Examples of Troj/Zbot-DTY include:
Example 1
File Information
- Size: 172K
- SHA-1: 6a510236ab7825a4eba9f6afc6b4d7a8d8b02f4f
- MD5: 5a0df2492d10d3fd6e596d2303a93710
- CRC-32: 2b26187b
- File type: Windows executable
- First seen: 2013-01-31
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Hiuspu\iwzyq.oxe
  - Size: 477
  - SHA-1: 0a5edf73466af1a0795f422197f438a6890a6aab
  - MD5: 7bf67c370eb84035135cf4245f6f9e5c
  - CRC-32: 3afa4768
  - File type: Unspecified binary - probably data
  - First seen: 2013-01-31
- c:\Documents and Settings\test user\Application Data\Hiuspu\iwzyq.tmp
  - Size: 563
  - SHA-1: 03e5732c26fc57aff5e72d6fca7e8798f4b7f6c2
  - MD5: 0eaf1773c69b55f00524fd4e2069f186
  - CRC-32: cc78e241
  - File type: Unspecified binary - probably data
  - First seen: 2013-01-31
- c:\Documents and Settings\test user\Application Data\Omhiz\bycet.exe
  - Size: 172K
  - SHA-1: cb2cbd2dd44c090d1e534c07fbb014889dca3156
  - MD5: 17b5c4d2f5b5bca662ca38a9ca6f8562
  - CRC-32: fc4a655f
  - File type: Windows executable
  - First seen: 2013-01-31
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
- HKCU\Identities
  - Identity Login = 0x00098053
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Software\Microsoft\Onbivu
  - Gyovabos = (binary value; non-printable data not reproduced)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {A01CA728-1BE4-DDFE-913F-A1D353901F89} = "c:\Documents and Settings\test user\Application Data\Omhiz\bycet.exe"
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = aa bb 66 05 d2 ff cd 01
Processes Created
- c:\Documents and Settings\test user\application data\omhiz\bycet.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.carnesviba.com/ja/images/te.bin
- http://www.google.com/webhp
IP Connections
DNS Requests
- www.carnesviba.com
- www.google.com
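The runtime analysis above gives three artefacts worth hunting for on other hosts: a Run value whose name is a GUID and whose data points to an executable under Application Data\&lt;random&gt;\&lt;random&gt;.exe, security-zone action 1609 (URLACTION_HTML_MIXED_CONTENT, "Display mixed content") set to 0 (allow without prompting) in zones 0, 1, 2 and 4, and the file hashes and config-download host listed in the report. The script below is an added example, not part of the Sophos report, that applies those checks to a host snapshot. The snapshot layout (a dict of Run values, zone actions, file hashes and DNS queries) is a hypothetical collection format, and the "random word" path pattern is a generalisation from the single sample here, so tune it before relying on it; the hash and host indicators are copied from the report, and the sample snapshot is constructed.

```python
"""Hunt for the Troj/Zbot-DTY artefacts listed in the report above.

Added example, not part of the original Sophos analysis. Runs offline over
a constructed host snapshot; the snapshot layout is a hypothetical
collection format.
"""
import re
from typing import Dict, List, Tuple

# Indicators copied from the report above (sample and dropped-file hashes).
KNOWN_SHA1 = {
    "6a510236ab7825a4eba9f6afc6b4d7a8d8b02f4f",  # Example 1 sample
    "cb2cbd2dd44c090d1e534c07fbb014889dca3156",  # dropped bycet.exe / Example 3
    "74957f10e1599a2a232fd5b2b7503eb3b59e1f22",  # Example 2 sample
}
KNOWN_MD5 = {
    "5a0df2492d10d3fd6e596d2303a93710",
    "17b5c4d2f5b5bca662ca38a9ca6f8562",
    "7809d9cce6338fe4481b77291667c80b",
}
KNOWN_HOSTS = {"www.carnesviba.com"}  # te.bin download host from the HTTP/DNS sections

# Run value name shaped like a GUID, e.g. {A01CA728-1BE4-DDFE-913F-A1D353901F89}
GUID_NAME = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)
# Persistence binary under Application Data\<random>\<random>.exe (generalised
# from Omhiz\bycet.exe in the report; assumption: 4-8 letter names).
APPDATA_RANDOM_EXE = re.compile(
    r"\\application data\\[a-z]{4,8}\\[a-z]{4,8}\.exe$", re.I
)

MIXED_CONTENT_ACTION = "1609"  # URLACTION_HTML_MIXED_CONTENT
URLPOLICY_ALLOW = 0            # 0 = allow, 1 = prompt, 3 = disallow


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Names of Run values with a GUID name pointing into Application Data\\x\\y.exe."""
    hits = []
    for name, command in run_values.items():
        path = command.strip().strip('"')  # the report shows the path quoted
        if GUID_NAME.match(name) and APPDATA_RANDOM_EXE.search(path):
            hits.append(name)
    return hits


def zones_allowing_mixed_content(zones: Dict[str, Dict[str, int]]) -> List[str]:
    """Zone ids whose action 1609 is 0, i.e. mixed content displayed without a prompt."""
    return sorted(z for z, actions in zones.items()
                  if actions.get(MIXED_CONTENT_ACTION) == URLPOLICY_ALLOW)


def known_bad_files(files: List[Tuple[str, str, str]]) -> List[str]:
    """Paths whose SHA-1 or MD5 matches a hash from the report."""
    return [path for path, sha1, md5 in files
            if sha1.lower() in KNOWN_SHA1 or md5.lower() in KNOWN_MD5]


def known_bad_dns(queries: List[str]) -> List[str]:
    """DNS names from the host log that match the report's download host."""
    return sorted({q.lower() for q in queries if q.lower() in KNOWN_HOSTS})


def hunt(snapshot: dict) -> dict:
    """Run every check and return the findings keyed by artefact type."""
    return {
        "run_values": suspicious_run_values(snapshot.get("run", {})),
        "mixed_content_zones": zones_allowing_mixed_content(snapshot.get("zones", {})),
        "files": known_bad_files(snapshot.get("files", [])),
        "dns": known_bad_dns(snapshot.get("dns", [])),
    }


# Constructed snapshot: one infected host mirroring the report plus benign entries.
SAMPLE_SNAPSHOT = {
    "run": {
        "{A01CA728-1BE4-DDFE-913F-A1D353901F89}":
            '"c:\\Documents and Settings\\test user\\Application Data\\Omhiz\\bycet.exe"',
        "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
        # GUID-named but not under Application Data: must not be flagged
        "{A1B2C3D4-0000-1111-2222-333344445555}": "C:\\Program Files\\Vendor\\tray.exe",
    },
    "zones": {"0": {"1609": 0}, "1": {"1609": 0}, "2": {"1609": 0},
              "3": {"1609": 1}, "4": {"1609": 0}},
    "files": [
        ("c:\\Documents and Settings\\test user\\Application Data\\Omhiz\\bycet.exe",
         "cb2cbd2dd44c090d1e534c07fbb014889dca3156", "17b5c4d2f5b5bca662ca38a9ca6f8562"),
        ("c:\\windows\\system32\\cmd.exe",
         "0000000000000000000000000000000000000000", "00000000000000000000000000000000"),
    ],
    "dns": ["www.google.com", "www.carnesviba.com"],
}

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_SNAPSHOT).items():
        print(f"{key}: {value}")
```

The hash and DNS checks only catch this exact build; the Run-value and zone checks are the ones that generalise across Zeus variants, which is why they are pattern based rather than indicator based. The zone check will also fire on hosts where an administrator has legitimately allowed mixed content, so treat it as corroborating evidence alongside the Run value rather than as a verdict on its own.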
Example 2
File Information
- Size: 108K
- SHA-1: 74957f10e1599a2a232fd5b2b7503eb3b59e1f22
- MD5: 7809d9cce6338fe4481b77291667c80b
- CRC-32: ea4df54d
- File type: Windows executable
- First seen: 2013-01-31
Example 3
File Information
- Size: 172K
- SHA-1: cb2cbd2dd44c090d1e534c07fbb014889dca3156
- MD5: 17b5c4d2f5b5bca662ca38a9ca6f8562
- CRC-32: fc4a655f
- File type: Windows executable
- First seen: 2013-01-31