Analysis Date: 2013-11-10 06:46:42
MD5: dcf701b565a1d50217bb56a7d53d4eb5
SHA1: efedffec3f10ddb9bd1f21b0965a882659cedc56

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: cb35b6d5fa42464b44ddc343f19112ce sha1: f7f807c49dd9291c878a3cb1c83f619c579edd68 size: 177664
Section: .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV avg: Worm/Generic2.BLRH
AV avira: BDS/Backdoor.Gen
AV mcafee: W32/Generic.worm!p2p
AV msse: Worm:Win32/Ainslot.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{71EDABE1-1A68-BDBE-BDFE-F27F01BE8CF8}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{71EDABE1-1A68-BDBE-BDFE-F27F01BE8CF8}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\8SG5DGFQAM ➝
November 10, 2013\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\8SG5DGFQAM ➝
TheOldWarrior's Bo\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\w3\sana
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: 8SG5DGFQAM

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe ➝
C:\Documents and Settings\Administrator\Application Data\w3\9J73RFBH80.exe:*:Enabled:Windows Messanger\\x00

Network Details:

DNS: symantic.no-ip.biz
Type: A
192.168.15.4
DNS1symantic.no-ip.biz
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 192.168.15.4:1604
Flows TCP: 192.168.1.1:1035 ➝ 192.168.15.4:1604

