Analysis Date: 2016-01-28 05:23:47
MD5: b2fbe52bb537c79c169d984f65a2786a
SHA1: 012d7e4f822a5cfc18868b936b9c48adeaa5272f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0204cf4045f9116d7d722af3c786fefd sha1: 038b98d30467e8536f35dc4dce11c693fb7f097c size: 40448
Section .rdata: md5: 1f393c08002315e4578ff192d0f0b290 sha1: 782a0e750af6f45aadcc66707a110b556173b881 size: 11264
Section .data: md5: bc1cd7db4aaa05e4bc0e374fe355a2d4 sha1: 035a528d6e60381799d273f1a868e94e558cab0e size: 45568
Section .reloc: md5: cbfa3376cc71f744f394e80e01ed2b39 sha1: 9b5279a0fd8218d6244d2993eb55211c817a9199 size: 4608
Timestamp: 2015-12-31 07:03:04
Packer: Microsoft Visual C++ ?.?
PEhash: e13da2c17415c91cd9d79d94f0562c15afcc2ec5
IMPhash: b902dd238c5e71374dec2baa72997cd3
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.389440
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.174788
AV Alwil (avast): Dorder-E [Trj]
AV Eset (nod32): Win32/Kryptik.EJRB
AV Grisoft (avg): Crypt5.XTV
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.EJRB!tr
AV BitDefender: Gen:Variant.Zusy.174788
AV K7: Trojan ( 004dad0d1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.174788
AV MalwareBytes: Backdoor.Andromeda
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Zusy.174788
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Zusy.174788
AV Arcabit (arcavir): Gen:Variant.Zusy.174788
AV ClamAV: No Virus
AV Dr. Web: Trojan.MulDrop6.18634
AV F-Secure: Gen:Variant.Zusy.174788
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\116156
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\012D7E~1.EXE (8.3 short name of a file named by the sample's own SHA1, i.e. the original copy is removed after msvgqh.exe has been dropped)
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org
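The registry and file writes above are the sample's persistence and cloaking footprint: an autorun value under Policies\Explorer\Run, a write to the legacy Windows\Load value, Explorer notifications silenced, protected files kept hidden, and a copy dropped into the All Users profile root. The PowerShell below is an added example written for this page, not output of the sandbox or code from the sample; it audits those same locations on a suspect host. The value name 317606753, the drop name msvgqh.exe and the numeric file 116156 are treated as per-sample (an assumption), so the checks match on location rather than on name. The hashes come from the Static Details above.

```powershell
# Added example (not part of the sandbox report): audit a host for the persistence and
# cloaking artifacts listed under Runtime Details. Locations are taken from the report;
# the value name 317606753, the drop name msvgqh.exe and the numeric file 116156 are
# treated as per-sample (an assumption), so the checks match on location, not on name.
# Run in an elevated PowerShell on the suspect host.

$SampleMd5  = 'b2fbe52bb537c79c169d984f65a2786a'            # from Static Details
$SampleSha1 = '012d7e4f822a5cfc18868b936b9c48adeaa5272f'
$Findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, $Value, [string]$Why) {
    $Findings.Add([pscustomobject]@{ Where = $Where; Value = $Value; Why = $Why })
}

# 1. Policies\Explorer\Run: every value here is an autorun entry and legitimate software
#    almost never writes it. Check both hives; the report shows the HKLM write.
foreach ($Hive in 'HKLM', 'HKCU') {
    $Key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Name -notlike 'PS*') {      # skip the provider's PSPath/PSDrive/... noise
                Add-Finding "$Key\$($P.Name)" $P.Value 'autorun via Policies\Explorer\Run'
            }
        }
    }
}

# 2. Windows NT\CurrentVersion\Windows\Load: a legacy per-user autorun that should be empty.
$LoadKey = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Load = (Get-ItemProperty -Path $LoadKey -Name Load -ErrorAction SilentlyContinue).Load
if ($Load) { Add-Finding "$LoadKey\Load" $Load 'autorun via Windows\Load' }

# 3. Explorer tampering: TaskbarNoNotification=1 silences balloon notifications and
#    ShowSuperHidden<>1 keeps protected OS files out of view. Weak signals on their own.
foreach ($Hive in 'HKLM', 'HKCU') {
    $Pol = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $V = (Get-ItemProperty -Path $Pol -Name TaskbarNoNotification -ErrorAction SilentlyContinue).TaskbarNoNotification
    if ($V -eq 1) { Add-Finding "$Pol\TaskbarNoNotification" $V 'notification area silenced' }
}
$Adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$SSH = (Get-ItemProperty -Path $Adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($SSH -ne 1) { Add-Finding "$Adv\ShowSuperHidden" $SSH 'protected OS files hidden (also the default; weak alone)' }

# 4. Dropped files in the All Users profile root (C:\Documents and Settings\All Users on XP,
#    C:\ProgramData on Vista and later; $env:ALLUSERSPROFILE resolves either). Flag any .exe
#    and any all-digit file name, hidden ones included, and hash them against the sample.
foreach ($F in Get-ChildItem -Path $env:ALLUSERSPROFILE -File -Force -ErrorAction SilentlyContinue) {
    if ($F.Extension -eq '.exe' -or $F.BaseName -match '^\d+$') {
        $Md5 = (Get-FileHash -LiteralPath $F.FullName -Algorithm MD5).Hash.ToLower()
        $Why = if ($Md5 -eq $SampleMd5) { 'MATCHES sample MD5' } else { 'unexpected file in All Users root' }
        Add-Finding $F.FullName $Md5 $Why
    }
}

# 5. Hash every autorun target found in steps 1 and 2 as well, since a dropper is free to
#    use a different path than the one seen in this run.
foreach ($Fnd in $Findings.ToArray()) {
    if ($Fnd.Why -like 'autorun*') {
        $Path = ([string]$Fnd.Value).Trim('"', [char]0)   # strip quotes and the trailing NUL seen in the report
        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            $Sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
            $Why  = if ($Sha1 -eq $SampleSha1) { 'MATCHES sample SHA1' } else { 'autorun target present on disk' }
            Add-Finding $Path $Sha1 $Why
        }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No matching persistence artifacts found.' }
else { $Findings | Format-Table -AutoSize }
```

Any hit in step 1 or 2 is worth acting on by itself; the Explorer values in step 3 are corroboration only, since ShowSuperHidden is unset or 0 on a clean profile. Hash matches confirm this exact sample, but a differently packed build of the same family will land in the same locations with different hashes, so the location hits matter more than the hash comparison.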

Network Details:

DNS europe.pool.ntp.org (A): 78.46.107.140, 176.31.109.7, 178.32.186.153, 193.225.121.161
DNS north-america.pool.ntp.org (A): 128.138.141.172, 199.19.167.36, 45.79.78.173, 108.61.73.243
DNS south-america.pool.ntp.org (A): 170.155.148.1, 190.64.134.52, 190.181.129.115, 200.189.40.8
DNS asia.pool.ntp.org (A): 192.248.1.162, 202.65.114.202, 91.201.214.3, 103.245.79.2
DNS oceania.pool.ntp.org (A): 103.239.8.22, 103.242.68.68, 103.242.68.69, 202.6.116.123
DNS africa.pool.ntp.org (A): 196.10.52.57, 196.41.127.42, 41.79.80.34, 41.204.120.137
DNS pool.ntp.org (A): 45.79.78.173, 50.116.52.97, 173.255.229.240, 216.218.254.202
DNS microsoft.com (A): 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53, 23.100.122.175
DNS ringplanet.eu (A): no address recorded in the capture
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
