Analysis Date: 2015-12-29 20:22:56
MD5: 0d9206779f547a15a2cf0bfa3f7c3aa4
SHA1: 24e8c53e4e192edbc88370ec9b78bdaec0632df8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 46faf3401e92304f40308e251f27c92b sha1: 2a99028004d2e931de1b8d7191c191fc15f40ee7 size: 29696
Section .rdata: md5: cdfd8994378c24fdac94c34b27c2d895 sha1: a836ae80a5e122cf1241c32c40ae493be712ccea size: 15872
Section .data: md5: f3bc92df16ab01d86de1e4d1bf87e463 sha1: 6a16472b8ca7377066397b28fc02ca2b927e8f3f size: 3584
Section .veywb: md5: 943a3112dd0f17e80391e93b9c167ed8 sha1: a42a633fccd2e84d15ad6a62de683ffc11f8a364 size: 31232
Section .reloc: md5: 023fb69cc2ce64a4447b5108124b364c sha1: bb0a41b3897431b1ad40e40c4082a722d0ab1af2 size: 4096
Timestamp: 2015-11-04 14:15:43
Packer: Microsoft Visual C++ ?.?
PEhash: 2a456e0229764bfc5b2291f0ec048d3acaa9a46e
IMPhash: 12c0745368cf9731a611e73c2d6a6df0
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Grisoft (avg): Crypt_s.JVY
AV Symantec: Trojan.Gen
AV CAT (quickheal): Worm.Gamarue.r5
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV K7: Trojan ( 004d5ff11 )
AV ClamAV: no_virus
AV Twister: no_virus
AV Zillya!: no_virus
AV Authentium: W32/S-d1a8399f!Eldorado
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Dr. Web: Trojan.DownLoader17.40933
AV BullGuard: Gen:Variant.Kazy.764156
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.ipin
AV Mcafee: no_virus
AV Rising: no_virus
AV Emsisoft: Gen:Variant.Kazy.764156
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Yakes
AV Eset (nod32): Win32/Kryptik.EDPJ
AV Fortinet: W32/Kryptik.EEAE!tr
AV Alwil (avast): Dorder-E [Trj]
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.764156
AV MalwareBytes: Worm.Gamarue
AV BitDefender: Gen:Variant.Kazy.764156
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV Avira (antivir): TR/AD.Gamarue.Y.1587

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\115531
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
