Analysis Date: 2015-11-26 17:07:36
MD5: d9244b2c7dc7b2a236f7e07768a2145e
SHA1: 99adb7497abe920bf74667510e156925b5472532

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4ffedad464fd5ca6664111e7b427118c sha1: 275421c2c5dabe205fe2ba5441bc513ce6686d5b size: 98304
Section .rdata: md5: a7eedea411aa38e0851b52c3ad01068a sha1: d3187a2b89113dff8c06cc33a1c59b33d6066ccf size: 28672
Section .data: md5: b9ff397bd1fef08fcd50fa2108a5d146 sha1: 3906a874227f5c4c66a48450961e9ef821ec2437 size: 20480
Section .reloc: md5: c7bb7f34460830713c2df7f0886d21f1 sha1: 6d914a65f7999258b287b4860ace93e4ef1efb95 size: 8192
Section .rsrc: md5: 5456e687a7b442d8c09361258b98dbec sha1: 9c0ec64027ba8a70fa870ca4376f0c3617d1fdcb size: 1048576
Timestamp: 2015-10-09 14:43:25
Packer: Microsoft Visual C++ ?.?
PEhash: 32dabdcd8b9135d3a66e05df048bf5939108e832
IMPhash: 14496e5ba4b3471eff31c55b29cdd65b
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Agent.1209240.1
AV Twister: no_virus
AV Ad-Aware: Trojan.Rajbot.Gen.1
AV Alwil (avast): MalOb-LV [Cryp]
AV Eset (nod32): Win32/Kryptik.EBTG
AV Grisoft (avg): BackDoor.Generic19.UIN
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.DVSX!tr
AV BitDefender: Trojan.Rajbot.Gen.1
AV K7: Trojan ( 004d55671 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Trojan.Rajbot.Gen.1
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.Rajbot.Gen.1
AV Zillya!: Dropper.Agent.Win32.220227
AV Kaspersky: Trojan.Win32.Wauchos.a
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV Padvish: no_virus
AV BullGuard: Trojan.Rajbot.Gen.1
AV Arcabit (arcavir): Trojan.Rajbot.Gen.1
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.614
AV F-Secure: Trojan:W32/Gamarue.F
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org, Type: A, 78.193.216.180
DNS: europe.pool.ntp.org, Type: A, 85.236.36.4
DNS: europe.pool.ntp.org, Type: A, 176.9.102.215
DNS: europe.pool.ntp.org, Type: A, 5.148.175.134
DNS: north-america.pool.ntp.org, Type: A, 209.244.0.3
DNS: north-america.pool.ntp.org, Type: A, 50.116.38.157
DNS: north-america.pool.ntp.org, Type: A, 96.126.105.86
DNS: north-america.pool.ntp.org, Type: A, 108.61.194.85
DNS: south-america.pool.ntp.org, Type: A, 200.160.0.8
DNS: south-america.pool.ntp.org, Type: A, 200.160.7.186
DNS: south-america.pool.ntp.org, Type: A, 200.160.7.193
DNS: south-america.pool.ntp.org, Type: A, 200.89.75.198
DNS: asia.pool.ntp.org, Type: A, 202.65.114.202
DNS: asia.pool.ntp.org, Type: A, 116.58.172.182
DNS: asia.pool.ntp.org, Type: A, 157.7.154.23
DNS: asia.pool.ntp.org, Type: A, 160.16.101.116
DNS: oceania.pool.ntp.org, Type: A, 192.189.54.17
DNS: oceania.pool.ntp.org, Type: A, 202.6.116.123
DNS: oceania.pool.ntp.org, Type: A, 203.56.27.253
DNS: oceania.pool.ntp.org, Type: A, 103.242.68.68
DNS: africa.pool.ntp.org, Type: A, 41.231.53.4
DNS: africa.pool.ntp.org, Type: A, 146.231.129.86
DNS: africa.pool.ntp.org, Type: A, 197.80.150.123
DNS: pool.ntp.org, Type: A, 128.138.141.172
DNS: pool.ntp.org, Type: A, 209.118.204.201
DNS: pool.ntp.org, Type: A, 50.116.36.122
DNS: pool.ntp.org, Type: A, 97.107.128.58