guelfoweb

Trojan Backoff POS - Rapid analysis with PEframe

Aug 29th, 2014
$ ./peframe.py 842E903B955E134AE281D09A467E420A.bin

Short information
------------------------------------------------------------
File Name 842E903B955E134AE281D09A467E420A.bin
File Size 32256 byte
Compile Time 2014-03-28 16:21:40
DLL False
Sections 5
Hash MD5 842e903b955e134ae281d09a467e420a
Hash SHA-1 b169758a8c605d1de310811b93390e206d2ab980
Imphash 20d312c40b57fdae2e35b5936593696c
Detected Anti Debug
Directory Import

Anti Debug discovered [2]
------------------------------------------------------------
Function Process32First
Function Process32Next

Suspicious API discovered [44]
------------------------------------------------------------
Function CopyFileA
Function CreateDirectoryA
Function CreateFileA
Function CreateProcessA
Function CreateRemoteThread
Function CreateThread
Function CreateToolhelp32Snapshot
Function DeleteFileA
Function GetCommandLineA
Function GetComputerNameA
Function GetCurrentProcess
Function GetCurrentProcessId
Function GetFileAttributesA
Function GetFileSize
Function GetModuleFileNameA
Function GetProcAddress
Function GetTempPathA
Function GetTickCount
Function GetUserNameA
Function GetVersionExA
Function LoadLibraryA
Function OpenProcess
Function OpenProcessToken
Function Process32First
Function Process32Next
Function ReadProcessMemory
Function RegCloseKey
Function RegCreateKeyExA
Function RegDeleteValueA
Function RegOpenKeyExA
Function Sleep
Function VirtualAlloc
Function VirtualAllocEx
Function VirtualFree
Function WSAStartup
Function WriteFile
Function WriteProcessMemory
Function closesocket
Function connect
Function recv
Function recvfrom
Function send
Function sendto
Function socket

Suspicious Sections discovered [1]
------------------------------------------------------------
Section .bss
Hash MD5 d41d8cd98f00b204e9800998ecf8427e
Hash SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709

File name discovered [28]
------------------------------------------------------------
Text \AdobeFlashPlayer\Log.txt
Executable LogonUI.exe
Executable \AdobeFlashPlayer\mswinhost.exe
Executable \winserv.exe
Executable alg.exe
Executable chrome.exe
Executable csrss.exe
Executable devenv.exe
Executable explorer.exe
Executable firefox.exe
Executable iexplore.exe
Executable lsass.exe
Executable mysqld.exe
Executable services.exe
Executable smss.exe
Executable spoolsv.exe
Executable taskhost.exe
Executable winlogon.exe
Executable wmiprvse.exe
Executable wuauclt.exe
Web Page /aero3/fly.php
Data \AdobeFlashPlayer\Local.dat
Library advapi32.dll
Library kernel32.dll
Library msvcrt.dll
Library shell32.dll
Library user32.dll
Library ws2_32.dll

Url discovered [3]
------------------------------------------------------------
Url msoffice365net.com
Url pop3smtp5imap3.com
Url pop3smtp5imap4.ru