Analysis Date: 2015-11-12 10:26:27
MD5: 75f7b64fa8b9e1896468e0d84c51d390
SHA1: ea523497d519079f23614b1de2ae798f8ecb2918

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 998bc2f93be8832ba727f759181fd2a3 sha1: ea08402b0aefdb37860ef76a778e8624062fb490 size: 105984
Section .rdata: md5: 92262ec63d3421e2fac6017f8d5d3593 sha1: 2238ad4aa378a0aa314f53f08043a1f310ebc406 size: 40448
Section .data: md5: 1c42bc5839fad9272acdb8f2a8eb7ab6 sha1: bfeb5e1d37c8ba524dbf63b264c6f5be28bfc044 size: 36352
Section .rsrc: md5: 746f099623c67595891d90bbd0244b9d sha1: d43a58f082456d11417842c097e8ed528c435c9e size: 52736
Timestamp: 2015-10-20 12:19:58
Packer: Microsoft Visual C++ ?.?
PEhash: 673948e842c6a7608394be316d3ced023478d57f
IMPhash: 8de03d19b91a41cdcd1b8f5d8825df1f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Gamarue-FDC!75F7B64FA8B9
AV Avira (antivir): TR/Crypt.ZPACK.201796
AV Twister: No Virus
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Eset (nod32): Win32/Injector.BNHS
AV Grisoft (avg): Crypt_r.AFM
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.EASA!tr
AV BitDefender: Trojan.GenericKDZ.30724
AV K7: Trojan ( 004cef571 )
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKDZ.30724
AV Zillya!: No Virus
AV Kaspersky: Backdoor.Win32.Androm.inng
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV Padvish: No Virus
AV BullGuard: Trojan.GenericKDZ.30724
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoad3.35944
AV F-Secure: Trojan.GenericKDZ.30724

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\103375
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: powerrembo.ru
Winsock DNS: faumoussuperstars.ru

Network Details:

DNS: microsoft.com, Type: A, 134.170.188.221
DNS: microsoft.com, Type: A, 134.170.185.46
DNS: faumoussuperstars.ru, Type: A, 109.120.155.30
DNS: powerrembo.ru, Type: A
HTTP POST: http://faumoussuperstars.ru/intro/data.php
User-Agent: Mozilla/4.0
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 134.170.188.221:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 109.120.155.30:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53