Analysis Date: 2015-11-14 21:41:59
MD5: 240cd5def85d6250f9668db423def18d
SHA1: 530797339242303f6b6e5a32979b64dd4ab41390

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f28bf6a820165614341c1543ad9d44de sha1: 4e17bc547883bc02d82d118289803fa256b40c36 size: 29696
Section .rdata: md5: c30d5a9511d7515014c638f09e2f9cbe sha1: 22c63f5b741660d5179d812e2c82002134029bd6 size: 15872
Section .data: md5: f3bc92df16ab01d86de1e4d1bf87e463 sha1: 6a16472b8ca7377066397b28fc02ca2b927e8f3f size: 3584
Section .veywb: md5: 16a36af48d8ec9883eb2e050042de262 sha1: 11558f810d0ed6d8b9a7ae1b4fe9be7fa8289d03 size: 31232
Section .reloc: md5: 023fb69cc2ce64a4447b5108124b364c sha1: bb0a41b3897431b1ad40e40c4082a722d0ab1af2 size: 4096
Timestamp: 2015-11-04 14:00:52
Packer: Microsoft Visual C++ ?.?
PEhash: 2a456e0229764bfc5b2291f0ec048d3acaa9a46e
IMPhash: 12c0745368cf9731a611e73c2d6a6df0
AV F-Secure: Trojan.GenericKD.2851231
AV Authentium: W32/Trojan.TNFB-9021
AV MalwareBytes: Worm.Gamarue
AV Dr. Web: Trojan.DownLoader17.40933
AV Grisoft (avg): Crypt_s.JVY
AV Eset (nod32): Win32/Kryptik.EDPJ
AV MicroWorld (escan): Trojan.GenericKD.2851231
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Trojan.GenericKD.2851231
AV BitDefender: Trojan.GenericKD.2851231
AV Avira (antivir): TR/AD.Gamarue.Y.1480
AV Alwil (avast): Rootkit-gen [Rtk]
AV Fortinet: W32/Androm.EDPJ!tr.bdr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iplg
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2851231
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Trojan.Gen.2
AV K7: Trojan ( 004d5ff11 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.GenericKD.2851231
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2851231
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\113906
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: outsphere.com, Type: A
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 134.170.188.221:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
