Analysis Date: 2015-01-27 09:27:12
MD5: 192ee11d158e53c7db60772cee12e22c
SHA1: 0edad6ddeb227c5b26f070212022df45c468bf07

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 089c90315bc0626596179049c9104111 sha1: dc760a67c708dc24b882cebe41f73cda35b7eb74 size: 96768
Section .rdata: md5: 576355e38b5991dbb31831647d30a5ad sha1: 9ad716c3d6cca5ce61b40536e324e3895c6ab6be size: 1536
Section .data: md5: 8e9625b9ed99a35c8d48a69895d047bf sha1: 05f5e4e6d0f12db8d2345ce8a8b7eba64ae68cc2 size: 84992
Section .reloc: md5: 26eadc4ba3531533ad9ea9737a119811 sha1: 031e34c070b49dfedddcf660901259e2cb3f7f7e size: 1024
Timestamp: 2005-10-13 22:38:45
PEhash: 41d27f49fb220599f72a12e3600299dd2af5123a
IMPhash: fc91eda9d05350b362f21473687ddc13
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.5
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen8
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Gbot.71
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TOL
AV Fortinet: W32/FakeAV.ISS!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Agent
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.s
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.Cycbot.1213

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: worldmotoblo.com
Winsock DNS: 127.0.0.1
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: onlineinstitute.com (Type: A) ➝ 67.227.195.200
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: worldmotoblo.com (Type: A) ➝ no answer recorded
HTTP GET: http://onlineinstitute.com/g7/images/logo3.jpg?v9=66&tq=gJ4WK%2FSUh7zEhRMw9YLJsMSTUivqg4a8xZNTK%2B%2FbxWq1SfkIYUhF
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap


Strings