Analysis Date: 2016-02-12 15:02:49
MD5: cc26c56657bf66f01dd7b93a35e07f14
SHA1: a76eca55a439f969f3d500adcfacfe7cc78c3560

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 6a4205d58525be8faf51c8b7e9191fe493e0176a
IMPhash:
AV CA (E-Trust Ino): Gen:Trojan.Heur.TP.biX@bOnhvle
AV Rising: 0x599f8065
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV Twister: TrojanDldr.Wauchos.BD.rqvg
AV Ad-Aware: Gen:Trojan.Heur.TP.biX@bOnhvle
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.BD
AV Grisoft (avg): Downloader.Small.QNL
AV Symantec: Suspicious.MH690
AV Fortinet: W32/Generic.BD!tr
AV BitDefender: Gen:Trojan.Heur.TP.biX@bOnhvle
AV K7: Trojan-Downloader ( 004cf8051 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Trojan.Heur.TP.biX@bOnhvle
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Trojan.KELJ-0073
AV Emsisoft: Gen:Trojan.Heur.TP.biX@bOnhvle
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan-Downloader.Win32.Wauchos
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Trojan.Heur.TP.biX@bOnhvle
AV Arcabit (arcavir): Gen:Trojan.Heur.TP.biX@bOnhvle
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.13156
AV F-Secure: Gen:Trojan.Heur.TP.biX@bOnhvle

Runtime Details:

Process
↳ C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\All Users\116109
  Deletes File: C:\A76ECA~1.EXE
  Winsock DNS: pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: microsoft.com
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: dll.istitutobancariopagamentielettronici.com
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: dll.istitutobancariopagamentielettronici.com (Type: A)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
