Examples of Troj/Zbot-DFI include:
Example 1
File Information
- Size: 145K
- SHA-1: 6ce3020cb04ebcc1502c82e457bc0b929bf21036
- MD5: 5b8630e63dcd301c609fdf8ded4fe512
- CRC-32: afea7bb9
- File type: Windows executable
- First seen: 2012-12-11
Example 2
File Information
- Size: 145K
- SHA-1: a3f2bd90428e62b730df9b27a9a26bd15eaed988
- MD5: 8511dd542d272d10028574cac07ab616
- CRC-32: 5819b6a1
- File type: Windows executable
- First seen: 2012-12-11
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Xaytaw\orwo.exe
  - Size: 145K
  - SHA-1: fcb13b274b8713097e6090c3e8a900d81509c921
  - MD5: e124dda3c3c534f9c4a797ca37559696
  - CRC-32: b935e466
  - File type: Windows executable
  - First seen: 2012-12-11
Registry Keys Created
- HKCU\Software\Microsoft\Ikvya
  - Ecesxog: (binary data, not printable)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - orwo.exe: "c:\Documents and Settings\test user\Application Data\Xaytaw\orwo.exe"
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  - 1A10: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1A10: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\xaytaw\orwo.exe
- c:\windows\system32\cmd.exe
DNS Requests