Analysis Date: 2015-01-17 13:28:20
MD5: 7619968635ca7f97a5f0a3479d62ad7e
SHA1: 9d662bbbf683fb3a8ed0c0e06d25391eaf887e3b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 58f007a3df6aa9ed70479ce73dc38277 sha1: 7bf67a104e99715219fb78dde42811d48bdd4279 size: 106496
Section .rdata md5: 18e807de1ac21ecafe063e68274b8722 sha1: 8faf98da5b2179822d255b39844bc638f0f48080 size: 1024
Section .data  md5: ebe489aed67185f012e7caab5db220a4 sha1: 98d06d93509d6a7d886236cbe13d78344e838d4f size: 22016
Section .rsrc  md5: 33ccc9e14c4d97ac865276a060e676c6 sha1: 81a4109ba7ed097d7e5896169ec2bacf77cf8c28 size: 1024
Timestamp: 2005-11-12 08:43:38
Version: PrivateBuild: 1102
PEhash: e8e44f4c184d95f1211060eee3f828e6111b7754
IMPhash: ee616c913ed0af27d823a3b593e2ed54
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: BackDoor.Gbot.2403
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: freeonlinedatingtips.net
Winsock DNS: zonejm.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
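
The runtime lines above show three host-side behaviours worth turning into a check: the sample writes an autostart value (HKCU\...\Windows NT\CurrentVersion\Windows\Load) that points at a copy of itself in the user's Temp directory, it drops and launches binaries named after legitimate Windows system processes (csrss.exe, dwm.exe, conhost.exe) from user-writable paths rather than System32, and it flips ProxyEnable to 1. The script below is an added example, not part of the report or of any sandbox's code: it runs those three heuristics over telemetry in the same shape as the lines above. The event list is constructed from the report's own values plus one benign System32\conhost.exe control; the process-name set and the Run/RunOnce keys beyond the Load value are my additions for completeness.

```python
from pathlib import PureWindowsPath

# Legitimate Windows process names that malware borrows; the real binaries
# live under %SystemRoot%\System32 (or SysWOW64 on 64-bit hosts).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "dwm.exe", "conhost.exe", "lsass.exe",
                        "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Registry values that start a binary at logon. The "Load" value is the one
# the report shows; Run/RunOnce are added here as an assumption for coverage.
AUTOSTART_VALUES = (
    r"\software\microsoft\windows nt\currentversion\windows\load",
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed telemetry: (event kind, target, value). Values are taken from the
# report above; the last entry is a benign control that must not be flagged.
SAMPLE_EVENTS = [
    ("Registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    ("Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    ("Creates File", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe", None),
    ("Creates Process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe", None),
    ("Creates Process", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe", None),
    ("Creates Process", r"C:\Windows\System32\conhost.exe", None),
]


def is_under_system_dir(path):
    """True when the path sits below a directory a standard user cannot write to."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def masquerading_process(path):
    """A system-process file name outside the system directories."""
    name = PureWindowsPath(path).name.lower()
    return name in SYSTEM_PROCESS_NAMES and not is_under_system_dir(path)


def autostart_persistence(key, value):
    """An autostart value pointing at an executable outside the system directories.
    Heuristic: the value is treated as a bare path; arguments would need parsing."""
    k = key.lower()
    if not any(v in k for v in AUTOSTART_VALUES):
        return False
    return bool(value) and value.lower().endswith(".exe") and not is_under_system_dir(value)


def proxy_enabled(key, value):
    """ProxyEnable switched on; the report pairs this with a lookup of 127.0.0.1."""
    return key.lower().endswith(r"\internet settings\proxyenable") and value == "1"


def analyse(events):
    """Return (finding kind, detail) pairs in event order."""
    findings = []
    for kind, target, value in events:
        if kind == "Registry" and autostart_persistence(target, value):
            findings.append(("persistence", target + " -> " + value))
        elif kind == "Registry" and proxy_enabled(target, value):
            findings.append(("proxy", target))
        elif kind in ("Creates Process", "Creates File") and masquerading_process(target):
            findings.append(("masquerade", target))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EVENTS):
        print(kind.ljust(12), detail)
```

Run against the constructed events this reports one proxy change, one persistence entry and three masqueraded binaries, and stays silent on the System32 control. The same heuristics apply to live hosts by feeding them registry and process-creation events from whatever telemetry source is in use; the path and key comparisons are case-insensitive because Windows is.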

Network Details:

DNS: freeonlinedatingtips.net Type: A ➝ 204.197.252.70
DNS: www.google.com Type: A ➝ 173.194.37.83
DNS: www.google.com Type: A ➝ 173.194.37.84
DNS: www.google.com Type: A ➝ 173.194.37.80
DNS: www.google.com Type: A ➝ 173.194.37.81
DNS: www.google.com Type: A ➝ 173.194.37.82
DNS: motherboardstest.com Type: A ➝ 204.11.56.45
DNS: zonejm.com Type: A ➝ 23.239.15.54
DNS: zoneck.com Type: A ➝ 208.79.234.132
DNS: dolbyaudiodevice.com Type: A
DNS: xibudific.cn Type: A
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://freeonlinedatingtips.net/images/dating1.jpg?tq=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNQK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1033 ➝ 173.194.37.83:80
Flows TCP: 192.168.1.1:1034 ➝ 204.197.252.70:80
Flows TCP: 192.168.1.1:1035 ➝ 173.194.37.83:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1037 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1038 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1039 ➝ 208.79.234.132:80
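
Two things in the HTTP section are more durable than the domain names: every beacon carries the User-Agent gbot/2.3, and every beacon is a GET for /images/<name>.jpg with a single base64-looking tq parameter. The same tq value is sent to motherboardstest.com and then to zonejm.com, which is what fallback across a list of C2 hosts looks like in a proxy log. The two GETs to www.google.com carry an empty User-Agent and no query, and should not be flagged on their own. The script below is an added example, not part of the report: it runs both checks over constructed request records built from the URLs above (plus two example.com controls that are my invention) and then groups flagged requests by tq payload to surface the multi-host fallback. The 16-character minimum on the blob and the strict gbot/<version> pattern are my choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed request records in the report's "HTTP GET <url> / User-Agent: <ua>" shape.
# URLs are copied from the Network Details above; the last two are benign controls.
SAMPLE_REQUESTS = [
    ("http://www.google.com/", ""),
    ("http://freeonlinedatingtips.net/images/dating1.jpg?tq=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3D", "gbot/2.3"),
    ("http://www.google.com/", ""),
    ("http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D", "gbot/2.3"),
    ("http://zonejm.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D", "gbot/2.3"),
    ("http://zonejm.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNQK%2B%2FbxUqRSfkIYUhF", "gbot/2.3"),
    ("http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917V65rJqlLfgPiWW1cg", "gbot/2.3"),
    ("http://example.com/images/logo.jpg", "Mozilla/5.0"),          # benign control
    ("http://example.com/images/photo.jpg?size=large", "Mozilla/5.0"),  # benign control
]

GBOT_UA = re.compile(r"^gbot/\d+(\.\d+)*$", re.I)
# Base64 alphabet, at least 16 characters, optional padding; not decoded, since
# the blob's encoding beyond the alphabet is not something the report establishes.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IMAGE_BEACON = re.compile(r"^/images/[^/]+\.jpg$", re.I)


def tq_payload(url):
    """The raw tq query value (percent-decoded by parse_qs), or None."""
    return parse_qs(urlparse(url).query).get("tq", [None])[0]


def classify(url, user_agent):
    """Reasons a request matches the beacon pattern; empty list means clean."""
    reasons = []
    if GBOT_UA.match(user_agent):
        reasons.append("user-agent gbot/*")
    path = urlparse(url).path
    tq = tq_payload(url)
    if IMAGE_BEACON.match(path) and tq and B64_BLOB.match(tq):
        reasons.append("/images/*.jpg?tq=<base64 blob>")
    return reasons


def flagged_hosts(requests):
    """Sorted unique hostnames with at least one matching request."""
    return sorted({urlparse(u).hostname for u, ua in requests if classify(u, ua)})


def shared_payloads(requests):
    """tq payloads that were sent to more than one host (C2 fallback behaviour)."""
    hosts_by_payload = defaultdict(set)
    for url, ua in requests:
        if classify(url, ua):
            hosts_by_payload[tq_payload(url)].add(urlparse(url).hostname)
    return {tq: sorted(hosts) for tq, hosts in hosts_by_payload.items() if len(hosts) > 1}


if __name__ == "__main__":
    for url, ua in SAMPLE_REQUESTS:
        print(classify(url, ua) or "clean", url)
    for tq, hosts in shared_payloads(SAMPLE_REQUESTS).items():
        print("same payload to", hosts, ":", tq[:24] + "...")
```

On the constructed records the four gbot/2.3 requests match on both the User-Agent and the URL shape, the google.com and example.com requests match on neither, and the im134.jpg payload is reported as shared between motherboardstest.com and zonejm.com. The URL-shape check exists so that the detection survives a User-Agent change; the User-Agent check exists so that a future path change still trips on the string the sample actually sends.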

Raw Pcap

Strings
?
040904b0
1102
B&reak
C&ompile
&Data
MS Sans Serif
PrivateBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
~=08BK*o
1qb;_-#y
4FX'Xq
4kkK++
4:%X8c
4ZfX$X
5}3>A{
5c(_J>>
[^5^DX
_5LfX,r
6\v9>EX
]7Hj\c
8(}^9vB
8"N"8L
9|eX\t
9N%XFX
:,AB[m.fb
BW}F&0
B]XBWv
cccY8Hl
CloseHandle
c+n2_I
,cNud"
CreateEventA
CreateSemaphoreA
CreateStdAccessibleObject
CreateThread
cTYvFX
cYjT>x
=czBY~
@.data
d/bF*?P>
!]DCz\/
DeleteCriticalSection
?~Df&1Q	
'dty]|b
DX	8/kU
DXX<:2
DX'XV$X
EnterCriticalSection
EnumResourceNamesA
<eX8&X
ExitProcess
-{eX_q
(eXvfX
-EX*--&X
/EX'XFX
FindClose
FindFirstFileW
FreeEnvironmentStringsA
fX=GXi!
fXJW>r
.fX{UWp
FXx\[t
g5vF>3\r
G?6a%,
GetDriveTypeW
GetLastError
GetLocalTime
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadPriority
Gr4%)7lI
;gXdX9
GXfX$X
GX{FX$Xk
gXGX(q
GXgX	$XgX
gXhRh[
~gXI}>
G-}xIwr
gXl{7fX
GXMdX{
GX|.UC
hhLocah
Hl|ky>dXb
hLoadh
?)Ht:%Xq
H,*|&X\FX4
IBJo?i 
i|EX}[
IeXDX>HdX
i|eXX3
~(Ii/y
InitializeCriticalSection
J	fX9#
jJqY/UR
\=K7dX
KERNEL32.dll
KEXKu9
.k~F&@
kFXEX}
KGX)5K
kgX&XgX
kn'Xt*
KZloirs
]Kzwbo
LeaveCriticalSection
lM.5_x
LoadLibraryA
LresultFromObject
L$XJ^M
meXJ%X
mEXY&X
:m)#hs
mN}4TC
	mN[_NN
mWFX]K
nT_h8L@
NU'XDX<;
nwDX5+
n%XxeX
*N%X'Xw
nziN0D~55
O9FX,Z
OLEACC.dll
_ox	.Z
^P<uWX
`.rdata
ReadFile
ReleaseSemaphore
 rg0Hj
SetEndOfFile
SetEvent
SetFilePointer
sXwU"(
T86xjldX
tdXZvL
TFh1U@
!This program cannot be run in DOS mode.
tHLT`#
u/Ov-sO
U_p1dh
U.(%XQ
Vin}.	
V[nM,eX
V>[^%X
V%Xh/w
WaitForMultipleObjects
WaitForSingleObject
W|~?eXp
wfXdX%X
WriteFile
WR^KT*!
W`?/uq
w	:'X4
W&X4DX
|wZIhjfH]1
X4:FX|GXX
X4t8T2
X4'XdX
X5~8/TQ
X5%Xy=
_'X>7k
X9_%XJ
XdX6?[Y
'XdXeX
X/dXeX
XdXfXQ
X-dXuo[
&XdXvY
^|&XEX3
XEXigXz{
XeXWGX
XFX\[,
XFX4FX
XfX7T;
x.fX:.A
X_fXdXio*
XfXeXv
XfXgXEX
XFX|_n
&XFXoJgXC
X-FX%X
XfXY'X
X}gX\0
XGX6&X\>}
XGX8Mt
'XGX	b
XgXDX?
X~gXGX"
X}HEXFX'XzP
%XhhlFre
XhhLoca
%Xhhoc
XhPhfe@
XIij-h/|0
XiK,)a
$Xi$Xl
XJ7EXM
X[-JFX
XJFXU3
X](JJU
XK6i	zq
XK;FXDXt(hR
X<k&X!
Xk&Xkx
XlzW2r-
XmX)eX
XNDXeXS
XNHfX1
XoeX,.\
X(\ogX
$XOOdX
XoteX	9V
x^-{ty
&X+V)@
Xv:;'X
Xv&X){
X]W-GX2
XWk.wW
%XxDX^!
X$XdX 
X'XeX}
X'XEX`
X'XEXV2
X'XfXb
X%X*GX
X%XGX	a
X$XIdXt
X%X[LfX
Xx/n&X
Xx%X9'X
&X=yeX
Xz<I<Hn
.ya<3s
*^Y~-EX
Ym=DX<
"Y_u.n
YY8CHcB
^z7jHc
)Z7o_Qo
)ZI,$X
ZKfX$X
[ZudX0