Analysis Date: 2016-01-28 05:24:59
MD5: e7bb3f13c26238092b39562a70cc65ea
SHA1: b6923740a50a3b4928b5b076a5cda432bad36e06

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d81ec12ec2b65acbe508634112e3300a sha1: 2755250d277173839af6c4da413c46fee7b5401a size: 98816
Section .rdata md5: dd51ee9ba8861ca0128bab524f7a956e sha1: 6664327c7c11538328694b57561941b0a43af89a size: 49664
Section .data md5: c6e715547d563d64e5aa5f852f544bc2 sha1: 527ac524db3f51a2f70885533b192a3be8e12c71 size: 9728
Section .adsl md5: a43efb7406cf909a95efb5978698f85a sha1: 353df9a0b9580ef8bf69806033f2d5eba5641d36 size: 1536
Section .crob md5: 052bc987fdbca52d0cf9b3482a8007e4 sha1: d183b2ae78dd95b5149bb3af6e7d364c11de8abd size: 2560
Section .rsrc md5: 2d3e6108c49d4a798a16b6dc01161eec sha1: 3324db005390d1207cc2a60a6e2addc0c3e5b3af size: 146944
Timestamp: 2016-01-25 11:50:19
Packer: Microsoft Visual C++ ?.?
PEhash: 2a514f221becbdca8108e9e02b2cc06b48060297
IMPhash: 2c586d680c7b50ce145ccd9d853ec10f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/AD.Gamarue.Y.1827
AV Twister: No Virus
AV Ad-Aware: Trojan.GenericKD.3009499
AV Alwil (avast): Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.ELSA
AV Grisoft (avg): Crypt_r.AUA
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.ELSA!tr
AV BitDefender: Trojan.GenericKD.3009499
AV K7: No Virus
AV Microsoft Security Essentials: No Virus
AV MicroWorld (escan): No Virus
AV MalwareBytes: Ransom.CryptoWall
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Trojan.GenericKD.3009499
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.ouaz
AV Trend Micro: BKDR_AN.6045319C
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Trojan.GenericKD.3009499
AV Arcabit (arcavir): Trojan.GenericKD.3009499
AV ClamAV: No Virus
AV Dr. Web: Trojan.MulDrop6.21383
AV F-Secure: Trojan.GenericKD.3009499

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\117265
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\B69237~1.EXE
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) ➝ 193.225.121.161
DNS: europe.pool.ntp.org (Type: A) ➝ 178.32.186.153
DNS: europe.pool.ntp.org (Type: A) ➝ 176.31.109.7
DNS: europe.pool.ntp.org (Type: A) ➝ 78.46.107.140
DNS: north-america.pool.ntp.org (Type: A) ➝ 108.61.73.243
DNS: north-america.pool.ntp.org (Type: A) ➝ 45.79.78.173
DNS: north-america.pool.ntp.org (Type: A) ➝ 199.19.167.36
DNS: north-america.pool.ntp.org (Type: A) ➝ 128.138.141.172
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.189.40.8
DNS: south-america.pool.ntp.org (Type: A) ➝ 190.181.129.115
DNS: south-america.pool.ntp.org (Type: A) ➝ 190.64.134.52
DNS: south-america.pool.ntp.org (Type: A) ➝ 170.155.148.1
DNS: asia.pool.ntp.org (Type: A) ➝ 103.245.79.2
DNS: asia.pool.ntp.org (Type: A) ➝ 91.201.214.3
DNS: asia.pool.ntp.org (Type: A) ➝ 202.65.114.202
DNS: asia.pool.ntp.org (Type: A) ➝ 192.248.1.162
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.6.116.123
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.242.68.69
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.242.68.68
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.239.8.22
DNS: africa.pool.ntp.org (Type: A) ➝ 41.204.120.137
DNS: africa.pool.ntp.org (Type: A) ➝ 41.79.80.34
DNS: africa.pool.ntp.org (Type: A) ➝ 196.41.127.42
DNS: africa.pool.ntp.org (Type: A) ➝ 196.10.52.57
DNS: pool.ntp.org (Type: A) ➝ 216.218.254.202
DNS: pool.ntp.org (Type: A) ➝ 173.255.229.240
DNS: pool.ntp.org (Type: A) ➝ 50.116.52.97
DNS: pool.ntp.org (Type: A) ➝ 45.79.78.173
DNS: microsoft.com (Type: A) ➝ 23.100.122.175
DNS: microsoft.com (Type: A) ➝ 23.96.52.53
DNS: microsoft.com (Type: A) ➝ 191.239.213.197
DNS: microsoft.com (Type: A) ➝ 104.43.195.251
DNS: microsoft.com (Type: A) ➝ 104.40.211.35
DNS: dll.istitutobancariopagamentielettronici.com (Type: A)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
