Analysis Date: 2015-11-29 20:46:06
MD5: c19510e4a4344e4d3279d43eafa5d172
SHA1: dcd15de613267c864b579445e840ff8c71661496

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 973b13e528eef4bc4146d827b2bdd822  sha1: 17342fa8e0d14474f8310a039e81d5f48b895c59  size: 30208
Section .rdata   md5: dd8e7636d33811eefacce9037d45faee  sha1: 24e619d6aca9b963e44e83affd7095b5f407f428  size: 9216
Section .data    md5: ad46b414d2d97dcdb5ee7c205bb5a998  sha1: f5321be4a5c89ccd2e820aa1e41cb2d28145bebb  size: 8704
Section .trhdtr  md5: 15a0c5ba7ddc0ef2823a1558c7909f04  sha1: 58ae8088cf9d5d38bf4b247946896e1051a6813c  size: 31232
Section .reloc   md5: 0d3e21ab50eeb05b337ddc1363d5ce28  sha1: 2d5ffc701cd42e36641faa20bf2e1497b7b3b6f0  size: 4096
Timestamp: 2015-11-01 08:15:10
Packer: Microsoft Visual C++ ?.?
PEhash: 2cbe74486000bb34d4a78910e055dd3a47a2f0a5
IMPhash: 21b47e89b6d6b4cfc176fe29a25670ad
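
The section table is the first thing worth recomputing before trusting the verdicts below: a section named .trhdtr is not something the Visual C++ linker emits, and in a binary the sandbox attributes to "Microsoft Visual C++" while several engines return generic crypter names (Kryptik, Crypt.Xpack, Trojan.Win32.Crypt), that section is where the packed payload usually lives. The following is an added example, not code from the report or from the sandbox that produced it: a dependency-free PE section parser that reproduces the per-section md5/sha1/size columns, adds Shannon entropy, and flags non-standard section names, raw-size-zero sections and overlays. It runs on a constructed, non-executable PE32 image that reuses the section names, sizes and link timestamp from the report; the section contents (and therefore the hashes it prints) are invented, and the LINKER_SECTIONS allowlist and the 7.0 bits/byte entropy threshold are assumptions.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Section names the Visual C++ linker normally emits (assumed allowlist); anything else deserves a look.
LINKER_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                   ".reloc", ".tls", ".bss", ".pdata", ".CRT", ".gfids"}
HIGH_ENTROPY = 7.0             # bits per byte; compressed or encrypted payloads sit near 8.0
SAMPLE_TIMESTAMP = 1446365710  # 2015-11-01 08:15:10 UTC, the link timestamp from the report


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Read e_lfanew, the COFF header and the section table; hash each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    sections, data_end = [], 0
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        data_end = max(data_end, raw_ptr + raw_size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "overlay_bytes": max(0, len(pe) - data_end),   # data appended after the last section
    }


def triage(pe: bytes) -> dict:
    """parse_pe() plus the checks an analyst runs first on a suspected packed sample."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        if s["name"] not in LINKER_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']} entropy {s['entropy']}: packed or encrypted data")
        if s["size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']} has no raw data but {s['virtual_size']} virtual bytes: unpack target")
    if info["overlay_bytes"]:
        findings.append(f"{info['overlay_bytes']} bytes of overlay after the last section")
    info["findings"] = findings
    return info


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given (name, bytes) sections.
    Only the header fields parse_pe() reads are filled in; everything else is zero."""
    align, opt_size = 0x200, 224
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-headers // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, raw_size,
                             first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        vaddr += -(-len(data) // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(first_raw, b"\0") + bytes(body)


def sample_sections():
    """Constructed sections with the names and sizes from the report. The .trhdtr body is a
    SHA-256 keystream standing in for the packed payload; the real bytes are not on the page."""
    return [
        (".text", b"\x55\x8b\xec\x83\xc4\x10\x5d\xc3" * 3776),   # 30208 bytes of a repeated stub
        (".rdata", b"KERNEL32.dll\0\0\0\0" * 576),               # 9216 bytes
        (".data", bytes(8704)),
        (".trhdtr", b"".join(hashlib.sha256(b"trhdtr%d" % i).digest() for i in range(976))),  # 31232
        (".reloc", b"\x00\x10\x00\x00\x0c\x00\x00\x00" * 512),   # 4096 bytes
    ]


if __name__ == "__main__":
    report = triage(build_sample_pe(sample_sections(), SAMPLE_TIMESTAMP))
    print("Timestamp:", report["timestamp"])
    for s in report["sections"]:
        print(f"Section {s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']} entropy: {s['entropy']}")
    for f in report["findings"]:
        print("!", f)
```

Against the real file, `triage(open(path, "rb").read())` should give back exactly the five md5/sha1/size rows listed above; a mismatch means the sandbox hashed a different copy. Per-section hashes are also the right pivot for hunting: a crypter that regenerates only the packed section leaves .text/.rdata hashes shared across many samples, while the whole-file MD5/SHA1 change every build.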
AV F-Secure: Trojan.Agent.BNYH
AV Authentium: W32/S-d1a8399f!Eldorado
AV MalwareBytes: Worm.Gamarue
AV Dr. Web: Trojan.DownLoader17.39726
AV Grisoft (avg): Crypt_s.JTF
AV Eset (nod32): Win32/Kryptik.EDEZ
AV MicroWorld (escan): Trojan.Agent.BNYH
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Agent.BNYH
AV BitDefender: Trojan.Agent.BNYH
AV Avira (antivir): TR/Crypt.Xpack.318685
AV Alwil (avast): Dorder-E [Trj]
AV Fortinet: W32/Kryptik.EEAE!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iord
AV VirusBlokAda (vba32): Backdoor.Androm
AV Arcabit (arcavir): Trojan.Agent.BNYH
AV Mcafee: RDN/Generic BackDoor
AV Twister: Trojan.Girtk.EDEZ.aswa
AV Symantec: Trojan.Gen
AV K7: Trojan ( 004d5ba51 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Agent.BNYH
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Agent.BNYH
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\1856953
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (A) ➝ 195.186.1.101, 5.9.80.113, 95.104.192.10, 144.76.115.197
DNS: north-america.pool.ntp.org (A) ➝ 108.61.73.243, 129.6.15.28, 23.99.222.162, 72.20.40.62
DNS: south-america.pool.ntp.org (A) ➝ 190.15.128.72, 190.181.129.115, 200.160.7.186, 200.192.232.8
DNS: asia.pool.ntp.org (A) ➝ 118.67.200.10, 123.108.225.6, 202.156.0.34, 62.201.225.9
DNS: oceania.pool.ntp.org (A) ➝ 202.22.158.30, 202.127.210.37, 203.99.128.34, 121.0.0.42
DNS: africa.pool.ntp.org (A) ➝ 168.167.71.131, 41.222.88.32, 146.231.129.81, 146.231.129.86
DNS: pool.ntp.org (A) ➝ 104.232.3.3, 173.44.32.10, 66.7.96.1, 69.164.201.165
DNS: microsoft.com (A) ➝ 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53, 23.100.122.175
DNS: expediteddocs.com (A) ➝ (no address recorded)
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1046 ➝ 104.40.211.35:80
Flows UDP: 192.168.1.1:1047 ➝ 8.8.4.4:53
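
Read together, the runtime and network sections describe one sequence: the sample starts the signed system binary msiexec.exe; that process writes a Policies\Explorer\Run value pointing at a freshly dropped copy under All Users, clears the Windows NT\CurrentVersion\Windows\Load value, sets TaskbarNoNotification and touches ShowSuperHidden, deletes the original C:\malware.exe, resolves every regional pool.ntp.org zone plus microsoft.com (the only TCP flow is to one of the microsoft.com addresses on port 80), and finally asks for expediteddocs.com, for which no address is recorded. The Gamarue/Androm verdicts above are the Microsoft and Kaspersky family names for Andromeda. Below is an added example, not part of the report or of any sandbox product, of how a detection engineer would encode that sequence as rules over process, registry, file and DNS events. The event stream is constructed from the entries above; the INJECTION_HOSTS, INSTALLER_PARENTS and BENIGN_DNS lists, the rule names and the three-zone NTP threshold are assumptions. The msiexec.exe start is reported only as an injection-host candidate: the report shows the process creation and the registry writes made from that process, not what was written into it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Registry paths under which a value makes a program run at logon (ATT&CK T1547.001);
# compared case-insensitively as substrings of the full key path.
PERSISTENCE_KEYS = (
    r"\currentversion\policies\explorer\run",
    r"\currentversion\run",
    r"\windows nt\currentversion\windows\load",
)
# Explorer settings whose change hides tray balloons or super-hidden files from the user.
UI_TAMPER_VALUES = {"taskbarnonotification", "showsuperhidden"}
# Names a benign process might resolve in a sandbox (assumed); anything else in the run is reported.
BENIGN_DNS = re.compile(r"^(?:[a-z-]+\.)?pool\.ntp\.org$|^microsoft\.com$")
NTP_POOL = re.compile(r"pool\.ntp\.org$")
# Signed Windows binaries commonly used as injection hosts, and the parents that
# legitimately start them (hypothetical, deliberately short lists).
INJECTION_HOSTS = {"msiexec.exe", "svchost.exe", "wuauclt.exe"}
INSTALLER_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe"}

# Constructed event stream modelled on the runtime and network sections of the report.
EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\malware.exe", "parent": r"C:\WINDOWS\explorer.exe"},
    {"type": "process", "pid": 200, "image": r"C:\WINDOWS\system32\msiexec.exe", "parent": r"C:\malware.exe"},
    {"type": "registry", "pid": 200, "key": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "value": "1"},
    {"type": "registry", "pid": 200, "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753", "value": r"C:\Documents and Settings\All Users\msvgqh.exe"},
    {"type": "registry", "pid": 200, "key": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden", "value": None},
    {"type": "registry", "pid": 200, "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "value": "1"},
    {"type": "registry", "pid": 200, "key": r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load", "value": ""},
    {"type": "file_create", "pid": 200, "path": r"C:\Documents and Settings\All Users\msvgqh.exe"},
    {"type": "file_create", "pid": 200, "path": r"C:\Documents and Settings\All Users\1856953"},
    {"type": "file_delete", "pid": 200, "path": r"C:\malware.exe"},
] + [{"type": "dns", "pid": 200, "query": q} for q in (
    "microsoft.com", "pool.ntp.org", "north-america.pool.ntp.org", "africa.pool.ntp.org",
    "oceania.pool.ntp.org", "asia.pool.ntp.org", "south-america.pool.ntp.org",
    "europe.pool.ntp.org", "expediteddocs.com")]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (rule, pid, detail) findings for one sandbox run."""
    findings = []
    images = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process"}
    queries = defaultdict(list)
    for e in events:
        kind, pid = e["type"], e["pid"]
        if kind == "process":
            child, parent = basename(e["image"]), basename(e["parent"])
            if child in INJECTION_HOSTS and parent not in INSTALLER_PARENTS:
                findings.append(("inject-host", pid, f"{child} started by {parent}"))
        elif kind == "registry":
            key = e["key"].lower()
            if any(k in key for k in PERSISTENCE_KEYS):
                findings.append(("persistence", pid, f"{e['key']} = {e['value']!r}"))
            if key.rsplit("\\", 1)[-1] in UI_TAMPER_VALUES:
                findings.append(("ui-tamper", pid, f"{e['key']} = {e['value']!r}"))
        elif kind == "file_create":
            path = e["path"].lower()
            if path.endswith(".exe") and ("\\all users\\" in path or "\\programdata\\" in path):
                findings.append(("drop", pid, e["path"]))
        elif kind == "file_delete":
            # deleting the image of a process seen in this run: the original removing itself
            owners = [p for p, img in images.items() if img == e["path"].lower()]
            if owners:
                findings.append(("self-delete", pid, f"{e['path']} (image of pid {owners[0]})"))
        elif kind == "dns":
            queries[pid].append(e["query"].lower())
    for pid, names in queries.items():
        pools = {n for n in names if NTP_POOL.search(n)}
        if len(pools) >= 3:   # one process asking several regional NTP zones is not time sync
            findings.append(("ntp-fanout", pid, f"{len(pools)} pool.ntp.org zones resolved"))
        for n in names:
            if not BENIGN_DNS.match(n):
                findings.append(("unknown-domain", pid, n))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

The registry rules are the durable part: Policies\Explorer\Run and Windows NT\CurrentVersion\Windows\Load are read by Explorer at logon just like the ordinary Run key but are missed by tooling that only enumerates Run/RunOnce, which is why they are worth their own rule. The DNS rules are weaker on their own (any host may resolve pool.ntp.org) and are meant to be scored together with the process and registry findings from the same pid, as analyze() does by keying everything on pid.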
