Analysis Date: 2014-10-13 02:42:30
MD5: e905d033e769a0bff01368d52457e04b
SHA1: c6009ac711936b427d754c4d6d2607edbaef65dc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4874cb78e5f8c880bfe5ddfbdcf8eaf0 sha1: d3ea2e05cd93197e9162964d5114a03b057b4a4a size: 144384
Section .rdata: md5: 61b506f0835b0772ab6a6c8cfc42b564 sha1: 94f86b73ad677c357877c00004dabb0513c13f5c size: 1536
Section .data: md5: 1e07fffa93868002acafdc9f224ee011 sha1: 5ee577b32eb143075cb6ed89bea0939fa0f665ee size: 20992
Section .crt: md5: f3a7918ddbd55c1a25480c874a7c4fbf sha1: b242d0de57009a63344f1b3267d7adecde6301de size: 512
Timestamp: 2005-10-20 08:45:03
Version: PrivateBuild: 1087
PEhash: fb3aed106225b29485c55ff6fe4b3c51f4393986
IMPhash: 93b0f64fffbcd09ffbda394d94205b3d
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): BDS/Gbot.qt.457
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-3008
AV Dr. Web: BackDoor.Gbot.2442
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Cycbot.AD
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CAZ
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.qt
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BH
AV Rising: Trojan.Win32.Generic.12741B19
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Backdoor.Gbot
AV Yara APT: no_virus
AV Zillya!: Trojan.FakeAV.Win32.44992

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigspiderwomen.com
Winsock DNS: smallspiderwomen.com
Winsock DNS: 127.0.0.1
Winsock DNS: blenderartists.org
Winsock DNS: zonedg.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: blenderartists.org (Type: A) ➝ 198.41.249.137
DNS: blenderartists.org (Type: A) ➝ 162.159.251.137
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: smallspiderwomen.com (Type: A)
DNS: bigspiderwomen.com (Type: A)
HTTP GET: http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQi0%2BjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: iamx/3.11
HTTP GET: http://blenderartists.org/external/Banners/facebook2.jpg?tq=gJ4WK%2FSUh%2FzMhRMw9YLJ8MSTUivqg4b8wpBEfqHXarVJ%2BQhhCA0%3D
User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 198.41.249.137:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80

Strings
.
.
R
040904b0
1087
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
0|'w3{g
~0YB)Wo
42|??&
4^P4	9
5;CoO\
6p$liMa
aBZiT<~
ADVAPI32.dll
AlphaBlend
^at]'MDP
AYrF|u
b=`w){.	:
CharLowerA
CharNextA
CharUpperA
CloseHandle
CompareStringA
CompareStringW
CreateFileW
CreateMutexA
c_vr!2\
<c}X`$),
cy},u`z
@.data
E&*HN@
eLM}=t
EnumResourceNamesW
ExitProcess
EX}P8<
*fd}*;
FlushFileBuffers
FreeLibrary
GetKeyState
GetLastError
GetModuleFileNameA
GetProcAddress
GetTempPathW
GetThreadIOPendingFlag
GetTopWindow
h2<gl:
$.h<G@
\hhlFre
h}(J,f
.h-OXM
hU'VM^St
*=}HV3
I>(L	Zj
InterlockedDecrement
InterlockedIncrement
IsBadReadPtr
`'(I!x
~J(hNA
,J?i^*
k~8EZ0U
KERNEL32.dll
khH.h#k@
K+nwmK)R
^\L.|8
^liNW1
lJdyy2IB
LoadLibraryA
LoadLibraryW
MessageBoxA
~?_mRA
MSIMG32.dll
mTa.hR
MultiByteToWideChar
N+~}[bs
n}U'|n
ODe`.	A
Pee2e5
PgHe}VqG,
Pm	k	\
QN6CF{B
.r0)N$
`.rdata
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
SetEndOfFile
SetEnvironmentVariableA
SetStdHandle
t56%KJ
T`.h1|@
!This program cannot be run in DOS mode.
ThlAll
ThLibr
TransmitCommChar
TransparentBlt
TT.hSW@
[TU;=/x
(`	uhQ
UMKk\X
U$n;E=
USER32.dll
UXuTX.h
.uX]VtT
VB,"(;
<vd2N/
**VH>[,-
VI;=(E
=V,|IkM)
'-$v lv
v/=;nw]
)WHN"R~
WideCharToMultiByte
~;WNZD
WriteFile
wsprintfA
wsprintfW
w:~[zX,g
x	_sm+\
*yloZO
Y +NSm'
*Z((^=
Z]6k?P
zBf>OQ
z?\)ZZ