Analysis Date: 2015-11-25 06:49:40
MD5: f87908babdc92d7ea025d336ae8152f1
SHA1: 3000ab7201ffbe734ee57f1835ab1a50465c0f38

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 66073cbf7471e40e7cc391b679ff7a42 sha1: d998585a4ca55d175cb56aa2b6e7728abce2ce6b size: 30208
Section .rdata: md5: c42c61d43775738daf6960a1b94ec85b sha1: 2593ac3ea0ae9a1cbc8974d44a9026487c48c869 size: 35840
Section .data: md5: b7e960c77f30a861397247ab82fdc936 sha1: 080940505e58f1c9ca1500a3f6501500f8f4a48f size: 13824
Timestamp: 2015-11-06 23:45:19
Packer: Microsoft Visual C++ ?.?
PEhash: ee6e8a865aef6eef1e1f0283bef3dd99f201ba2e
IMPhash: 74e57f20bc599fe65591936e8962bf2d
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/AD.Gamarue.Y.1616
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.768581
AV Alwil (avast): Dorder-D [Trj]
AV Eset (nod32): Win32/Kryptik.EEAE
AV Grisoft (avg): Crypt_r.AJT
AV Symantec: no_virus
AV Fortinet: W32/Androm.EEAE!tr.bdr
AV BitDefender: Gen:Variant.Kazy.768581
AV K7: Trojan ( 004d65f21 )
AV Microsoft Security Essentials: Trojan:Win32/Bagsu!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.768581
AV MalwareBytes: Trojan.Injector
AV Authentium: W32/Trojan.LMCK-9165
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.768581
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ipxs
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.768581
AV Arcabit (arcavir): Gen:Variant.Kazy.768581
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.48831
AV F-Secure: Gen:Variant.Kazy.768581
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\113703
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
