Analysis Date: 2015-12-05 02:34:46
MD5: 764a6090a860bb1026285e976e4e1637
SHA1: 870f7332cfd5d57aaf65d63a1af1b5c8c9e25ff2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 86f3e05a303f384cef3e02c778ee79e8 sha1: 41e441fc3e04c3db4b327c4f797b2c8bcfd60762 size: 158720
Section .rdata md5: 32b979105d025c860522dc6ff6de943f sha1: 6b23e59a95753041adb119a0ab89e8cbb3ad73ed size: 36352
Section .data md5: c3c7ab8bb2d64525c5c6ff30aaf5984f sha1: d2d5a9c5d16872a503ea1b40ae8579fb66a3cbb8 size: 29696
Section .rsrc md5: 74431fa02a4d83d93ab0d90434ed5686 sha1: 9b7f96cc399b172b56c1bb89ed2259e4f22f0d5c size: 58368
Timestamp: 2015-11-15 19:01:38
Packer: Microsoft Visual C++ ?.?
PEhash: 59328254306f22a837c3fde4beb400d23271686f
IMPhash: f47d603899dfc7638fa9ccca5c59992c
AV Kaspersky: Trojan.Win32.Yakes.njgb
AV Rising: no_virus
AV F-Secure: Trojan.GenericKD.2874266
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.GenericKD.2874266
AV Fortinet: PossibleThreat.VEX.99
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV K7: Trojan ( 004d6dbd1 )
AV Mcafee: RDN/Sdbot.worm
AV Eset (nod32): Win32/Kryptik.EFAH
AV Grisoft (avg): Crypt_r.ALE
AV MalwareBytes: no_virus
AV Ad-Aware: Trojan.GenericKD.2874266
AV BullGuard: Trojan.GenericKD.2874266
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Avira (antivir): TR/Crypt.Xpack.320128
AV ClamAV: no_virus
AV Dr. Web: BackDoor.IRC.NgrBot.566
AV Arcabit (arcavir): Trojan.GenericKD.2874266
AV BitDefender: Trojan.GenericKD.2874266
AV Emsisoft: Trojan.GenericKD.2874266

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115921
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: and13.dexterwasanicemoviesz1.com
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
