Analysis Date: 2015-11-26 05:56:34
MD5: ae6b1171df529890d8b697c679840376
SHA1: 4c8fb715eae41f5933245b9cd906e7bf15994f32

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3db0392331978983b0eae683f202f97b  sha1: 7ea673b3f614f3e5e0279ac1effe0129fc492c23  size: 30208
Section .rdata  md5: 1bf4fdf9b819df1025ac686ce24f485e  sha1: 82f881ca627f5da945ab992e6cfa08a865a6c2fe  size: 37888
Section .data   md5: 07b5435a68a9662097fe29c0a41aca37  sha1: 378352a8b0c10a6c856db122296b347a01a2b044  size: 11264
Timestamp: 2015-11-07 12:30:52
Packer: Microsoft Visual C++ ?.?
PEhash: 6d044606cc45866185b4a6140b2c8d2eda3a1fe5
IMPhash: 321dbde1b4664b24e8fdf7b956a1fbf1
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): no_virus
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKD.2856187
AV Alwil (avast): Dorder-D [Trj]
AV Eset (nod32): Win32/Kryptik.EECK
AV Grisoft (avg): Generic_r.GGE
AV Symantec: Trojan.Gen
AV Fortinet: W32/Androm.IQCS!tr.bdr
AV BitDefender: Trojan.GenericKD.2856187
AV K7: Trojan ( 004d654e1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.GenericKD.2856187
AV MalwareBytes: Backdoor.Andromeda
AV Authentium: W32/Trojan.OXSI-7004
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKD.2856187
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqcs
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2856187
AV Arcabit (arcavir): Trojan.GenericKD.2856187
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.49890
AV F-Secure: Trojan.GenericKD.2856187
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\1824656
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
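The runtime trace above is the persistence and evasion footprint a host-based check should key on: the sample spawns msiexec.exe, and it is that signed system binary (not C:\malware.exe) that writes the autorun value under Policies\Explorer\Run pointing at a copy dropped in the All Users profile, sets TaskbarNoNotification, touches ShowSuperHidden and the legacy Windows NT\CurrentVersion\Windows\Load value, after which the original binary is deleted. The check below is an added example and not part of the sandbox report; it runs a handful of rules over Sysmon-style events (EventID 13 registry set, EventID 11 file create) that are constructed to mirror the report's keys and paths, plus one benign control event. The rule names, event field names and the INJECTION_HOSTS list are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed Sysmon-style events. They are NOT the sandbox trace from the
# report; keys, values and paths are modelled on the ones it lists, plus one
# benign control (a vendor installer writing its own Run entry from Program Files).
SAMPLE_EVENTS = [
    {"id": 13, "image": "C:\\WINDOWS\\system32\\msiexec.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\317606753",
     "details": "\"C:\\Documents and Settings\\All Users\\msvgqh.exe\""},
    {"id": 13, "image": "C:\\WINDOWS\\system32\\msiexec.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": "C:\\WINDOWS\\system32\\msiexec.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
     "details": ""},  # the report records an empty value; any write here is unusual
    {"id": 13, "image": "C:\\WINDOWS\\system32\\msiexec.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
    {"id": 11, "image": "C:\\malware.exe",
     "target": "C:\\Documents and Settings\\All Users\\msvgqh.exe", "details": ""},
    {"id": 13, "image": "C:\\Program Files\\Vendor\\setup.exe",          # benign control
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "details": "\"C:\\Program Files\\Vendor\\tray.exe\""},
]

# Fragments matched against lower-cased registry paths / file paths.
AUTORUN_KEYS = ("\\currentversion\\policies\\explorer\\run\\",
                "\\currentversion\\run\\", "\\currentversion\\runonce\\")
SHARED_PROFILE_DIRS = ("\\documents and settings\\all users\\", "\\programdata\\",
                       "\\users\\public\\")
# Assumption: signed system binaries commodity bots inject into before touching the registry.
INJECTION_HOSTS = ("msiexec.exe", "svchost.exe", "wuauclt.exe")


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' or a bare decimal into an int; None if not numeric."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def registry_findings(ev):
    """Rules for an EventID 13 (registry value set) event; returns finding labels."""
    target = ev["target"].lower()
    details = ev["details"]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    out = []
    if any(k in target for k in AUTORUN_KEYS):
        if "\\policies\\explorer\\run\\" in target:
            out.append("policy-run-key autorun (slot legitimate software rarely uses)")
        if any(d in details.lower() for d in SHARED_PROFILE_DIRS):
            out.append("autorun target lives in a shared profile directory")
        if image in INJECTION_HOSTS:
            out.append("autorun written by %s (injection host)" % image)
        if target.rsplit("\\", 1)[-1].isdigit():
            out.append("autorun value name is purely numeric")
    if target.endswith("\\policies\\explorer\\taskbarnonotification") and dword_value(details) == 1:
        out.append("taskbar balloon notifications suppressed")
    if target.endswith("\\windows nt\\currentversion\\windows\\load"):
        out.append("legacy win.ini-style 'Load' persistence value written")
    if target.endswith("\\explorer\\advanced\\showsuperhidden") and dword_value(details) in (0, None):
        out.append("ShowSuperHidden cleared (protected OS files stay hidden)")
    return out


def file_findings(ev):
    """Rule for an EventID 11 (file create) event."""
    target = ev["target"].lower()
    if target.endswith(".exe") and any(d in target for d in SHARED_PROFILE_DIRS):
        return ["executable dropped into a shared profile directory"]
    return []


def scan(events):
    """Return a Counter of finding label -> number of events that triggered it."""
    hits = Counter()
    for ev in events:
        findings = registry_findings(ev) if ev["id"] == 13 else \
                   file_findings(ev) if ev["id"] == 11 else []
        hits.update(findings)
    return hits


if __name__ == "__main__":
    for label, n in scan(SAMPLE_EVENTS).items():
        print("%d  %s" % (n, label))
```

The control event shows why the rules are stacked rather than keyed on the Run key alone: a vendor installer writing its own Run value from Program Files triggers nothing, while the report's pattern triggers four of the autorun sub-rules at once. The Load value is flagged on any write because the report shows it being set even though the recorded value is empty.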

Network Details:

DNS: europe.pool.ntp.org (A) ➝ 37.59.119.229
DNS: europe.pool.ntp.org (A) ➝ 85.25.105.105
DNS: europe.pool.ntp.org (A) ➝ 85.119.80.233
DNS: europe.pool.ntp.org (A) ➝ 193.224.65.147
DNS: north-america.pool.ntp.org (A) ➝ 204.2.134.163
DNS: north-america.pool.ntp.org (A) ➝ 54.83.7.186
DNS: north-america.pool.ntp.org (A) ➝ 66.96.96.29
DNS: north-america.pool.ntp.org (A) ➝ 192.155.90.13
DNS: south-america.pool.ntp.org (A) ➝ 190.181.129.115
DNS: south-america.pool.ntp.org (A) ➝ 192.188.53.26
DNS: south-america.pool.ntp.org (A) ➝ 200.89.75.197
DNS: south-america.pool.ntp.org (A) ➝ 200.160.7.193
DNS: asia.pool.ntp.org (A) ➝ 194.225.150.25
DNS: asia.pool.ntp.org (A) ➝ 218.189.210.4
DNS: asia.pool.ntp.org (A) ➝ 92.61.176.134
DNS: asia.pool.ntp.org (A) ➝ 168.63.242.24
DNS: oceania.pool.ntp.org (A) ➝ 54.252.129.186
DNS: oceania.pool.ntp.org (A) ➝ 103.242.68.68
DNS: oceania.pool.ntp.org (A) ➝ 202.127.210.36
DNS: oceania.pool.ntp.org (A) ➝ 203.56.27.253
DNS: africa.pool.ntp.org (A) ➝ 41.231.53.4
DNS: africa.pool.ntp.org (A) ➝ 196.223.19.3
DNS: africa.pool.ntp.org (A) ➝ 41.79.80.34
DNS: africa.pool.ntp.org (A) ➝ 41.204.120.137
DNS: pool.ntp.org (A) ➝ 66.228.59.187
DNS: pool.ntp.org (A) ➝ 74.120.8.2
DNS: pool.ntp.org (A) ➝ 209.244.0.3
DNS: pool.ntp.org (A) ➝ 209.244.0.4
DNS: microsoft.com (A) ➝ 104.43.195.251
DNS: microsoft.com (A) ➝ 191.239.213.197
DNS: microsoft.com (A) ➝ 23.96.52.53
DNS: microsoft.com (A) ➝ 23.100.122.175
DNS: microsoft.com (A) ➝ 104.40.211.35
DNS: outsphere.com (A) ➝ 77.120.113.58
DNS: benezramarketing.com (A)
HTTP POST: http://outsphere.com/wp-content/plugins/xcalendar/data/system4_1030.php
User-Agent: Mozilla/4.0
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1045 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1047 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1048 ➝ 77.120.113.58:80
Flows UDP: 192.168.1.1:1049 ➝ 8.8.4.4:53
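The network section gives three signals worth a rule: the burst of lookups for every regional pool.ntp.org name plus microsoft.com before any C2 traffic (the report records only DNS and a TCP/80 connection to microsoft.com, no UDP/123 flow, so the rule keys on name resolution rather than NTP traffic), the bare "Mozilla/4.0" User-Agent, and a POST to a .php script under a WordPress plugin's data directory, the usual shape of a compromised site used as a drop point. The detector below is an added example and not part of the report; the log lines are constructed in a simple space-separated format rather than taken from the pcap, the host 10.0.0.7 is a benign control, and the thresholds and rule labels are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log (NOT the report's pcap). Record formats:
#   <epoch> <src-ip> dns <qname>
#   <epoch> <src-ip> http <method> <url> <user-agent...>
# Names and paths mirror the report's network section; 10.0.0.7 is a benign control.
SAMPLE_LOG = """\
1448517394 192.168.1.1 dns microsoft.com
1448517395 192.168.1.1 dns pool.ntp.org
1448517395 192.168.1.1 dns north-america.pool.ntp.org
1448517395 192.168.1.1 dns africa.pool.ntp.org
1448517396 192.168.1.1 dns oceania.pool.ntp.org
1448517396 192.168.1.1 dns asia.pool.ntp.org
1448517396 192.168.1.1 dns south-america.pool.ntp.org
1448517397 192.168.1.1 dns europe.pool.ntp.org
1448517398 192.168.1.1 dns outsphere.com
1448517399 192.168.1.1 http POST http://outsphere.com/wp-content/plugins/xcalendar/data/system4_1030.php Mozilla/4.0
1448517400 10.0.0.7 dns time.windows.com
1448517401 10.0.0.7 http GET http://example.org/wp-content/plugins/xcalendar/readme.txt Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
"""

NTP_POOL_SUFFIX = "pool.ntp.org"
# POST handlers do not normally live under plugin/upload directories; a .php there is suspect.
PLUGIN_PHP = re.compile(r"^/wp-content/(?:plugins|uploads)/.+\.php$")
# The exact, version-only UA the report shows; real browsers send much more.
BARE_UA = re.compile(r"^Mozilla/4\.0$")


def parse_log(text):
    """Turn the constructed log into dicts; UA may contain spaces, so split with a limit."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, rest = line.split(" ", 3)
        rec = {"ts": int(ts), "src": src, "kind": kind}
        if kind == "dns":
            rec["qname"] = rest.strip().lower()
        elif kind == "http":
            method, url, ua = rest.split(" ", 2)
            rec.update(method=method, url=url, ua=ua)
        records.append(rec)
    return records


def ntp_pool_fanout(records, window=60, threshold=4):
    """Map src -> distinct *.pool.ntp.org names resolved inside any `window`-second span,
    for sources reaching `threshold` or more."""
    by_src = defaultdict(list)
    for r in records:
        if r["kind"] != "dns":
            continue
        q = r["qname"]
        if q == NTP_POOL_SUFFIX or q.endswith("." + NTP_POOL_SUFFIX):
            by_src[r["src"]].append((r["ts"], q))
    flagged = {}
    for src, qs in by_src.items():
        qs.sort()
        for i, (t0, _) in enumerate(qs):
            names = {q for t, q in qs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[src] = len(names)
                break
    return flagged


def http_findings(rec):
    """Rules for one HTTP record; returns finding labels."""
    out = []
    if BARE_UA.match(rec["ua"].strip()):
        out.append("bare 'Mozilla/4.0' User-Agent")
    if rec["method"] == "POST" and PLUGIN_PHP.match(urlsplit(rec["url"]).path):
        out.append("POST to a PHP script under a WordPress plugin/upload directory")
    return out


def scan(text, window=60):
    """Return {src-ip: [finding, ...]} for every source that triggered at least one rule."""
    records = parse_log(text)
    findings = defaultdict(list)
    for src, n in ntp_pool_fanout(records, window=window).items():
        findings[src].append("%d pool.ntp.org names resolved within %ds" % (n, window))
    for r in records:
        if r["kind"] == "http":
            findings[r["src"]].extend(http_findings(r))
    return {src: f for src, f in findings.items() if f}


if __name__ == "__main__":
    for src, labels in scan(SAMPLE_LOG).items():
        print(src, "->", "; ".join(labels))
```

The fan-out rule is the least brittle of the three because it needs no knowledge of the C2 host: a Windows endpoint that has not been pointed at pool.ntp.org by policy has no reason to resolve seven of those names within a few seconds, and the control host resolving time.windows.com is untouched. The UA and path rules catch this specific drop point and should be treated as a starting point for the hunt, not as the only signature.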
