Examples of Troj/Zbot-DMB include:

Example 1
File Information
- Size: 165K
- SHA-1: 11ed277d8ce4d4d139c871b89a95ade7555ba3eb
- MD5: f0d0c924ef3bcfa357853c4744785635
- CRC-32: abf03e9f
- File type: Windows executable
- First seen: 2013-02-02

Example 2
File Information
- Size: 551K
- SHA-1: 9cc38cb099cf4fa1fd1a99e2a58524d26e0672e7
- MD5: ebd9c2f7ea857f895d954d778d34802d
- CRC-32: a2ee0c63
- File type: Windows executable
- First seen: 2013-02-02
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Liisma\ipmiu.teu
  - Size: 477
  - SHA-1: 1879a386f2c990d1992683756ca8a19a1f35be3c
  - MD5: bd0b8731440cbf4f437abf48f4eccac4
  - CRC-32: 37d65d14
  - File type: Unspecified binary - probably data
  - First seen: 2013-02-02
- c:\Documents and Settings\test user\Application Data\Ryun\tamay.exe
  - Size: 165K
  - SHA-1: 423b7b3a919392aa93db81995a0a4e74d7c8c198
  - MD5: 913953bdf6309c0a367e270afdcf0421
  - CRC-32: 2f5db842
  - File type: Windows executable
  - First seen: 2013-02-02
- c:\Documents and Settings\test user\Application Data\gmon.out
  - Size: 4.1K
  - SHA-1: 5f983505c9da2490cb9ac35cf2921802da306f85
  - MD5: fda481ce03aa599726b4b3be094ef3e9
  - CRC-32: 5859f5b6
  - File type: Unspecified binary - probably data
  - First seen: 2013-02-02
- c:\Documents and Settings\test user\Local Settings\Temp\gmon.out
  - Size: 4.1K
  - SHA-1: f73b17a53409ae47fd018832df823b21369b8367
  - MD5: 1b23b9acd8d6df5ba53cbb8eb8fd3249
  - CRC-32: c133d24a
  - File type: Unspecified binary - probably data
  - First seen: 2013-02-02
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Identities
  - Identity Login = 0x00098053
- HKCU\Software\Microsoft\Vuqek
  - Ryuc = (binary data; value is not printable)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {B5900658-B683-C128-79C7-9C7C8F41D583} = "c:\Documents and Settings\test user\Application Data\Ryun\tamay.exe"
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
Registry Keys Modified
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = 8e 3b fb 58 fd 00 ce 01
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\ryun\tamay.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://l-cx.org/vices/cfg.bin
- http://www.google.bg/webhp
- http://www.google.com/webhp
DNS Requests
- l-cx.org
- www.google.bg
- www.google.com