Analysis Date: 2015-12-06 05:29:41
MD5: 7caa6f55cec7f35441ee3e1e9cfcf72b
SHA1: 6419c5551df7ef4d88a0defe062f37c33a1433c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: c11bf578baf39b89a37246c4b9d22c7d sha1: 76d1bb83afcb09503a6b6b0eca0473263c432f44 size: 30208
Section .rdata md5: 07b91fe2cb4d79e6215f5008907d2f12 sha1: cdad16a01824acca1b31d03c6864b6278701e54d size: 25088
Section .data  md5: b8e8ff817bd4293980a2ece3f7d2c192 sha1: f48e7c4e0d2679a00e2f742fb904ae0c6ca723f7 size: 24576
Timestamp: 2015-11-07 03:15:32
Packer: Microsoft Visual C++ ?.?
PEhash: 4aea323ec70ab7a2d9aad146b1b9b466f3d3a1b9
IMPhash: 74e57f20bc599fe65591936e8962bf2d
AV Kaspersky: Backdoor.Win32.Androm.ipyl
AV MicroWorld (escan): Gen:Variant.Kazy.768581
AV Grisoft (avg): Crypt_r.AJT
AV Mcafee: RDN/Generic BackDoor
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.768581
AV Ikarus: Trojan.Win32.Crypt
AV K7: Trojan ( 004d65f21 )
AV MalwareBytes: Trojan.Injector
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Fortinet: W32/Androm.EEAE!tr.bdr
AV CAT (quickheal): Backdoor.Androm.r3
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.48951
AV Ad-Aware: Gen:Variant.Kazy.768581
AV Emsisoft: Gen:Variant.Kazy.768581
AV Avira (antivir): TR/AD.Gamarue.Y.1608
AV Eset (nod32): Win32/Kryptik.EEAE
AV Arcabit (arcavir): Gen:Variant.Kazy.768581
AV BitDefender: Gen:Variant.Kazy.768581
AV BullGuard: Gen:Variant.Kazy.768581
AV Alwil (avast): Dorder-E [Trj]
AV Authentium: W32/Trojan.FPAF-8969
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\113187
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
