Analysis Date: 2013-12-30 02:23:37
MD5: d592db884e6265e277ba28aa67dcf69f
SHA1: 1d80dcd54ca5cae900855b6d8a52468126d8790a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6e1d2114cab7806178e91df62e8d0dcb sha1: 56f05a1be5d928efaf16ecf962dc25c77e3699fa size: 138752
Section .rdata md5: 38657ff11331aea342f4c6cbbeea8425 sha1: a1de070fa103d36ddc94f273744f26a29d375fc8 size: 2048
Section .data md5: 1f37b9b3b7733cb3d105fb75b2437bfc sha1: e4761689b59438d8c5d1cc8882836e85f7df5e8b size: 25600
Section .crt md5: 1e187fbd40abe9209128a231b94efe60 sha1: d64bd6a1a1159718d091156fea65819f5a5aa382 size: 512
Timestamp: 2005-11-06 01:49:30
Version PrivateBuild: 1508
PEhash: 5a7f41bb21216b68dcdf2167fecebc1542e1c3c2
AV avg: Cryptic.CCK
AV mcafee: BackDoor-EXI.gen.h
AV clamav: Win.Trojan.Agent-65263

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: onloneservermonitoring.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonere.com
Winsock DNS: registryeasy.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: registryeasy.com, Type: A, 98.126.6.195
DNS: zonere.com, Type: A, 198.89.98.162
DNS: zonetf.com, Type: A, 208.73.211.249
DNS: onloneservermonitoring.com, Type: A
Flows TCP: 192.168.1.1:1032 ➝ 98.126.6.195:80
Flows TCP: 192.168.1.1:1033 ➝ 198.89.98.162:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.249:80

Strings
040904b0
1508
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
#2cUm3
$2?Mw|
4TV^{,
4_W?Wz
$6h/0@
7?8]Ux
(7I?(&
8j7OUp
9.ZD4G
A]D_L&
ADVAPI32.dll
A`gV-2%
B2k5[)
['#bpF`a
BV:w5q
c5'dLR
CloseHandle
CreateFileA
@.data
DeleteCriticalSection
d_S};:
[E^"h!,
ekZwz5
EnterCriticalSection
EnumResourceNamesA
EnumSystemLocalesA
eUp7C0
ExitProcess
}}FnF5x}>s8
FoO9w1k;
f`VxH:N4
Fy.ryQ
'g5?0l
GetClassLongA
GetCommandLineA
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentThreadId
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetThreadPriority
GetUserDefaultLCID
GetVersionExA
GlobalAlloc
<h6h	=@
-\h^92
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
hhlAll
hhlFre
hmpvD.Q
hW6h >@
\/>)I|
I!8\It
i =juC
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
*,-iO	
IsDebuggerPresent
IsValidCodePage
IsValidLocale
j*2/U\R
JI6^jS
k0[?`E?	
KERNEL32.dll
LCMapStringA
LCMapStringW
LeaveCriticalSection
lP*tBY
"#^lV 
[l}zSk
M2vI[U
M(6h^v@
MessageBoxW
M_~h7,
MNG5X{3
MultiByteToWideChar
>>mVOgS
m	z.ade
N<6hv`@
O\46+V7!
)OAW6X`
oH";<Z
"&^pI-J+bH
PurgeComm
q,F|q1
~q|n7W
RaiseException
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RPCRT4.dll
R[QnwD
RtlUnwind
sB&w$8
SetEndOfFile
SetStdHandle
SetUnhandledExceptionFilter
SHCreateDirectoryExW
SHELL32.dll
SHFileOperationW
SHGetFolderPathW
[t(/Ai
TerminateProcess
!This program cannot be run in DOS mode.
tLKYk>
^TX2@)
t**z5a
%U-4n^
U]%`F3f
UnhandledExceptionFilter
USER32.dll
UuidCreate
V6hp}@
&**:VE
vnM)x{z
~V~=?T
w8:-6]<v
WecOA 
;;<-wH
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
Ws]IO[s
*X!** 
Yy2o?<
{z4wTG
Z$ 57r
Z?<ly)u