Analysis Date: 2015-12-28 11:34:26
MD5: e0d611e554f9e7dcf0ee7d6cfe76624b
SHA1: 5cf746da535ba40190ec44f76a0edf2b1f6e85be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 052b62250b2f5d32a311fdd091ff2c5e sha1: 8b44b442f61dafed6626ca447ce197992bdfec55 size: 122368
Section .rdata: md5: c94b2e9bdd9e77af1c3112692520b7ac sha1: 2e397a0c3fcba10cac922ca5b8f9f337e2b7c7d6 size: 14336
Section .data: md5: 12704da8a71934c88e255ca6e8e79ceb sha1: 962d53fdf93625188926e2ba12016a2cd61e9a83 size: 73216
Section .rsrc: md5: 832b4383bcc448c7a806b24aa11199c4 sha1: afe9152fe144819eba3117f3f60408052bbb5b61 size: 94208
Timestamp: 2015-11-12 05:53:44
Packer: Microsoft Visual C++ ?.?
PEhash: 7bdbc81b516654d504960b2a2985d52c44075837
IMPhash: fc62a09f0a5fb5a1a3a4a9995fce3629
AV VirusBlokAda (vba32): Trojan.Agentb
AV CAT (quickheal): Backdoor.Androm.r4
AV Rising: 0x5972a045
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqsj
AV ClamAV: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV MicroWorld (escan): Trojan.GenericKD.2867250
AV Twister: no_virus
AV Eset (nod32): Win32/Kryptik.EEYM
AV Mcafee: RDN/Generic BackDoor
AV K7: Trojan ( 004d69cb1 )
AV Avira (antivir): TR/Crypt.Xpack.317189
AV Emsisoft: Trojan.GenericKD.2867250
AV Grisoft (avg): Pakes2_c.BSHS
AV MalwareBytes: Trojan.MalPack
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Symantec: Backdoor.Trojan
AV Trend Micro: TROJ_IN.C95A2FC2
AV BullGuard: Trojan.GenericKD.2867250
AV F-Secure: Trojan.GenericKD.2867250
AV Arcabit (arcavir): Trojan.GenericKD.2867250
AV BitDefender: Trojan.GenericKD.2867250
AV Fortinet: W32/INJECT.XXUVX!tr
AV Dr. Web: Trojan.Siggen6.32796
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Alwil (avast): Dorder-C [Trj]
AV Ad-Aware: Trojan.GenericKD.2867250
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\117984
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org Type: A 91.206.8.36
DNS: europe.pool.ntp.org Type: A 185.90.153.252
DNS: europe.pool.ntp.org Type: A 78.47.226.8
DNS: europe.pool.ntp.org Type: A 85.252.162.7
DNS: north-america.pool.ntp.org Type: A 50.16.201.39
DNS: north-america.pool.ntp.org Type: A 66.175.211.68
DNS: north-america.pool.ntp.org Type: A 108.59.2.24
DNS: north-america.pool.ntp.org Type: A 4.53.160.75
DNS: south-america.pool.ntp.org Type: A 200.186.125.195
DNS: south-america.pool.ntp.org Type: A 170.155.148.1
DNS: south-america.pool.ntp.org Type: A 170.210.222.2
DNS: south-america.pool.ntp.org Type: A 186.103.182.15
DNS: asia.pool.ntp.org Type: A 77.235.14.49
DNS: asia.pool.ntp.org Type: A 103.31.248.249
DNS: asia.pool.ntp.org Type: A 218.189.210.3
DNS: asia.pool.ntp.org Type: A 31.193.144.2
DNS: oceania.pool.ntp.org Type: A 103.242.70.4
DNS: oceania.pool.ntp.org Type: A 192.189.54.17
DNS: oceania.pool.ntp.org Type: A 54.252.161.68
DNS: oceania.pool.ntp.org Type: A 103.242.68.68
DNS: africa.pool.ntp.org Type: A 41.73.42.22
DNS: africa.pool.ntp.org Type: A 41.188.33.6
DNS: africa.pool.ntp.org Type: A 196.41.127.42
DNS: africa.pool.ntp.org Type: A 196.49.6.67
DNS: pool.ntp.org Type: A 108.61.194.85
DNS: pool.ntp.org Type: A 184.105.182.7
DNS: pool.ntp.org Type: A 209.114.111.1
DNS: pool.ntp.org Type: A 50.116.36.122
DNS: microsoft.com Type: A 23.96.52.53
DNS: microsoft.com Type: A 191.239.213.197
DNS: microsoft.com Type: A 104.43.195.251
DNS: microsoft.com Type: A 104.40.211.35
DNS: microsoft.com Type: A 23.100.122.175
DNS: dfs.knowmark.it Type: A (no answer recorded)
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53