Analysis Date: 2015-11-22 06:56:50
MD5: ee01930cdbbb2289f2276fea4f69e85d
SHA1: 6f9a289de6d9197a612b327ed11a5c4e1cfae2b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: eb973098b2787cbc78c80a5ced5a90bc sha1: f9d94a6a4c064e18081defaa09baf2aed67ff598 size: 28672
Section .rdata: md5: e6eae8cae22d3348b3e47997760aac68 sha1: 0a93fe6e467deb3ba2371b5186082e788cf9ba99 size: 32256
Section .data: md5: 0c1014c42019a577afcc9c0b4f137936 sha1: 01cf949db6a50fd9402d51a3bc3ae217b280bc95 size: 17408
Timestamp: 2015-11-08 15:46:21
Packer: Microsoft Visual C++ ?.?
PEhash: 8691506240b66bd2199dd886ca439f843cb55795
IMPhash: da0d9a49493aee4c0be3e5da3adf5d23
AV F-Secure: Gen:Variant.Kazy.380722
AV Authentium: W32/Trojan.UOST-9364
AV MalwareBytes: Trojan.Agent
AV Dr. Web: Trojan.DownLoader17.46610
AV Grisoft (avg): Inject3.OIJ
AV Eset (nod32): Win32/Kryptik.EEDZ
AV MicroWorld (escan): Gen:Variant.Kazy.380722
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.380722
AV BitDefender: Gen:Variant.Zusy.169053
AV Avira (antivir): TR/AD.Gamarue.Y.1530
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Androm.EEDZ!tr.bdr
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iqft
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.169053
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: no_virus
AV K7: Trojan ( 004d68671 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.380722
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.380722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process: C:\malware.exe
    Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\1552296
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org Type: A ➝ 78.46.53.8
DNS: europe.pool.ntp.org Type: A ➝ 37.187.56.220
DNS: europe.pool.ntp.org Type: A ➝ 62.116.162.126
DNS: europe.pool.ntp.org Type: A ➝ 77.232.189.1
DNS: north-america.pool.ntp.org Type: A ➝ 209.118.204.201
DNS: north-america.pool.ntp.org Type: A ➝ 72.20.40.62
DNS: north-america.pool.ntp.org Type: A ➝ 104.232.3.3
DNS: north-america.pool.ntp.org Type: A ➝ 171.66.97.126
DNS: south-america.pool.ntp.org Type: A ➝ 200.160.0.8
DNS: south-america.pool.ntp.org Type: A ➝ 164.73.227.4
DNS: south-america.pool.ntp.org Type: A ➝ 170.210.222.2
DNS: south-america.pool.ntp.org Type: A ➝ 186.71.75.78
DNS: asia.pool.ntp.org Type: A ➝ 168.63.242.24
DNS: asia.pool.ntp.org Type: A ➝ 218.189.210.3
DNS: asia.pool.ntp.org Type: A ➝ 218.189.210.4
DNS: asia.pool.ntp.org Type: A ➝ 59.149.185.193
DNS: oceania.pool.ntp.org Type: A ➝ 202.22.158.31
DNS: oceania.pool.ntp.org Type: A ➝ 103.242.68.69
DNS: oceania.pool.ntp.org Type: A ➝ 103.242.70.5
DNS: oceania.pool.ntp.org Type: A ➝ 121.0.0.41
DNS: africa.pool.ntp.org Type: A ➝ 196.49.6.67
DNS: africa.pool.ntp.org Type: A ➝ 196.192.32.7
DNS: africa.pool.ntp.org Type: A ➝ 197.82.150.123
DNS: africa.pool.ntp.org Type: A ➝ 168.167.71.131
DNS: pool.ntp.org Type: A ➝ 73.208.216.139
DNS: pool.ntp.org Type: A ➝ 198.211.106.151
DNS: pool.ntp.org Type: A ➝ 69.46.30.167
DNS: pool.ntp.org Type: A ➝ 72.249.38.88
DNS: microsoft.com Type: A ➝ 191.239.213.197
DNS: microsoft.com Type: A ➝ 104.43.195.251
DNS: microsoft.com Type: A ➝ 104.40.211.35
DNS: microsoft.com Type: A ➝ 23.100.122.175
DNS: microsoft.com Type: A ➝ 23.96.52.53
DNS: outsphere.com Type: A
Flows: UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1045 ➝ 191.239.213.197:80
Flows: UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows: UDP 192.168.1.1:1047 ➝ 8.8.4.4:53
