Analysis Date: 2015-12-02 03:06:38
MD5: 08a699efa60ccd07c44a4d69c334aa48
SHA1: 8382f6ae77c60c3417bf800ea8092969366c218c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 8acf831af7e1c7c08bd5dd420ecab1a3 sha1: ad97b05d9636ee5aae915f00ebe8db9ac2a3c14d size: 29184
Section .rdata: md5: dfa8c68d00bfac05adabb123162a3e29 sha1: 3841722103d55a8dff25592660977c2bcebb2804 size: 28672
Section .data:  md5: 5747dc90a29b08c71e2d089e34a97e1f sha1: 70227fbe8b7e78deffb9d2f6bca1e246c1e3bb01 size: 20992
Timestamp: 2015-11-08 06:31:26
Packer: Microsoft Visual C++ ?.? (compiler signature, version not resolved; no packer was identified)
PEhash: e13d29bf8b0a634b76c7d875860d58825bb7e9f1
IMPhash: 41784a6167480aeca284fcb1f8f0020e
AV results (19 of 25 engines detect; each engine listed once):
AV Ad-Aware: Gen:Variant.Kazy.768581
AV Alwil (avast): Dorder-E [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.768581
AV Authentium: W32/Trojan.MUVH-8145
AV Avira (antivir): TR/Crypt.ZPACK.205748
AV BitDefender: Gen:Variant.Kazy.768581
AV BullGuard: Gen:Variant.Kazy.768581
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.52819
AV Emsisoft: Gen:Variant.Kazy.768581
AV Eset (nod32): Win32/Kryptik.EEOP
AV F-Secure: Gen:Variant.Kazy.768581
AV Fortinet: W32/Kryptik.EEOP!tr
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Generic_r.GGD
AV Ikarus: Trojan.Win32.Crypt
AV K7: Trojan ( 004d68461 )
AV Kaspersky: Backdoor.Win32.Androm.iqjr
AV MalwareBytes: Trojan.Agent
AV McAfee: no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Kazy.768581
AV Padvish: no_virus

Runtime Details:

Process: C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\All Users\119562
  Deletes File: C:\malware.exe
  Winsock DNS: microsoft.com
  Winsock DNS: pool.ntp.org
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org  Type: A  ➝ 84.2.46.19, 94.125.129.7, 146.185.130.223, 193.228.143.12
DNS: north-america.pool.ntp.org  Type: A  ➝ 97.107.129.217, 198.55.111.5, 204.2.134.164, 207.5.137.134
DNS: south-america.pool.ntp.org  Type: A  ➝ 200.160.7.186, 201.217.3.85, 54.232.82.232, 190.15.128.72
DNS: asia.pool.ntp.org  Type: A  ➝ 103.245.79.18, 129.250.35.250, 160.16.101.116, 212.26.18.41
DNS: oceania.pool.ntp.org  Type: A  ➝ 121.0.0.41, 202.60.94.11, 203.19.252.4, 119.252.27.44
DNS: africa.pool.ntp.org  Type: A  ➝ 168.167.252.243, 197.84.150.123, 41.79.80.34, 41.204.120.137
DNS: pool.ntp.org  Type: A  ➝ 204.2.134.163, 209.244.0.3, 171.66.97.126, 192.52.183.249
DNS: microsoft.com  Type: A  ➝ 104.40.211.35, 23.100.122.175, 23.96.52.53, 191.239.213.197, 104.43.195.251
DNS: outsphere.com  Type: A  ➝ (no answer recorded)
Flows: UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows: UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
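The runtime and network events above, triaged by a short script. This is an added example and not the sandbox's own code: it re-enters the report's events as Python tuples (transcribed from the Runtime and Network sections; the per-domain A-record answers are not needed for the triage and are left out), groups them into persistence, anti-forensics, self-deletion, proxy-process and DNS-profile findings, and cross-checks whether an autorun value points at a file the sample itself dropped. The autorun key list, the set of proxy binaries and the "connectivity check" classification of microsoft.com are my own assumptions, not anything the report states; outsphere.com is reported only as the one queried domain that is neither an NTP pool nor microsoft.com and received no recorded answer.

```python
"""Triage of the sandbox runtime events above (added example; not the sandbox's code)."""
import re
from collections import defaultdict

# Events transcribed from the report's Runtime/Network sections as
# (kind, target, value) tuples. Registry values are kept as the sandbox
# printed them (the trailing \x00 is the value's NUL terminator).
EVENTS = [
    ("process", r"C:\malware.exe", ""),
    ("creates_process", r"C:\WINDOWS\system32\msiexec.exe", ""),
    ("registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "1"),
    ("registry", r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753",
     r'"C:\Documents and Settings\All Users\msvgqh.exe"\x00'),
    ("registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden", "NULL"),
    ("registry", r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "1"),
    ("registry", r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load", r"\x00"),
    ("creates_file", r"PIPE\lsarpc", ""),
    ("creates_file", r"C:\Documents and Settings\All Users\msvgqh.exe", ""),
    ("creates_file", r"\Device\Afd\Endpoint", ""),
    ("creates_file", r"C:\Documents and Settings\All Users\119562", ""),
    ("deletes_file", r"C:\malware.exe", ""),
    ("dns", "microsoft.com", ""),
    ("dns", "pool.ntp.org", ""),
    ("dns", "north-america.pool.ntp.org", ""),
    ("dns", "africa.pool.ntp.org", ""),
    ("dns", "oceania.pool.ntp.org", ""),
    ("dns", "asia.pool.ntp.org", ""),
    ("dns", "south-america.pool.ntp.org", ""),
    ("dns", "europe.pool.ntp.org", ""),
    ("dns", "outsphere.com", ""),
    ("flow", "tcp 192.168.1.1:1044", "104.40.211.35:80"),
]

# Registry locations that start a program at logon (assumed list; matched as a
# substring of the lower-cased key path). The Load value under
# "Windows NT\CurrentVersion\Windows" is an old autostart location that
# autoruns-style checks often overlook.
AUTORUN_KEYS = {
    "\\currentversion\\policies\\explorer\\run\\": "Policies\\Explorer\\Run",
    "\\currentversion\\run\\": "Run key",
    "\\windows nt\\currentversion\\windows\\load": "Windows NT\\Windows\\Load",
}
# Value names that hide the implant from the user rather than start it.
ANTI_FORENSICS = {"showsuperhidden", "taskbarnonotification"}
# Signed Windows binaries commonly spawned as a host for injected code (assumed subset).
PROXY_BINARIES = {"msiexec.exe", "rundll32.exe", "regsvr32.exe"}
# Domains assumed to be contacted only to confirm Internet access.
CONNECTIVITY_DOMAINS = {"microsoft.com", "www.microsoft.com"}


def triage(events):
    """Group the events into behaviours an analyst would act on."""
    findings = defaultdict(list)
    sample = next((t for k, t, _ in events if k == "process"), None)
    dropped = set()
    for kind, target, value in events:
        low = target.lower()
        leaf = low.rsplit("\\", 1)[-1]          # last path component / value name
        if kind == "registry":
            for needle, label in AUTORUN_KEYS.items():
                if needle in low:
                    findings["persistence"].append((label, target, value))
            if leaf in ANTI_FORENSICS:
                findings["anti_forensics"].append((target, value))
        elif kind == "creates_file" and re.match(r"[a-z]:\\", low):
            dropped.add(target)                  # real files only, not pipes/devices
        elif kind == "deletes_file" and sample and low == sample.lower():
            findings["self_delete"].append(target)
        elif kind == "creates_process" and leaf in PROXY_BINARIES:
            findings["proxy_child"].append(target)
        elif kind == "dns":
            if low.endswith("pool.ntp.org"):
                findings["ntp_time_check"].append(target)
            elif low in CONNECTIVITY_DOMAINS:
                findings["connectivity_check"].append(target)
            else:
                findings["other_domains"].append(target)
        elif kind == "flow":
            findings["outbound"].append(value)
    # An autorun entry whose quoted command is a file this run wrote is the
    # strongest persistence signal in the report.
    for _, _, value in findings["persistence"]:
        m = re.search(r'"([^"]+)"', value)
        if m and m.group(1) in dropped:
            findings["persisted_dropped_file"].append(m.group(1))
    findings["dropped_files"] = sorted(dropped)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(EVENTS).items():
        print(category)
        for item in items:
            print("   ", item)
```

`triage()` returns a plain dict so the same logic can be run over any report of this shape. On this report it shows that the only autorun entry with a usable command is the Policies\Explorer\Run value, and that it names the file dropped into All Users; the Load value is written with an empty string in this run.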
