Analysis Date: 2013-11-24 01:45:35
MD5: daf1e3191ceab8ec01f30bc864d87ba2
SHA1: f9367e2ab4271ff2bb81fc0156c53f6e4ca7b4df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f5ee04ab7991421f4cd705de24ab14f2 sha1: 152a8e4d012e93f3121be82db1ef092d42796593 size: 16384
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: dac707885fe10323261a3dbba48b1f58 sha1: 6ff487fb539b1a703ef513e6e60f6153ea37280f size: 24576
Section .kdata md5: a6c80aad3643e2f2cb2bb14346d0eaf4 sha1: 99769a444ffbb5dbc233b45f1b88468e6abe92d7 size: 69632
Timestamp: 2009-08-01 00:16:15
Version: InternalName: W3tM7wazj78
FileVersion: 6.05.0008
CompanyName: ThAxvcgL972NkMU
ProductName: Tn237O5j3xTAdl
ProductVersion: 6.05.0008
OriginalFilename: W3tM7wazj78.exe
PEhash: dd425f1eacb2d0fe9bcaaf16a5e65fd22e3c469b
AV avg: Win32/Tanatos.M
AV avira: W32/Sality.Y
AV clamav: W32.Sality-65
AV mcafee: W32/Sality.gen.z
AV msse: Virus:Win32/Sality.AM

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝
48
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\SYSTEM.INI
Creates Process: C:\malware.exe
Creates Mutex: svchost.exeM_1212_
Creates Mutex: services.exeM_616_
Creates Mutex: spoolsv.exeM_1300_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_852_
Creates Mutex: svchost.exeM_804_
Creates Mutex: smss.exeM_464_
Creates Mutex: lsass.exeM_628_
Creates Mutex: Op1mutx9
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_1108_
Creates Mutex: svchost.exeM_1020_

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77BCK2V0-3HKJ-89VV-XAF2-88KL5R9896622}\StubPath ➝
c:\RE\BACK\BcK.exe
Creates File: \Device\Afd\Endpoint

Network Details:

DNS: reback.psybnc.cz
Type: A
82.98.86.174
DNS: reback.helldark.biz
Type: A
DNS: reback.ircdevils.net
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.174:3211
Flows TCP: 192.168.1.1:1033 ➝ 82.98.86.174:3211
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.174:3211
Flows TCP: 192.168.1.1:1035 ➝ 82.98.86.174:3211

Raw Pcap
0x00000000 (00000)   50415353 20566972 75730d0a 4e49434b   PASS Virus..NICK
0x00000010 (00016)   20566972 55732d6b 76666471 6a67780d    VirUs-kvfdqjgx.
0x00000020 (00032)   0a555345 52205669 72557320 22222022   .USER VirUs "" "
0x00000030 (00048)   6b626122 203a2003 322c3102 03345265   kba" : .2,1..4Re
0x00000040 (00064)   4261636b 2003374d 79200337 53686974   Back .7My .7Shit
0x00000050 (00080)   532e2e0d 0a                           S....

0x00000000 (00000)   50415353 20566972 75730d0a 4e49434b   PASS Virus..NICK
0x00000010 (00016)   20566972 55732d72 66767a65 6f6e6f0d    VirUs-rfvzeono.
0x00000020 (00032)   0a555345 52205669 72557320 22222022   .USER VirUs "" "
0x00000030 (00048)   626a6c22 203a2003 322c3102 03345265   bjl" : .2,1..4Re
0x00000040 (00064)   4261636b 2003374d 79200337 53686974   Back .7My .7Shit
0x00000050 (00080)   532e2e0d 0a                           S....

0x00000000 (00000)   50415353 20566972 75730d0a 4e49434b   PASS Virus..NICK
0x00000010 (00016)   20566972 55732d6c 6e74706e 766d770d    VirUs-lntpnvmw.
0x00000020 (00032)   0a555345 52205669 72557320 22222022   .USER VirUs "" "
0x00000030 (00048)   65746422 203a2003 322c3102 03345265   etd" : .2,1..4Re
0x00000040 (00064)   4261636b 2003374d 79200337 53686974   Back .7My .7Shit
0x00000050 (00080)   532e2e0d 0a                           S....

