Analysis Date: 2015-11-17 14:38:40
MD5: bf9328876652a2a216153257d56ba0b8
SHA1: 489c23e337ff65fdc4745c4f19c920038e95b679

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f58cb4ad9486ec857345adeab91b6131 sha1: 92e09b0ae0da48e5a51248d1b0062286e1a15cbf size: 28160
Section .rdata md5: 3b7552ec5c4c2f8d4dcbc3f6ce86e561 sha1: dd6d0314b50e5a7e8a94de8b0d51e3a5a87a3681 size: 9728
Section .data md5: a928d8bed2d43d466d2fede8386dd956 sha1: c1b77b8f6570b4543bbbd3499561fe778320f692 size: 8704
Section .trhdtr md5: 0db53c8d5d5ae76a062566db2f836c33 sha1: 910d2904240c37d45ac815654fb6753e66caaf1c size: 31232
Section .reloc md5: 0150951f6f0b13122e794e9833d8de9a sha1: f6a7bdaf826a74f8ae09e209ce058857866141ef size: 3072
Timestamp: 2015-11-03 22:20:51
Packer: Microsoft Visual C++ ?.?
PEhash: a36ab282eb16fd73f8881165932dcfaeadb0678d
IMPhash: 6bea9c8abcc2e0cd8b3d88d260b91848
AV F-Secure: Trojan.Agent.BNYE
AV Authentium: W32/S-d1a8399f!Eldorado
AV MalwareBytes: Worm.Gamarue
AV Dr. Web: Trojan.DownLoader17.40602
AV Grisoft (avg): Crypt5.JGA
AV Eset (nod32): Win32/Kryptik.EDJW
AV MicroWorld (escan): Trojan.Agent.BNYE
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Agent.BNYE
AV BitDefender: Trojan.Agent.BNYE
AV Avira (antivir): TR/Crypt.Xpack.316830
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Kryptik.EEAE!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.ipfb
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Trojan.Agent.BNYE
AV Mcafee: RDN/Generic BackDoor
AV Twister: Trojan.Girtk.EDJW.gmgj
AV Symantec: no_virus
AV K7: Trojan ( 004d5dd61 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Agent.BNYE
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Agent.BNYE
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\114312
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 134.170.188.221:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
