Analysis Date: 2015-12-18 00:22:30
MD5: e7e6588c8dc7a220e6cbb316eb25f28b
SHA1: aa9fdda61e8dce9ef5f129bf4ec739ea7bc67631

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 660f1ab98e36420c4773f63550142fea sha1: 421a0ceeb612ad0bfaf57ad2340d28e549fb1d0b size: 53248
Section .rdata: md5: b6abe119275ae1d8649d7a09a61cd19c sha1: 843b58abd514957815e246b0ce4674985eeff888 size: 28672
Section .data: md5: 3fd1e347b07ffc92ba005d6e27e21d58 sha1: 94a7cb040bdd49ff899c2728c292d9c60251d9b1 size: 8192
Section .rsrc: md5: 467eecc6fd6b60ecf5b8a40d7addb6a0 sha1: 9349f0e6a2aeef15ec6de1e7556d13b659858de6 size: 4096
Section .rsrc (second section with the same name): md5: 2a3e6254e5eeefb0a06d82c076ba8e1a sha1: 03d9d13c6e97d4360b9ad91b16e9ddc6b4ae8e30 size: 1048576
Timestamp: 2015-05-26 11:35:45
Pdb path: c:\Quiet\know\Melody\Support\Instrument\floor\State\FactScore.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 4ceeedb12437384ac2859c8d3e362a58332a8130
IMPhash: ef9994fe687b560f34efabc73ab23aa9
AV ClamAV: no_virus
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV BullGuard: Trojan.Agent.BKIP
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Avira (antivir): Worm/Gamarue.1147800.30
AV F-Secure: Trojan:W32/Gamarue.F
AV MicroWorld (escan): Trojan.Agent.BKIP
AV Dr. Web: Trojan.DownLoader13.58106
AV Alwil (avast): MalOb-LV [Cryp]
AV Grisoft (avg): Downloader.Small.PVO
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Emsisoft: Trojan.Agent.BKIP
AV Ikarus: Trojan-Downloader.Win32.Wauchos
AV Authentium: W32/Trojan.ZIAW-4016
AV BitDefender: Trojan.Agent.BKIP
AV Symantec: Downloader.Dromedan
AV K7: Trojan-Downloader ( 004a98c31 )
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.AK
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV Kaspersky: Trojan.Win32.Wauchos.a
AV Twister: TrojanDldr.Wauchos.AK.hjuu
AV Arcabit (arcavir): Trojan.Agent.BKIP
AV Fortinet: W32/Wauchos.AK!tr
AV VirusBlokAda (vba32): Backdoor.Androm
AV MalwareBytes: Trojan.Upatre.Gen
AV Ad-Aware: Trojan.Agent.BKIP
AV Zillya!: Downloader.Wauchos.Win32.1462

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org  Type: A  37.187.7.160, 77.68.239.156, 83.170.1.42, 217.198.219.102
DNS: north-america.pool.ntp.org  Type: A  108.61.56.35, 132.163.4.102, 96.244.96.19, 107.170.242.27
DNS: south-america.pool.ntp.org  Type: A  190.19.161.192, 190.181.129.115, 190.228.30.178, 201.217.3.85
DNS: asia.pool.ntp.org  Type: A  212.26.18.41, 218.186.3.36, 80.241.0.72, 157.7.235.92
DNS: oceania.pool.ntp.org  Type: A  203.19.252.1, 103.242.70.5, 192.189.54.17, 202.22.158.30
DNS: africa.pool.ntp.org  Type: A  41.78.128.17, 146.231.129.81, 196.49.6.67, 197.80.150.123
DNS: pool.ntp.org  Type: A  69.167.160.102, 104.131.51.97, 23.239.26.89, 24.23.190.188
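The runtime trace above has a clear shape: C:\malware.exe starts msiexec.exe, and every later action (the numeric value written under Policies\Explorer\Run pointing at msvgqh.exe in the All Users profile, the ShowSuperHidden and Windows\Load writes, the drop of msvgqh.exe, the deletion of the original malware.exe, and the lookups of all seven pool.ntp.org names) is recorded under the msiexec.exe process. The script below is an added example, not part of the original sandbox output, that turns those observations into behavioural checks and runs them over event records constructed here to mirror the report. The event field names (type, ts, image, parent, cmd, key, value, path, query), the 60-second / three-name threshold for the NTP burst, and the "msiexec.exe started outside %SystemRoot% without installer arguments" heuristic are this example's own assumptions, not anything stated by the report.

```python
"""Behavioural checks derived from this report (added example, not sandbox output).
EVENTS below is CONSTRUCTED to mirror the Runtime and Network Details; the field
names are this example's own convention, not a product schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSIEXEC = r"C:\WINDOWS\system32\msiexec.exe"
EVENTS = [  # constructed events; timestamps are illustrative
    {"type": "proc_create", "ts": "2015-12-18 00:22:31", "image": MSIEXEC,
     "parent": r"C:\malware.exe", "cmd": "msiexec.exe"},
    {"type": "reg_set", "ts": "2015-12-18 00:22:32", "image": MSIEXEC,
     "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753",
     "value": "\"C:\\Documents and Settings\\All Users\\msvgqh.exe\"\x00"},
    {"type": "reg_set", "ts": "2015-12-18 00:22:32", "image": MSIEXEC,
     "key": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden",
     "value": ""},
    {"type": "reg_set", "ts": "2015-12-18 00:22:32", "image": MSIEXEC,
     "key": r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load",
     "value": "\x00"},
    {"type": "file_create", "ts": "2015-12-18 00:22:33", "image": MSIEXEC,
     "path": r"C:\Documents and Settings\All Users\msvgqh.exe"},
    {"type": "file_delete", "ts": "2015-12-18 00:22:34", "image": MSIEXEC,
     "path": r"C:\malware.exe"},
] + [
    {"type": "dns", "ts": "2015-12-18 00:22:%02d" % (35 + i), "image": MSIEXEC, "query": q}
    for i, q in enumerate(["pool.ntp.org", "north-america.pool.ntp.org", "africa.pool.ntp.org",
                           "oceania.pool.ntp.org", "asia.pool.ntp.org",
                           "south-america.pool.ntp.org", "europe.pool.ntp.org"])
] + [  # benign controls that must not fire (constructed)
    {"type": "proc_create", "ts": "2015-12-18 00:25:00", "image": MSIEXEC,
     "parent": r"C:\Program Files\Vendor\setup.exe", "cmd": r"msiexec.exe /i C:\setup\app.msi /qn"},
    {"type": "dns", "ts": "2015-12-18 00:30:00", "image": r"C:\WINDOWS\system32\svchost.exe",
     "query": "pool.ntp.org"},
]

POLICY_RUN_RE = re.compile(r"\\currentversion\\policies\\explorer\\run\\(\d+)$", re.I)
ALL_USERS_EXE_RE = re.compile(r"^C:\\Documents and Settings\\All Users\\[^\\]+\.exe$", re.I)
NTP_POOL_RE = re.compile(r"(^|\.)pool\.ntp\.org$", re.I)
INSTALLER_ARGS_RE = re.compile(r"\.msi\b|\s/[ixafpj]\b", re.I)  # heuristic: real installs carry these

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_msiexec_spawn(events):
    """msiexec.exe started by a parent outside %SystemRoot% with no installer
    arguments, as C:\\malware.exe does in the report (heuristic, assumption)."""
    return [("suspicious_msiexec_spawn", e["parent"], e["cmd"]) for e in events
            if e["type"] == "proc_create" and e["image"].lower().endswith("\\msiexec.exe")
            and not e["parent"].lower().startswith("c:\\windows\\")
            and not INSTALLER_ARGS_RE.search(e["cmd"])]

def detect_persistence(events):
    """Autostart writes seen in the report: a numeric value under Policies\\Explorer\\Run
    aimed at an .exe in All Users, the ShowSuperHidden view setting, and Windows\\Load."""
    hits = []
    for e in events:
        if e["type"] != "reg_set":
            continue
        key = e["key"].lower()
        m = POLICY_RUN_RE.search(key)
        target = e["value"].rstrip("\x00").strip('"')  # report shows quotes plus trailing NUL
        if m and ALL_USERS_EXE_RE.match(target):
            hits.append(("policies_explorer_run", e["image"], m.group(1), target))
        elif key.endswith("\\explorer\\advanced\\showsuperhidden"):
            hits.append(("showsuperhidden_tamper", e["image"], e["key"], e["value"]))
        elif key.endswith("\\windows nt\\currentversion\\windows\\load"):
            hits.append(("windows_load_autostart", e["image"], e["key"], e["value"]))
    return hits

def detect_ntp_pool_burst(events, window=timedelta(seconds=60), min_names=3):
    """One process resolving several pool.ntp.org names inside `window`;
    the report shows seven from msiexec.exe. Thresholds are assumptions."""
    by_image = defaultdict(list)
    for e in events:
        if e["type"] == "dns" and NTP_POOL_RE.search(e["query"]):
            by_image[e["image"]].append((_ts(e["ts"]), e["query"].lower()))
    hits = []
    for image, lookups in by_image.items():
        lookups.sort()
        for i, (t0, _) in enumerate(lookups):
            names = {q for t, q in lookups[i:] if t - t0 <= window}
            if len(names) >= min_names:
                hits.append(("ntp_pool_burst", image, sorted(names)))
                break
    return hits

def detect_self_delete(events):
    """A child deleting its parent's image file, as msiexec.exe deletes C:\\malware.exe."""
    pairs = {(e["image"].lower(), e["parent"].lower()) for e in events if e["type"] == "proc_create"}
    return [("dropper_self_delete", e["image"], e["path"]) for e in events
            if e["type"] == "file_delete" and (e["image"].lower(), e["path"].lower()) in pairs]

def run_all(events):
    return (detect_msiexec_spawn(events) + detect_persistence(events)
            + detect_ntp_pool_burst(events) + detect_self_delete(events))

if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

Each check is tied to evidence the report itself records; the two benign control events show that a normal installer launch and a single NTP lookup do not trigger them. Writes under Policies\Explorer\Run are rare in legitimate software and deserve alerting on their own; the msiexec.exe spawn rule and the burst thresholds are heuristics and should be tuned against real telemetry before deployment.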
