Analysis Date: 2015-12-06 02:31:05
MD5: fa813735d90fa467a45958b06338af51
SHA1: 310ed143fc31c47c675a04a1cee4460fc602b5f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text (md5: fd3cddbcbae7f3c2c97961f47b6c9f13, sha1: 6fffd91bf8388f562cd55bc7c97b079d570afc6b, size: 120832)
Section .rdata (md5: d3a93c30f0b756009ee1b64e728d417d, sha1: 8968f3939f4b7b1019b552c8d9134e8348f2b0f3, size: 21504)
Section .data (md5: d95fda65cae1b5646471694bbed32d54, sha1: c56b1a9c9356991f388312638eb5beb906e1e86f, size: 27648)
Section .rsrc (md5: 4edeaf2a19a6c4591385b89173d57c10, sha1: 2331d06007fc0d0aa9f7c5d26c63b1e9cefc8440, size: 75776)
Timestamp (PE header): 2015-11-16 22:17:19
Packer: Microsoft Visual C++ ?.?
PEhash: 34b7f9cca2d605314308d727b86c49453d19ef5f
IMPhash: a248afa639147742cf9978f137c512aa
AV Kaspersky: Backdoor.Win32.Androm.irlz
AV Rising: no_virus
AV F-Secure: Trojan.Lethic.Gen.9
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Fortinet: PossibleThreat.VEX.89
AV Frisk (f-prot): no_virus
AV Ikarus: Backdoor.Win32.Androm
AV K7: Trojan-Downloader ( 004cfc7c1 )
AV Mcafee: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.BD
AV Grisoft (avg): Crypt_r.ALO
AV MalwareBytes: Trojan.Zbot
AV Ad-Aware: Trojan.Lethic.Gen.9
AV BullGuard: Trojan.Lethic.Gen.9
AV Alwil (avast): Dorder-G [Trj]
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Avira (antivir): TR/Crypt.Xpack.321518
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Siggen1.43350
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV BitDefender: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\120015
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
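Added example (not part of the sandbox report and not the sample's code): a host-side triage check for the persistence artefacts recorded above, namely the Policies\Explorer\Run value pointing into the All Users profile, the Windows\Load value, TaskbarNoNotification=1, the dropped msvgqh.exe and the numeric-named companion file, plus the MD5/SHA1 of the original sample. The registry export format (key, value name, data tuples), the file list, the severity labels and all helper names are assumptions of this example; the input data is constructed so the script runs offline, and on a live host you would feed it a real registry export and file listing.

```python
# Added example: triage the persistence artefacts from the sandbox run against
# data exported from a host. Not code from the report or the sample. Input
# shapes, severity labels and helper names are assumptions made here.
import hashlib

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "fa813735d90fa467a45958b06338af51",
    "sha1": "310ed143fc31c47c675a04a1cee4460fc602b5f3",
}
DROPPED_DIR = r"C:\Documents and Settings\All Users"
DROPPED_EXE = DROPPED_DIR + r"\msvgqh.exe"
POLICY_RUN_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run"
WINDOWS_KEY = r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows"
POLICY_EXPLORER_KEYS = {
    r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer",
}


def _norm(key):
    # Registry paths are case-insensitive; the report itself mixes cases.
    return key.lower().rstrip("\\")


def _clean(data):
    # The report shows the Run data as a quoted path followed by a NUL byte.
    return str(data or "").rstrip("\x00").strip('"')


def check_registry(values):
    """values: iterable of (key, value_name, data). Returns [(severity, text)]."""
    findings = []
    policy_explorer = {_norm(k) for k in POLICY_EXPLORER_KEYS}
    for key, name, data in values:
        k, d = _norm(key), _clean(data)
        if k == _norm(POLICY_RUN_KEY):
            # Any value here deserves a look; a numeric value name pointing into
            # the All Users profile is the exact pattern from the run.
            exact = name.isdigit() and d.lower().startswith(DROPPED_DIR.lower())
            findings.append(("high" if exact else "medium",
                             f"Policies\\Explorer\\Run value {name!r} -> {d!r}"))
        elif k == _norm(WINDOWS_KEY) and name.lower() == "load":
            # The Load value is not normally present at all.
            findings.append(("medium", f"Windows\\Load value present ({d!r})"))
        elif k in policy_explorer and name.lower() == "taskbarnonotification" and d == "1":
            findings.append(("low", f"TaskbarNoNotification=1 under {key}"))
    return findings


def check_files(files):
    """files: iterable of (path, content_bytes). Returns [(severity, text)]."""
    findings = []
    for path, content in files:
        p = path.lower()
        md5 = hashlib.md5(content).hexdigest()
        sha1 = hashlib.sha1(content).hexdigest()
        if md5 == SAMPLE_HASHES["md5"] or sha1 == SAMPLE_HASHES["sha1"]:
            findings.append(("high", f"hash matches the analysed sample: {path}"))
        elif p == DROPPED_EXE.lower():
            findings.append(("high", f"dropped-file path from the run: {path}"))
        elif p.startswith(DROPPED_DIR.lower() + "\\") and p.rsplit("\\", 1)[-1].isdigit():
            # The run also created a numeric-named file ("120015") next to the EXE.
            findings.append(("medium", f"numeric-named file in All Users: {path}"))
    return findings


def triage(registry_values, files):
    """Combined findings, highest severity first (sort is stable)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(check_registry(registry_values) + check_files(files),
                  key=lambda f: order[f[0]])


# Constructed host data (not real telemetry): the artefacts from the run plus
# benign entries that must not fire.
REGISTRY_EXPORT = [
    (POLICY_RUN_KEY, "317606753",
     '"C:\\Documents and Settings\\All Users\\msvgqh.exe"\x00'),
    (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer",
     "TaskbarNoNotification", "1"),
    (WINDOWS_KEY, "Load", "\x00"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
FILES = [
    (DROPPED_EXE, b"MZ" + b"\x00" * 62),            # constructed bytes, not the sample
    (DROPPED_DIR + r"\120015", b"constructed"),
    (r"C:\WINDOWS\system32\notepad.exe", b"MZ benign"),
]

if __name__ == "__main__":
    for sev, text in triage(REGISTRY_EXPORT, FILES):
        print(f"[{sev}] {text}")
```

The path and value-name checks are deliberately loose (any Policies\Explorer\Run value, any numeric file name in All Users) because the dropped name msvgqh.exe and the value name 317606753 are per-infection artefacts of this run, while the hash check only fires on an unmodified copy of the original binary, which has already deleted itself by the time the persistence entries exist.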

Network Details:

DNS europe.pool.ntp.org (A): 212.83.131.33, 46.165.212.204, 93.157.10.210, 195.154.41.195
DNS north-america.pool.ntp.org (A): 207.210.46.249, 173.44.32.10, 198.60.73.8, 198.211.106.151
DNS south-america.pool.ntp.org (A): 190.15.128.72, 190.228.30.178, 200.93.227.170, 200.192.232.8
DNS asia.pool.ntp.org (A): 118.67.200.10, 118.189.211.186, 203.114.224.252, 218.189.210.3
DNS oceania.pool.ntp.org (A): 103.242.70.5, 202.60.94.11, 103.239.8.22, 103.242.70.4
DNS africa.pool.ntp.org (A): 41.231.7.85, 41.231.53.4, 196.192.32.7, 197.12.0.14
DNS pool.ntp.org (A): 129.6.15.28, 198.144.194.12, 45.79.10.228, 66.219.116.140
DNS microsoft.com (A): 23.100.122.175, 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
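Added example (not part of the report): the only network activity recorded is a burst of A lookups for microsoft.com and all seven pool.ntp.org zones from the msiexec.exe process, sent to the 8.8.4.4 resolver; no further flows follow. A detection over DNS logs can key on that fan-out: one client resolving several distinct pool.ntp.org zones within a short window. The log line format, the 60-second window and the four-zone threshold are assumptions of this example, as is the premise that an ordinary NTP client is configured with one or two pool names rather than every regional zone; tune the threshold against your own baseline before alerting on it.

```python
# Added example: flag hosts that resolve many distinct pool.ntp.org zones in a
# short window, as the sample did. Not code from the report. The log format,
# window and threshold are assumptions made here.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS log (not real telemetry): one client reproducing the run's
# lookups, one host with ordinary periodic NTP traffic, one with two zones.
DNS_LOG = """\
2015-12-06T02:31:10 client=192.168.1.1 qname=microsoft.com qtype=A
2015-12-06T02:31:11 client=192.168.1.1 qname=pool.ntp.org qtype=A
2015-12-06T02:31:11 client=192.168.1.1 qname=north-america.pool.ntp.org qtype=A
2015-12-06T02:31:12 client=192.168.1.1 qname=africa.pool.ntp.org qtype=A
2015-12-06T02:31:12 client=192.168.1.1 qname=oceania.pool.ntp.org qtype=A
2015-12-06T02:31:13 client=192.168.1.1 qname=asia.pool.ntp.org qtype=A
2015-12-06T02:31:13 client=192.168.1.1 qname=south-america.pool.ntp.org qtype=A
2015-12-06T02:31:14 client=192.168.1.1 qname=europe.pool.ntp.org qtype=A
2015-12-06T02:31:20 client=192.168.1.50 qname=pool.ntp.org qtype=A
2015-12-06T02:36:20 client=192.168.1.50 qname=pool.ntp.org qtype=A
2015-12-06T02:40:00 client=192.168.1.77 qname=europe.pool.ntp.org qtype=A
2015-12-06T02:40:01 client=192.168.1.77 qname=north-america.pool.ntp.org qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")
# Matches pool.ntp.org itself and any regional zone such as europe.pool.ntp.org.
POOL_RE = re.compile(r"^(?:(?P<zone>[a-z-]+)\.)?pool\.ntp\.org$", re.I)


def parse_dns_log(text):
    """Return [(timestamp, client, qname)] for the well-formed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["client"], m["qname"].lower()))
    return records


def pool_zone(qname):
    """'europe.pool.ntp.org' -> 'europe'; 'pool.ntp.org' -> 'global'; else None."""
    m = POOL_RE.match(qname)
    if not m:
        return None
    return (m["zone"] or "global").lower()


def find_pool_fanout(records, min_zones=4, window=timedelta(seconds=60)):
    """Return {client: sorted zones} for clients that resolved at least
    min_zones distinct pool.ntp.org zones inside one sliding window."""
    by_client = defaultdict(list)
    for ts, client, qname in records:
        zone = pool_zone(qname)
        if zone:
            by_client[client].append((ts, zone))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            zones = {z for t, z in events[i:] if t - t0 <= window}
            if len(zones) >= min_zones:
                hits[client] = sorted(zones)
                break
    return hits


if __name__ == "__main__":
    for client, zones in find_pool_fanout(parse_dns_log(DNS_LOG)).items():
        print(f"{client}: {len(zones)} pool.ntp.org zones in 60s: {', '.join(zones)}")
```

On the constructed log only 192.168.1.1 fires at the default threshold; the host polling pool.ntp.org every five minutes and the host using two regional zones do not. Pair the hit with the rest of the report (a msiexec.exe child of an unknown binary, a new Policies\Explorer\Run value) rather than alerting on the DNS pattern alone.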
