Analysis Date: 2015-12-08 08:31:36
MD5: 63b85b7c82192fbc869f14b4d239cfad
SHA1: 2c8afba4f179bc1b4fe707b86b401fde8f8bedca

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: f28eb21b686d5242daae2d33dbb6749f sha1: fb04a7a61716535699e32bd16120da6efdada25c size: 115200
Section .rdata md5: 54ff89aa2e3f1786398b17595b3ac4eb sha1: e9d59a967dfa2de151653c05a71aaaecd3840a61 size: 10752
Section .data  md5: 4e2af059978e5b37fdd8500811c7c1f7 sha1: f5c549d7cd51052acfe8bf348d0f20e5861f19fb size: 28160
Section .rsrc  md5: b54b0fd55a777be1201aa4a8800c300e sha1: f56ff7517041995741a5380dab38fa664b980df9 size: 55808
Timestamp: 2015-11-16 07:38:44
Packer: Microsoft Visual C++ ?.?
PEhash: 249b9d403dcd9a8d8d03c5ad639c8907ec7ca916
IMPhash: 060e4c93bf1ea3bc637b32c48eef20f4
AV Ad-Aware: Trojan.GenericKD.2875128
AV Grisoft (avg): Crypt5.MCY
AV Symantec: Trojan.Gen
AV CAT (quickheal): Worm.Gamarue.r4
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV K7: Trojan ( 004d6ed61 )
AV ClamAV: no_virus
AV Twister: no_virus
AV Zillya!: no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MicroWorld (escan): Trojan.GenericKD.2875128
AV Dr. Web: Trojan.PWS.Siggen1.43350
AV BullGuard: Trojan.GenericKD.2875128
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV Mcafee: RDN/Sdbot.worm
AV Rising: no_virus
AV Emsisoft: Trojan.GenericKD.2875128
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Eset (nod32): Win32/Kryptik.EFBB
AV Fortinet: W32/Kryptik.EFLY!tr
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKD.2875128
AV MalwareBytes: Trojan.Zbot
AV BitDefender: Trojan.GenericKD.2875128
AV Arcabit (arcavir): Trojan.GenericKD.2875128
AV Avira (antivir): TR/Crypt.Xpack.320508

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\119203
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A) ➝ 147.231.100.5
DNS europe.pool.ntp.org (Type: A) ➝ 212.18.3.18
DNS europe.pool.ntp.org (Type: A) ➝ 80.92.126.65
DNS europe.pool.ntp.org (Type: A) ➝ 130.60.204.10
DNS north-america.pool.ntp.org (Type: A) ➝ 142.54.181.202
DNS north-america.pool.ntp.org (Type: A) ➝ 199.19.167.36
DNS north-america.pool.ntp.org (Type: A) ➝ 69.164.194.139
DNS north-america.pool.ntp.org (Type: A) ➝ 129.250.35.250
DNS south-america.pool.ntp.org (Type: A) ➝ 190.15.128.72
DNS south-america.pool.ntp.org (Type: A) ➝ 190.64.134.52
DNS south-america.pool.ntp.org (Type: A) ➝ 192.188.53.26
DNS south-america.pool.ntp.org (Type: A) ➝ 200.160.7.186
DNS asia.pool.ntp.org (Type: A) ➝ 103.245.79.18
DNS asia.pool.ntp.org (Type: A) ➝ 202.65.114.202
DNS asia.pool.ntp.org (Type: A) ➝ 27.114.150.12
DNS asia.pool.ntp.org (Type: A) ➝ 31.193.144.2
DNS oceania.pool.ntp.org (Type: A) ➝ 121.0.0.42
DNS oceania.pool.ntp.org (Type: A) ➝ 203.56.27.253
DNS oceania.pool.ntp.org (Type: A) ➝ 103.239.8.22
DNS oceania.pool.ntp.org (Type: A) ➝ 103.242.68.68
DNS africa.pool.ntp.org (Type: A) ➝ 196.223.19.2
DNS africa.pool.ntp.org (Type: A) ➝ 197.80.150.123
DNS africa.pool.ntp.org (Type: A) ➝ 41.222.88.32
DNS pool.ntp.org (Type: A) ➝ 45.79.78.173
DNS pool.ntp.org (Type: A) ➝ 198.55.111.50
DNS pool.ntp.org (Type: A) ➝ 208.75.89.4
DNS pool.ntp.org (Type: A) ➝ 23.239.26.89
DNS microsoft.com (Type: A) ➝ 23.96.52.53
DNS microsoft.com (Type: A) ➝ 191.239.213.197
DNS microsoft.com (Type: A) ➝ 104.43.195.251
DNS microsoft.com (Type: A) ➝ 104.40.211.35
DNS microsoft.com (Type: A) ➝ 23.100.122.175
DNS and13.dexterwasanicemoviesz1.com (Type: A) ➝ (no answer recorded)
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
