Analysis Date: 2014-10-15 20:09:56
MD5: bda931d9b7157440d207b2488af618f3
SHA1: 9b7d9353eac54fdf5dede0f85ddcf9e51582ed2e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a02ef19426391f1f150ffea30e5c87f6 sha1: eb07d2952fd7dc97749ea0f5f5a27ba646567893 size: 145408
Section .rdata: md5: abb1d9f0f4ec83a63ceddcd46f3f11e2 sha1: 1e865a5f661b9adbfac47d0c303f298a68db1e51 size: 3584
Section .data: md5: 50f2286fd2062ad1ba7e8d5b47638250 sha1: 7d93c449055ff14d5dddf18b4397a91ae90da6d8 size: 25088
Section .crt: md5: 989730a450fbe35cf533edc29c111e58 sha1: 2a6439527822100974fa4f653b4c0ff4fcddc454 size: 512
Timestamp: 2005-10-08 13:39:34
Version: PrivateBuild: 1481
PEhash: 99f3428f7a939bcae02d986c707a83daf4ba0c7e
IMPhash: 82b53f6f395149f7e69b79d5be9890ee
AV: VirusBlokAda (vba32) ➝ Backdoor.Gbot
AV: Ikarus ➝ Backdoor.Win32.Cycbot
AV: Zillya! ➝ No Virus
AV: Grisoft (avg) ➝ Cryptic.CAM
AV: CAT (quickheal) ➝ Backdoor.Cycbot.B
AV: Kaspersky ➝ Backdoor.Win32.Gbot.qt
AV: 360 Safe ➝ No Virus
AV: BullGuard ➝ Gen:Trojan.Heur.KS.1
AV: SUPERAntiSpyware ➝ Trojan.Agent/Gen-FakeAlert[PB]
AV: Mcafee ➝ BackDoor-EXI.gen.h
AV: Frisk (f-prot) ➝ W32/Goolbot.E.gen!Eldorado
AV: Dr. Web ➝ BackDoor.Gbot.2442
AV: NANO ➝ Trojan.Win32.Gbot.bsinh
AV: Windows Defender ➝ Backdoor:Win32/Cycbot.G
AV: Rising ➝ Error Scanning File
AV: Padvish ➝ Malware.Trojan.Agent-199202
AV: K7 ➝ Backdoor ( 003210941 )
AV: Emsisoft ➝ Gen:Trojan.Heur.KS.1
AV: Arcabit (arcavir) ➝ Gen:Trojan.Heur.KS.1
AV: ClamAV ➝ Win.Trojan.Agent-264886
AV: Ad-Aware ➝ Gen:Trojan.Heur.KS.1
AV: MalwareBytes ➝ Error Scanning File
AV: Authentium ➝ W32/Goolbot.E.gen!Eldorado
AV: Twister ➝ Trojan.558BEC5681ECDC010.mg
AV: F-Secure ➝ Gen:Trojan.Heur.KS.1
AV: BitDefender ➝ Gen:Trojan.Heur.KS.1
AV: Avira (antivir) ➝ BDS/Gbot.qt.457
AV: Eset (nod32) ➝ Win32/Cycbot.AF
AV: Trend Micro ➝ BKDR_CYCBOT.SMIB
AV: CA (E-Trust Ino) ➝ Gen:Trojan.Heur.KS.1
AV: Symantec ➝ Backdoor.Cycbot!gen2
AV: Fortinet ➝ W32/FakeAV.PACK!tr
AV: Alwil (avast) ➝ Cybota [Trj]
AV: Microsoft Security Essentials ➝ Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan) ➝ Gen:Trojan.Heur.KS.1

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: smallspiderwomen.com
Winsock DNS: 127.0.0.1
Winsock DNS: zoneij.com
Winsock DNS: zonedg.com
Winsock DNS: pcdocpro.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: pcdocpro.com (Type: A) ➝ 209.59.161.20
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: smallspiderwomen.com (Type: A)
DNS: zoneij.com (Type: A)
HTTP GET: http://pcdocpro.com/images/logo-1.jpg?tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: iamx/3.11
HTTP GET: http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAi1ejbwvgS917W65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 209.59.161.20:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Strings