Analysis Date: 2015-12-18 17:00:06
MD5: b80f7da1e065a1f5339d3b91a6bee37a
SHA1: 851050d8acfdf23010f1dfd83a1a01273b06c7d2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 963eb40b7155d266ce14398a43b96d47 sha1: 9894b1f507ad2721dd82a46e994b89b1102e904f size: 122368
Section .rdata md5: 8f000f6bf70cc2470d8d32755f31becd sha1: 8e297dd593b6a480f8d45a8fd88287c6d5032c6c size: 14336
Section .data  md5: 49150f8ffb34d7d4c2230ff8c88b6bc2 sha1: 3ee906d7c9fe29c4932c069ea480de5ca1056068 size: 73728
Section .rsrc  md5: f5bf13db9b22183b16671ebaee83c9b9 sha1: 0887ea1140b74e506272e42e2358d010d316f965 size: 92160
Timestamp: 2015-11-12 05:41:46
Packer: Microsoft Visual C++ ?.?
PEhash: f50495e29efb879c206ff870b8cffbc2c3a1f265
IMPhash: fc62a09f0a5fb5a1a3a4a9995fce3629
AV F-Secure: Trojan.GenericKD.2867222
AV Alwil (avast): Dorder-C [Trj]
AV Zillya!: no_virus
AV BullGuard: Trojan.GenericKD.2867222
AV Eset (nod32): Win32/Kryptik.EEYM
AV Ad-Aware: Trojan.GenericKD.2867222
AV Rising: 0x5972b404
AV VirusBlokAda (vba32): Backdoor.Androm
AV BitDefender: Trojan.GenericKD.2867222
AV ClamAV: no_virus
AV Avira (antivir): TR/Crypt.Xpack.317204
AV Trend Micro: TROJ_WAUCHOS.SIL
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Androm.r4
AV MicroWorld (escan): Trojan.GenericKD.2867222
AV Symantec: Trojan.Gen
AV Twister: no_virus
AV K7: Trojan ( 004d69cb1 )
AV Arcabit (arcavir): Trojan.GenericKD.2867222
AV Ikarus: Trojan.Win32.Crypt
AV Grisoft (avg): Pakes2_c.BSHX
AV Kaspersky: Backdoor.Win32.Androm.iqsk
AV Frisk (f-prot): no_virus
AV MalwareBytes: Error Scanning File
AV Dr. Web: Trojan.Siggen6.32796
AV Mcafee: RDN/Generic BackDoor
AV Emsisoft: Trojan.GenericKD.2867222
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Fortinet: W32/WAUCHOS.SIL!tr
AV Authentium: W32/Agent.XL.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\117296
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org Type: A ➝ 94.228.220.14
DNS: europe.pool.ntp.org Type: A ➝ 212.70.148.13
DNS: europe.pool.ntp.org Type: A ➝ 46.254.216.9
DNS: europe.pool.ntp.org Type: A ➝ 79.175.127.142
DNS: north-america.pool.ntp.org Type: A ➝ 38.229.71.1
DNS: north-america.pool.ntp.org Type: A ➝ 50.116.36.122
DNS: north-america.pool.ntp.org Type: A ➝ 132.163.4.101
DNS: north-america.pool.ntp.org Type: A ➝ 208.79.89.249
DNS: south-america.pool.ntp.org Type: A ➝ 200.89.75.197
DNS: south-america.pool.ntp.org Type: A ➝ 201.217.3.85
DNS: south-america.pool.ntp.org Type: A ➝ 186.71.75.78
DNS: south-america.pool.ntp.org Type: A ➝ 190.228.30.178
DNS: asia.pool.ntp.org Type: A ➝ 129.250.35.251
DNS: asia.pool.ntp.org Type: A ➝ 192.248.1.162
DNS: asia.pool.ntp.org Type: A ➝ 212.26.18.41
DNS: asia.pool.ntp.org Type: A ➝ 218.189.210.4
DNS: oceania.pool.ntp.org Type: A ➝ 130.102.2.123
DNS: oceania.pool.ntp.org Type: A ➝ 202.127.210.37
DNS: oceania.pool.ntp.org Type: A ➝ 45.114.116.62
DNS: oceania.pool.ntp.org Type: A ➝ 121.0.0.41
DNS: africa.pool.ntp.org Type: A ➝ 197.82.150.123
DNS: africa.pool.ntp.org Type: A ➝ 197.157.194.21
DNS: africa.pool.ntp.org Type: A ➝ 196.223.19.3
DNS: africa.pool.ntp.org Type: A ➝ 197.12.0.14
DNS: pool.ntp.org Type: A ➝ 209.244.0.4
DNS: pool.ntp.org Type: A ➝ 108.61.73.244
DNS: pool.ntp.org Type: A ➝ 131.107.13.100
DNS: pool.ntp.org Type: A ➝ 132.163.4.102
DNS: microsoft.com Type: A ➝ 104.43.195.251
DNS: microsoft.com Type: A ➝ 104.40.211.35
DNS: microsoft.com Type: A ➝ 23.100.122.175
DNS: microsoft.com Type: A ➝ 23.96.52.53
DNS: microsoft.com Type: A ➝ 191.239.213.197
DNS: dfs.knowmark.it Type: A
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
