Analysis Date: 2015-11-25 00:34:23
MD5: c57e44ccbf1a065757891a4b00bda662
SHA1: aed4327a0ac340e80cae18a444afc2dd5ef522b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8d8cab7ad11f54c8b02428685b1efee5 sha1: 43bbc9305d8360abf59c78be7d0424b63636d607 size: 30208
Section .rdata: md5: 68793d97e9e45933359860d1ef550d03 sha1: bdaaa89892ff71d6834360df68bdf72c5602fad7 size: 29184
Section .data: md5: 8123ae9d2b14111ab45785e327205fa6 sha1: a3563f0f5a40ee092ecc10cacdd7aecb5e36db23 size: 20480
Timestamp: 2015-11-07 06:15:35
Packer: Microsoft Visual C++ ?.?
PEhash: 1e580cd6b37888831bf45d65d84cd5be5d43364a
IMPhash: 74e57f20bc599fe65591936e8962bf2d
AV ClamAV: no_virus
AV McAfee: RDN/Generic BackDoor
AV Frisk (f-prot): no_virus
AV BullGuard: Gen:Variant.Kazy.768581
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Avira (antivir): TR/AD.Gamarue.Y.1604
AV F-Secure: Gen:Variant.Kazy.768581
AV MicroWorld (escan): Gen:Variant.Kazy.768581
AV Dr. Web: Trojan.DownLoader17.48888
AV Alwil (avast): Dorder-E [Trj]
AV Grisoft (avg): Crypt_r.AJT
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Emsisoft: Gen:Variant.Kazy.768581
AV Ikarus: Trojan.Win32.Crypt
AV Authentium: W32/Trojan.ERHX-8877
AV BitDefender: Gen:Variant.Kazy.768581
AV Symantec: Trojan.Gen.2
AV K7: Trojan ( 004d65f21 )
AV Eset (nod32): Win32/Kryptik.EEAE
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqab
AV Twister: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.768581
AV Fortinet: W32/Androm.IQAB!tr.bdr
AV VirusBlokAda (vba32): Backdoor.Androm
AV MalwareBytes: Trojan.Injector
AV Ad-Aware: Gen:Variant.Kazy.768581
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115500
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
