Analysis Date: 2014-06-15 09:22:06
MD5: a83e3c1b70e32979609760218c884a2c
SHA1: b774f144502e4203aa80e68feb42f979f1acba9b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 792a0e898b1917c5e98eb35fae5eef2f sha1: 92fe861ab832887339ba93b5252ecb3f2be4fe86 size: 162304
Section .rdata md5: 038a5881c4b8cdb54ee16f5e2b529ed7 sha1: 660af03590ba7ba209ac4a5324d452ef9a97a4bf size: 2048
Section .data md5: db4ae1b4090ae806ff138c5e728e2967 sha1: f019b7302c2a85585b49bb47fc39655cb985b38e size: 18944
Section .lib md5: 75a3c0c7578e1a85c90de16c6e5c5bde sha1: 6e7070a48c26fae4fa1108b09d91bfa05a5880a8 size: 512
Timestamp: 2005-09-23 05:38:36
Version: PrivateBuild: 1396
PEhash: 68da84e90f990c0e20c2f5ad991b43a66d7e42f7
IMPhash: 3673e6297b5ecf221a8c68aa878b2f46
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Kazy.12933.psa
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-13
AV Dr. Web: Trojan.Packed.21442
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KVW
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Generic_r.FN
AV Ikarus: Trojan-Spy.Win32.Zbot
AV Kaspersky: Trojan.Win32.Diple.das
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: Trojan.Win32.Generic.128AB488
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): Trojan.Diple

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: stellasystemsonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonekg.com
Winsock DNS: web20ikastaroa.wikispaces.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: wikispaces.com (Type: A) ➝ 75.126.104.177
DNS: wikispaces.com (Type: A) ➝ 208.43.192.33
DNS: web20ikastaroa.wikispaces.com (Type: A)
DNS: zonekg.com (Type: A)
DNS: stellasystemsonline.com (Type: A)
HTTP GET: http://web20ikastaroa.wikispaces.com/file/view/Observa2.jpg/45498543/Observa2.jpg?v85=4&tq=gHZutDyMv5rJeyG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 75.126.104.177:80

Raw Pcap

Strings
040904b0
1396
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
CallNextHookEx
ChildWindowFromPoint
ClipCursor
COMCTL32.dll
comdlg32.dll
CompareStringW
CreateFiber
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
DrawEdge
EmptyClipboard
EnumResourceNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlushFileBuffers
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
KERNEL32.dll
LocalAlloc
LockFile
MonitorFromWindow
NdrClientCall
PathCanonicalizeW
PathCombineW
PathIsRelativeW
PathIsRootW
PathIsURLW
PathStripToRootW
`.rdata
RegisterClassW
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetEndOfFile
SetScrollRange
SetWindowPos
SetWindowsHookExW
SHLWAPI.dll
!This program cannot be run in DOS mode.
ToAscii
UnhookWindowsHookEx
UnlockFile
USER32.dll
VerLanguageNameW
WinHelpW
WriteFileGather