Analysis Date: 2016-01-28 10:09:18
MD5:           1400a9d0660155a41eddca4d3baab519
SHA1:          e7773fac2fbca88d180557a58f0a0eed47264f97

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Section   MD5                               SHA1                                      Size
.text     2bba762a1e1a85099bf8ef8d64184f16  41dbc9688a20993f7e7f46936101320ff9bc5bb6  30208
.rdata    d879787dc1ed68907cdfff79f59b7578  7830c1d506436e31dd8d8852c6d875193b3ac318  14336
.data     3e5b3745a9340b2c817125c09cb5c5fe  6acb84b926a211c0efca7ec442689c3988a41049  3072
.veywb    560382dda70bf60eb7f557e3d01fe1d7  818aa0ce9d184715fb7f08b97ecbd12184a5fc89  31232
.reloc    ecfc8cf04eeffcf18ca5912aaec87bd8  7eb3eb34c1023aacd198c27c7bb340039e19c70c  4096

Timestamp: 2015-11-04 22:07:27
Packer:    Microsoft Visual C++ ?.?
PEhash:    7e15121ebd09148a93bc9f2b809ca485399bd9ec
IMPhash:   83b20a385aaeb684ddb772d111eebab4

AV vendor                       Detection
Rising                          No Virus
Mcafee                          No Virus
Avira (antivir)                 TR/Crypt.Xpack.316367
Twister                         Trojan.Girtk.EDPX.fswr
Ad-Aware                        Gen:Variant.Kazy.764156
Alwil (avast)                   Dorder-E [Trj]
Eset (nod32)                    Win32/Kryptik.EDPX
Grisoft (avg)                   Crypt_s.JVZ
Symantec                        Trojan.Gen.2
Fortinet                        W32/Kryptik.EEAE!tr
BitDefender                     Gen:Variant.Kazy.764156
K7                              No Virus
Microsoft Security Essentials   Worm:Win32/Gamarue!rfn
MicroWorld (escan)              Gen:Variant.Kazy.764156
MalwareBytes                    Worm.Gamarue
Authentium                      W32/S-d1a8399f!Eldorado
Frisk (f-prot)                  No Virus
Ikarus                          Trojan.Win32.Crypt
Emsisoft                        Gen:Variant.Kazy.764156
Zillya!                         No Virus
Kaspersky                       Backdoor.Win32.Androm.ipkm
Trend Micro                     No Virus
CAT (quickheal)                 No Virus
VirusBlokAda (vba32)            Backdoor.Androm
BullGuard                       Gen:Variant.Kazy.764156
Arcabit (arcavir)               Gen:Variant.Kazy.764156
ClamAV                          No Virus
Dr. Web                         Trojan.DownLoader17.41351
F-Secure                        Gen:Variant.Kazy.764156
CA (E-Trust Ino)                No Virus

Runtime Details:

Process
↳ C:\malware.exe

  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\All Users\116265
  Deletes File: C:\malware.exe
  Winsock DNS: microsoft.com
  Winsock DNS: pool.ntp.org
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: outsphere.com
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53