Analysis Date: 2015-01-17 17:52:07
MD5: 8f035cc0a57c7bff1e5f6443a730b8ff
SHA1: 7ff093e06576cb2a2cc1e366e16bdefe89d5d72c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: 5324b24813094104ce4615c44c48b1f4 sha1: 8c83140be94b6f08ac572ff6f6f8cf4ff5de24ad size: 105984
Section .rdata: md5: 08499ec0ce9a3430fad83001acff58f5 sha1: 0618f281af56c8d716bb50c0b37bc30f0d8d4831 size: 2560
Section .data: md5: 26b84301b4caed34638b45ade18eee1c sha1: 55ee1f7eff9623c4705d894c94689f87dbc79828 size: 62976
Section .idive: md5: 5d6085e767cdb6dfc53c4e22669c16b3 sha1: 07a5f48f88161d1b02ab1138d66e45aa352c2e12 size: 1024
Timestamp: 2005-11-15 11:53:54
Version:
  ProductVersion: 1.0.0.3
  FileVersion: 1.0.0.3
  PrivateBuild: 1583
PEhash: 9fe9ad129bf385a9e3b5d14efef92699c0a54cd7
IMPhash: 318aeb67985443d7bb1ab66ae0f4cf41
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: no_virus
AV Dr. Web: Trojan.Packed.21587
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.LRI
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): no_virus
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): Trojan.FakeAV.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: regonlineorder.com
Winsock DNS: 127.0.0.1
Winsock DNS: dynamicscriptinstaller.com
Winsock DNS: hardsystemtwo.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: dynamicscriptinstaller.com
  Type: A
  142.4.13.31
DNS: hardsystemtwo.com
  Type: A
DNS: regonlineorder.com
  Type: A
HTTP GET: http://dynamicscriptinstaller.com/pics/l2.jpg?v95=36&tq=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 142.4.13.31:80

Raw Pcap

Strings