Analysis Date: 2014-07-03 17:50:05
MD5: 5d2a5ff2c862afaa9814b2d8a2630055
SHA1: 0fc9aff52138bfe2496af5294e4622ecfef83fc7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: deab66079ee72470b9e3f28df5b122e5 sha1: 66c172486b49c0c7a702fed6d94958ce615b2fcd size: 168448
Section .rdata md5: 077f0936ec1cdb91e56866fbbc90595d sha1: 984fe9a00682ed2c8a60f984ee604a3f9054b8f1 size: 2048
Section .data md5: a9a64bb2366af93a9581164dd27b0cc1 sha1: 02d0999119b6163a446e3d7412119ae3a9d9c308 size: 23552
Section .tls md5: c8de4abac9bb9204f040a3c0f493e31e sha1: 6d96bcfc463eb1590b438d0c5bca5b0317069095 size: 512
Timestamp: 2005-10-01 08:38:42
Version: PrivateBuild: 1532
PEhash: 2b9cf31ba9b2ea17e00d3e238e505bc4b894e3d2
IMPhash: 36e2a3d7f029f10bcd0c16d8b1901082
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): BDS/Cycbot.E.1.B
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-64793
AV Dr. Web: BackDoor.Gbot.20
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KVW
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Generic_r.FO
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zonewl.com
Winsock DNS: 127.0.0.1
Winsock DNS: web20ikastaroa.wikispaces.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: wikispaces.com
Type: A
208.43.192.33
DNS: wikispaces.com
Type: A
75.126.104.177
DNS: web20ikastaroa.wikispaces.com
Type: A
DNS: zonewl.com
Type: A
HTTP GET: http://web20ikastaroa.wikispaces.com/file/view/Observa2.jpg/45498543/Observa2.jpg?v22=12&tq=gKZEtzy8R0X3wr5ADiDZZ8aczJjxmZ%2BEAOQ3u1GUdXWFgKIHSN2c8VQA5hifXUaFBEFWbPZ%2Fuu4sFMz8XYNxmYCtmBIaiFVocth8zntmKhEUnXBGZpRCew6JDSdJNU4UYwuR%2BoLy6ZDmOT6PioK2tDA9Y7nWhoKz%2B20%2BE36JG%2B7IBpn%2B4%2B%2B1b6aytlwomqTsWm6pM%2FCV232jKAP7kT3nw8SPK4%2FnkBbnopI7fms8St8gvC6ttO80zyw73bd7jWrM8mmdFU%2FohHTl5Uw%2BdXWEuD6g72RMqRKDaGd1GyDAsuFcvg6V7YL%2FnY6lfyjCCZB0JxztqoBs7JarbOfaO2mNnY3yr3bFzWXHSOzs4d%2FUWBY8DGo2fcsW2s6vnsC9FxUk9FiZ56IgF%2BJ2wvcP2wnDb8K
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 208.43.192.33:80

Raw Pcap
0x00000000 (00000)   47455420 2f66696c 652f7669 65772f4f   GET /file/view/O
0x00000010 (00016)   62736572 7661322e 6a70672f 34353439   bserva2.jpg/4549
0x00000020 (00032)   38353433 2f4f6273 65727661 322e6a70   8543/Observa2.jp
0x00000030 (00048)   673f7632 323d3132 2674713d 674b5a45   g?v22=12&tq=gKZE
0x00000040 (00064)   747a7938 52305833 77723541 4469445a   tzy8R0X3wr5ADiDZ
0x00000050 (00080)   5a386163 7a4a6a78 6d5a2532 4245414f   Z8aczJjxmZ%2BEAO
0x00000060 (00096)   51337531 47556458 5746674b 4948534e   Q3u1GUdXWFgKIHSN
0x00000070 (00112)   32633856 51413568 69665855 61464245   2c8VQA5hifXUaFBE
0x00000080 (00128)   46576250 5a253246 75753473 464d7a38   FWbPZ%2Fuu4sFMz8
0x00000090 (00144)   58594e78 6d594374 6d424961 6946566f   XYNxmYCtmBIaiFVo
0x000000a0 (00160)   63746838 7a6e746d 4b684555 6e584247   cth8zntmKhEUnXBG
0x000000b0 (00176)   5a705243 6577364a 4453644a 4e553455   ZpRCew6JDSdJNU4U
0x000000c0 (00192)   59777552 2532426f 4c79365a 446d4f54   YwuR%2BoLy6ZDmOT
0x000000d0 (00208)   3650696f 4b327444 41395937 6e57686f   6PioK2tDA9Y7nWho
0x000000e0 (00224)   4b7a2532 42323025 32424533 364a4725   Kz%2B20%2BE36JG%
0x000000f0 (00240)   32423749 42706e25 32423425 32422532   2B7IBpn%2B4%2B%2
0x00000100 (00256)   42316236 6179746c 776f6d71 5473576d   B1b6aytlwomqTsWm
0x00000110 (00272)   36704d25 32464356 3233326a 4b415037   6pM%2FCV232jKAP7
0x00000120 (00288)   6b54336e 77385350 4b342532 466e6b42   kT3nw8SPK4%2FnkB
0x00000130 (00304)   626e6f70 4937666d 73385374 38677643   bnopI7fms8St8gvC
0x00000140 (00320)   3674744f 38307a79 77373362 64376a57   6ttO80zyw73bd7jW
0x00000150 (00336)   724d386d 6d644655 2532466f 6848546c   rM8mmdFU%2FohHTl
0x00000160 (00352)   35557725 32426458 57457544 36673732   5Uw%2BdXWEuD6g72
0x00000170 (00368)   524d7152 4b446147 64314779 44417375   RMqRKDaGd1GyDAsu
0x00000180 (00384)   46637667 36563759 4c253246 6e59366c   Fcvg6V7YL%2FnY6l
0x00000190 (00400)   66796a43 435a4230 4a787a74 716f4273   fyjCCZB0JxztqoBs
0x000001a0 (00416)   374a6172 624f6661 4f326d4e 6e593379   7JarbOfaO2mNnY3y
0x000001b0 (00432)   72336246 7a575848 534f7a73 34642532   r3bFzWXHSOzs4d%2
0x000001c0 (00448)   46555742 59384447 6f326663 73573273   FUWBY8DGo2fcsW2s
0x000001d0 (00464)   36766e73 43394678 556b3946 695a3536   6vnsC9FxUk9FiZ56
0x000001e0 (00480)   49674625 32424a32 77766350 32776e44   IgF%2BJ2wvcP2wnD
0x000001f0 (00496)   62384b20 48545450 2f312e30 0d0a436f   b8K HTTP/1.0..Co
0x00000200 (00512)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000210 (00528)   0a486f73 743a2077 65623230 696b6173   .Host: web20ikas
0x00000220 (00544)   7461726f 612e7769 6b697370 61636573   taroa.wikispaces
0x00000230 (00560)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x00000240 (00576)   2a0d0a55 7365722d 4167656e 743a206d   *..User-Agent: m
0x00000250 (00592)   6f7a696c 6c612f32 2e300d0a 0d0a       ozilla/2.0....


Strings