Analysis Date: 2014-12-14 14:46:29
MD5: aefd199832cf579fd912c662a7e2e6c7
SHA1: 3cc5042c3e68164e46e61d38f030a94139faf5e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: c52a7d0ede44aeea41ced6dd4a4b7f41 sha1: b1c7a13d19a9c29849996d6dc64940fb3a65c8d5 size: 120832
Section .rdata: md5: b1e22aa94fdec58091a7dbfc132402b4 sha1: eb88906a218ac569686ef52be7a2f02c95473324 size: 1024
Section .data: md5: e9d065cbb17671350b66414eb2c9164b sha1: 0e49dcc34778db201cde630bfcbd2ebf97440c56 size: 57344
Section .apexi: md5: f1138e33e995d987ebdfaf5e30c73553 sha1: 693c98002ab6b29a1efcb1f393ce3ee9d5888337 size: 1024
Timestamp: 2005-09-12 13:21:35
Version:
  ProductVersion: 1.0.0.3
  FileVersion: 1.0.0.3
  PrivateBuild: 1484
PEhash: 384eb201fc7b77acb22bda7bc754d9d27f08e33e
IMPhash: 7e0ec4297ccf1f3ce068f8bdc7836bc6
AV (360 Safe): Gen:Trojan.Heur.KS.1
AV (Ad-Aware): Gen:Trojan.Heur.KS.1
AV (Alwil (avast)): Cybota [Trj]
AV (Arcabit (arcavir)): Gen:Trojan.Heur.KS.1
AV (Authentium): W32/Goolbot.G.gen!Eldorado
AV (Avira (antivir)): BDS/Gbot.aida
AV (BullGuard): Gen:Trojan.Heur.KS.1
AV (CA (E-Trust Ino)): Win32/Diple.A!generic
AV (CAT (quickheal)): Backdoor.Cycbot.B
AV (ClamAV): Win.Trojan.Gbot-392
AV (Dr. Web): BackDoor.Gbot.31
AV (Emsisoft): Gen:Trojan.Heur.KS.1
AV (Eset (nod32)): Win32/Kryptik.MIA
AV (Fortinet): W32/Gbot.B!tr.bdr
AV (Frisk (f-prot)): W32/Goolbot.G.gen!Eldorado
AV (F-Secure): Gen:Trojan.Heur.KS.1
AV (Grisoft (avg)): Win32/Heri
AV (Ikarus): Backdoor.Win32.Gbot
AV (K7): Backdoor ( 003210941 )
AV (Kaspersky): Trojan.Win32.Generic
AV (MalwareBytes): Trojan.Agent
AV (Mcafee): BackDoor-EXI.gen.i
AV (Microsoft Security Essentials): Backdoor:Win32/Cycbot.G
AV (MicroWorld (escan)): Gen:Trojan.Heur.KS.1
AV (Rising): no_virus
AV (Sophos): Mal/FakeAV-IS
AV (Symantec): Backdoor.Cycbot!gen3
AV (Trend Micro): BKDR_CYCBOT.IJ
AV (VirusBlokAda (vba32)): Trojan.Jorik.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\19b9_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1360 -e 132 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 176

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1360 -e 132 -g

Network Details:

Strings
040904b0
0csr
1.0.0.3
1484
FileVersion
PrivateBuild
ProductVersion
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
.apexi
CheckRemoteDebuggerPresent
CreateWindowExW
@.data
DocumentPropertiesW
EndDialog
EnumResourceTypesW
GetAncestor
GetFileType
GetStartupInfoA
GetWindowInfo
InitializeCriticalSection
KERNEL32.dll
LoadCursorW
lstrcpynW
MessageBoxW
`.rdata
RegisterClassExW
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
USER32.dll
WINSPOOL.DRV