Analysis Date: 2013-07-14 08:25:15
MD5: c1157192.168.1.185959872c7426c79840
SHA1: b8387cb651614a1d875a4f1da6c6d9a71b0586b9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: 99527d7ce2df12a0e80ee9ae682cdab4 sha1: 9791b44dbebb9bcbb464e9adbc27afb7c908087d size: 149504
Section .rdata: md5: 5dca59c3b6542eb5aca5aa670c5de37c sha1: b71fd63c76e2eee79cd163bb217b1bac03d73802 size: 2560
Section .data: md5: 58fa456977db625542a08ab8dac1efdc sha1: 35b15410057adc32026b1f7fcdb2b1f7f1d36729 size: 27648
Section .lib: md5: 8e2cbd4cb5dd1c8ca6caf4da37a60c79 sha1: dc65a7542eba4af1870643c16de8c5407fd67f6d size: 512
Timestamp: 2005-08-27 08:17:34
Version: PrivateBuild: 1123
PEhash: 7d488182e9e1e0b7911e8a3a06b8b4527f482f8e
AV: clamav Win.Trojan.Agent-255296

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigblueonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonere.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: bigblueonline.com
Type: A
173.56.67.87
DNS: zonetf.com
Type: A
208.73.211.164
DNS: zonere.com
Type: A
198.89.98.162
HTTP GET: http://bigblueonline.com/images/i13.jpg?tq=gHZutDyMv5rJeSG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: opera/8.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://zonere.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUo1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: opera/8.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJpX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 173.56.67.87:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.164:80
Flows TCP: 192.168.1.1:1033 ➝ 198.89.98.162:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.164:80
