Analysis Date: 2015-12-24 06:03:33
MD5: b62f58a64945d560d6fb38880325c2dd
SHA1: e073bf854ad6ff8dd0229933b97649bb707e2da8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 282dc4f949bc690194f3bcd00a1c4104 sha1: 07cb8fcdea0b81273be9a4d96c28b1ccd24ea557 size: 147968
Section .rdata: md5: 1f37887ae9ca4c90ce90aac6ac9e6dd1 sha1: 8a8b65f7a79876002058cc0eb347be4d0254c932 size: 19456
Section .data: md5: a6443a0bbb7d8eed62b4e2128e608215 sha1: b39c251d8097c5da8c4966682465ce3cd429d7f4 size: 74240
Section .rsrc: md5: 5b8600f9b28d131d5eaa8e394d9f4598 sha1: f3d89967520667e191fbdccb78b3be9a19e0755c size: 50688
Timestamp: 2015-11-14 19:14:46
Packer: Microsoft Visual C++ ?.?
PEhash: f43b42c67d098fab220a03712e2d3bf199391c59
IMPhash: c9962ec9b760b9fd7cb29b15ebbfd0cc
AV Zillya!: Backdoor.Androm.Win32.29894
AV Eset (nod32): Win32/Kryptik.EEYE
AV VirusBlokAda (vba32): Trojan.Bublik
AV BullGuard: Trojan.GenericKDZ.31203
AV Arcabit (arcavir): Trojan.GenericKDZ.31203
AV Fortinet: W32/Androm.EEYE!tr.bdr
AV Symantec: Backdoor.Trojan
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Dorder-C [Trj]
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKDZ.31203
AV BitDefender: Trojan.GenericKDZ.31203
AV Rising: no_virus
AV MicroWorld (escan): Trojan.GenericKDZ.31203
AV CAT (quickheal): Worm.Gamarue.r4
AV Trend Micro: no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Grisoft (avg): Crypt5.LUJ
AV K7: Trojan ( 004d6cf01 )
AV Ikarus: Trojan.Crypt
AV Dr. Web: BackDoor.Andromeda.662
AV ClamAV: no_virus
AV Ad-Aware: Trojan.GenericKDZ.31203
AV MalwareBytes: Trojan.MalPack
AV Emsisoft: Trojan.GenericKDZ.31203
AV Mcafee: Drixed-FBW!B62F58A64945
AV Avira (antivir): TR/Crypt.Xpack.319742
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Kaspersky: Backdoor.Win32.Androm.irdr

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\119656
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: and13.dexterwasanicemoviesz1.com
Type: A
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53