Analysis Date: 2014-06-15 02:28:47
MD5: 7805149545f00d57536413839c98823a
SHA1: 7d5d7d8c1ce3f3b52126f16385f7d3d6a1ded7d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 347f3b7068e51c89edf78a14012e7efb sha1: a60c3821c2d01293a04126ecb0132e6e37dbeb09 size: 153600
Section .rdata md5: 0c95be1ee5e657643e4d987464690554 sha1: fd7ce1259b131c3164d028d98b9e6f663619dd46 size: 2560
Section .data md5: a1178a35e15c974743123cae07fde9b2 sha1: 7a732383f5cdc496a381d08f9d6803d092e58438 size: 25088
Section .lib md5: 943fd5c6c202a2fb7cba39c9e631dbf1 sha1: 3cd37243d51203c74af8e68686187bcc73740ecf size: 512
Timestamp: 2005-10-20 03:29:54
Version: PrivateBuild: 1090
PEhash: 25ec73bbe09979e5217853ff98221bd544b167fa
IMPhash: c191a1ad9e3c1611917eee0449406686
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Kazy.11333.psa
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-500186
AV Dr. Web: Trojan.DownLoader2.569
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Cycbot.AD
AV Fortinet: W32/Kryptik.EXI!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Win32/DH.FF820355{Mw}
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BH
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): Backdoor.Cycbot.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: offlineservermonitoring.com
Winsock DNS: 127.0.0.1
Winsock DNS: rossroadbags.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: rossroadbags.com
Type: A
50.56.218.189
DNS: zonetf.com
Type: A
208.73.211.182
DNS: zonetf.com
Type: A
208.73.211.177
DNS: zonetf.com
Type: A
208.73.211.164
DNS: zonetf.com
Type: A
208.73.211.249
DNS: zonetf.com
Type: A
208.73.211.236
DNS: offlineservermonitoring.com
Type: A
HTTP GET: http://rossroadbags.com/images/p_thumb/3521.jpg?tq=gHZutDyMv5rJeTTia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: opera/8.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 50.56.218.189:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.182:80

Strings

040904b0
1090
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
BitBlt
ClearCommError
CoTaskMemFree
CreateCompatibleBitmap
CreateCompatibleDC
CreateFontIndirectA
CreateRectRgn
CreateSolidBrush
CreateStdAccessibleObject
@.data
DeleteDC
DeleteMetaFile
DeleteObject
EnumFontFamiliesExA
EnumResourceNamesA
ExitProcess
FillRect
FindClose
FindFirstFileA
GDI32.dll
GetCurrentProcessId
GetDeviceCaps
GetDlgItem
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLocalTime
GetObjectA
GetStockObject
GetSysColor
GetTextExtentPoint32A
GetVersion
GetWindowInfo
GetWindowLongA
GetWindowsDirectoryA
InterlockedExchange
IsWindow
KERNEL32.dll
LoadCursorA
LresultFromObject
mciSendCommandA
MoveWindow
ole32.dll
OLEACC.dll
ProgIDFromCLSID
`.rdata
Rectangle
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseCapture
ReleaseDC
RestoreDC
SaveDC
SelectObject
SetBkMode
SetCapture
SetCursor
SetTapeParameters
SetTextColor
SetWindowLongA
SetWindowPos
SHELL32.dll
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
sndPlaySoundA
StringFromCLSID
TextOutA
!This program cannot be run in DOS mode.
USER32.dll
VerQueryValueA
VERSION.dll
WINMM.dll