Analysis Date: 2015-12-02 06:59:55
MD5: 3a2beecbc73d9ece338d2d2fc911f350
SHA1: 772e114fe733f1ee3fd4beb7b2ce52d89f60ed74

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 7650777eb8fcb71262a188067e9a6254 sha1: fd76325108e1a38ccd8aee4c0351bf0fb81eb01d size: 28160
Section .rdata  md5: 3b7552ec5c4c2f8d4dcbc3f6ce86e561 sha1: dd6d0314b50e5a7e8a94de8b0d51e3a5a87a3681 size: 9728
Section .data   md5: 008b7129881f15e60f1c31849cdac18b sha1: f523c26a1fc142937eb9dacd3f76dfce8a3c3fa2 size: 8704
Section .trhdtr md5: 54b0d28e06c250b6e7297ba36f2baff2 sha1: 9696604087c6f7912dc9485a55e2f487f27ee6d7 size: 31232
Section .reloc  md5: 0150951f6f0b13122e794e9833d8de9a sha1: f6a7bdaf826a74f8ae09e209ce058857866141ef size: 3072
Timestamp: 2015-11-04 03:40:16
Packer: Microsoft Visual C++ ?.?
PEhash: a36ab282eb16fd73f8881165932dcfaeadb0678d
IMPhash: 6bea9c8abcc2e0cd8b3d88d260b91848
AV CA (E-Trust Ino): no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Agent.BNYE
AV Authentium: W32/S-d1a8399f!Eldorado
AV Avira (antivir): TR/Crypt.Xpack.321390
AV Emsisoft: Trojan.Agent.BNYE
AV Trend Micro: no_virus
AV Dr. Web: Trojan.DownLoader17.40602
AV Grisoft (avg): Crypt5.JGA
AV MalwareBytes: Worm.Gamarue
AV Fortinet: W32/Kryptik.EEAE!tr
AV Ad-Aware: Trojan.Agent.BNYE
AV BullGuard: Trojan.Agent.BNYE
AV Zillya!: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): Backdoor.Androm
AV ClamAV: no_virus
AV Twister: Trojan.Girtk.EDJW.gmgj
AV Eset (nod32): Win32/Kryptik.EDJW
AV BitDefender: Trojan.Agent.BNYE
AV MicroWorld (escan): Trojan.Agent.BNYE
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV K7: Trojan ( 004d5dd61 )
AV Symantec: Trojan.Gen
AV Alwil (avast): Dorder-E [Trj]
AV Mcafee: no_virus
AV Arcabit (arcavir): Trojan.Agent.BNYE
AV CAT (quickheal): no_virus
AV Rising: 0x59562fcd

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\115531
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A) ➝ 83.151.158.44
DNS europe.pool.ntp.org (Type: A) ➝ 176.9.102.215
DNS europe.pool.ntp.org (Type: A) ➝ 194.239.123.230
DNS europe.pool.ntp.org (Type: A) ➝ 46.254.216.9
DNS north-america.pool.ntp.org (Type: A) ➝ 66.96.96.29
DNS north-america.pool.ntp.org (Type: A) ➝ 108.61.194.85
DNS north-america.pool.ntp.org (Type: A) ➝ 129.6.15.28
DNS north-america.pool.ntp.org (Type: A) ➝ 208.75.89.4
DNS south-america.pool.ntp.org (Type: A) ➝ 200.1.22.6
DNS south-america.pool.ntp.org (Type: A) ➝ 200.20.186.76
DNS south-america.pool.ntp.org (Type: A) ➝ 190.15.141.64
DNS south-america.pool.ntp.org (Type: A) ➝ 200.1.19.16
DNS asia.pool.ntp.org (Type: A) ➝ 91.201.214.3
DNS asia.pool.ntp.org (Type: A) ➝ 92.61.176.134
DNS asia.pool.ntp.org (Type: A) ➝ 129.250.35.250
DNS asia.pool.ntp.org (Type: A) ➝ 218.234.23.44
DNS oceania.pool.ntp.org (Type: A) ➝ 121.0.0.41
DNS oceania.pool.ntp.org (Type: A) ➝ 202.22.158.31
DNS oceania.pool.ntp.org (Type: A) ➝ 103.242.68.68
DNS oceania.pool.ntp.org (Type: A) ➝ 103.242.70.4
DNS africa.pool.ntp.org (Type: A) ➝ 41.188.33.6
DNS africa.pool.ntp.org (Type: A) ➝ 41.204.120.137
DNS africa.pool.ntp.org (Type: A) ➝ 196.41.127.42
DNS africa.pool.ntp.org (Type: A) ➝ 197.80.150.123
DNS pool.ntp.org (Type: A) ➝ 129.6.15.30
DNS pool.ntp.org (Type: A) ➝ 199.233.217.27
DNS pool.ntp.org (Type: A) ➝ 66.79.136.235
DNS pool.ntp.org (Type: A) ➝ 66.228.42.59
DNS microsoft.com (Type: A) ➝ 191.239.213.197
DNS microsoft.com (Type: A) ➝ 104.43.195.251
DNS microsoft.com (Type: A) ➝ 104.40.211.35
DNS microsoft.com (Type: A) ➝ 23.100.122.175
DNS microsoft.com (Type: A) ➝ 23.96.52.53
DNS outsphere.com (Type: A)
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