0x00000000 (00000)   50415353 20566972 75730d0a 4e49434b   PASS Virus..NICK
0x00000010 (00016)   20566972 55732d6d 6f687471 6264620d    VirUs-mohtqbdb.
0x00000020 (00032)   0a555345 52205669 72557320 22222022   .USER VirUs "" "
0x00000030 (00048)   67637922 203a2003 322c3102 03345265   gcy" : .2,1..4Re
0x00000040 (00064)   4261636b 2003374d 79200337 53686974   Back .7My .7Shit
0x00000050 (00080)   532e2e0d 0a                           S....


Strings
040904B0
6.05.0008
*\AC:\Documents and Settings\crystal\Desktop\BADudjbnBKrP1NvxHjIV.vbp
amknsrcpl_kc
Apc_rcNpmacqqU
asppclrsqcp
Bcd,
b`efcjn,bjj
Bpgtcpq
Bpmn
CompanyName
Cvnjmpcp
CvnjmpcpZGCVNJMPC,CVC
dgjc
DglbCvcasr_`jcU
EcrKmbsjcDgjcL_kc?
EcrKmbsjcF_lbjcU
EcrRfpc_bAmlrcvr
FileVersion
/,frkj
icplcj10
InternalName
_lbw
lmprgle.
LMPRGLE.
lmprglem
LMPRGLEM
lrbjj
LrSlk_nTgcuMdQcargml
MLK6I5k5kiB1SJSEyXeJ7I9
n_lb_
npmep_kdgjcq
OriginalFilename
PcqskcRfpc_b
@pmuqcp
PrjKmtcKckmpw
ProductName
ProductVersion
Qafkgbrg
Qcptgacq
QcrRfpc_bAmlrcvr
qfcjj10
QfcjjCvcasrcU
Q`gcBjj,bjj
Qjccn
q_knjc
Qtafmqr
QUqdNgRcMBlP1SVikXcVGhOjBIkQ4y
Qwqrck
Qwqrck10
rckn
Rcknmp_pw
Rfgq
SPJBmuljm_bRmDgjcU
spjkml
sqcpl_kc
SQCPL?KC
?SRM
StringFileInfo
Tgprs_j?jjmaCv
ThAxvcgL972NkMU
Tn237O5j3xTAdl
Translation
uglbgp
Uglbmuq
UpgrcNpmacqqKckmpw
VarFileInfo
VNQN1
VS_VERSION_INFO
W3tM7wazj78
W3tM7wazj78.exe
Zcvnjmpcp,cvc
ZGlrcplcr
Zqwqrck
Zqwqrck10
Zqwqrck10Zbpgtcpq
Zqwqrck10Zqcptgacq,cvc
Zqwqrck10Zqtafmqr,cvc
"!##&%&
&%&,"!"
%$&$)()
0Tf<?l
1b//lg
1~\h`0
1-k&	f
"!#$211E
211i*)*
29)($P:
2^Js+*Wn
2QUqdNgRcMBlP1SVikXcVGhOjBIkQ4yUTocgKINBFsu21QUqdNgRcMBlP1SVikXcVGhOjBIkQ4y
31nVt:QD<
3(h5gv^
3+%MXF|y_
:4n@a:PHC
58'wR0z
5&Bd]o
5{!C,>|
,@!5J9
5+JO_+
<5.!Wj
6af}[o
6&D%#{
6`_i%	
$6vo5$
755dCAA
767	><=
7xeyAn
8A'x=%]
8C9iDH
8Ps)/Ps
8	yGpe
$#%9! !
988-,+,
9$FwZT
!/!9~J
.[9qI5`3r
>;;A"!#
A`6~C"
A>>A'%'
AmU497cWR
A@@p:89
AT3nGv9YQM3QBf
A?>W?==n
Bn}I>i