Raw Pcap

Strings
PERS
SETTINGS
00G0rE
%0;dch
&]*0DFs:
&0jdjA
0|@&ph
0r(If8
0t#i '
0zhU$g
1234\r
15dF8F91AEE<A
1A42|]
1Bv!k"DT
1c2->a"6
1Igd;4
~.:1]K_
)1|l -97u
1LjGyL
}\1q@Gu
(>*1s0
20C<|0d
22A368949C0a
#2AP_uy
2>e%Xdq
2F062D2BD
2`r,L{
)  2S!C2E
2Ziz<p]
32a2;N.	
32EDE121D9E
 3>>F6>R
3FG/m;
: 3gFO
=[3#hh
40vk1\
413A647A4B6739316C4F5B5C5*14
%&'()*456789:CDj
4[cv4=bGa
4G/I\Hs
4gzF>[
4H4sg%
4\<s1vt
@4TA!^]
4?`W B
4$WrEX
4#]<xi[
!4yvT")
501E:9~
54*m~S
54rUN(1%
5Async?f
*5bccP1V
:5jq;!
+@5RLwC
@5\@roi
5tSd `\)
68Z?kZ
>6*e	 
~6ENC^fADClifSteam
((/6	G{
6iH(D6
&6j0(u
6mm63o
6n1?e:-VS
6qm%g7
6X-`G*
6xjhd>
;7;4716^
774NE55*237X
7b8x3 P
@7(HOB
7IsoBY
=7Kajt8
7niffOS4\V
7S^ONv
7(xBit
86)\Mic*soft Visual St.
884O`i
8\AHDOR
8>c}`^
8fa _2
<8HX5n2
8LfSK2Q
!8M1~LL
8_O6F6
8Rb.H~i
'92_'C
96W`Ik#D~7
9KTIvZ
)9ppDD
9(UxW/
Acce++.B
AddMsg
AdjuFP
aha %D
^aH#b'
ais{pQ
akq`d6K
(%.alb
alUpda
A)ox^=
@ap)"e
a	[QA5
aQQX'I
Ar\'//+
Audio.
awuois=
b1]_A*
'b7V/G
b86mswi
}*b)cd
\Bg.<f\
biM;{.
bjBd@Fv?,
Bo6DD$
bss_ser'
bv)#v"J
bwn_62
;]C9H-
CallBa
C`(aS4
C<F6E4ZF7C8
/Chat'
CHAT_ADDMSG
cImage'%cap
<Ciuqa
;cNP1lz
:c{N&w
Compzb7
C:\Prog
CP~}xW:z
cSubClHi
!ct38-k
CTH-A<
^`D08?f
-d0/bS
D6@X&i
D8bP~QNj
"(Dc0l
DG88kADNO
DI#08[
diFFFdTTD
d@l^] 
d|lNx/
DlwH5pKl
d@NDLx@Fv
Dn;I;t
DragQuery
\d(#t\.
dt|\No
&d:toQl\;
dU<sl.
|DZPp_|
E4:|	"=
E4Do'N3fB'
E.4TM83$-mf
<e4ym5
eA1/RP
ect?TorrentS
$'`eD[
EFB$9$xU
EFGHIJSTUVWXYZcdefg
eInvokeV
E/L7wW
Empty6
?enmP]
E#ONFt0
+e.pZr
EqPK '5
EsuI?x0
EVENT_SI
'EV?L_]
ExitProcess
E/$yEJ
F0[pZ2
:f.C)G
fD_/aS
]FDt}T
F> FDD
>f.=f,yhK
.F_^GE
FGw{.wM
f_h'n;
 Files (x
Fj-8Cr
$,FLLe
#)$<Fo0
*#&f>qqq
frmMain
F\sOuQ'Sd
f?SU+a
fUYl1X4cr
Fy.#fbv
f>Z/._;
G$7T3N2$$
/+g#8f
#(g##;A
GA!VD'
gcmdtf
GetProcAddress
)>G?GT$
gH1j{`D
gHgD'*
gHija.
GlTBnK
Gook?RS`curity
GrlK<l
gwbAuz
GWSOCKu
>@*GWY
G#yeWv
H0{g%S
h3``h\
]h3l/A,
H 6;08 
 h8d(A
h99yN`
h9/U@0
Hd&Bzx\
h' #FX
 hGed "
hglIF`
hgp*j`"
H/H47h7
}?H,<j^-
	HLV#D
^hm5;O&
=HMMgG%_
h.mpKJ8tj
hNGZdNeo
Hs=NjO
~hunkS
hZRJ<c
'-\.i.
I0/w(+
/(I(aR
I`BUn8
icalDr
ICk)S%
I(' H|
ii{c3hl
i\JT:d
"#\[I#k
IK6z&V
_img;0`
InfoTO
ISPfrN
:J~>c G
jdRaf`
jfXB+?
Jgs/cy
JN2  X&r
.j"nWq
+JQ:[\
j/,q/!f
j&U8/H
J #Vc 
/JWX9:
K]>1h-
k1jLtA
K3ACi7
K6&?SC
K789\r
K9g%J\.i.|&<
kc_13B
KERNEL32.DLL
@@Kjka)
kkW\+	
kOe+$]bQ
ksl/=I<
|*}<kV
kvGxZ0G
L0P$PH
L2 '4<
\L2 'dllp
laK&]j"a
Lau&hF
L&d/O<=
ldt&L0
LH8g&n
	*&*lHXSh
.#lICd
l@-jNv
Lla+(B
l&N(q6
Lntlt!!
LoadLibraryA
lobalA
_loseHandJ
L~'(P~=
!lR&F*
L{.ToPlPb!
lXJB:,v
!}ly_;}-
L)^Y"aA
._@$_m
m2rT<-N4
m	5N{a
MedoIDp
^__^Mkok$P
mm9UCn
	mMl%6`
mMQ[H(E{
mnK{Vf
modFucrons
/MP`@`` 
.'MQ[P
MS SaX`
\msvbvm60
MSVBVM60.DLL
MSVBVM60UX
Mv#(i(WC
M&Xu%:]
MY)`q|
N2 #`h
n2WvVa
n3+HJV-l
`!`:N7
@N<@B:
N<dp>hu .
n-GxhC
N$>,q	j
NTDLLD
@NuI^g
(,o}2>
O4cJ^m%w 
*O8^.N
Of')9%
O[_FACEBOOK_START
offF`l<8
}O@:<F(:,x
OGON/_B
Oha"jJd
!OHHHN%
#oI&Qg
O$jZ	l
(Oo'/N
os#+Om
+oTBN2pw\
O^T)M_S
oWaiqSx
owIIn:
O*WTask
oXCCCC
oX|l|.
O-\#Xl
*(?|&^P
`p0*Rz
p5HBITMAP
P.99yN	
P/\d.0PiT4J%
(p`:e<}
PEs/\42$e
p*<#GN
picThumb
pJz8Ck
pLlE{g
-PlzhD
`'P=@p2
pQValu
PRINTA
PSBlj(
p WD8k
#Q1(FGe-
"QB0S{O!
qC|['d
)=Qeyy
Q(G_,I
q$nUHVS
"@queezer
qVRv^Y
q@}ZD"e
"\$r/ 
.r@_0%
`r4B`(04A
R")5TZ
r6033l
^r9dd4
rAUb9]^9t]
Rd^#|)&I
Rd:\SysWOW64\
rDVG|L2 '@H
rJvj_Vd
RK-ew11
r Lir 
rO#WJH
rrHHPr4^
/Rr@M<
,r%Sm6n
"r Tft
rXu"pS*-6yV
ryW/G!
s2r@!$
S/5j'P
:ScanLz
s cb!@
#SCManPr
s:.cpV
Screensho
$$$se&
SER_FB77
's<e/SrcLef+
sG\bo`
SGUfhG
S`j,,(@
Socket
$SolB&
s.op-/EaxZRv
SrJ,pxr]
s the p@R
STRUCTIO
stV&y<
sw[kLlct
SZoM7Pn`
t1lLH<C
t)5H%a"
T73&97
t,:8,(
tA/uVi.
!This program cannot be run in DOS mode.
tKlpDp	
tmrLivLogg+
Tn`jjPUL?
`tPp=+7Z
tqV:8H
`T r%9(
tRarZ0
TRs{6TXW
TS2D"O
t(Tn(_
?tU+yF
tX.-hu
#U@32A
.&u^8uF
UAOo^6`
;)uHR2\?
Un@cvssPATH_WINL0
UQGH&P
UrlCache
URLDVnlg
u~r'xSpMm
 usiid
U #SL/X@
#U|Wk.Z
-UZElIA
V!4@f1
V9`he;Rq
v.Bf&|
vBIV9*O
vf'$sT
]V'H?,!t
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
@vJUm]	
.v(<k7p
vl&XTOc
VNNNno
vQWdv $
;vr4DkP
v@${T4`
VtHTL5P
v[*/TrX
VUc!V_0
VVwCtl~ebBrow
V$wN$N$w'
vXN\$:
-<w^1$
<W9j`#
W!/9n)
wapMo~
w*B <(
WD.0KC0
_WebHide
w"[ik:
-_WMqo
|WmZvnwSi
;@'}WR
WW23g[
wxJN2 
W&(xnW
x'-84)kx
	X95&BS
}\xEm>
xG0WoK
,X`HIM
xhXHJF-
^X]J<W
.'~XJW)
x/Kc.B
xl<`33h^NJ5
x$O0C!lx
xo.104
XPTPSW
x-t_;2
+XT<L26!!9
_${x	tq
xu5sx4
"X?[W)
xYOasq
@Y'a6t
yGrabbOg	V
 Yk/ q6G
yNXT,i
YP+:S@@2
yTPLHD
yvh[_AmI
YX"")fv.:
,z2>ir
Z|+:4	
Zo`.@]
Z$}tw3
ZXOct2