Analysis Date: 2016-01-09 16:26:06
MD5: 6d01caa5ef00b82594c030716fa867c5
SHA1: 1e5c092281981f5b58d8833bbf62e39a85e03d72

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: fb8478b8182cf18806ee7fd269d89b84 sha1: 466ac4499a6e4182b67448b976415c9298d64287 size: 36864
Section.rdata md5: bb8a6234ac19ff6eb46fe7316f7ac5af sha1: 868927d5a0a1514db060c820650fb0d1d51b9488 size: 8192
Section.data md5: 6b78da1a3aa9c072eea6bb7bf66de861 sha1: f712dd8ab63592cb27b1ae6b700171fd2103fdde size: 32768
Section.idata md5: c1318e3a5e97fc9135c98be7219a5172 sha1: ee1116353acc9f942bb7ff5acec313f8718dc6c6 size: 8192
Section.rsrc md5: 566b1a66b6df8edd4d944ad1e1337f12 sha1: 4e7ff51a4a7d17461248b480ae827830bc6b1dac size: 12288
Section.reloc md5: c695e8655ea97771fe2c264e2889f3e1 sha1: 61acf88249a925935f5d86f7a9ad40eaccecf815 size: 4096
Timestamp (PE header): 2015-10-07 19:32:48
Packer: Microsoft Visual C++ 5.0 (compiler signature, not a packer)
PEhash: b501d8e5eff5adf6bb6fd1cdf1ef8adca8d0a0db
IMPhash: ce5ce9ef8296c717479a1ccd74fddde7
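The per-section md5/sha1/size lines and the Timestamp above are read straight out of the PE headers, so they can be recomputed locally and compared against the report. The Python below is an added example, not part of this report or of the sample: it walks the DOS header, COFF header and section table of a PE32 image, hashes each section's raw on-disk bytes, and prints the same line format. The image is a constructed one assembled in memory (its section contents, FILE_ALIGN, the helper names and the reuse of the report's timestamp value are assumptions made for the demonstration). A section whose raw data runs past the end of the file is refused rather than hashed, since a silently truncated read is one reason a locally computed section hash can disagree with another tool's.

```python
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200        # file alignment used by the constructed image
OPT_HEADER_SIZE = 224     # size of a PE32 optional header

# Constructed sample (NOT the binary from this report): section names and
# raw contents for a tiny PE32 image assembled in memory below.  The COFF
# timestamp reuses the report's value so the UTC rendering can be checked.
SAMPLE_TIMESTAMP = 1444246368
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 40),       # fake code bytes
    (".rdata", b"constructed read-only data\x00"),
    (".bss", b""),                                     # no raw data on disk
]


def build_sample_pe(sections, timestamp):
    """Assemble DOS header, PE signature, COFF header, PE32 optional header
    and section table, then append each section's raw bytes at its
    PointerToRawData, padded to FILE_ALIGN."""
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + OPT_HEADER_SIZE + 40 * len(sections)
    raw_ptr = -(-headers_end // FILE_ALIGN) * FILE_ALIGN     # round up
    first_raw_ptr = raw_ptr
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp,
                       0, 0, OPT_HEADER_SIZE, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (OPT_HEADER_SIZE - 2)  # PE32 magic
    table, blobs, va = b"", b"", 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
        # Same section flags (CODE|EXECUTE|READ) for every section, for brevity.
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(body), va, raw_size, raw_ptr if raw_size else 0,
                             0, 0, 0, 0, 0x60000020)
        blobs += body.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
        va += 0x1000
    headers = dos + b"PE\x00\x00" + coff + optional + table
    return headers.ljust(first_raw_ptr, b"\x00") + blobs


def parse_pe_sections(data):
    """Return (coff_timestamp, sections).  Each section dict carries the
    name, SizeOfRawData and MD5/SHA1 of the on-disk bytes, the quantities
    the 'Section.<name> md5 ... sha1 ... size' lines above report."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            # Truncated image or lying header: refuse instead of emitting a
            # hash that can never match what another tool computed.
            raise ValueError(f"section {name!r} extends past end of file")
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return timestamp, sections


def coff_timestamp_utc(timestamp):
    """Render the COFF TimeDateStamp the way the Timestamp line above does."""
    return datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_report(data):
    """Render parsed sections in the same line format as this report."""
    _, sections = parse_pe_sections(data)
    return [f"Section{s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}"
            for s in sections]


if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP)
    ts, _ = parse_pe_sections(image)
    print("Timestamp", coff_timestamp_utc(ts))
    for line in section_report(image):
        print(line)
```

Run it against a real file by replacing the constructed image with `open(path, "rb").read()`; the `.bss`-style section with SizeOfRawData 0 hashes as the empty string, which is what the report would show for such a section too.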
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Symmi.58838
AV Dr. Web: Trojan.Encoder.514
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Symmi.58838
AV BullGuard: Gen:Variant.Symmi.58838
AV VirusBlokAda (vba32): Trojan.Yakes
AV CAT (quickheal): TrojanPWS.Zbot.A4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Downloader.Dofoil.Win32.3405
AV Emsisoft: Gen:Variant.Symmi.58838
AV Ikarus: Trojan.Win32.Injector
AV Frisk (f-prot): No Virus
AV Authentium: W32/Trojan.UUGS-7756
AV MalwareBytes: Trojan.Agent.BNT
AV MicroWorld (escan): Gen:Variant.Symmi.58838
AV Microsoft Security Essentials: Trojan:Win32/Bulta!rfn
AV K7: Trojan ( 004db1cb1 )
AV BitDefender: Gen:Variant.Symmi.58838
AV Fortinet: W32/Generic.UE!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Luhe.Fiha.A
AV Eset (nod32): Win32/Injector.CKQO
AV Alwil (avast): Evo-gen [Susp]
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Symmi.58838
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.359808
AV Mcafee: RDN/Generic.bfr

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startupx\system.pif
Creates Process: C:\malware.exe
Creates Process: C:\malware.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\malware.exe

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\1771031
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
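The runtime details above reduce to a handful of checkable behaviours: three autostart locations (the user's Startup folder, HKLM\...\Policies\Explorer\Run, and HKCU\...\Windows NT\CurrentVersion\Windows\Load), two Explorer values that govern taskbar notifications and the display of super-hidden files, an executable dropped into the All Users profile root, deletion of the original sample, and DNS lookups for every regional pool.ntp.org zone. The Python below is an added example, not part of this report: it transcribes those events into a constructed event list and runs a small rule set over them, the kind of triage a practitioner scripts against a sandbox export. The rule names, the EVENTS list, SAMPLE_PATH and the helper functions are assumptions for the demonstration; the Startup-folder rule matches the path exactly as the report logs it.

```python
import re
from collections import Counter

SAMPLE_PATH = r"C:\malware.exe"

# Constructed from the runtime details above: (action, target, value) as a
# sandbox would export them.  NULL / empty registry data is kept as logged.
EVENTS = [
    ("Creates File", r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startupx\system.pif", None),
    ("Creates Process", r"C:\WINDOWS\system32\msiexec.exe", None),
    ("Registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "1"),
    ("Registry", r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753",
     r'"C:\Documents and Settings\All Users\msvgqh.exe"'),
    ("Registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden", None),
    ("Registry", r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load", ""),
    ("Creates File", r"C:\Documents and Settings\All Users\msvgqh.exe", None),
    ("Creates File", r"C:\Documents and Settings\All Users\1771031", None),
    ("Deletes File", r"C:\malware.exe", None),
    ("Winsock DNS", "pool.ntp.org", None),
    ("Winsock DNS", "europe.pool.ntp.org", None),
    ("Winsock DNS", "asia.pool.ntp.org", None),
]

# (finding name, action, regex over the target).  Matched case-insensitively
# because registry paths are logged in whatever case the sample used.
RULES = [
    ("persistence: Startup folder", "Creates File", r"\\Start Menu\\Programs\\Startup"),
    ("persistence: Policies\\Explorer\\Run", "Registry", r"\\Policies\\Explorer\\Run\\"),
    ("persistence: Run/RunOnce key", "Registry", r"\\CurrentVersion\\(Run|RunOnce)\\"),
    ("persistence: Windows NT\\CurrentVersion\\Windows\\Load", "Registry",
     r"\\Windows NT\\CurrentVersion\\Windows\\Load$"),
    ("ui hiding: TaskbarNoNotification", "Registry", r"\\TaskbarNoNotification$"),
    ("ui hiding: ShowSuperHidden", "Registry", r"\\ShowSuperHidden$"),
    ("drop: executable in All Users profile root", "Creates File",
     r"\\All Users\\[^\\]+\.(exe|pif|scr|com)$"),
]


def triage(events, sample_path=SAMPLE_PATH):
    """Return a list of (finding name, evidence) for the given events."""
    findings = []
    for action, target, _value in events:
        for name, rule_action, pattern in RULES:
            if action == rule_action and re.search(pattern, target, re.IGNORECASE):
                findings.append((name, target))
        # Self-deletion: the sample removes its own image from disk.
        if action == "Deletes File" and target.lower() == sample_path.lower():
            findings.append(("anti-forensics: sample deletes its own image", target))
    # Fan-out over several NTP pool zones is worth a line of its own; one
    # lookup alone would be ordinary time synchronisation.
    ntp = {t.lower() for a, t, _ in events
           if a == "Winsock DNS" and t.lower().endswith("pool.ntp.org")}
    if len(ntp) >= 2:
        findings.append((f"network: lookups for {len(ntp)} pool.ntp.org zones",
                         ", ".join(sorted(ntp))))
    return findings


def summarize(findings):
    """Count findings per category (the part of the name before the colon)."""
    return Counter(name.split(":")[0] for name, _ in findings)


if __name__ == "__main__":
    hits = triage(EVENTS)
    for name, evidence in hits:
        print(f"{name:55s} {evidence}")
    print(dict(summarize(hits)))
```

The same rules run unchanged over a larger export; the only sample-specific input is SAMPLE_PATH, which the self-deletion rule needs because a "Deletes File" on any other path is not evidence of anything by itself.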

Network Details:

DNS: europe.pool.ntp.org Type: A ➝ 213.109.127.82
DNS: europe.pool.ntp.org Type: A ➝ 81.0.208.219
DNS: europe.pool.ntp.org Type: A ➝ 85.252.162.7
DNS: europe.pool.ntp.org Type: A ➝ 95.213.132.254
DNS: north-america.pool.ntp.org Type: A ➝ 138.236.128.36
DNS: north-america.pool.ntp.org Type: A ➝ 159.203.31.244
DNS: north-america.pool.ntp.org Type: A ➝ 171.66.97.126
DNS: north-america.pool.ntp.org Type: A ➝ 108.61.194.85
DNS: south-america.pool.ntp.org Type: A ➝ 186.103.182.15
DNS: south-america.pool.ntp.org Type: A ➝ 190.181.129.115
DNS: south-america.pool.ntp.org Type: A ➝ 200.160.0.8
DNS: south-america.pool.ntp.org Type: A ➝ 200.160.7.193
DNS: asia.pool.ntp.org Type: A ➝ 212.26.18.41
DNS: asia.pool.ntp.org Type: A ➝ 129.250.35.250
DNS: asia.pool.ntp.org Type: A ➝ 168.63.242.24
DNS: asia.pool.ntp.org Type: A ➝ 193.29.53.170
DNS: oceania.pool.ntp.org Type: A ➝ 103.242.70.5
DNS: oceania.pool.ntp.org Type: A ➝ 202.6.116.123
DNS: oceania.pool.ntp.org Type: A ➝ 203.56.27.253
DNS: oceania.pool.ntp.org Type: A ➝ 103.242.68.68
DNS: africa.pool.ntp.org Type: A ➝ 196.223.19.2
DNS: africa.pool.ntp.org Type: A ➝ 41.73.42.10
DNS: africa.pool.ntp.org Type: A ➝ 41.188.33.6
DNS: africa.pool.ntp.org Type: A ➝ 41.222.88.32
DNS: pool.ntp.org Type: A ➝ 66.228.59.187
DNS: pool.ntp.org Type: A ➝ 129.6.15.30
DNS: pool.ntp.org Type: A ➝ 173.255.246.13
DNS: pool.ntp.org Type: A ➝ 64.6.144.6
