Analysis Date: 2014-10-16 19:38:29
MD5: f7a12fdb7eded856addf640da8886685
SHA1: bafb24cb54803e93387a224f82683722bf3267ed

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 067b65147a5090162dca26dd80bee0bc  sha1: 1ef76483f2ffb4c9ceddb250f41529be130e90f2  size: 97280
Section .tls    md5: e38d5e4a469c28ad10afd9b8681982d3  sha1: 97edfeb537f82c2de368f109f41f163a06b49029  size: 1536
Section .data   md5: 6a31aac6ace5fa3ac8a2809c0974e1ba  sha1: 8a90e0e07ef62521042415be5d4f4e350abe3631  size: 68096
Section .reloc  md5: d58d90a8ec1ed8a55e13a39835bfd496  sha1: f8b4a30e2bba63154764524770348b6a3ec26650  size: 1024
Timestamp: 2005-10-01 14:43:16
PEhash: b0a9698d89d68d0147705f5529b2d6f7fb394851
IMPhash: 4b76b359049862f760519a47a1053f7b
AV 360 Safe: Gen:Heur.Conjar.9
AV Ad-Aware: Gen:Heur.Conjar.9
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.J.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Conjar.9
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-380350
AV Dr. Web: Trojan.DownLoader4.15907
AV Emsisoft: Gen:Heur.Conjar.9
AV Eset (nod32): Win32/Cycbot.AH.Gen
AV Fortinet: W32/Cycbot.AF!tr.dldr
AV Frisk (f-prot): W32/Goolbot.J.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.9
AV Grisoft (avg): Win32/Heri
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.k
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.9
AV Norman: winpe/Cycbot.DC
AV Rising: no_virus
AV Sophos: Troj/FakeAV-EFL
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.1891
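The Static Details above (per-section MD5/SHA1 and raw size, the COFF timestamp, the IMPhash) can be reproduced from the file with nothing but the Python standard library. The following is an added example written for this page, not code from the sandbox that produced the report. It builds a synthetic PE32 image to run against, so the hashes it prints will not match the sample's; it treats the report's 2005-10-01 14:43:16 timestamp as UTC, which is an assumption about how the sandbox displays it; and its imphash helper takes an already-parsed import list rather than walking the import directory. One caveat worth keeping in mind: the compile timestamp is written by the linker and is trivially forged, so a value nine years before the analysis date carries little weight on its own.

```python
"""Added example (not part of the sandbox report): reproduce the 'Static Details'
fields from raw PE bytes using only the standard library. Offsets follow the
PE/COFF specification."""
import hashlib
import struct
from datetime import datetime, timezone


def _pe_header_offset(data):
    """Return the file offset of the 'PE\\0\\0' signature after validating the MZ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe_off


def pe_sections(data):
    """Yield (name, md5, sha1, raw_size) per section, hashing SizeOfRawData bytes
    from PointerToRawData, which is what the report's 'Section' lines show."""
    coff = _pe_header_offset(data) + 4                         # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    for i in range(num_sections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]       # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        body = data[raw_ptr: raw_ptr + raw_size]
        yield name, hashlib.md5(body).hexdigest(), hashlib.sha1(body).hexdigest(), raw_size


def pe_timestamp(data):
    """COFF TimeDateStamp rendered as UTC in the report's format. The linker writes it and
    attackers can set it freely, so an old value is a weak indicator at best."""
    ts = struct.unpack_from("<I", data, _pe_header_offset(data) + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def imphash(imports):
    """Import hash in the pefile/Mandiant form: 'dll.func' pairs in import-table order,
    lower-cased, DLL extension stripped, comma-joined, MD5'd. Imports by ordinal must be
    supplied as 'ordN' by the caller; this helper expects an already-parsed list."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def build_sample_pe(sections, timestamp=1128177796):
    """Construct a minimal PE32 image for exercising the parser. This is a synthetic file,
    not the analysed sample; the default timestamp is the report's 2005-10-01 14:43:16
    taken as UTC (an assumption about the sandbox's display)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222               # PE32 magic, remainder zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    headers_end = pe_off + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF                  # FileAlignment of 0x200
    table, bodies, va = b"", b"", 0x1000
    for name, body in sections:
        raw_size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), va,
                             raw_size, raw_base + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        va += 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(raw_base, b"\0") + bodies


def static_details(data, imports=()):
    """Mirror the report's Static Details block for a given image."""
    return {
        "Timestamp": pe_timestamp(data),
        "Sections": [{"name": n, "md5": m, "sha1": s, "size": z} for n, m, s, z in pe_sections(data)],
        "IMPhash": imphash(imports) if imports else None,
    }


if __name__ == "__main__":
    # Constructed input: two tiny sections and two of the imports visible in the Strings section.
    sample = build_sample_pe([(".text", b"\x55\x8b\xec\x33\xc0\xc9\xc3"), (".data", b"conhost\0")])
    print(static_details(sample, [("KERNEL32.dll", "GetTickCount"), ("ole32.dll", "CoCreateInstance")]))
```

Because SizeOfRawData is what gets hashed, the reported sizes are multiples of the file alignment (97280, 1536, 68096 and 1024 are all multiples of 512), which is why they do not equal the sections' virtual sizes.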

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS 127.0.0.1
Winsock DNS onlinedatingsecretfriends.com
Winsock DNS happyratatuy.com
Winsock DNS superaudiosysrem.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS onlinedatingsecretfriends.com (Type: A)
DNS superaudiosysrem.com (Type: A)
DNS happyratatuy.com (Type: A)
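The runtime and network behaviour above is the part of this report worth turning into detection logic: a Run-key value named conhost that points into the user's Application Data; copies named conhost.exe, csrss.exe and dwm.exe written to user-writable directories (on a clean host all three live only under %SystemRoot%\System32); ProxyEnable flipped to 1 alongside a Winsock lookup of 127.0.0.1; and three looked-up domains. The following is an added example, not code from the sandbox or from the report's authors. The event list is hand-constructed from the entries on this page, and the system-binary name list and the rule logic are the editor's own assumptions about what a triage script should check.

```python
"""Added example (not part of the sandbox report): triage rules over the kind of
behaviour log shown under 'Runtime Details' and 'Network Details'."""
import re

# Constructed from the report's entries; not machine-parsed from the page.
EVENTS = [
    {"type": "registry",
     "key": r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable",
     "data": "1"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
     "data": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC"},
    {"type": "process", "path": r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"},
    {"type": "process", "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"},
    {"type": "dns", "name": "127.0.0.1"},
    {"type": "dns", "name": "onlinedatingsecretfriends.com"},
    {"type": "dns", "name": "happyratatuy.com"},
    {"type": "dns", "name": "superaudiosysrem.com"},
]

# Assumed list: Windows binaries that legitimately exist only in the system directory.
SYSTEM_BINARIES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "smss.exe"}
SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\(system32|syswow64)\\[^\\]+$", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerade(path):
    """A system-binary name anywhere other than the system directory. The report shows
    conhost.exe, csrss.exe and dwm.exe written to the user profile and %TEMP%."""
    return basename(path) in SYSTEM_BINARIES and not SYSTEM_DIR.match(path)


def triage(events):
    """Return the findings a responder would pull from such a log."""
    findings = {"masquerade": set(), "persistence": [], "proxy_hijack": False, "domains": []}
    proxy_enabled = False
    loopback_lookup = False
    for ev in events:
        if ev["type"] == "registry":
            if ev["key"].lower().endswith("\\proxyenable") and ev["data"].strip() == "1":
                proxy_enabled = True
            if RUN_KEY.search(ev["key"]):
                target = ev["data"]
                if USER_PROFILE.match(target):            # autorun from a user-writable path
                    findings["persistence"].append((ev["key"], target))
                if is_masquerade(target):
                    findings["masquerade"].add(target.lower())
        elif ev["type"] in ("file", "process"):
            if is_masquerade(ev["path"]):
                findings["masquerade"].add(ev["path"].lower())
        elif ev["type"] == "dns":
            if ev["name"] == "127.0.0.1":
                loopback_lookup = True
            elif not IPV4.match(ev["name"]):
                findings["domains"].append(ev["name"])   # candidate C2 / download hosts to block
    # ProxyEnable=1 plus the sample touching 127.0.0.1 is consistent with IE traffic being
    # pushed through a proxy on the infected host; the ProxyServer value is not in the
    # report, so this stays a combined indicator rather than a confirmed proxy address.
    findings["proxy_hijack"] = proxy_enabled and loopback_lookup
    return findings


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On a live host the same checks map onto `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, a listing of the user's Application Data and Temp directories for the three masquerading names, and the Internet Settings key for ProxyEnable and ProxyServer; the report gives ProxyEnable only, so confirm the proxy address before concluding traffic is being relayed locally.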

Raw Pcap

Strings (most entries are high-entropy fragments, consistent with the packed or encrypted payload that the TR/Crypt.XPACK.Gen label above points to; the readable entries are version-info fields and imported API and DLL names)
"
hb.!
.
.....
.
Y
k.
.
.
080904b0
1.0.0.1
1860
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
<,&?..
]08=5|e
0h>0hc
0h8Kbh
'0h=n1]
0h;/vF
;}0h!W
0Wjw'`8T
145fC_2h)9
1@h=7j
~2hBho/
2hkzv6
<2huuXh
2m.y['\Q
2w]84eN~&
>3^ako
3bhzQW
3#k;D(
3Ojfq|
3Ph9',
}3SFUa
3VZ47I&
3w&'{2
4Djq/W
<4dk%SR
=52hI h
57&I;t
(5 h0h
5"h9Ok
5j"hwCSI
:5j^t4E
5SMtG%
60hph6
"6P?NOk
6P*UH&
6Rhj/3
6*xn^&
'70hf2h
75F1%K}
7dE	?|>
7.Rich
)7Z>.'
>^8%3M
8;_6'M
8\>%,E
8i"g|e
{8)nF1NmEa
*$956YS1yIsKyn
|	9Bh3
9BO!}Z
[9	g}bX
9gc0HL
9"TL>-
9w )Dw
a71rhv
a@`DFq
a$D,xiL`h
aj$`h~Z}
AkrhCXl
ak<t8o
AlphaBlend
}?A	Rh)y(
a	-S@A
A==\+s%R
$B0nM\wX
*)^>bBK.Z9
bh0hsw+6z
#Bh2h"hyLHM
&bh3]\	f_
Bh`h7q8T
[BhiZ_A@h
bh}lbh
bhMMs0h
bhphzK@h7U
bhX'UmA
B(RA^lLE
c6y	@N
C9Bh9N.
Cd`hJ~*
(c@h&F
CJt{_7
c*^L3c/
CoCreateInstance
CoGetMalloc
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CreateFontIndirectA
c	rhS0h<w%
cs"tqI<
cuu~ph
c{V2U}t~
Cwx/Ax2
cxrhphwphj
D	2hS/
D2`Pw3
d/."84
@.data
dD2hPh
ddE7i3
-D~E]'
DeleteCriticalSection
DeleteObject
~$dgR'
Dph_Rh
~dT4>/
DZ$}rh
e3Ho>6
e]<csNX
)eesaj
e|$LH	r|^
EnterCriticalSection
EnumResourceTypesA
E\phF6
Eph"h~
Ev8[ h=^
eWk!hX
|||e_Z
f]7`ha
.F>9H]g
f)$C#	
fdpk\"p/
fEph`h`hA
-F"h(l
fi11,W
fi@h`h
F~phg}
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FrjUqdb
Fs<~E9
fSJT`h
GA&<lE
gBWP}0'x^I!)
GCv.o&
GDI32.dll
GetACP
GetCPInfo
GetCPInfoExW
GetCurrentProcessId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetOEMCP
GetStartupInfoA
GetStdHandle
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
-Gl{|t
GPA'~G
gqn=f0^
gu{_l"h
( gwcA
H,0h$6
h,0h_C"h
h0hwPh
 h	32h
h4Bhrh
h7K8iq&
h	85I!
h8 !%x
h8zbhCf?
h90hV{-fN
h<A.qK*
hA*z]ha
hbh1GY
hbh*2hz!
hbh?5^jV%
"h}Bh6
hbh= h
hbh^"hQ
"h(bh:M"h
`hbhRhO,
hC{bhY
`h(%Ce
hcph"hOc
] hcu0hVH
hcX]}{
:"hd()E
h+%dH\
hd$H%i
h$DIgi-
"hE]_a
HeapSize
hE*H(@h
@h%e%k
 hEwYF
hf;0hz
hFf\Bh
@hg=_ h
hgq='V
,"h(@h
h"h3$ h
h"h40h
h.{`h'7
h-`hbh
h@hBh4s
h`he=h
h@h+en
"h"h@h
h-`h@hG
h@h"hSK
@h@h*j
`h`hsZ
h hU=.
hHve+c
hi2h2h
"hIPht7*OE
hIPhu0h~
hJ2hdphm
hjWic;
h~$JZ@h
h-Kd'0h
hkFx/a
h=krhRhX
( hL0hd
hL9*@hCg
"hlBhi
hlc}{q
H^lFAgf
hLh(_'
`hLhY!
h{<LlG
hnH0hn>
h.&n-N
h&:Nnf
h,N&Ph:
hN;q/ h
`hnrhg0h
ho2hSM6
 h-OQ'
-HO,@v5
`h!_Ph
h#ph}gK
hphhCq
hPhNmY
hq7([rh\N
h&QFz0h
`h-?Qo
h:QZo,~
hrh2h	
"hrhqIq
hRh%U0h
hrh&&Y/Rh
hs2hty
"hSxDciV
hu15Ec
H(u9 h
hv0hRh
hv3k	t
hVbhV"h7X[
hWq3(E
hX\d^+
 h(XG9
hX`hdA
h*x>s=
hxS[h5
h(]xu4o!
HY hRhZ
hyj/>[
hzcBhX
"hZ`h/
hZ]VhY'a@h9^
#I0h(X!
i2hTAg
if:i]a
,i`j*`
iL<~]cI
]")_IM
InitializeCriticalSection
InterlockedExchange
InterlockedIncrement
iphT@h`h
ivSbh2hG$]
_jc0hoFV{Ph
jDh,?#
J@h3em
j h}fs
ji_a"5z
J#m.&R
,J	p}s
J.QD[}K
-)J]Qj
jRhQsx
;	jSLf
 @j=vPp
,JYbx;
'jYnL}D
K3ph`h h
K8|UQN
kBmH>)~
k<"C8dv
kC/UOgNHUZ
KERNEL32.dll
KK{ubXK0<
Kl2h:S
klw3_$
ku`hyl
l0hkS.
L2h(rhZO!
l3FEPh
^L8ph.!>U"h
LdqzRh
LeaveCriticalSection
LisRhy18
Lj-%p&
;=l:|m6Y
lstrlenW
l.$]*T@
 lvS~1^E
m7$bh3
M~^{BC
M|e	G6
mGahVf
M/HyoZ
M`hZMuy
*mPhLJ
MSIMG32.dll
MultiByteToWideChar
Mz3@h>c3
n}]2h}
NBhZ`h
{=NHMN
N,QoBh
'NSH`h6
nv'\o&j
?{/)#o
O0hNY<
o?e3FTh
ogKVb3x
oh8e@h
oH/(O/
ole32.dll
OXEK{h
oXph?K
p?~3ZN
|p$%h	
ph??~[
ph0hi`hC
Ph~<cY{
PhF*"h
~&!Phg
ph<g(bh
?ph`hMa
Phhnphn
%PhLBh
Ph,&ph
#ph}qQ
Phqw2h
phRh(%:
ph?rhC
PhrhK_
>#phXBh
]Pi+o<
pOw}t=]Q?q
PsBbx/
@px 6%
py3yS[c
q1Z1*U~&_	
Q4>y-I?
Q5l/u=
Q8I6\3u
qc3rhYLk1
/^Q?h1
QueryPerformanceCounter
RaiseException
.reloc
rh|')10h
Rh2hc$O3j
rhbhSk
%rhENo78
rhF0h"h
rhj> h
rhM%eLx
rh]n#N9
Rhph+l
>rhphQSYH8
RhQjBh
rhRh&?
rhrhvo
?Rh]%X
rhXIPh	
(.rhz53O
RjxSR|
RnsZUzW3
Ro	+V_
^:-R{ULI 
' s5yMo
SelectObject
SetHandleCount
:!S hF3}mI
sJZ/{TuY
,S\os?
StringFromGUID2
SUp>	Gc
sYnE\	r
T4R?G*
t6*dx.;
T?bD8W
!This program cannot be run in DOS mode.
TlsGetValue
TlsSetValue
Tm|QcY0h
TQbhUbh
TransparentBlt
{:tX\z
tYs'U{
u-"hGx
UI w@+
Uk4rh@h
u#K`hL
=UmPhz
UnhandledExceptionFilter
uPc'_M
uph9'@h2h
]Urh^N
/U%&-tD
~UXS^$
V8yz~C
V\a15D
Vm0(_o
Vp?9PN
VqBhwd h
vXGSqm
WideCharToMultiByte
wRh'UQM
WriteFile
wt}=w#
~]WV`G
WY@h~Z2h
WZbo%Tu
:x/!*D
xF2c?C
X>Hn5A8u
XI9rOS
-~XK?i
={xn!G
XqG\nPhVG
]xuQqx
X_z13}V
Y{0herh
Y`4det
:yBh;[k
+'Y"h.D
Y!Phrh
YU#`ma iPF$@
yX&5)n>R
Z3|u`hH
z9(e4hL:
~ZBhddd
ZlfEY"h
:^zPh'
>.}zPhi7)
z~pXic
zRhAiph\Y
}ZRhE+o
Z#u,g[