Analysis Date: 2015-11-01 06:15:08
MD5: 4ec6d0b85a3dbdbb7e22b2462e0999fd
SHA1: f42feae34346e07d07231249f1fa9e2c15bc4859

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text1 md5: 5bcbceb53caad73d629770074ca15092 sha1: d8e70aa7e9e1447358f4cac702b7571ecbba7f98 size: 385024
Section .adata md5: 938d6d97628275a512e07c66be5ccecf sha1: 97e468e47489e38b33b0f14714a775c619ba9a90 size: 53248
Section .data1 md5: 4206c4d0f54a1a218440ebd684029e77 sha1: 0da8e4fd1610f61dde9bd1e802b0383796ee2aed size: 77824
Section .pdata md5: b53e870020192a37a405868554456f1e sha1: fb8a7f03e2a9950fce3a06a959c85b97f95ee018 size: 1187840
Section .rsrc md5: e6c22f2a6ccd60086a7777f17e3ab328 sha1: bcc291f5e8fa9093b12732fadf380d9f070d7426 size: 28672
Timestamp: 2009-12-29 22:50:08
Version:
  LegalCopyright: microsoft compiler
  InternalName: al
  FileVersion: 1.02.0057
  CompanyName: microsoft
  Comments: microsoft
  ProductName: microsoft dll loader
  ProductVersion: 1.02.0057
  FileDescription: dll loader
  OriginalFilename: al.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 37f4db4885043f2bdced556efde75cf21ad79eb0
IMPhash: 0539a31253f066f6315e4c0a3a3568dd
AV Ad-Aware: Trojan.Generic.6338166
AV Grisoft (avg): Generic18.AYWF
AV CAT (quickheal): no_virus
AV Ikarus: Backdoor.Win32.Bifrose
AV Avira (antivir): TR/Dropper.Gen
AV K7: P2PWorm ( 0005d61f1 )
AV ClamAV: Trojan.Typic
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Trojan.Generic.6338166
AV MalwareBytes: Trojan.Downloader.WCA
AV Dr. Web: BackDoor.Siggen.49051
AV Mcafee: no_virus
AV BitDefender: Trojan.Generic.6338166
AV Microsoft Security Essentials: Trojan:Win32/Toga!rfn
AV Emsisoft: Trojan.Generic.6338166
AV MicroWorld (escan): Trojan.Generic.6338166
AV Alwil (avast): VB-AHIE [Trj]
AV Padvish: Malware.Trojan.Typic
AV Eset (nod32): Win32/VB.NVS worm
AV Rising: no_virus
AV BullGuard: Trojan.Generic.6338166
AV Fortinet: W32/Generic.NVS!tr
AV Symantec: Trojan.Gen
AV Authentium: W32/Typic.A.gen!Eldorado
AV Trend Micro: TROJ_DR.045D828D
AV Frisk (f-prot): W32/Typic.A.gen!Eldorado
AV Twister: Backdoor.DDA501D481E62633
AV CA (E-Trust Ino): Win32/Fruspam.GF
AV VirusBlokAda (vba32): TrojanDownloader.VB
AV F-Secure: Trojan.Generic.6338166
AV Zillya!: Dropper.Typic.Win32.736

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0} ➝ NULL
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\x\x ➝ x\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\ ➝ PSFactoryBuffer\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: SCSI0:
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xxxc.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe

Registry: HKEY_LOCAL_MACHINE\Software\Licenses\{IF41747BB2672C200} ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Registry: HKEY_CLASSES_ROOT\CLSID\{F7920A59-A57C-32D5-44B9-04FEA547B88C}\Zztfdqhq ➝ Bm\E^LV_{c]oL\U|X\\x7fGpSlo`zgfaR
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\wocualts.exe
Creates File: C:\Documents and Settings\All Users\Application Data\TEMP:C9C13817
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll
Creates File: SCSI0:
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\key.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates File: C:\WINDOWS\system32\vbzip11.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\readm.txt
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Mutex: RAL0343850B
Creates Mutex: 0343850B::WK
Creates Mutex: DBWinMutex
Winsock URL: http://ns2.thebuisness.com/zip.zip
Winsock URL: http://google.com

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip

Network Details:

DNS: google.com (Type: A) ➝ 173.194.37.64
DNS: google.com (Type: A) ➝ 173.194.37.78
DNS: google.com (Type: A) ➝ 173.194.37.73
DNS: google.com (Type: A) ➝ 173.194.37.72
DNS: google.com (Type: A) ➝ 173.194.37.71
DNS: google.com (Type: A) ➝ 173.194.37.70
DNS: google.com (Type: A) ➝ 173.194.37.69
DNS: google.com (Type: A) ➝ 173.194.37.68
DNS: google.com (Type: A) ➝ 173.194.37.67
DNS: google.com (Type: A) ➝ 173.194.37.66
DNS: google.com (Type: A) ➝ 173.194.37.65
DNS: ns2.thebuisness.com (Type: A) ➝ 198.71.232.3
HTTP GET: http://google.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://ns2.thebuisness.com/zip.zip
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 173.194.37.64:80
Flows TCP: 192.168.1.1:1032 ➝ 198.71.232.3:80
