Analysis Date: 2016-03-31 15:26:44
MD5: b87f5e0669514ec9996b09bb82451490
SHA1: fda1e684b3895c2cf20881bda329ac156703d646

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fbab8924c2e5f838788ad03f38035bb2 sha1: f473bfc6ce05aeee4e72767cdc15717f08000492 size: 28672
Section .rdata: md5: b35e788fb0be483174d16fdd3abf1519 sha1: 39a7b792aa9306e2f9f5902b0ed6c447e24d5a58 size: 4096
Section .data: md5: 41e3889992533039b09b595608b177f9 sha1: b7f2912be9b29a00068a6cbc497601f7dbf20a78 size: 4096
Section .rsrc: md5: ee48b7992ae8ac148136939c3cf54866 sha1: 1a2a633834a1bcad0359cd690cacc502f836d92c size: 32768
Timestamp: 2004-02-03 21:11:33
Version:
  LegalCopyright: Copyright (C) 2015
  InternalName: Oneness
  FileVersion: 100, 123, 232, 153
  CompanyName: r2 studios
  LegalTrademarks:
  ProductName: Formic Inimical
  ProductVersion: 74, 45, 206, 139
  FileDescription: Mobile
  OriginalFilename: Omen.exe
Packer: Microsoft Visual C++ 5.0
PEhash: e8fe9b8080b7281bb9941c494c91df50143f4e9b
IMPhash: ba51ed2a0df460f52e85383c91917d8d
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AR
AV Rising: No Virus
AV Mcafee: GenericR-GOW!B87F5E066951
AV MicroWorld (escan): Trojan.Cripack.Gen.1
AV MalwareBytes: Backdoor.Bot
AV Avira (antivir): Worm/Gamarue.1123184.7
AV Ikarus: No Virus
AV Frisk (f-prot): No Virus
AV Authentium: No Virus
AV Emsisoft: Trojan.Cripack.Gen.1
AV Twister: No Virus
AV Ad-Aware: Trojan.Cripack.Gen.1
AV Zillya!: Backdoor.Androm.Win32.30369
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Dorder-H [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.AW
AV Grisoft (avg): Downloader.Small.QLI
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Symantec: No Virus
AV BullGuard: Trojan.Cripack.Gen.1
AV Arcabit (arcavir): Trojan.Cripack.Gen.1
AV Fortinet: W32/Kryptik.EFAD!tr
AV ClamAV: No Virus
AV BitDefender: Trojan.Cripack.Gen.1
AV Dr. Web: Trojan.Siggen.65341
AV K7: No Virus
AV F-Secure: Trojan:W32/Gamarue.F
AV CA (E-Trust Ino): Trojan.Cripack.Gen.1

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝
"C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝
\\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: update.microsoft.com
Type: A
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53