Analysis Date: 2014-01-26 00:43:32
MD5: 3d7abcbf8396f1f3c255a7aecbd6d581
SHA1: f4396e58061175c01d181681b7d28e2619d28b95

Static Details:

PEhash: 323ba71bc6adffd8683dddc499a3efea8cb77651
AV mcafee: PWS-Zbot.gen.oj
AV avira: TR/VB.Inject.kqrwa
AV msse: VirTool:Win32/VBInject.gen!LD
AV avg: Generic35.AMSE

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: jomytunnekuj
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: rewardhits.com
Winsock DNS: automa.it
Winsock DNS: glmghotels.com
Winsock DNS: golfpark-moossee.ch
Winsock DNS: business-edge.com
Winsock DNS: sortedorganizing.com
Winsock DNS: slcago.org
Winsock DNS: nasz-sklep.pl
Winsock DNS: www.traderush.com
Winsock DNS: tss.org
Winsock DNS: norakuroya.com
Winsock DNS: fabianonline.de
Winsock DNS: guberman.com.br
Winsock DNS: frederickallergy.com
Winsock DNS: agence-des-druides.com
Winsock DNS: 4pipp.com
Winsock DNS: paulrenna.com
Winsock DNS: istanbultarim.com.tr
Winsock DNS: hpp-services.com
Winsock DNS: gjk.com.pl

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.162.200
DNS: smtp.live.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.162.200:25
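
The network section is the behaviour worth alerting on: the sample resolves a long list of unrelated domains and then opens a single TCP connection to 65.55.162.200:25 (the address returned for smtp.live.com). A host that performs DNS fan-out of that kind and then speaks SMTP is a signal worth surfacing in DNS/flow telemetry. The Python below is an added example, not part of this report or of any sandbox tool: it parses constructed DNS and flow log lines in an assumed "timestamp src kind detail" format, collapses hostnames to a registrable domain with a simplified heuristic (a production version should use the Public Suffix List), and alerts when a host has resolved at least ten distinct registrable domains in the sixty seconds before a port-25 connection. The log format, thresholds and the second- and third-host traffic are assumptions made for the example; the domains for host .1 are taken from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed "timestamp src kind detail" format
# (not the report's pcap). Host .1 mirrors the sandbox run: many unrelated
# lookups, then TCP/25 to the resolved smtp.live.com address. Host .2 is
# ordinary browsing; host .3 is a normal mail client (one lookup, then SMTP).
SAMPLE_LOG = """\
2014-01-26T00:43:40 192.168.1.1 dns rewardhits.com
2014-01-26T00:43:40 192.168.1.1 dns automa.it
2014-01-26T00:43:41 192.168.1.1 dns glmghotels.com
2014-01-26T00:43:41 192.168.1.1 dns golfpark-moossee.ch
2014-01-26T00:43:42 192.168.1.1 dns business-edge.com
2014-01-26T00:43:42 192.168.1.1 dns sortedorganizing.com
2014-01-26T00:43:43 192.168.1.1 dns slcago.org
2014-01-26T00:43:43 192.168.1.1 dns nasz-sklep.pl
2014-01-26T00:43:44 192.168.1.1 dns www.traderush.com
2014-01-26T00:43:44 192.168.1.1 dns guberman.com.br
2014-01-26T00:43:45 192.168.1.1 dns istanbultarim.com.tr
2014-01-26T00:43:45 192.168.1.1 dns gjk.com.pl
2014-01-26T00:43:46 192.168.1.1 dns smtp.live.com
2014-01-26T00:43:47 192.168.1.1 flow tcp 65.55.162.200:25
2014-01-26T00:44:10 192.168.1.2 dns www.example.com
2014-01-26T00:44:11 192.168.1.2 flow tcp 93.184.216.34:443
2014-01-26T00:45:00 192.168.1.3 dns smtp.live.com
2014-01-26T00:45:01 192.168.1.3 flow tcp 65.55.162.200:25
"""

# Second-level labels that commonly sit under a two-letter country TLD
# (com.br, com.tr, com.pl, co.uk ...). A rough stand-in for the Public
# Suffix List; adequate for this example, not for production.
_CC_SECOND_LEVEL = {"com", "co", "org", "net", "gov", "edu", "ac"}


def registrable_domain(name: str) -> str:
    """Collapse a hostname to its registrable domain (www.traderush.com -> traderush.com)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_events(log_text: str):
    """Turn the constructed log into (timestamp, src, kind, detail) tuples.

    dns lines carry the queried name; flow lines carry 'ip:port' of the destination."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "dns":
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, parts[1], "dns", parts[3]))
        elif len(parts) >= 5 and parts[2] == "flow":
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, parts[1], "flow", parts[4]))
    return events


def detect_dns_fanout_then_smtp(log_text: str, min_domains: int = 10,
                                window: timedelta = timedelta(seconds=60)):
    """Return (src, distinct_domains, smtp_dst) for every TCP/25 flow whose source
    resolved at least `min_domains` distinct registrable domains inside `window`."""
    lookups = defaultdict(list)  # src -> [(timestamp, registrable domain)]
    alerts = []
    for ts, src, kind, detail in sorted(parse_events(log_text)):
        if kind == "dns":
            lookups[src].append((ts, registrable_domain(detail)))
            continue
        host, _, port = detail.rpartition(":")
        if port != "25":
            continue
        recent = {dom for t, dom in lookups[src] if ts - window <= t <= ts}
        if len(recent) >= min_domains:
            alerts.append((src, len(recent), host))
    return alerts


if __name__ == "__main__":
    for src, n, dst in detect_dns_fanout_then_smtp(SAMPLE_LOG):
        print(f"ALERT {src}: {n} distinct domains resolved, then SMTP to {dst}")
```

The single-lookup mail client (host .3) is deliberately included: it connects to the same SMTP endpoint but stays below the fan-out threshold, which is what separates this pattern from ordinary mail traffic.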

Strings

_]<\\
@@,<
040904B0
-=09
/-,2
@@"4
5.00.0454
*\AD:\ytftfytfytfy\REeB.vbp
asecfrgvtfd
B.hHyRTV`H
#C6\.U1R5Q;R'Y*
c8wt
@cal\Mi
CompanyName
dfPxIb
Dino1
Dino1.exe
e651A8940-87C5-11d1-8BE3-0000F8754DA1
FileVersion
InternalName
@l\Micr
mpolkiujhy
 or da
OriginalFilename
ProductName
ProductVersion
StringFileInfo
(}%:&tDF
Translation
VarFileInfo
'V+D(
VS_VERSION_INFO
WUBHxFyvs5
xfqwXtI2D3
YU,~X$Ux
|||____
+0s0FQ0
)1:8E8+
`=_\1dE
3:5("	
3	e2gj
3s]r:!te
 4esFi16
5WNL3R
%*5wNr
"?<;8"
";81q 
8 A7Q}_
*8al85
8N:5(	
9SN:5	
al!kh#
AllowAddNew
AllowArrows
AllowDelete
AllowUpdate
Appearance
%(Apq$
astllesbwaybeih
b2%7|K
BackColor
bbd]Km
?$.Bk%	
BorderStyle
bYWTTPLI<<Ic
CloseHandle
cmbField
cmbOperator
cO	kD>f
ColumnHeaders
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc22608.oca
`C:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc29208.oca
C	rD(X
CreateFileW
CsMQ$t.e
+C]}tv>
CtxtParentDate
#<d^\ 
d7]}E:
DataFormats
DataGrid
DataGrid1
DataMember
DataSource
DefColWidth
DefWindowProcA
DllFunctionCall
Dq(YHq
DTPicker
DvvlAq
DXwOBZ
d*Yxxz
{{ES{_
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
Field :
ForeColor
Frame1
frameDatagrid
FreeLibrary
)&g5#9
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
g^n6g5
,Hc;@*b
|||_hhh
['HJUj
i3<X( 
\I)"8x
I|&<e7
I<L\J:
:=iX3}
jnhytgbvf
jugviNCO
kernel32
kernel32.dll
kernel32.DLL
]]]?KKK?KKK?[qu?v
>kZ9qp
"L5KxN
Label1
L+dvib
L,Fio(
lj,\)oE
LoadLibraryW
-[`MaG
MD+<})
Melwpcq
mpilui
MSCOMCT2.OCX
MSComCtl2
MSComCtl2.DTPicker
MSDataGridLib
MSDataGridLib.DataGrid
MSDATGRD.OCX
MS Sans Serif
MSVBVM60.DLL
mUFfRI
_n\1~w9
NeSatbdWrk
NeSatbdWrk*5
NeSatbdWrkftukdfg56789NeSatbdWrkQ_f
,NZdMT
*O%|=`
=Of|YA
ojalja
o]')?ks
oM_jhtk
OpenProcess
ouiouiou
pc.H=k6
&=pn(l9
P[N*MJ
ProcCallEngine
Process32First
Process32Next
PropertyPage
PropertyPage1
pr`UmmXk
P~Y=} 
q=!ar`+q
Q CLS9
q@Dw2#
:qI<c^!
'R1d}'`[
R2w7z6
r${5&z
ReadFile
RightToLeft
>rKkgX
,rnodG3
RQSl{+
RtlMoveMemory
rZSU8x
SalrO*
S,*L6e
).St6m
SystemParametersInfoA
TabAcrossSplits
TabAction
TerminateProcess
!This program cannot be run in DOS mode.
TRrXtD)
txtParentDate
ublic mpilui
U>cs>[
)UjL_E
U.|m<q
UpMpl^2d.
|`Up|wk
uqE^fb
user32.dll
UserControl
UserControl1
Value :
ValUserControl1
VBA6.DLL
__vbaExceptHandler
	vW3$'(
we[Flq
WrapCellPointer
WriteProcessMemory
} xE-?
X>ebT]
{ xi7f$
XJAzTxG
X!#ZTkL
Ygggv&
Yggvv1)bnje5
Ygt]M,jnnnjI
yhIIP/
yyyobbb
y #Z{D
:Z*~|@
ZC[DpE2
-zf	e{
Z'tf'9
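
The hashes in the header and the artefacts in the Strings section are the reusable output of this report. The Python below, added here as an example and not part of the report, the sandbox or the sample, turns them into a quick static triage: compare MD5/SHA1 against the header, search for the distinctive strings (the VB6 project path, Dino1.exe, the jomytunnekuj mutex and a few junk identifiers) in both ASCII and UTF-16LE, since VB6 keeps string constants wide and an ASCII-only pass can miss them, and count the process-enumeration and injection imports (Process32First/Next, OpenProcess, WriteProcessMemory, RtlMoveMemory, TerminateProcess) that the VBInject detection names point at. The IOC list, the import threshold, the verdict labels and the SAMPLE_BYTES buffer are constructed for the example; the real sample's PE layout is not reproduced.

```python
import hashlib

# Hashes of the analysed sample, copied from the report header.
KNOWN_MD5 = "3d7abcbf8396f1f3c255a7aecbd6d581"
KNOWN_SHA1 = "f4396e58061175c01d181681b7d28e2619d28b95"

# Distinctive artefacts from the Strings and Runtime sections: the VB6 project
# path (without the "*\A" marker VB6 prepends), the internal file name, the
# sample's unique mutex and some junk identifiers. Chosen for this example.
STRING_IOCS = [
    r"D:\ytftfytfytfy\REeB.vbp",
    "Dino1.exe",
    "jomytunnekuj",
    "NeSatbdWrk",
    "asecfrgvtfd",
    "mpolkiujhy",
]

# Imported names seen in the Strings section that form the usual
# "enumerate processes, open one, write into it" sequence. The threshold is
# a heuristic for this example, not something the report states.
INJECTION_APIS = ["Process32First", "Process32Next", "OpenProcess",
                  "WriteProcessMemory", "RtlMoveMemory", "TerminateProcess"]
INJECTION_THRESHOLD = 3


def hashes(data: bytes):
    """MD5 and SHA1 hex digests for comparison with the report header."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def find_string_iocs(data: bytes):
    """Map each IOC found to the encodings it was found in (ascii, utf-16le)."""
    hits = {}
    for ioc in STRING_IOCS:
        found = [enc for enc in ("ascii", "utf-16le") if ioc.encode(enc) in data]
        if found:
            hits[ioc] = found
    return hits


def injection_api_hits(data: bytes):
    """Names from the injection cluster that occur in the file, sorted."""
    return sorted(api for api in INJECTION_APIS if api.encode("ascii") in data)


def triage(data: bytes):
    """Combine hash match, string IOCs and import cluster into one verdict."""
    md5, sha1 = hashes(data)
    hash_match = md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1
    string_hits = find_string_iocs(data)
    apis = injection_api_hits(data)
    if hash_match:
        verdict = "known sample (hash match)"
    elif string_hits and len(apis) >= INJECTION_THRESHOLD:
        verdict = "suspicious: report artefacts plus process-injection imports"
    elif string_hits or len(apis) >= INJECTION_THRESHOLD:
        verdict = "weak: partial match, review manually"
    else:
        verdict = "no indicators"
    return {"md5": md5, "sha1": sha1, "hash_match": hash_match,
            "string_hits": string_hits, "injection_apis": apis, "verdict": verdict}


# Constructed stand-in for a file under triage (NOT the real sample): a DOS
# stub, one artefact as ASCII, one as UTF-16LE, and four injection imports.
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 62 + b"!This program cannot be run in DOS mode.\r\n"
    + b"Dino1.exe\x00" + r"D:\ytftfytfytfy\REeB.vbp".encode("ascii") + b"\x00"
    + "jomytunnekuj".encode("utf-16le") + b"\x00\x00"
    + b"\x00".join(a.encode("ascii") for a in
                   ("OpenProcess", "WriteProcessMemory", "Process32First", "Process32Next"))
    + b"\x00" * 256
)

# A clean-looking buffer for contrast.
CLEAN_BYTES = b"MZ" + b"\x00" * 62 + b"hello world\x00" * 16

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BYTES), indent=2))
    print(triage(CLEAN_BYTES)["verdict"])
```

Run it against a real file with `triage(open(path, "rb").read())`. The mutex shows up only in the UTF-16LE pass of the constructed buffer, which is the case an ASCII-only `strings` run would miss.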