Analysis Date: 2015-01-30 19:44:53
MD5: 8c6626a49c66d5744e8a8b06386a1ca9
SHA1: ff88bb8634495886f7e44c18844a4c99b694ab06

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: fb2dffe70697aebf26b16e10dfc7ec8c sha1: cd3cafbc1a55e6f8f482e0bf7b1218abd69ac777 size: 105472
Section .rdata md5: e81a055cdcfb84f33ffe89e59f81b94c sha1: 7b3b8a1f5a85e72c00210467cc0f9f58ea37f2e7 size: 1024
Section .data md5: 8b70c379635a772a0e487c11014cdee0 sha1: 597ece7b7a3b09c51fcee3059d0005f851d0048d size: 23040
Section .rsrc md5: 091b91caede230e1836d84dcf7933a61 sha1: 76e5dc44f10a001c4ba262661cd8866507865a00 size: 1024
Timestamp: 2005-09-19 21:36:43
Version: PrivateBuild: 1123
PEhash: deb124207f040a1fb31a7a4fbe63acad2e4ca613
IMPhash: 3d5a10fa61498acb13b5a00c7145c6e8
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.DownLoader1.42568
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS zoneck.com
Winsock DNS www.google.com
Winsock DNS dolbyaudiodevice.com
Winsock DNS historykillerpro.com
Winsock DNS 127.0.0.1

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS historykillerpro.com, Type: A ➝ 192.254.251.206
DNS www.google.com, Type: A ➝ 64.233.185.103
DNS www.google.com, Type: A ➝ 64.233.185.104
DNS www.google.com, Type: A ➝ 64.233.185.105
DNS www.google.com, Type: A ➝ 64.233.185.106
DNS www.google.com, Type: A ➝ 64.233.185.147
DNS www.google.com, Type: A ➝ 64.233.185.99
DNS zoneck.com, Type: A ➝ 208.79.234.132
DNS dolbyaudiodevice.com, Type: A
DNS xibudific.cn, Type: A
HTTP GET http://www.google.com/
User-Agent:
HTTP GET http://historykillerpro.com/img/eslogo.gif?tq=gJ4WK%2FSUh%2FzMhRMw9YLJ8MSTUivqg4b8wZFEfqHXarVJ%2BQhhCA0%3D
User-Agent: gbot/2.3
HTTP GET http://www.google.com/
User-Agent:
HTTP GET http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz%2Bvw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
Flows TCP 192.168.1.1:1032 ➝ 64.233.185.103:80
Flows TCP 192.168.1.1:1033 ➝ 192.254.251.206:80
Flows TCP 192.168.1.1:1034 ➝ 64.233.185.103:80
Flows TCP 192.168.1.1:1035 ➝ 208.79.234.132:80

Raw Pcap

Strings