
MSDataListLib.DataList
MSDATLST.OCX
MSVBVM60.DLL
mY'4A(
nt6+3l
NTPT*,
+nwLN'
O5cv2P$
O%Abo`y
O>"@hu;)
ojjaal
OpenProcess
;OP.YS
*Oqw!B4
p,gJcp
p.j`};
P!L?2h
ProcCallEngine
Process32First
Process32Next
PropertyPage
PropertyPage1
pr`UmmXk
p.vRT5[
qC:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc30554.oca
=qGTJs
qLgyv?
@+R'7CS
	rdf+=Eb#
ReadFile
R+/ lU
')Rm2_
)Ro].0j;*\
RowMember
RowSource
RtlMoveMemory
RT{Ua5
>S$oTD
%S/PV7
srpN]a^'
SystemParametersInfoA
TDi:tI!<u
TerminateProcess
!This program cannot be run in DOS mode.
""TPS[D
	T{V0S
txtParentDate
U5%J&5
uC{_f"
U!/.{m
|`Up|wk
user32.dll
usoGEQ?~
VaW"XC
VBA6.DLL
__vbaExceptHandler
V&Fur`
VjWWix
vS$@S&T
v(=xpW
vY.ZGlV
+vz<]g
w292HZvB
,w/>m:
w%N>8(
]wpm>xd
WriteProcessMemory
WS=1).
Wt!K_/(
ww)m(1t<H
w}XZPp
Xd&2?/
!XexbF
&XfJ1U
x_`rjkb	
](xY(/
yaeswheitlbsbl
Y?BO#2
Ygggv&
Yggvv1)bnje5
Ygt]M,jnnnjI
yyyobbb
Z29!\v
"ZmN0O
$Zslut
zZ.]$t
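The strings dump above already contains what a reverser would triage first: Toolhelp process enumeration, WriteProcessMemory, the VB6 runtime markers, the embedded .vbp project path and kernel32 spelled in two different casings. The Python script below is added here as an illustration; it is not part of the sandbox report and not code from the sample. It buckets a strings dump into capability groups, extracts the VB6 project path, flags module names that appear under more than one casing, and raises an injection flag when process enumeration and remote memory writes occur together. The bucket names, marker sets, module list and the constructed subset of strings are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed subset of the "Strings" section of the report above (the full
# dump is longer); these are the lines that drive the triage.
SAMPLE_STRINGS = [
    "*\\AD:\\fzfzefzef894984\\REeB.vbp",
    "Dino1.exe",
    "OriginalFilename",
    "CloseHandle",
    "CreateFileW",
    "DllFunctionCall",
    "EVENT_SINK_AddRef",
    "FreeLibrary",
    "GetModuleHandleW",
    "GetProcAddress",
    "kernel32",
    "kernEl32",
    "kernel32.dll",
    "kernEl32.DLL",
    "LoadLibraryW",
    "MSCOMCT2.OCX",
    "MSVBVM60.DLL",
    "OpenProcess",
    "ProcCallEngine",
    "Process32First",
    "Process32Next",
    "ReadFile",
    "RtlMoveMemory",
    "TerminateProcess",
    "user32.dll",
    "VBA6.DLL",
    "__vbaExceptHandler",
    "WriteProcessMemory",
    "jadidjemanchbahi5879449848948984lljadidjemanchbahi",
    "Ygggv&",  # packed/junk data, ignored by the triage
]

# Win32 API names grouped by the capability they usually indicate. The buckets
# and their names are this example's own choice, not part of the report.
API_BUCKETS = {
    "process_enumeration": {"OpenProcess", "Process32First", "Process32Next", "TerminateProcess"},
    "remote_memory_write": {"WriteProcessMemory", "RtlMoveMemory"},
    "dynamic_api_resolution": {"LoadLibraryW", "GetModuleHandleW", "GetProcAddress", "FreeLibrary", "DllFunctionCall"},
    "file_io": {"CreateFileW", "ReadFile", "CloseHandle"},
}

# Strings carried by Visual Basic 6 binaries (runtime DLL, p-code engine, VB exception handler).
VB6_MARKERS = {"MSVBVM60.DLL", "VBA6.DLL", "__vbaExceptHandler", "ProcCallEngine"}

# VB6 embeds the original project path as "*\A<drive>:\...\<name>.vbp".
VBP_PATH_RE = re.compile(r"^\*\\A(?P<path>[A-Za-z]:\\.+\.vbp)$", re.IGNORECASE)

# Module names whose case-variant duplicates are worth flagging (assumed list).
MODULE_NAMES = {"kernel32", "kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}


def triage_strings(strings):
    """Bucket a raw strings dump into the findings a reverser wants to see first."""
    found = set(strings)
    capabilities = {bucket: sorted(found & apis) for bucket, apis in API_BUCKETS.items()}
    capabilities = {k: v for k, v in capabilities.items() if v}

    vbp_path = None
    for s in strings:
        m = VBP_PATH_RE.match(s)
        if m:
            vbp_path = m.group("path")
            break

    # Group module names by their lower-cased form. A name that appears under two
    # spellings (kernel32 / kernEl32) defeats naive case-sensitive string matching
    # while LoadLibrary, which is case-insensitive, still resolves it.
    by_lower = defaultdict(set)
    for s in strings:
        if s.lower() in MODULE_NAMES:
            by_lower[s.lower()].add(s)
    case_variants = {k: sorted(v) for k, v in by_lower.items() if len(v) > 1}

    return {
        "is_vb6": bool(found & VB6_MARKERS),
        "vb6_project_path": vbp_path,
        "capabilities": capabilities,
        "case_variant_modules": case_variants,
        # Enumerating processes plus writing another process's memory is the
        # minimal API footprint of code injection; flag it for manual follow-up.
        "injection_candidate": bool(
            capabilities.get("process_enumeration") and capabilities.get("remote_memory_write")
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_strings(SAMPLE_STRINGS), indent=2))
```

Feed it the output of `strings -a` (or the dump from a report like this one, one string per line) and read the `injection_candidate` flag together with `capabilities`; the flag is a prompt to look at how the sample uses WriteProcessMemory, not a verdict on its own.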