Analysis Date: 2015-11-16 19:11:31
MD5: 6b3dba58809f68d6745b5c81960b2890
SHA1: 9e3afca0ba7216c531c512d5f99d7a48848ba2ab

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4cb581fa6fca06e5b2495f5ff7c7f16e sha1: d8e55f2ff7d2857394655beb3645ab7aa41a11b4 size: 34816
Section .rdata: md5: 39720c80735d835bbfbf41f1698c0ab7 sha1: e3ce3923488f070c5d46a766529ca132929aebe8 size: 29696
Section .data: md5: 46b4a5395c289f9f557a549fde9418bf sha1: c2a85b3d67c1f3fd189545270591e7cf3d8b97ad size: 19968
Timestamp: 2015-11-09 17:38:51
Packer: Microsoft Visual C++ ?.?
PEhash: fdf81837e8b74da717c9602edbadf1f1b5c5415c
IMPhash: 38c819a087d858d35ba5e3449e009a77
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/AD.Gamarue.Y.1547
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.168966
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.EEHY
AV Grisoft (avg): Crypt5.KRM
AV Symantec: no_virus
AV Fortinet: W32/Androm.EEHY!tr.bdr
AV BitDefender: Gen:Variant.Kazy.768581
AV K7: Trojan ( 004d684a1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): no_virus
AV MalwareBytes: Trojan.MalPack
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Downloader.Win32.Fosniw
AV Emsisoft: Gen:Variant.Zusy.168966
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqpj
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.168966
AV Arcabit (arcavir): Gen:Variant.Zusy.168966
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.47277
AV F-Secure: Gen:Variant.Zusy.168966
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\119296
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org, Type: A, 130.236.254.17
DNS: europe.pool.ntp.org, Type: A, 176.221.42.125
DNS: europe.pool.ntp.org, Type: A, 195.138.69.242
DNS: europe.pool.ntp.org, Type: A, 46.20.246.106
DNS: north-america.pool.ntp.org, Type: A, 206.108.0.132
DNS: north-america.pool.ntp.org, Type: A, 97.107.128.58
DNS: north-america.pool.ntp.org, Type: A, 97.107.129.217
DNS: north-america.pool.ntp.org, Type: A, 159.203.8.72
DNS: south-america.pool.ntp.org, Type: A, 200.189.40.8
DNS: south-america.pool.ntp.org, Type: A, 190.15.128.72
DNS: south-america.pool.ntp.org, Type: A, 200.89.75.198
DNS: south-america.pool.ntp.org, Type: A, 200.160.7.186
DNS: asia.pool.ntp.org, Type: A, 124.41.86.200
DNS: asia.pool.ntp.org, Type: A, 157.7.152.213
DNS: asia.pool.ntp.org, Type: A, 211.233.40.78
DNS: asia.pool.ntp.org, Type: A, 103.245.79.2
DNS: oceania.pool.ntp.org, Type: A, 203.56.27.253
DNS: oceania.pool.ntp.org, Type: A, 203.97.218.196
DNS: oceania.pool.ntp.org, Type: A, 103.242.68.69
DNS: oceania.pool.ntp.org, Type: A, 202.22.158.30
DNS: africa.pool.ntp.org, Type: A, 41.73.42.22
DNS: africa.pool.ntp.org, Type: A, 41.231.53.4
DNS: africa.pool.ntp.org, Type: A, 146.231.129.86
DNS: africa.pool.ntp.org, Type: A, 197.84.150.123
DNS: pool.ntp.org, Type: A, 209.141.41.127
DNS: pool.ntp.org, Type: A, 216.229.0.49
DNS: pool.ntp.org, Type: A, 64.71.128.26
DNS: pool.ntp.org, Type: A, 132.163.4.102
DNS: microsoft.com, Type: A, 134.170.185.46
DNS: microsoft.com, Type: A, 134.170.188.221
DNS: outsphere.com, Type: A
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 134.170.185.46:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
