Analysis Date: 2016-02-09 20:48:58
MD5: 4fc7e9ea56b4aae49f147edc15c45de1
SHA1: ec91f516ee3e9de29a6fb6aba8e531400c8f5fc2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 82355c29d8188b96b063b8ba713e88e6 sha1: a11ac245fe5e15aaf90869ef01aca058b8a852db size: 54272
Section .rdata md5: f63cfef9cc58d220ee3f1ca00c001010 sha1: 600687b0d882e97eb21c08b9bd477043f3f14d5f size: 56832
Section .data  md5: e02a8e62cab12aa99b738637c2302255 sha1: dd0fd5f23df9f45d028e0803868533c24dbacb9a size: 4608
Section .rey   md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .rsrc  md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc md5: baade0034d2430c63a1d5bfd3c4fad3b sha1: b915f6be31c54a9d031e2bd1f5af025510d38b8f size: 4608
Timestamp: 2016-02-04 22:15:06
Packer: Microsoft Visual C++ ?.?
PEhash: c78be477a0bc05a4532f335d58e30aee6cf5bff4
IMPhash: 0603adceb2c2635aa90fbcccaa88014f
AV CA (E-Trust Ino): Gen:Variant.Razy.12031
AV F-Secure: Gen:Variant.Razy.12031
AV Dr. Web: Trojan.DownLoader19.19872
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.12031
AV BullGuard: Gen:Variant.Razy.12031
AV CAT (quickheal): Worm.Gamarue.WR6
AV VirusBlokAda (vba32): No Virus
AV Kaspersky: Trojan.Win32.Yakes.oybp
AV Zillya!: No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): No Virus
AV Emsisoft: Gen:Variant.Razy.12031
AV Authentium: No Virus
AV MalwareBytes: Worm.Gamarue
AV MicroWorld (escan): Gen:Variant.Razy.12031
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV K7: Trojan ( 004dd87d1 )
AV BitDefender: Gen:Variant.Razy.12031
AV Fortinet: W32/Yakes.OYBP!tr
AV Symantec: Trojan.Gen.2
AV Grisoft (avg): Crypt5.AGIC
AV Eset (nod32): Win32/Kryptik.EMRH
AV Alwil (avast): Dorder-J [Trj]
AV Ad-Aware: Gen:Variant.Razy.12031
AV Trend Micro: No Virus
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.393552
AV Mcafee: BackDoor-FDCL!4FC7E9EA56B4
AV Rising: No Virus
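Two details in the section table above are worth checking by hand rather than trusting the "Packer: Microsoft Visual C++" line. The .rey section is not a name any standard linker emits, and the MD5/SHA1 pairs reported for .rey (1024 bytes) and .rsrc (512 bytes) are exactly the hashes of 1024 and 512 zero bytes, so both sections are empty on disk and can only be populated at run time; the compiler fingerprint therefore describes the outer stub, not whatever it unpacks. The following script is an added example, not part of the original report and not the sandbox's own code: a standard-library-only PE section parser that reproduces the per-section hash lines and flags non-standard names and zero-filled sections. The two-section image it builds for offline use is constructed for this example and is not the sample; the timestamp it embeds is the report's 2016-02-04 22:15:06 UTC.

```python
"""Verify a PE section table the way the static details above present it:
name, raw size, MD5 and SHA1 per section, plus two checks worth running on
any sample: a section name outside the usual linker set, and a section
whose raw bytes are all zero on disk.

Added example, not part of the original report; uses only the standard
library (no pefile). It parses the DOS header, the COFF file header and the
section table, and ignores the optional header beyond its size field.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Section names an ordinary MSVC-linked image carries; anything else (the
# ".rey" section in the report above, for instance) is worth a closer look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def zero_block_hashes(size):
    """MD5 and SHA1 of a zero-filled block; compare against a reported section hash."""
    z = bytes(size)
    return hashlib.md5(z).hexdigest(), hashlib.sha1(z).hexdigest()


def is_zero_filled(size, md5hex):
    """True if a reported section MD5 is just the hash of `size` zero bytes."""
    return zero_block_hashes(size)[0] == md5hex.lower()


def parse_sections(image):
    """Return the compile timestamp and one dict per section, hashed and flagged."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name,
            "size": raw_size,
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "all_zero": raw_size > 0 and data == bytes(raw_size),
            "unusual_name": name not in COMMON_SECTIONS,
        })
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "sections": sections}


def build_sample_image():
    """Constructed two-section PE32 image for offline use (not the sample).

    .text holds 512 non-zero bytes; .rey is 1024 zero bytes, the size of the
    report's .rey section. The timestamp is the report's 2016-02-04 22:15:06 UTC.
    """
    opt_size = 224  # PE32 optional header size
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1454624106, 0, 0, opt_size, 0x102)
    text_hdr = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    rey_hdr = struct.pack("<8sIIII", b".rey", 0x400, 0x2000, 0x400, 0x400) + bytes(16)
    headers = dos + coff + bytes(opt_size) + text_hdr + rey_hdr
    headers += bytes(0x200 - len(headers))  # pad headers to the first raw section
    return headers + bytes(range(256)) * 2 + bytes(0x400)


def report(image):
    """One line per section in the report's own layout, with flags appended."""
    info = parse_sections(image)
    lines = [f"Timestamp: {info['timestamp']:%Y-%m-%d %H:%M:%S}"]
    for s in info["sections"]:
        flags = []
        if s["unusual_name"]:
            flags.append("non-standard name")
        if s["all_zero"]:
            flags.append("all zeros on disk (filled at run time?)")
        lines.append(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} "
                     f"size: {s['size']}" + (f"  [{', '.join(flags)}]" if flags else ""))
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("\n".join(report(data)))
```

Run it against a real file with the path as the only argument; with no argument it prints the constructed image. `is_zero_filled(1024, "0f343b0931126a20f133d67c2b018a3b")` and `is_zero_filled(512, "bf619eac0cdf3f68d496ea9344137e8b")` are the checks for the report's .rey and .rsrc hashes.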

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File C:\Documents and Settings\All Users\114859
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\All Users\msvgqh.exe
Creates File \Device\Afd\Endpoint
Deletes File C:\EC91F5~1.EXE
Winsock DNS pool.ntp.org
Winsock DNS africa.pool.ntp.org
Winsock DNS south-america.pool.ntp.org
Winsock DNS microsoft.com
Winsock DNS north-america.pool.ntp.org
Winsock DNS asia.pool.ntp.org
Winsock DNS oceania.pool.ntp.org
Winsock DNS ringplanet.eu
Winsock DNS europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org Type: A 148.251.69.59
DNS europe.pool.ntp.org Type: A 46.165.212.205
DNS europe.pool.ntp.org Type: A 85.25.44.219
DNS europe.pool.ntp.org Type: A 91.224.149.41
DNS north-america.pool.ntp.org Type: A 50.116.52.97
DNS north-america.pool.ntp.org Type: A 108.61.194.85
DNS north-america.pool.ntp.org Type: A 128.113.28.67
DNS north-america.pool.ntp.org Type: A 4.53.160.75
DNS south-america.pool.ntp.org Type: A 200.93.227.170
DNS south-america.pool.ntp.org Type: A 146.164.48.5
DNS south-america.pool.ntp.org Type: A 190.15.141.64
DNS south-america.pool.ntp.org Type: A 192.188.53.26
DNS asia.pool.ntp.org Type: A 168.63.242.24
DNS asia.pool.ntp.org Type: A 202.65.114.202
DNS asia.pool.ntp.org Type: A 62.201.225.9
DNS asia.pool.ntp.org Type: A 128.199.236.60
DNS oceania.pool.ntp.org Type: A 103.242.70.4
DNS oceania.pool.ntp.org Type: A 115.126.160.4
DNS oceania.pool.ntp.org Type: A 202.6.248.11
DNS oceania.pool.ntp.org Type: A 203.56.27.253
DNS africa.pool.ntp.org Type: A 41.188.33.6
DNS africa.pool.ntp.org Type: A 196.41.127.42
DNS africa.pool.ntp.org Type: A 196.192.32.7
DNS africa.pool.ntp.org Type: A 41.73.42.22
DNS pool.ntp.org Type: A 24.56.178.140
DNS pool.ntp.org Type: A 104.131.51.97
DNS pool.ntp.org Type: A 209.244.0.3
DNS pool.ntp.org Type: A 4.53.160.75
DNS microsoft.com Type: A 191.239.213.197
DNS microsoft.com Type: A 23.96.52.53
DNS microsoft.com Type: A 23.100.122.175
DNS microsoft.com Type: A 104.40.211.35
DNS microsoft.com Type: A 104.43.195.251
DNS ringplanet.eu Type: A
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
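Read together, the runtime and network records above say more than any single line: the registry writes and file drops are attributed to the msiexec.exe process the sample spawned, so the trusted installer binary is hosting the payload; two of the registry writes (Policies\Explorer\Run\317606753 and Windows NT\CurrentVersion\Windows\Load) are logon autostart locations, and the Run value points at the dropped msvgqh.exe; TaskbarNoNotification=1 silences notification-area balloons; the deleted C:\EC91F5~1.EXE is the 8.3 short name of a file beginning with the sample's own SHA1, i.e. the sample removed its original copy; and of all the hosts looked up, only ringplanet.eu is neither an NTP pool nor microsoft.com, and it is the one that returned no address, while the only non-DNS flow captured is the TCP connection to microsoft.com on port 80. The script below is an added example, not part of the original report or the sandbox's code: it parses records re-typed from this report (a representative subset, constructed for the example) and applies those heuristics; the autostart patterns, benign-host suffixes and policy descriptions are this example's own.

```python
"""Turn the runtime and network records of a sandbox report into triage
findings: autostart writes, UI-suppression policies, dropped executables,
self-deletion, spawned system binaries, and hosts that are neither
connectivity checks nor resolvable.

Added example, not part of the original report. The records below are
re-typed from the report in "label value" form (DNS answers trimmed to one
per host); the classification rules are this example's own heuristics.
"""
import re

SAMPLE_SHA1 = "ec91f516ee3e9de29a6fb6aba8e531400c8f5fc2"  # from the report header

# Constructed from the report above; not a complete copy.
REPORT = r"""
Creates Process C:\WINDOWS\system32\msiexec.exe
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File C:\Documents and Settings\All Users\114859
Creates File C:\Documents and Settings\All Users\msvgqh.exe
Deletes File C:\EC91F5~1.EXE
Winsock DNS pool.ntp.org
Winsock DNS microsoft.com
Winsock DNS ringplanet.eu
DNS pool.ntp.org Type: A 24.56.178.140
DNS microsoft.com Type: A 191.239.213.197
DNS ringplanet.eu Type: A
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 191.239.213.197:80
"""

# Registry locations consulted at logon; a write here is persistence (example's own list).
ASEP_PATTERNS = [
    re.compile(r"\\policies\\explorer\\run\\", re.I),
    re.compile(r"\\windows nt\\currentversion\\windows\\load$", re.I),
    re.compile(r"\\currentversion\\run(once)?\\", re.I),
]
# Explorer policies that change what the user sees rather than what runs.
UI_POLICIES = {"taskbarnonotification": "balloon notifications suppressed",
               "showsuperhidden": "protected-file visibility setting changed"}
# Hosts a sample typically contacts only to test connectivity or fetch the time.
BENIGN_SUFFIXES = ("pool.ntp.org", "microsoft.com")

LINE = re.compile(r"^(Creates Process|Registry|Creates File|Deletes File|Winsock DNS|DNS|Flows) (.*)$")


def triage(report):
    """Parse 'label value' records and return a dict of findings."""
    f = {"autostart": [], "ui_policy": [], "spawned": [], "dropped": [],
         "self_delete": False, "queried": [], "dns": {}, "flows": []}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        label, rest = m.groups()
        if label == "Registry":
            path, _, value = rest.partition(" ➝ ")
            value = value.replace("\\\\x00", "").replace("\\x00", "")  # drop NUL markers
            if any(p.search(path) for p in ASEP_PATTERNS):
                f["autostart"].append((path, value))
            leaf = path.rsplit("\\", 1)[-1].lower()
            if leaf in UI_POLICIES:
                f["ui_policy"].append((leaf, UI_POLICIES[leaf], value))
        elif label == "Creates Process":
            f["spawned"].append(rest)
        elif label == "Creates File":
            if rest.lower().endswith(".exe"):
                f["dropped"].append(rest)
        elif label == "Deletes File":
            # 8.3 short names keep the first six characters of the long name; the
            # sandbox ran the sample under its SHA1, so EC91F5~1.EXE is the sample.
            short = rest.rsplit("\\", 1)[-1]
            if short.upper().startswith(SAMPLE_SHA1[:6].upper()):
                f["self_delete"] = True
        elif label == "Winsock DNS":
            f["queried"].append(rest)
        elif label == "DNS":
            host, _, tail = rest.partition(" Type: ")
            _rtype, _, addr = tail.partition(" ")
            f["dns"].setdefault(host, [])
            if addr:
                f["dns"][host].append(addr)
        elif label == "Flows":
            proto, src, _, dst = rest.split()
            f["flows"].append((proto, src, dst))
    hosts = set(f["queried"]) | set(f["dns"])
    f["external_hosts"] = sorted(h for h in hosts if not h.endswith(BENIGN_SUFFIXES))
    f["unresolved"] = sorted(h for h in hosts if not f["dns"].get(h))
    # Persistence that points straight at a file the sample dropped.
    f["run_points_at_dropped"] = any(v in f["dropped"] for _, v in f["autostart"])
    return f


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key}: {val}")
```

The heuristics are deliberately narrow: the autostart list covers only the locations this report touches plus the common Run/RunOnce keys, and the benign-host list is a whitelist for time and connectivity checks, not a judgement that ringplanet.eu is a command server; the report shows no traffic to it, only an unanswered lookup.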
