Analysis Date: 2014-08-08 03:09:11
MD5: 6d64f040d2ac23c15330403a748be715
SHA1: 747bb4f8c2116130aaf52092e528974494ba7166

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: d57e14d80e7590f3317899151e0cbe56 sha1: e4663412a7b64f2d25b94bb174d0c895dd162bf0 size: 120832
Section .rdata md5: 5635ae1aaa1724111750932ba9c81c8b sha1: 8c8bafaa9017e4ed2c729d13bca36f40465269a8 size: 1024
Section .data md5: 923f8966e5e9898e32295040abd8809c sha1: de04e07f36aac573902a2b4818829fa2f87f6053 size: 54272
Section .apexi md5: 9925ade31034c2e6bcc5d42ace7117a9 sha1: d5baa8395d253b5abc7964ed3fd77a5bb76ff026 size: 1024
Timestamp: 2005-11-17 01:49:24
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1573
PEhash: 9761f8f0ddb66b1c3309b3d082e10411fc6768dc
IMPhash: 05f3b311a2e4cee248c2050d72d24620
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.G.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-2205
AV Dr. Web: Trojan.DownLoader2.28084
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.MIA
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.G.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Win32/Heri
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS 127.0.0.1
Winsock DNS freechatnow.com
Winsock DNS hardsystemtwo.com
Winsock DNS hardsystemone.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS freechatnow.com
Type: A
162.159.244.183
DNS freechatnow.com
Type: A
162.159.243.183
DNS hardsystemtwo.com
Type: A
DNS hardsystemone.com
Type: A
HTTP GET http://freechatnow.com/2.gif?v82=59&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0w5dEfqHUarVJ%2BQhhAAQ%3D
User-Agent: mozilla/2.0
Flows TCP 192.168.1.1:1031 ➝ 162.159.244.183:80

Raw Pcap
0x00000000 (00000)   47455420 2f322e67 69663f76 38323d35   GET /2.gif?v82=5
0x00000010 (00016)   39267471 3d674a34 574b2532 46535568   9&tq=gJ4WK%2FSUh
0x00000020 (00032)   25324654 4e68524d 7739594c 4a253242   %2FTNhRMw9YLJ%2B
0x00000030 (00048)   4d535455 69767167 34623077 35644566   MSTUivqg4b0w5dEf
0x00000040 (00064)   71485561 72564a25 32425168 68414151   qHUarVJ%2BQhhAAQ
0x00000050 (00080)   25334420 48545450 2f312e30 0d0a436f   %3D HTTP/1.0..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000070 (00112)   0a486f73 743a2066 72656563 6861746e   .Host: freechatn
0x00000080 (00128)   6f772e63 6f6d0d0a 41636365 70743a20   ow.com..Accept: 
0x00000090 (00144)   2a2f2a0d 0a557365 722d4167 656e743a   */*..User-Agent:
0x000000a0 (00160)   206d6f7a 696c6c61 2f322e30 0d0a0d0a    mozilla/2.0....
0x000000b0 (00176)                                         


Strings
j..u
!..2.2rZ.0...`.
..H..|
0.....Z
.U
yd-
._..
W..
7
..
...8+.f
...k...j.
.E
J9.^7......
.d
....n
..:M\..j..>.....t...
{......E
.
.
.
.
..
040904b0
1.0.0.3
1573
1T"P
3pCq
FileVersion
FU`s
jjjjjj
oCrT
!p"p
PrivateBuild
ProductVersion
s3@D
s3EQB
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
"WsGA
0mpb1VV
0o%Y`>
1@}0;M
1~!z&U
!2eSoO:
{4\6eU
,4a%@7
4aXh2Vc
4r8?NWx
4V!1~_
5^m-~B
5uZ \J/
678-M_"
6@Ax_@
6/I;Y-7
\(6OhDo;
6S}.~M<
 \)'7U
8<>CO`w<
.apexi
a_#XAqC
B{8v__
+B'NB{
B`xwZ1
By7~N@!
;c&"1i
Ce4l*w
CheckRemoteDebuggerPresent
CreateWindowExW
C`T%>-
d%3r:*TO8
da\Kql'-
@.data
d\O4Ip
DocumentPropertiesW
dQO1Kt
D"@	SclVS
/.d	tl\
_d	_UR\
D.YH,~
)+$e$;
E<hW.%
EndDialog
EnumResourceTypesW
e'q{\W>
F1lXC,
]FVeR&W
f?xnZMJ
Fz:5PA
G?d*XS
GetAncestor
GetFileType
GetStartupInfoA
GetWindowInfo
&g{HgF
;gU;.2
gZ\@:&*?
hA1}zN
hu) 1#y
I6gnm	Y
i7d~'4GF
(iBZx"{
i('m^c
InitializeCriticalSection
itmso&
iY1C>v
iyyk8U
[|.J(@
J	24Ts
\j*;7:
je;\_k
JHLN/&!
jnq(%x
Jux.:(
|"J%WmJk
jz-9%hX
KERNEL32.dll
Kk:{jB
K/q'O{
L}:mkt
LoadCursorW
lstrcpynW
M8ieMJP
MessageBoxW
?Mf/ L
MFQ4,V
mhN5xL
Mx_-)E
N6	F4F~
=*	-NE
NKZ[71
 ='OC'
&O@gr5
o`\G\y
O[k[*i}B
/o#M##>m0
!OQ	`r
o;WqV-
P'3XtJ
p?a4Po
Pg=V s
+*pmmF
{PnIO,
pP0xR)]q
P"ve;N
 ~]q(!"
Q~?	1t
q*bVm?
:Qg	Q8T
Qus^~9A@
q<UtM!
`.rdata
RegisterClassExW
+rvZ7#
S0p9#:
S2u{O	
>(s8F|v
-sDp-&
sv=mPo
tDX]F!
!This program cannot be run in DOS mode.
ti=XNY2
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
$tXfgC:AX
TYTOT#"
<+u<-3
USER32.dll
U;Zi	#
v89.zm
)+&v<c
vI>]LE
VnXv[-W
VWzuMJ
w1!l;P
WINSPOOL.DRV
WIy DQ
(w)'&j
WWHKY%t
\.W@y"+
*}|\X^
	x;fG/?
X.^Mt*G
XWh(	|
y;)%~!
y^7hJW
%y_LM|
zd56v7:{h
z?>tlIP-Zy;
z|vYe 
zWy_y9zu