Download Link: hxxp://download.happytofind.com/scabar.exe
File Name: scabar.exe
File size: 427936 bytes
MD5: fa0e2ecb3c6b02270f2d0df585740773
SHA1: 1807374151e5e8003ef47338833547631e84c5d6
PEiD: -

VirusTotal Result: 3/32 (9.38%)
  eSafe: Win32.Bayan.b
  Ikarus: not-a-virus:AdWare.Win32.404Search.k
  Sunbelt: SC-Bar

File Info:

PE Header
  Signature: 00004550
  Machine: 014C - Intel 386
  Number of sections: 0008
  Time/Date stamp: 2A425E19
  Pointer to symbol table: 00000000
  Number of symbols: 00000000
  Size of optional header: 00E0
  Characteristics: 818F
  Magic: 010B
  Linker version (major): 02
  Linker version (minor): 19
  Size of code: 0000BE00
  Size of initialized data: 00005200
  Size of uninitialized data: 00000000
  Address of entry point: 0000C60C
  Base of code: 00001000
  Base of data: 0000D000
  Image base: 00400000
  Section alignment: 00001000
  File alignment: 00000200
  OS version (major): 0001
  OS version (minor): 0000
  Image version (major): 0000
  Image version (minor): 0000
  Sub system version (major): 0004
  Sub system version (minor): 0000
  Win32 version: 00000000
  Size of image: 00018000
  Size of headers: 00000400
  Checksum: 00075BDB
  Sub system: 0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics: 0000
  Size of stack reserve: 00100000
  Size of stack commit: 00004000
  Size of heap reserve: 00100000
  Size of heap commit: 00001000
  Loader flags: 00000000
  Number of RVA: 00000010

PE Sections
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  CODE     0000BD9C  00001000  0000BE00  00000400  60000020
  DATA     00001800  0000D000  00001800  0000C200  C0000040
  BSS      000010B4  0000F000  00000000  0000DA00  C0000000
  .idata   00000850  00011000  00000A00  0000DA00  C0000040
  .tls     00000008  00012000  00000000  0000E400  C0000000
  .rdata   00000018  00013000  00000200  0000E400  50000040
  .reloc   000008D4  00014000  00000000  00000000  50000040
  .rsrc    00002400  00015000  00002400  0000E600  50000040

Import table (libraries: 8)
  kernel32.dll (imports: 28)
    DeleteCriticalSection LeaveCriticalSection EnterCriticalSection InitializeCriticalSection
    VirtualFree VirtualAlloc LocalFree LocalAlloc WideCharToMultiByte TlsSetValue TlsGetValue
    MultiByteToWideChar GetModuleHandleA GetLastError GetCommandLineA WriteFile SetFilePointer
    SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetSystemTime
    GetFileType ExitProcess CreateFileA CloseHandle
  user32.dll (imports: 1)
    MessageBoxA
  oleaut32.dll (imports: 5)
    VariantChangeTypeEx VariantCopyInd VariantClear SysStringLen SysAllocStringLen
  advapi32.dll (imports: 5)
    RegQueryValueExA RegOpenKeyExA RegCloseKey OpenProcessToken LookupPrivilegeValueA
  kernel32.dll (imports: 28)
    VirtualQuery VirtualProtect Sleep SetLastError SetErrorMode RemoveDirectoryA
    GetWindowsDirectoryA GetVersionExA GetUserDefaultLangID GetSystemInfo GetSystemDefaultLCID
    GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError
    GetFullPathNameA GetFileAttributesA GetExitCodeProcess GetEnvironmentVariableA
    GetCurrentProcess GetCommandLineA GetCPInfo FormatMessageA DeleteFileA CreateProcessA
    CreateDirectoryA CloseHandle
  user32.dll (imports: 14)
    TranslateMessage SetWindowLongA PeekMessageA MsgWaitForMultipleObjects MessageBoxA
    LoadStringA GetSystemMetrics ExitWindowsEx DispatchMessageA DestroyWindow CreateWindowExA
    CallWindowProcA CharPrevA CharNextA
  comctl32.dll (imports: 1)
    InitCommonControls
  advapi32.dll (imports: 1)
    AdjustTokenPrivileges

When executed, the file creates a copy of itself in the C:\TEMP folder, named fa0e2ecb3c6b02270f2d0df585740773.exe, and launches that copy as a process.

Process Info:
  Filename: c:\temp\fa0e2ecb3c6b02270f2d0df585740773.exe
  Filesize: 427936 bytes
  MD5: fa0e2ecb3c6b02270f2d0df585740773

Loaded DLLs:
  c:\temp\fa0e2ecb3c6b02270f2d0df585740773.exe
  C:\WINDOWS\System32\ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  C:\WINDOWS\system32\user32.dll
  C:\WINDOWS\system32\GDI32.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\oleaut32.dll
  C:\WINDOWS\system32\MSVCRT.DLL
  C:\WINDOWS\system32\OLE32.DLL
  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
  C:\WINDOWS\system32\SHLWAPI.dll
  C:\WINDOWS\System32\wsock32.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\WS2HELP.dll
  C:\WINDOWS\System32\Wship6.dll
  C:\WINDOWS\System32\iphlpapi.dll
  C:\WINDOWS\System32\pstorec.dll
  C:\WINDOWS\System32\ATL.DLL
  C:\WINDOWS\System32\mswsock.dll
  C:\WINDOWS\System32\DNSAPI.dll
  C:\WINDOWS\System32\winrnr.dll
  C:\WINDOWS\system32\WLDAP32.dll
  C:\WINDOWS\System32\Secur32.dll
  .\UxTheme.dll
  UxTheme.dll

File System Activities:
  Create File: c:\temp\fa0e2ecb3c6b02270f2d0df585740773.exe (OPEN_EXISTING)
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp  Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-8FSAS.tmp  Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-8FSAS.tmp\is-B6RP8.tmp  Flags: (SECURITY_ANONYMOUS)
  Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-8FSAS.tmp\is-B6RP8.tmp
  Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-8FSAS.tmp\is-B6RP8.tmp

Registry Reads:
  Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
  Control Panel\Desktop "LameButtonText"

Process Management:
  Creates Process - Filename: ()
    CommandLine: (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-8FSAS.tmp\is-B6RP8.tmp /SL4 $3E00F8 c:\temp\fa0e2ecb3c6b02270f2d0df585740773.exe 413744 68096 )
    As User: ()
    Creation Flags: ()

System Info:
  Get System Time

Enum Windows:
  Destroy Window - Class Name (Static) Window Name (InnoSetupLdrWindow)