Analysis Date: 2016-01-28 06:03:44
MD5: c70fad2165954610ff3e9b931e7133cf
SHA1: df06fa33cc2dfbe0e2a106cd60148b4245e51522

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 98b953c09b1984c354768873d3650b4f sha1: 93510719058aed374819b9469136e420b1850469 size: 73216
Section .rdata: md5: 5c04567f395652867600a66f7a0fa5e3 sha1: b03f1fb3215bec1e7adbcb539006c0257626d182 size: 26112
Section .data: md5: c001ee8bb61cf1e17ac61cfdb133d775 sha1: 7cf2050c581167c48ffdb38178d4fc4275f3fba6 size: 32256
Section .reloc: md5: 2dfb2a1fc0951e1fb867504522d95b2e sha1: 90d62b5cdc780ae20b0460d709e3a0e2d65e7441 size: 5120
Timestamp: 2015-12-18 20:45:06
Packer: Microsoft Visual C++ ?.?
PEhash: 1ea956a8f9e7590fa9ca31ac3bf624906aa64792
IMPhash: c62d1f27669d41d761817dc1a5e45000
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Trojan.Agent.BPHY
AV Alwil (avast): Dorder-E [Trj]
AV Eset (nod32): Win32/Kryptik.EJAM
AV Grisoft (avg): Crypt5.WWB
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.EIXX!tr
AV BitDefender: Trojan.Agent.BPHY
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Trojan.Agent.BPHY
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.Agent.BPHY
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Trojan.Agent.BPHY
AV Arcabit (arcavir): Trojan.Agent.BPHY
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Trojan.Agent.BPHY
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\112390
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\DF06FA~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A): 85.214.194.162, 178.79.160.57, 195.154.41.195, 37.187.107.140
DNS north-america.pool.ntp.org (Type: A): 129.6.15.30, 129.6.15.28, 96.244.96.19, 50.116.55.65
DNS south-america.pool.ntp.org (Type: A): 146.164.48.5, 201.49.148.135, 200.160.7.186, 200.89.75.198
DNS asia.pool.ntp.org (Type: A): 211.233.40.78, 157.7.235.92, 104.41.190.151, 212.26.18.41
DNS oceania.pool.ntp.org (Type: A): 130.102.2.123, 103.239.8.22, 219.88.71.36, 192.189.54.17
DNS africa.pool.ntp.org (Type: A): 41.73.42.10, 197.12.0.14, 196.10.52.57, 41.231.53.4
DNS pool.ntp.org (Type: A): 132.163.4.102, 108.61.73.244, 96.244.96.19, 209.208.79.69
DNS microsoft.com (Type: A): 23.96.52.53, 23.100.122.175, 104.40.211.35, 104.43.195.251, 191.239.213.197
DNS ringplanet.eu (Type: A): no address recorded
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
