PE Compile Time

2009-12-21 17:36:57

PE Imphash

d6ebb38fec25832d438423d4037579e8

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x0000dfce    0x0000e000        6.51591742521
.rdata  0x0000f000       0x00002836    0x00002a00        5.66106675728
.data   0x00012000       0x00001d40    0x00000600        3.55145256715
.reloc  0x00014000       0x000013ca    0x00001400        6.47574445051
.data1  0x00016000       0x000003ba    0x00000200        6.08399460342

Imports

Library KERNEL32.dll:

Antivirus Result
Bkav W32.Aidetectmalware
Lionic Trojan.Win32.Zbot.Kzzj
Elastic Malicious (High Confidence)
ClamAV Win.Trojan.Zbot-9789488-0
CMC None
CAT-QuickHeal Trojan.Mauvaise.Sl1
Skyhigh Behaveslike.Win32.Generic.Lh
ALYac Gen:Trojan.Userstartup.Euw@Asckw7l
Cylance Unsafe
Zillya Trojan.Zbot.Win32.1241
Sangfor Suspicious.Win32.Save.A
CrowdStrike Win/Malicious_Confidence_100% (W)
Alibaba Trojan:Win32/Starter.Ali2000005
K7GW None
K7AntiVirus None
huorong Trojanspy/Zbot.Bj
Baidu None
VirIT Trojan.Win32.Zbot.Adlm
Paloalto Generic.Ml
Symantec Ml.Attribute.Highconfidence
tehtris None
ESET-NOD32 Win32/Spy.Zbot.Jf
APEX Malicious
Avast Sf:Zbot-Cq [Trj]
Cynet Malicious (Score: 100)
Kaspersky Trojan-Spy.Win32.Zbot.Adwr
BitDefender Gen:Trojan.Userstartup.Euw@Asckw7l
NANO-Antivirus Virus.Win32.Gen.Ccmw
ViRobot None
MicroWorld-eScan Gen:Trojan.Userstartup.Euw@Asckw7l
Tencent Malware.Win32.Gencirc.11deeff4
Sophos Mal/Generic-S
F-Secure Trojan.Tr/Crypt.Xpack.Gen
DrWeb Trojan.Webmoner.61071
VIPRE Gen:Trojan.Userstartup.Euw@Asckw7l
TrendMicro Tspy_Zbot.Smrl
McAfeeD Real Protect-Ls!Ed69d9bb9335
Trapmine Suspicious.Low.Ml.Score
CTX Exe.Trojan.Generic
Emsisoft Gen:Trojan.Userstartup.Euw@Asckw7l (B)
Ikarus Trojan-Spy.Win32.Zbot
FireEye Generic.Mg.Ed69d9bb9335abe9
Jiangmin Trojanspy.Zbot.Xcj
Webroot None
Varist W32/Zbot.Abt.Gen!Eldorado
Avira Tr/Crypt.Xpack.Gen
Fortinet W32/Zbot.Jf!Tr.Spy
Antiy-AVL Trojan[Spy]/Win32.Zbot
Kingsoft Malware.Kb.A.998
Gridinsoft Spy.Win32.Keylogger.Oa!S1
Xcitium Trojware.Win32.Trojanspy.Zbot.Gen@1gso1k
Arcabit Trojan.Userstartup.E8c776
SUPERAntiSpyware None
ZoneAlarm None
Microsoft Trojan:Win32/Zbot.Ri!Mtb
Google Detected
AhnLab-V3 Worm/Win32.Ircbot.R8249
Acronis None
McAfee Genericrxmp-Lb!Ed69d9bb9335
TACHYON Trojan-Spy/W32.Zbot.76288.Ak
VBA32 Sscope.Trojan.Bofa
Malwarebytes Generic.Malware.Ai.Dds
Panda Generic Malware
Zoner None
TrendMicro-HouseCall Tspy_Zbot.Smrl
Rising Spyware.Zbot!8.16b (Tfe:1:T0ftm5gnxan)
Yandex Trojan.Genasa!Lcojkct5rig
SentinelOne Static Ai - Malicious Pe
MaxSecure Trojan.Malware.926942.Susgen
GData Gen:Trojan.Userstartup.Euw@Asckw7l
AVG Sf:Zbot-Cq [Trj]
DeepInstinct Malicious
alibabacloud Trojan[Spy]:Win/Zbot.Jf
IRMA Signature
Trend Micro SProtect (Linux) Clean
Avast Core Security (Linux) Sf:Zbot-CQ [Trj]
C4S ClamAV (Linux) Win.Trojan.Zbot-9789488-0
Trellix (Linux) GenericRXMP-LB
Sophos Anti-Virus (Linux) Mal/Generic-S
Bitdefender Antivirus (Linux) Gen:Trojan.UserStartup.euW@aScKw7l
G Data Antivirus (Windows) Virus: Gen:Trojan.UserStartup.euW@aScKw7l (Engine A)
WithSecure (Linux) Trojan.TR/Crypt.XPACK.Gen
ESET Security (Windows) Win32/Spy.Zbot.JF trojan
DrWeb Antivirus (Linux) Trojan.Webmoner.61071
ClamAV (Linux) Win.Trojan.Zbot-9789488-0
eScan Antivirus (Linux) Gen:Trojan.UserStartup.euW@aScKw7l(DB)
Kaspersky Standard (Windows) Trojan-Spy.Win32.Zbot.adwr
Emsisoft Commandline Scanner (Windows) Gen:Trojan.UserStartup.euW@aScKw7l (B)