Analysis Date: 2015-11-24 20:51:59
MD5: e455b47d25d2adddcb00be29af832132
SHA1: 91f42f8783fce9f77ad9ce6df3de3ba6adf2b296

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: d97f6a7c328459486e8d0bd5d8f14708 sha1: da3aff08c99ebaeebcea57419889809e1cfc5211 size: 30208
Section .rdata  md5: 3f97932dd341961804856352d617039e sha1: 2052a7ea02066deaef86c13c99387449345240e7 size: 14336
Section .data   md5: 3e5b3745a9340b2c817125c09cb5c5fe sha1: 6acb84b926a211c0efca7ec442689c3988a41049 size: 3072
Section .veywb  md5: b65cc61fb12d6aa684b93b7af556d5b4 sha1: 3f3bc7f6af64efe224334ee96c398cac698dd6c8 size: 31232
Section .reloc  md5: ecfc8cf04eeffcf18ca5912aaec87bd8 sha1: 7eb3eb34c1023aacd198c27c7bb340039e19c70c size: 4096
Timestamp: 2015-11-04 22:18:34
Packer: Microsoft Visual C++ ?.?
PEhash: 7e15121ebd09148a93bc9f2b809ca485399bd9ec
IMPhash: 83b20a385aaeb684ddb772d111eebab4
AV Rising: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Avira (antivir): TR/AD.Gamarue.Y.1597
AV Twister: Trojan.Girtk.EDPX.fswr
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.EDPX
AV Grisoft (avg): Crypt_s.JVZ
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/Kryptik.EEAE!tr
AV BitDefender: Gen:Variant.Kazy.764156
AV K7: Trojan ( 004d5ecc1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV MalwareBytes: Worm.Gamarue
AV Authentium: W32/S-d1a8399f!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ipkq
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.41351
AV F-Secure: Gen:Variant.Kazy.764156
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Dorder-D [Trj]

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115328
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
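The runtime section above records, from the msiexec.exe process the sample spawned, a binary dropped into the All Users profile (msvgqh.exe), two autostart values pointing at it or written alongside it (Policies\Explorer\Run and Windows NT\CurrentVersion\Windows\Load), three Explorer settings that change what the user sees (balloon notifications, display of protected hidden files), and deletion of the original sample. The Python below is an added example, not part of the sandbox's output: it parses those report lines into IOCs and flags the persistence and hiding behaviour. The list of autostart key fragments, the stealth value names and the sample path C:\malware.exe are its own assumptions; the report lines are transcribed from the section above.

```python
import re
from collections import defaultdict

# Transcribed from the "Runtime Details" of the report above (activity of the
# msiexec.exe process). The registry value follows the arrow on the same line.
REPORT_LINES = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115328
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: outsphere.com
"""

# "Key: value" and the fused "Keyvalue" form both match; the colon is optional.
LINE_RE = re.compile(r"^(Registry|Creates Process|Creates File|Deletes File|Winsock DNS):?\s*(.+?)\s*$")

# Autostart locations, as lowercase path fragments (assumed list for this
# example; the first two are the ones the report shows being written).
PERSISTENCE_KEYS = (
    "\\currentversion\\policies\\explorer\\run\\",
    "\\windows nt\\currentversion\\windows\\load",
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)
# Explorer settings whose change alters what the user sees (assumed list).
STEALTH_VALUES = ("showsuperhidden", "taskbarnonotification")


def parse_report(text):
    """Group the report's runtime lines by activity type."""
    iocs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "Registry":
            path, _, value = rest.partition("➝")
            iocs["registry"].append((path.strip(), value.strip()))
        elif kind == "Creates File":
            iocs["files_created"].append(rest)
        elif kind == "Deletes File":
            iocs["files_deleted"].append(rest)
        elif kind == "Creates Process":
            iocs["processes"].append(rest)
        elif kind == "Winsock DNS":
            iocs["domains"].append(rest)
    return iocs


def find_persistence(iocs):
    """Tag registry writes as autostart entries or user-facing stealth changes."""
    hits = []
    for path, value in iocs["registry"]:
        low = path.lower()
        if any(k in low for k in PERSISTENCE_KEYS):
            hits.append(("autostart", path, value))
        elif any(low.endswith(v) for v in STEALTH_VALUES):
            hits.append(("hide", path, value))
    return hits


def dropped_binaries(iocs):
    """Files written to a drive letter that are also named in a registry value."""
    created = [f for f in iocs["files_created"] if f[1:3] == ":\\"]
    values = " ".join(v for _, v in iocs["registry"]).lower()
    return [f for f in created if f.lower() in values]


def triage(text, sample_path="C:\\malware.exe"):
    iocs = parse_report(text)
    flags = find_persistence(iocs)
    return {
        "autostart": [p for kind, p, _ in flags if kind == "autostart"],
        "hide_from_user": [p for kind, p, _ in flags if kind == "hide"],
        "dropped_and_persisted": dropped_binaries(iocs),
        "self_delete": any(d.lower() == sample_path.lower() for d in iocs["files_deleted"]),
        "domains": list(iocs["domains"]),
    }


if __name__ == "__main__":
    for key, val in triage(REPORT_LINES).items():
        print(f"{key}: {val}")
```

The parser is deliberately tolerant of the fused "RegistryHKEY_..." form the page was extracted in, so the same function works on raw copies of this report family; only the dropped file that is also referenced from an autostart value is reported as persisted, which is the artefact worth pulling from the host.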

Network Details:

DNS: europe.pool.ntp.org  Type: A  ➝ 178.23.124.2, 95.46.198.21, 81.94.123.16, 212.83.131.33
DNS: north-america.pool.ntp.org  Type: A  ➝ 104.131.51.97, 208.53.158.34, 206.108.0.132, 104.131.118.129
DNS: south-america.pool.ntp.org  Type: A  ➝ 192.188.53.26, 190.15.141.64, 190.15.128.72, 200.160.7.193
DNS: asia.pool.ntp.org  Type: A  ➝ 218.189.210.3, 118.189.211.186, 106.185.48.114, 80.241.0.72
DNS: oceania.pool.ntp.org  Type: A  ➝ 59.167.135.82, 45.114.116.62, 202.127.210.36, 116.68.13.156
DNS: africa.pool.ntp.org  Type: A  ➝ 197.82.150.123, 197.80.150.123, 196.223.19.2, 41.79.80.34
DNS: pool.ntp.org  Type: A  ➝ 66.79.167.34, 64.113.44.57, 209.118.204.201, 74.117.238.11
DNS: microsoft.com  Type: A  ➝ 23.100.122.175, 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53
DNS: outsphere.com  Type: A  ➝ (no address recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
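The network section shows a fan-out to pool.ntp.org and all six regional pool zones, a lookup of microsoft.com, and a single TCP connection to 23.100.122.175:80, which is one of the microsoft.com addresses returned above. The one name that is neither NTP nor microsoft.com, outsphere.com, returned no address in this run. The Python below is an added detection example, not part of the report: it runs a "many NTP zones plus an outlier domain in a short window" heuristic over constructed DNS log lines that mirror the query order above, and labels each non-DNS flow with the name its destination was resolved from. The log format, the 30-second window, the three-zone threshold and the allowlist are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS log (not the report's pcap): host 192.168.1.1 repeats the
# query order seen in the report; 192.168.1.7 is a benign host for contrast.
# Fields: timestamp source query <type> <name> answer <ip or ->
DNS_LOG = """
2015-11-24T20:52:01 192.168.1.1 query A microsoft.com answer 23.100.122.175
2015-11-24T20:52:01 192.168.1.1 query A pool.ntp.org answer 66.79.167.34
2015-11-24T20:52:02 192.168.1.1 query A north-america.pool.ntp.org answer 104.131.51.97
2015-11-24T20:52:02 192.168.1.1 query A africa.pool.ntp.org answer 197.82.150.123
2015-11-24T20:52:03 192.168.1.1 query A outsphere.com answer -
2015-11-24T20:52:03 192.168.1.1 query A oceania.pool.ntp.org answer 59.167.135.82
2015-11-24T20:52:04 192.168.1.1 query A asia.pool.ntp.org answer 218.189.210.3
2015-11-24T20:52:04 192.168.1.1 query A south-america.pool.ntp.org answer 192.188.53.26
2015-11-24T20:52:05 192.168.1.1 query A europe.pool.ntp.org answer 178.23.124.2
2015-11-24T20:55:10 192.168.1.7 query A europe.pool.ntp.org answer 95.46.198.21
2015-11-24T20:55:11 192.168.1.7 query A example.org answer 93.184.216.34
"""

# Transcribed from the report's Flows lines: (proto, src, dst, dst_port).
FLOWS = [
    ("UDP", "192.168.1.1", "8.8.4.4", 53),
    ("TCP", "192.168.1.1", "23.100.122.175", 80),
    ("UDP", "192.168.1.1", "8.8.4.4", 53),
]

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) answer (\S+)$")
NTP_POOL = re.compile(r"^(?:[a-z-]+\.)?pool\.ntp\.org$")
ALLOWLIST = {"microsoft.com"}       # assumed: connectivity-check target treated as benign
WINDOW = timedelta(seconds=30)      # assumed tuning
MIN_NTP_ZONES = 3                   # assumed tuning


def parse_dns_log(text):
    """Return (timestamp, src, qtype, name, answer_or_None) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, qtype, name, answer = m.groups()
        events.append((datetime.fromisoformat(ts), src, qtype, name.lower(),
                       None if answer == "-" else answer))
    return events


def find_ntp_fanout(events, window=WINDOW, min_zones=MIN_NTP_ZONES):
    """Per source host: first window with >= min_zones distinct pool.ntp.org
    names; report the non-NTP, non-allowlisted names seen in the same window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for start, (t0, *_rest) in enumerate(evs):
            span = [e for e in evs[start:] if e[0] - t0 <= window]
            zones = sorted({e[3] for e in span if NTP_POOL.match(e[3])})
            if len(zones) < min_zones:
                continue
            others = [e for e in span if not NTP_POOL.match(e[3]) and e[3] not in ALLOWLIST]
            alerts[src] = {
                "ntp_zones": zones,
                "outliers": sorted({e[3] for e in others}),
                "unanswered": sorted({e[3] for e in others if e[4] is None}),
            }
            break
    return alerts


def classify_flows(flows, events):
    """Label each non-DNS flow with the name whose answer its destination was,
    or 'unresolved' when no lookup in the log produced that address."""
    ip_to_name = {e[4]: e[3] for e in events if e[4]}
    return [(proto, dst, port, ip_to_name.get(dst, "unresolved"))
            for proto, _src, dst, port in flows if port != 53]


if __name__ == "__main__":
    evs = parse_dns_log(DNS_LOG)
    print(find_ntp_fanout(evs))
    print(classify_flows(FLOWS, evs))
```

On the constructed log the heuristic fires only for 192.168.1.1 and names outsphere.com as the single outlier, which is also the only query without an answer; the TCP flow classifies as a connection to a microsoft.com address rather than to anything unresolved, so the domain, not the flow, is the lead to pivot on.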

Raw Pcap

Strings