Analysis Date: 2014-10-12 03:00:51
MD5: c6dc2ed0a4b176905b53d52191780d38
SHA1: ed8128f84c39c1edd150448e3b7f7817aaebcab6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a982e2b30e1c757a14dace445e395e10 sha1: 8f729dde239c59f87265596d8e533920939bd5b4 size: 81920
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: c539661d9e1d00048ad4885df3917815 sha1: 85f9de8dbe80f124a611250cb3f70ae6a801cebb size: 4096
Timestamp: 2014-10-01 03:46:12
Version:
LegalCopyright: fu
InternalName: Install
FileVersion: 29.75.0002
CompanyName: DL
LegalTrademarks: OP
Comments: MwS
ProductName: BC
ProductVersion: 29.75.0002
FileDescription: Jru
OriginalFilename: Install.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 24149657ada01e9e63cd8c06e1060cd8a009098a
IMPhash: 55919665feea334d6fe7336e6409ce5b
AV 360 Safe: Trojan.GenericKD.1908684
AV Ad-Aware: Trojan.GenericKD.1908684
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/VB.Downloader.Gen8
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1908684
AV Eset (nod32): Win32/TrojanDownloader.VB.QPD
AV Fortinet: W32/Dropper.NMW!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1908684
AV Grisoft (avg): Downloader.VB.AGQW
AV Ikarus: Trojan.Win32.Buzus
AV K7: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Blocker.fvvp
AV MalwareBytes: Trojan.Ransom.Blocker
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: winpe/Troj_Generic.WFVCE
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\MSWINSCK.ocx
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: cfile201.uf.daum.net

Network Details:

DNS: cfile201.uf.daum.net.cdngc.net
Type: A
174.35.56.217
DNS: cfile201.uf.daum.net.cdngc.net
Type: A
174.35.56.96
DNS: cfile201.uf.daum.net
Type: A
HTTP GET: http://cfile201.uf.daum.net/attach/25775437539DB5870A3F7D
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Flows TCP: 192.168.1.1:1031 ➝ 174.35.56.217:80

Raw Pcap

Strings