Analysis Date: 2015-12-25 20:45:26
MD5: 9579e0183e43cab86ce0e3048b6c4ca1
SHA1: 167bfac43b18bac33908a989301ac9d0ee61a0e2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d7bed9494191e0bf3368fafe7b3d53a3 sha1: d741c352fc8601923a49a3e22a7df765f9372a41 size: 82432
Section .rdata md5: a98bcb95a9460fc5bec78259baf58971 sha1: a6b956c7ca8ac21a728b6153bf6e3e9ea9dbcdcd size: 36352
Section .data  md5: 5be5016df8e25d0f235cffa160e6dd0f sha1: a166fa775f5094bd4370ecce01a9c9725603f688 size: 74752
Section .rsrc  md5: ad87bba51b395476c6cec7db057b1df7 sha1: ff8069817162a7bb481806cdfbec84a01e554750 size: 65536
Timestamp: 2015-11-01 20:55:58
Packer: Microsoft Visual C++ ?.?
PEhash: b4b2e656978a2456d43934f76803088444769329
IMPhash: 887e5aebff0b3fe3fb73f283b7e07294
AV Dr. Web: Trojan.Siggen6.24906
AV Fortinet: W32/Kryptik.EGLA!tr
AV Zillya!: no_virus
AV Alwil (avast): Dorder-C [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.2842575
AV MicroWorld (escan): Trojan.GenericKD.2842575
AV Symantec: Backdoor.Trojan
AV VirusBlokAda (vba32): Trojan.Yakes
AV Ikarus: Trojan.Win32.Crypt
AV BullGuard: Trojan.GenericKD.2842575
AV ClamAV: no_virus
AV MalwareBytes: no_virus
AV BitDefender: Trojan.GenericKD.2842575
AV Rising: no_virus
AV K7: Trojan ( 004d59e51 )
AV Frisk (f-prot): no_virus
AV Twister: Trojan.Girtk.EDAQ.jmkd
AV Authentium: W32/Trojan.JVGM-3543
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Crypt5.IRF
AV F-Secure: Trojan.GenericKD.2842575
AV CAT (quickheal): Worm.Gamarue.r4
AV Trend Micro: TROJ_WA.8818582F
AV Ad-Aware: Trojan.GenericKD.2842575
AV Kaspersky: Backdoor.Win32.Androm.ioqc
AV Emsisoft: Trojan.GenericKD.2842575
AV Mcafee: RDN/Swizzor.gen
AV Avira (antivir): TR/Crypt.ZPACK.201037
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Eset (nod32): Win32/Kryptik.EDAQ

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\114906
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: and12.thesuchivestfishmarketeat111.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org  Type: A  85.114.132.52
DNS: europe.pool.ntp.org  Type: A  178.18.118.14
DNS: europe.pool.ntp.org  Type: A  176.9.102.215
DNS: europe.pool.ntp.org  Type: A  147.251.48.140
DNS: north-america.pool.ntp.org  Type: A  129.6.15.28
DNS: north-america.pool.ntp.org  Type: A  108.61.194.85
DNS: north-america.pool.ntp.org  Type: A  104.131.51.97
DNS: north-america.pool.ntp.org  Type: A  216.152.240.220
DNS: south-america.pool.ntp.org  Type: A  200.89.75.197
DNS: south-america.pool.ntp.org  Type: A  200.160.7.193
DNS: south-america.pool.ntp.org  Type: A  200.93.227.170
DNS: south-america.pool.ntp.org  Type: A  200.89.75.198
DNS: asia.pool.ntp.org  Type: A  160.16.101.116
DNS: asia.pool.ntp.org  Type: A  82.200.209.236
DNS: asia.pool.ntp.org  Type: A  52.69.228.202
DNS: asia.pool.ntp.org  Type: A  185.23.153.237
DNS: oceania.pool.ntp.org  Type: A  45.114.116.62
DNS: oceania.pool.ntp.org  Type: A  203.97.218.196
DNS: oceania.pool.ntp.org  Type: A  59.167.170.228
DNS: oceania.pool.ntp.org  Type: A  54.252.161.68
DNS: africa.pool.ntp.org  Type: A  41.79.80.34
DNS: africa.pool.ntp.org  Type: A  41.73.42.22
DNS: africa.pool.ntp.org  Type: A  41.73.42.10
DNS: africa.pool.ntp.org  Type: A  197.80.150.123
DNS: pool.ntp.org  Type: A  67.207.128.163
DNS: pool.ntp.org  Type: A  50.116.52.97
DNS: pool.ntp.org  Type: A  23.92.29.245
DNS: pool.ntp.org  Type: A  108.61.56.35
DNS: microsoft.com  Type: A  23.96.52.53
DNS: microsoft.com  Type: A  191.239.213.197
DNS: microsoft.com  Type: A  104.43.195.251
DNS: microsoft.com  Type: A  104.40.211.35
DNS: microsoft.com  Type: A  23.100.122.175
DNS: and12.thesuchivestfishmarketeat111.com  Type: A  (no answer recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
