Analysis Date: 2014-04-06 22:56:20
MD5: 04f606f674b3be93b75a4cbe22c14223
SHA1: ea18691dd61f8b25e8531b8ac2ca7c0661f71be2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 38146e64e2b563432ea789434d1d1a4a sha1: d7184443f79863f9833ab7cca1cbccdd1693dcb9 size: 49152
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section)
Section .rsrc: md5: 3cfc94e1efb8a7868c731dc78453897b sha1: 59aeffafd0c6c6454281e2f12a0b5bed43656824 size: 4096
Timestamp: 2000-01-01 12:00:00
Packer: Microsoft Visual Basic v5.0
PEhash: 8541ff04f5b9430b5f0e52f4a653320398f51019
IMPhash: f64561c414a8a613e7166c47746b27b3
AV (clamav): Trojan.Chinky-1
AV (avg): Worm/AutoRun.HV
AV (avira): TR/Dropper.Gen
AV (mcafee): VBObfus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\gomep.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\gomep.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\gomep.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gomep ➝ C:\Documents and Settings\Administrator\gomep.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Creates Mutex: A

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Network Details:

DNS: ns4.theimageparlour.net
Type: A
192.155.89.148
Flows TCP: 192.168.1.1:1031 ➝ 192.155.89.148:8000


Strings
CreateShortcut
IconLocation
Save
TargetPath
VS_VERSION_INFO
8&O.I"
?Bp0jN
CallWindowProcW
CkkXKlHU
CkkXKlHU0
CkkXKlHU1
CkkXKlHU10
CkkXKlHU11
CkkXKlHU2
CkkXKlHU20
CkkXKlHU21
CkkXKlHU22
CkkXKlHU23
CkkXKlHU24
CkkXKlHU25
CkkXKlHU26
CkkXKlHU27
CkkXKlHU28
CkkXKlHU29
CkkXKlHU3
CkkXKlHU30
CkkXKlHU31
CkkXKlHU32
CkkXKlHU33
CkkXKlHU34
CkkXKlHU35
CkkXKlHU36
CkkXKlHU37
CkkXKlHU38
CkkXKlHU39
CkkXKlHU4
CkkXKlHU40
CkkXKlHU41
CkkXKlHU42
CkkXKlHU43
CkkXKlHU44
CkkXKlHU45
CkkXKlHU46
CkkXKlHU47
CkkXKlHU48
CkkXKlHU49
CkkXKlHU5
CkkXKlHU50
CkkXKlHU51
CkkXKlHU52
CkkXKlHU53
CkkXKlHU54
CkkXKlHU55
CkkXKlHU56
CkkXKlHU57
CkkXKlHU58
CkkXKlHU59
CkkXKlHU6
CkkXKlHU7
CkkXKlHU8
CkkXKlHU9
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
fQA]f!Z9
gethostbyname
GetModuleFileNameW
GetProcAddress
kernel32
LoadLibraryW
MethCallEngine
MSVBVM60.DLL
NsetPs
Ns$FPs
Os\TPs
pe{4Aj;
ProcCallEngine
Process32Next
{Ps?|Ps
PsZ]Os
qHtxXxJCVSpKjbXj
qHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXj
qHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjqHtxXxJCVSpKjbXjPADDINGXXPAD
Qsj|Ps
Qs&nPs
RtlMoveMemory
sZrehHvsmEBYuTYVgjyUVfojNcvPieSyHHGLwpwannDGJBapiSzCW
!This program cannot be run in DOS mode.
user32
VB5!6&*
__vbaExceptHandler
vdZ7)2
vGHop56o7po667
wsock32
xKxkLhgI
*Y!0g:O