.bpGrE
BsSHDs
B,UN^E
Byp/8E
BzFd8F
c1ebYf
C2OY&*H/
CallWindowProcA
CA@WC@@V"!"
c!koMO
'>CRL8
CRZ65r 
C:\WINDOWS\system32\msvbvm60.dll\3
=<<D('(
D-^0/.
D9GGtGVBIWpum
; dkMK
DllFunctionCall
D*@rQUqdNgRcMBlP1SVikXcVGhOjBIkQ4yuXQUqdNgRcMBlP1SVikXcVGhOjBIkQ4y
Ds|gOs[NDs
{dy6>M
+Dz/vg
eaD/V)
ef4F\4
Ef9lGM55XSZzCD8N
EU6KdBIj3kw
 E&v}$)
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
eX{9.<x
-f6c[}
f^	E86	nR
FF\&1O&z
fWf*pPf:
GetProcAddress
Glc4Gx51Z2ktPty
'gNC4ML
<.Gu,g
<)H`%b
HdQQxxIdWLnQW
! "I(''
&$&i1/0
I{69x_
I8IQPq
[if~]X
IGGP/./
	I+	Hfz(
IM$hIe
Iq!J|"
^]$=j|
JjD]^{~
JVq1ZakTKFya
:j>wlI
@.kdata
KE}4S-
kernel32
KhZL3CAJKgijwSl
}KJi$/b
k' +k^
{Kk\="\
KpBMUP7B6zNj
k>=v:$
kW#Jp<
\!L1@X
LKKGRPP
LoadLibraryA
`.L>%X
L&yrb@
#"$m423
m>aYyeU
{mbcq2
MethCallEngine
~m=&_I
MJrL'#
MLK6I5k5kiB1SJSEyXeJ7I9
MSVBVM60.DLL
MtA;5v
nkhT`][
nki0[XVNA??K)()%! "
NLL#NLK FED
N[|qEj
NrNQA%
N'Z2z&DX
"/O_@D
opiT5e
o]W6^(R
p+1bEL?_
p[5I+-"
p"6\K8
$:*PC9'
PCM!ulZ
ProcCallEngine
	,Pun@O
Q,6_$d:
Q6~]zB<p1
QI>	}+
QsibPs
/QUqdNgRcMBlP1SVikXcVGhOjBIkQ4yAGITeezQUqdNgRcMBlP1SVikXcVGhOjBIkQ4yMLK6I5k5kiB1SJSEyXeJ7I91MLK6I5k5kiB1SJSEyXeJ7I9.MLK6I5k5kiB1SJSEyXeJ7I9.MLK6I5k5kiB1SJSEyXeJ7I90MLK6I5k5kiB1SJSEyXeJ7I9.MLK6I5k5kiB1SJSEyXeJ7I9
QUqdNgRcMBlP1SVikXcVGhOjBIkQ4yBTG6QdNAQUqdNgRcMBlP1SVikXcVGhOjBIkQ4y
RGso*/tG
R.}I4E
RlatqAc
! "RMKJ
RPO<NLLROMMNOMM1GEF	
RPPR?>>
RQp3OKp2Yic
rR*f-O
RtlMoveMemory
R}u"wZ
(#.#S(
S7YQ=|XK
@[Sa6V
Sbt3QqllgeBGE2h
siGcha
sM%i<X
??snI$
S;N[K4
s'tj(;
+SW4p`
\+(SX-d
T\cIA+
"t`Efd
!This program cannot be run in DOS mode.
TRR	KIIY<:;
ttL!0[
TTV(l+[
UggUaBdVQZ4jSTlDa
u-_HKQ
user32
[U]VQP
VBA6.DLL
__vbaExceptHandler
V?C]0P	*
VDBfra
V~%nmX
V%?VLCI
vZKRoU
w8a	$/
Wc39Hl9CPJ7i5yw4
WGkjfN[9
~\WKuL
w:(N0W
W%ZVIB
X;]B:lnG
$xIp(Z
X"v#|w
XYyAT0XHrE8uJM1
XYYYY@
x=zTd^
_y~bs.G"?
*Yh3A,
Y.>i3BS
`.*YIc
,);YWlF\
yy!d*2
?z{>?@2zJM
Z9B#K:
ZBwV8i
zc*/[u
ZP6F%.
ZV9 `]
z}(X28
>`*zZM