Analysis Date: 2016-02-27 07:24:58
MD5: c593c119ac148215a23f8cd8e6b244ba
SHA1: d2ce22021e44bbe987d2dee7d2bb06199efa26a2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 577c40424f9aaf8da4e0d2507e30432a sha1: 287f3e10d3902d5e74bfcd98235f0721f82c6933 size: 117248
Section erterte md5: c5fed12ab254127a1f0ec1093572d742 sha1: eb08b41d44393d1b27941793f50df3d74f8f8192 size: 512
Section .rdata md5: 3e3ce428df4dcaa17a465cf9893c8378 sha1: d4430d3a7c0e602c023a5124f9da0f5cf94b51c6 size: 31744
Section .data md5: 5b456d9be1dc54a78008c1376ff5e988 sha1: dbf2e2fce9316413337d118e2b95340d9044711c size: 20992
Section text md5: 0a6fc5bbb3e6e20375b26a7f5c663e99 sha1: 91bf005f93daeb34741070ec529a2325fa04dd6f size: 4096
Section .rdtfyu md5: 182755b3ac81d63fbe255408e2a8da96 sha1: c9f56ea709ed7b5c622587036c43bce77e9494d7 size: 3584
Section .teext md5: 8023df5c79cc54db2eb579b759c2a23f sha1: d745e977df1b0b423835bc67ef4380dcf4e86455 size: 1024
Section texte md5: 1d77b59d170c276345c2291a1a1689ff sha1: c70a7aa96af435b418e64ef63de3704f4d09e851 size: 5120
Section atexit md5: 031c89ee616921ce86cdbe13e9e87884 sha1: f01a421ee5e7ca8c144c1cef4eeb7a64f4e8090e size: 4608
Section .cctype md5: 20d00f5f8bf2b4191fdc9fad90043485 sha1: 6fa542a4b5fadd5e2b1015e2e4d26b6584a24a02 size: 6144
Section .rsrc md5: 45c46674e823fa411261aaacd2368e25 sha1: ae3fd49463602f99a59d8a4827eb3ce863077b27 size: 35328
Timestamp: 2016-01-15 14:58:20
Packer: Microsoft Visual C++ ?.?
PEhash: 70aaa277a17f4fa44e4cb9e78e40126c5e5a1c9b
IMPhash: 2d8771a485806d89d94233e88de67530
AV Rising: No Virus
AV Mcafee: RDN/Generic.hbg
AV Avira (antivir): TR/Crypt.Xpack.403455
AV Twister: No Virus
AV Ad-Aware: Trojan.Generic.15772720
AV Alwil (avast): Dorder-S [Trj]
AV Eset (nod32): Win32/Kryptik.EKRH
AV Grisoft (avg): Crypt_r.ASD
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Kasidet.DOJ!tr.bdr
AV BitDefender: Trojan.Generic.15772720
AV K7: Trojan ( 004dbd731 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.Generic.15772720
AV MalwareBytes: Trojan.Crypt
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Trojan.Generic.15772720
AV Frisk (f-prot): W32/Agent.XL.gen!Eldorado
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: Backdoor.Kasidet.Win32.1298
AV Kaspersky: Backdoor.Win32.Kasidet.doj
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Ransom.Crowti.WR7
AV BullGuard: Trojan.Generic.15772720
AV Arcabit (arcavir): Trojan.Generic.15772720
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.58793
AV F-Secure: Trojan.Generic.15772720
AV CA (E-Trust Ino): Trojan.Generic.15772720

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\3056609
Deletes File: C:\D2CE22~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: and18.f16zakitchenboy1.com
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1046 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1047 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1048 ➝ 8.8.4.4:53
