Analysis Date: 2014-07-08 04:10:08
MD5: dfea83d8eec26837632cfa5c03863534
SHA1: 990486242351aeb70383a512ec8f54f63ce436fc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: 865410cb5fa0e9c8629f5c61fe3440b4 sha1: fe6aba96b46fbc698a3112349d87ac512ebce1bd size: 188928
Section .rdata: md5: 8dca7e54f5db9c980b5ec199379ae02e sha1: dec96e9936a80fce6a4e2634087b4c275b280c47 size: 2048
Section .data: md5: 7d64920d674e8a5265e2ed11ca3d3a05 sha1: 0e5a4742909d2c4bd73e0d8df155d8bbe7e60374 size: 14336
Section .tls: md5: c2afeb5cc457ed5384f42a52e84a715f sha1: 165851c13404acf5e8c31696cb35aa1c622e2075 size: 512
Timestamp: 2005-09-09 21:04:55
Version: PrivateBuild: 1110
PEhash: 467f17dc4ed23c70b84f418a9d744cfd72459ba5
IMPhash: 6c084dc7126bc490f2b8fa14d7097304
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Kazy.13260.psa
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-42173
AV Dr. Web: Trojan.DownLoader2.13720
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KXW
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CFW
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Trojan.FakeAV.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zonewl.com
Winsock DNS: 127.0.0.1
Winsock DNS: smallautosite.com
Winsock DNS: crazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: crazyleafdesign.com Type: A 173.249.152.55
DNS: zonetf.com Type: A 208.73.211.250
DNS: zonetf.com Type: A 208.73.210.210
DNS: zonetf.com Type: A 208.73.211.179
DNS: zonetf.com Type: A 208.73.211.237
DNS: zonetf.com Type: A 208.73.211.240
DNS: zonetf.com Type: A 208.73.211.250
DNS: zonetf.com Type: A 208.73.210.210
DNS: zonetf.com Type: A 208.73.211.179
DNS: zonetf.com Type: A 208.73.211.237
DNS: zonetf.com Type: A 208.73.211.240
DNS: zonewl.com Type: A (no answer recorded)
DNS: smallautosite.com Type: A (no answer recorded)
HTTP GET: http://crazyleafdesign.com/blog/images/share/tumbl.jpg?v48=68&tq=gHZutDyMv5rJeCG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJlX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxL5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 173.249.152.55:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.250:80

Strings
..Bw.
..x.
..@4....}>.q......K
R..m
)...
....%..h..H..C.5...@]..;....>2...
.uEX..
.Fh......O_n.x)..
.+Y.....1.V........s......SO&...P...
2?6!.
.
.s..I...t..gCL..y]N.....1......3
..URJ....c4..(.T@
.
.G..
040904b0
1110
GFgB
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
	4[[K,
5UALW:W
6bJg9o
6L{T	G
~|8e*e. 
8Wjk>uO5
AlphaBlend
aPJ|fze!
\C~}:5
ckdFi2	v
CloseHandle
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
cOcaHf,
CreateFiberEx
CreateSemaphoreW
@.data
DeleteFileW
DestroyWindow
DOl \yM
eG_9y>)
EnumResourceNamesA
FlushFileBuffers
FoldStringW
FreeLibrary
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleW
GetParent
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetWindowPlacement
gt@VA}G
h:M4	@
i4l)9`
?i{Mji
Im>t:? 
InterlockedCompareExchange
InterlockedExchange
IsDebuggerPresent
IsIconic
IsWindow
IsZoomed
JRichu
k;5).%
kaaiJV
KERNEL32.dll
kY}1$e
k:YMXd
{l.2x3
)lM(Lz4hB
LoadIconW
LoadImageW
LoadLibraryA
LoadLibraryW
LocalAlloc
lo(t+\
L,WHY;Ig
MapVirtualKeyW
m_}nq"
MSIMG32.dll
n=4KCw
("nW[b
=(,o-F
ojmf(cQ
=Pn>IZ
px'V(yjjN
q#\{IMGTE
qm`Y7(
QueryPerformanceCounter
RaiseException
`.rdata
RealGetWindowClass
ReleaseSemaphore
r-v9Jy
<_/)R"x
SetForegroundWindow
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SetWindowPlacement
SetWindowPos
ShowWindow
S$z3Wp
TeD?rz
TerminateProcess
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
?TZIk"
,u`8K 
:UkThl
UnhandledExceptionFilter
UpdateWindow
USER32.dll
V \#ir
VirtualProtect
VY*<\l
WaitForSingleObject
=xHj.9Q
Y-[6=H
~yJhmLt
~yl,Xj.
>YMK	m
z(Qi	G