Analysis Date: 2016-02-14 02:26:55
MD5: 263e8956ff8ad16393564d60e65d33a2
SHA1: 9149884e7072a93f77a5ea7c94fb2932cc8900f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c5ea12cc08b31b0c96825c7c13c63b05 sha1: c989580368aa053a3b8cffe5a4ce8fa6bc75acc8 size: 34816
Section .rdata: md5: 46cc490149b9b378bd4442a15ba88752 sha1: 942c2aa054f18b0e978145709c6ec9650869822e size: 46080
Section .data: md5: 29fda4add7ffb26ae7dd78dfd7e375a4 sha1: 608c3b74ff969e853c0ab82b8a9f41cedbfbec9b size: 4096
Section .reloc: md5: b3d86ac6d1e2671abf6bc7bc6ee094d6 sha1: 8a865eff76f016124958548dfecaf6ebe411cd76 size: 4096
Timestamp: 2016-02-08 08:00:06
Packer: Microsoft Visual C++ ?.?
PEhash: fe84156803febd694a49093b70eefa97cd596f74
IMPhash: 579b2d592056e6d23c54507f977c2281
AV CA (E-Trust Ino): Gen:Variant.Razy.13025
AV Rising: No Virus
AV Mcafee: RDN/Generic.grp
AV Avira (antivir): TR/Crypt.Xpack.446071
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.13025
AV Alwil (avast): Dorder-U [Trj]
AV Eset (nod32): Win32/Kryptik.ENDU
AV Grisoft (avg): Crypt5.AHDQ
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/Kryptik.ENDU!tr
AV BitDefender: Gen:Variant.Razy.13025
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Razy.13025
AV MalwareBytes: Backdoor.Andromeda
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.13025
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.ozih
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Razy.13025
AV Arcabit (arcavir): Gen:Variant.Razy.13025
AV ClamAV: No Virus
AV Dr. Web: BackDoor.Andromeda.1407
AV F-Secure: Gen:Variant.Razy.13025

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\113531
Creates File: \Device\Afd\Endpoint
Deletes File: C:\914988~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (A): 85.254.217.235, 193.141.27.6, 46.38.235.236, 82.197.164.46
DNS north-america.pool.ntp.org (A): 67.18.187.111, 75.149.91.89, 104.156.99.226, 198.60.22.240
DNS south-america.pool.ntp.org (A): 200.89.75.198, 54.232.82.232, 190.15.128.72, 190.181.129.115
DNS asia.pool.ntp.org (A): 119.82.243.189, 211.233.40.78, 218.189.210.4, 60.56.214.78
DNS oceania.pool.ntp.org (A): 203.19.252.1, 110.173.227.254, 121.0.0.41, 130.102.2.123
DNS africa.pool.ntp.org (A): 41.231.53.4, 146.231.129.81, 146.231.129.86, 41.78.128.134
DNS pool.ntp.org (A): 108.61.73.244, 198.60.73.8, 198.110.48.12, 24.56.178.140
DNS microsoft.com (A): 23.96.52.53, 23.100.122.175, 104.40.211.35, 104.43.195.251, 191.239.213.197
DNS ringplanet.eu (A): (no answer recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
