Analysis Date: 2015-12-08 07:35:09
MD5: 7af5fe76b07143cb3e4ea581b77d09d5
SHA1: e7039c63174769c34714388f2f8a0f6f317c5886

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bbfa19af756e7c6f559d7aeef4183ac1 sha1: 9974876217dc47e8080a12649d8aab504f4c9b7f size: 131584
Section .rdata: md5: 1fe828c717b4a06e5bba365ea4729f68 sha1: a2a21fb8dbbe9c27845b81c4c20e25cd39cf5f74 size: 11776
Section .data: md5: 57340922ddaa23b786ff78ffe1838283 sha1: bd0310cf738b67556dae263e25678307ed4361d3 size: 50688
Section .rsrc: md5: 13683ffdb2e175fa045dfff70b23c9c8 sha1: 2ce1bfe5c9d38e2f46efda59d9fd84863cde8b2e size: 46080
Timestamp: 2015-10-22 06:51:35
Version:
  LegalCopyright: Copyright (c) 1999-2012 Cortado AG
  InternalName: TPAutoConnect
  FileVersion: 8,8,465,1
  CompanyName: Cortado AG
  ProductName: TPAutoConnect
  ProductVersion: 8,8,465,1
  FileDescription: ThinPrint AutoConnect printer creation service
  OriginalFilename: TPAutoConnSvc.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 45ffb9ee5b4930d49107af578f83613f7a78bae8
IMPhash: 02c3edcbb7999a997fd7718f7a4040cb
AV MalwareBytes: Backdoor.BetaBot
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Fortinet: W32/Farfli.ABKA!tr.bdr
AV Grisoft (avg): Crypt_r.AGC
AV K7: Trojan ( 004d48ed1 )
AV Kaspersky: Trojan.Win32.Generic
AV Mcafee: RDN/Generic BackDoor
AV F-Secure: Trojan.Lethic.Gen.9
AV Eset (nod32): Win32/Kryptik.EBQR
AV Frisk (f-prot): no_virus
AV Ad-Aware: Trojan.Lethic.Gen.9
AV BullGuard: Trojan.Lethic.Gen.9
AV Alwil (avast): Androp [Drp]
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Gamarue.r4
AV Avira (antivir): TR/Crypt.Xpack.306020
AV ClamAV: no_virus
AV Dr. Web: BackDoor.IRC.NgrBot.42
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV BitDefender: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org, Type: A, 94.125.132.7
DNS: europe.pool.ntp.org, Type: A, 46.249.42.14
DNS: europe.pool.ntp.org, Type: A, 91.212.112.71
DNS: europe.pool.ntp.org, Type: A, 91.240.0.5
DNS: north-america.pool.ntp.org, Type: A, 208.74.136.34
DNS: north-america.pool.ntp.org, Type: A, 209.244.0.4
DNS: north-america.pool.ntp.org, Type: A, 67.18.187.111
DNS: north-america.pool.ntp.org, Type: A, 74.120.8.2
DNS: south-america.pool.ntp.org, Type: A, 146.164.48.5
DNS: south-america.pool.ntp.org, Type: A, 179.60.247.252
DNS: south-america.pool.ntp.org, Type: A, 200.160.0.8
DNS: south-america.pool.ntp.org, Type: A, 200.160.7.193
DNS: asia.pool.ntp.org, Type: A, 168.63.242.24
DNS: asia.pool.ntp.org, Type: A, 218.189.210.3
DNS: asia.pool.ntp.org, Type: A, 59.106.180.168
DNS: asia.pool.ntp.org, Type: A, 82.200.209.194
DNS: oceania.pool.ntp.org, Type: A, 103.239.8.22
DNS: oceania.pool.ntp.org, Type: A, 103.242.70.4
DNS: oceania.pool.ntp.org, Type: A, 202.22.158.31
DNS: oceania.pool.ntp.org, Type: A, 202.127.210.36
DNS: africa.pool.ntp.org, Type: A, 196.223.19.3
DNS: africa.pool.ntp.org, Type: A, 197.12.0.14
DNS: africa.pool.ntp.org, Type: A, 41.79.80.34
DNS: africa.pool.ntp.org, Type: A, 146.231.129.81
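Two things in the runtime and network sections deserve a check before any of this goes into a blocklist. First, every DNS lookup the sandbox recorded is for a regional pool.ntp.org name: that is shared public NTP infrastructure whose addresses rotate and are resolved by countless benign hosts, so the 24 A records above are context (the sample wants the time), not indicators to block. Second, the lookups are made by the spawned C:\WINDOWS\system32\msiexec.exe, not by C:\malware.exe, so the process that owns the network behaviour is the child; a hunt for this sample should key on the parent/child pair rather than on msiexec.exe alone, which is a legitimate Windows binary. The version resource's claim to be ThinPrint's TPAutoConnSvc.exe is something the section hashes and IMPhash above let you test against a known-good copy; this page does not include a signature check. The script below is an added example written for this page, not sandbox output or vendor code; REPORT is a constructed excerpt of the runtime and network sections with a ": " separator between labels and values, using the hostnames, addresses and hashes listed above. It generalizes the point slightly: any resolved host that is not under a shared-infrastructure suffix lands in the "block" set, which for this sample is empty.

```python
"""Turn the runtime and network sections of the sandbox report into IOCs.

Added example, not part of the original report. REPORT is a constructed
excerpt of this page's runtime and network sections; SAMPLE_HASHES are
copied from the Static Details section.
"""
import re
from collections import defaultdict

REPORT = """\
Process
↳ C:\\malware.exe
Creates Process: C:\\WINDOWS\\system32\\msiexec.exe

Process
↳ C:\\WINDOWS\\system32\\msiexec.exe
Creates File: PIPE\\lsarpc
Creates File: \\Device\\Afd\\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

DNS: europe.pool.ntp.org, Type: A, 94.125.132.7
DNS: europe.pool.ntp.org, Type: A, 46.249.42.14
DNS: north-america.pool.ntp.org, Type: A, 208.74.136.34
"""

SAMPLE_HASHES = {
    "md5": "7af5fe76b07143cb3e4ea581b77d09d5",
    "sha1": "e7039c63174769c34714388f2f8a0f6f317c5886",
    "imphash": "02c3edcbb7999a997fd7718f7a4040cb",
}

# pool.ntp.org is shared public NTP infrastructure: its addresses rotate and
# are used by benign hosts everywhere, so resolutions are context, not IOCs.
SHARED_INFRA_SUFFIXES = (".pool.ntp.org",)

PROCESS_RE = re.compile(r"^↳ (?P<image>.+)$")
CHILD_RE = re.compile(r"^Creates Process: (?P<image>.+)$")
DNSQ_RE = re.compile(r"^Winsock DNS: (?P<host>\S+)$")
DNSA_RE = re.compile(r"^DNS: (?P<host>\S+), Type: (?P<type>\w+), (?P<ip>[\d.]+)$")


def parse_process_tree(report):
    """Return ([(parent, child), ...], {image: [hosts it looked up]})."""
    edges, lookups, current = [], defaultdict(list), None
    for line in report.splitlines():
        if m := PROCESS_RE.match(line):
            current = m["image"]          # start of a new process block
        elif m := CHILD_RE.match(line):
            edges.append((current, m["image"]))
        elif m := DNSQ_RE.match(line):
            lookups[current].append(m["host"])
    return edges, dict(lookups)


def parse_dns_answers(report):
    """Return {hostname: sorted A-record answers} from the Network section."""
    answers = defaultdict(set)
    for line in report.splitlines():
        if (m := DNSA_RE.match(line)) and m["type"] == "A":
            answers[m["host"]].add(m["ip"])
    return {host: sorted(ips) for host, ips in answers.items()}


def build_iocs(report):
    """Separate blockable indicators from context-only observations."""
    edges, lookups = parse_process_tree(report)
    answers = parse_dns_answers(report)
    shared = {h: ips for h, ips in answers.items()
              if h.endswith(SHARED_INFRA_SUFFIXES)}
    unexplained = {h: ips for h, ips in answers.items() if h not in shared}
    # The image that actually performed lookups is the one to pivot on when
    # hunting; here that is the spawned msiexec.exe, not C:\malware.exe.
    network_origin = [img for img, hosts in lookups.items() if hosts]
    return {
        "hashes": SAMPLE_HASHES,
        "process_edges": edges,
        "network_origin": network_origin,
        "block": unexplained,      # empty for this sample
        "context_only": shared,    # NTP pool: log it, do not block it
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(REPORT), indent=2, ensure_ascii=False))
```

Run it against a full report export and anything that lands in "block" is a candidate for the blocklist; the NTP pool names stay in "context_only", and the parent/child edge plus the hashes are what a detection rule for this sample should carry.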