Analysis Date: 2015-12-24 14:27:28
MD5: 0fe0536d6317e2ef4266117df7b1385a
SHA1: cc5b4960cf412be0747b45ec82c9730f383ff263

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: a55c89b39591834b01de413700bbaf26  sha1: a66403d6900a4a500797c7d1befad4cb7e0e883b  size: 30720
Section .rdata  md5: e149e979669d2b98fe2cfd152549fda7  sha1: b042273aa28d64d3683a9b435d1d0c5aa39ea5d5  size: 14848
Section .data  md5: 428e6dded81dd4e6ce78c4871d10defb  sha1: c75fadf2195833c5e2fd629285cd4d22e8151eb9  size: 3072
Section .bnert  md5: 433019fabc789c8a91a5d88fde10b79a  sha1: 4a0bd0304bb4927b72f017da9dc35965e6a268fb  size: 31232
Section .reloc  md5: 61ca30e1e61a5b3fc08998fc39b0f0d6  sha1: 9b3fa3aae98e448fcd27592b88d442ef4a1b78ef  size: 4096
Timestamp: 2015-11-05 19:15:06
Packer: Microsoft Visual C++ ?.?
PEhash: b668734eacb9cabfd1c9e0738277b1c933f263e0
IMPhash: 4296eaa0bac0fa50f53e3dca801fef5d
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV CAT (quickheal): no_virus
AV Twister: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ipsj
AV Rising: no_virus
AV ClamAV: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Trend Micro: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV Mcafee: no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV F-Secure: Gen:Variant.Kazy.764156
AV Grisoft (avg): Crypt5.JWH
AV Avira (antivir): TR/Crypt.Xpack.315009
AV Emsisoft: Gen:Variant.Kazy.764156
AV MalwareBytes: Trojan.Injector
AV Symantec: Trojan.Gen
AV Zillya!: Backdoor.Androm.Win32.30177
AV Fortinet: W32/Androm.IPSJ!tr.bdr
AV K7: Trojan ( 004d61661 )
AV Eset (nod32): Win32/Kryptik.EEHY
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV BitDefender: Gen:Variant.Kazy.764156
AV Ikarus: Trojan.Win32.Crypt
AV Dr. Web: Trojan.DownLoader17.41409
AV Authentium: W32/S-d1a8399f!Eldorado
AV Alwil (avast): Dorder-E [Trj]
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\1332703
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org  Type: A  ➝ 195.186.1.100
DNS: europe.pool.ntp.org  Type: A  ➝ 46.249.42.14
DNS: europe.pool.ntp.org  Type: A  ➝ 62.112.195.55
DNS: europe.pool.ntp.org  Type: A  ➝ 91.198.87.229
DNS: north-america.pool.ntp.org  Type: A  ➝ 204.2.134.163
DNS: north-america.pool.ntp.org  Type: A  ➝ 50.116.55.65
DNS: north-america.pool.ntp.org  Type: A  ➝ 52.0.56.137
DNS: north-america.pool.ntp.org  Type: A  ➝ 108.61.73.243
DNS: south-america.pool.ntp.org  Type: A  ➝ 190.64.134.52
DNS: south-america.pool.ntp.org  Type: A  ➝ 200.89.75.198
DNS: south-america.pool.ntp.org  Type: A  ➝ 200.186.125.195
DNS: south-america.pool.ntp.org  Type: A  ➝ 190.15.128.72
DNS: asia.pool.ntp.org  Type: A  ➝ 62.201.225.9
DNS: asia.pool.ntp.org  Type: A  ➝ 202.65.114.202
DNS: asia.pool.ntp.org  Type: A  ➝ 211.233.84.186
DNS: asia.pool.ntp.org  Type: A  ➝ 218.189.210.4
DNS: oceania.pool.ntp.org  Type: A  ➝ 121.0.0.42
DNS: oceania.pool.ntp.org  Type: A  ➝ 130.102.128.23
DNS: oceania.pool.ntp.org  Type: A  ➝ 202.6.116.123
DNS: oceania.pool.ntp.org  Type: A  ➝ 202.22.158.31
DNS: africa.pool.ntp.org  Type: A  ➝ 197.80.150.123
DNS: africa.pool.ntp.org  Type: A  ➝ 197.157.194.21
DNS: africa.pool.ntp.org  Type: A  ➝ 196.10.55.57
DNS: africa.pool.ntp.org  Type: A  ➝ 196.223.19.2
DNS: pool.ntp.org  Type: A  ➝ 209.118.204.201
DNS: pool.ntp.org  Type: A  ➝ 71.19.145.222
DNS: pool.ntp.org  Type: A  ➝ 107.170.224.8
DNS: pool.ntp.org  Type: A  ➝ 204.9.54.119
DNS: microsoft.com  Type: A  ➝ 104.40.211.35
DNS: microsoft.com  Type: A  ➝ 104.43.195.251
DNS: microsoft.com  Type: A  ➝ 191.239.213.197
DNS: microsoft.com  Type: A  ➝ 23.96.52.53
DNS: microsoft.com  Type: A  ➝ 23.100.122.175
DNS: outsphere.com  Type: A
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
