Analysis Date: 2014-10-13 23:08:16
MD5: 61a924eeab59734f5598b93fbf66a4c8
SHA1: 86a2df5670017be3b96e3c57fd8119560d6d9586

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 42102a9fd7a29cc5d97a8ca95b75b9ab sha1: cadb24289ce38b131e3c75d62b9dc2e11cc8d3f3 size: 93696
Section .rdata: md5: 918245dc6e5cfa122988bda1710bfe59 sha1: 557f2491cb15719dc1b31b5ceed64a9753abe125 size: 7168
Section .data: md5: f822c3f9db6800c83b9adea2eb6081c5 sha1: e7974371729dbab63978767e7bf55f2a620c32c8 size: 37888
Section .rscr: md5: ca0a867c21c37cff3f6e0b9266e22efe sha1: e3ad34d7f4421d0564da50012ca28893a40b9e01 size: 512
Timestamp: 2005-09-23 07:00:42
Version: PrivateBuild: 1129
PEhash: 1db3ee67bb54598f8bcb32f1b0d62fa04f1c1d66
IMPhash: 31829d8554a753dab25a7deef3f1bbc9
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-164090
AV Dr. Web: Trojan.DownLoader1.54090
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.JJB
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Agent.5.BR
AV Ikarus: Trojan-Downloader.Win32.FraudLoad
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: win32/Cycbot.BH
AV Rising: no_virus
AV Sophos: Troj/Agent-PXS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV Yara APT: no_virus
AV Zillya!: Downloader.FraudLoad.Win32.24249

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: freemonitoringservers.com
Winsock DNS: sharewareconnection.com
Winsock DNS: hothintspotonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: sharewareconnection.com
Type: A
216.240.159.81
DNS: xibudific.cn
Type: A
DNS: freemonitoringservers.com
Type: A
DNS: hothintspotonline.com
Type: A
HTTP GET: http://sharewareconnection.com/images/ubar_1.jpg?tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUwZtEfqHXarVJ%2BQhhYGg%3D
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1031 ➝ 216.240.159.81:80

Raw Pcap


Strings

040904b0
1129
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
AccessCheck
AddAccessAllowedAce
AddAccessDeniedAce
AddAce
AdjustTokenPrivileges
ADVAPI32.dll
AllocateAndInitializeSid
ChangeServiceConfigA
CharNextA
CharUpperA
ClearCommError
CloseHandle
CloseServiceHandle
CLSIDFromString
CoCreateGuid
CoCreateInstance
CoDisconnectObject
CoGetCallContext
CoGetClassObject
CoImpersonateClient
CoInitializeEx
CoInitializeSecurity
CompareStringA
CompareStringW
ControlService
CopySid
CoQueryProxyBlanket
CoRegisterClassObject
CoRevertToSelf
CoRevokeClassObject
CoSetProxyBlanket
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
CreateProcessA
CreateProcessW
CreateServiceA
CreateThread
@.data
DeleteCriticalSection
DeleteService
DeregisterEventSource
DispatchMessageA
DuplicateHandle
DuplicateToken
DuplicateTokenEx
EnterCriticalSection
EnumResourceNamesW
EnumWindows
EqualSid
ExitProcess
FindClose
FindFirstFileA
FindResourceA
FindResourceExA
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeSid
GetAce
GetAclInformation
GetACP
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeProcess
GetFileAttributesA
GetFileType
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetLengthSid
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetPrivateProfileIntA
GetPrivateProfileSectionA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProcessTimes
GetProfileStringA
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetSidLengthRequired
GetSidSubAuthority
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
GetTokenInformation
GetUserNameA
GetVersion
GetVersionExA
GetWindowTextA
GetWindowThreadProcessId
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
InitializeSid
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
IsValidSecurityDescriptor
IsValidSid
IsWindowVisible
KERNEL32.dll
KillTimer
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadLibraryW
LoadResource
LoadStringA
LocalAlloc
LocalFree
LocalSize
LockResource
LookupAccountNameA
LookupAccountSidA
LookupAccountSidW
LookupPrivilegeValueA
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
MakeAbsoluteSD
MakeSelfRelativeSD
MapViewOfFile
MessageBoxA
MultiByteToWideChar
NdrClientCall
ole32.dll
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OpenThreadToken
PathFindExtensionA
PeekMessageA
PostThreadMessageA
PrivilegeCheck
QueryPerformanceCounter
QueryServiceStatus
RaiseException
`.rdata
ReadFile
ReadProcessMemory
RegCloseKey
RegConnectRegistryA
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumKeyExA
RegEnumValueA
RegisterEventSourceA
RegisterServiceCtrlHandlerA
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryValueExA
RegQueryValueExW
RegSetKeySecurity
RegSetValueExA
ReleaseMutex
ReportEventA
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
RtlUnwind
SetEndOfFile
SetEnvironmentVariableA
SetErrorMode
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorSacl
SetServiceStatus
SetStdHandle
SetThreadToken
SetTimer
SetUnhandledExceptionFilter
SHLWAPI.dll
SizeofResource
StartServiceCtrlDispatcherA
StringFromCLSID
StringFromGUID2
StringFromIID
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
UnmapViewOfFile
USER32.dll
VerQueryValueA
VERSION.dll
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFile
WritePrivateProfileStringA
WriteProfileStringA
wsprintfA
wsprintfW