detektfinding
a guest
Nov 20th, 2014
2014-11-20 12:20:40,842 - detector - INFO - Starting with process ID 4800
2014-11-20 12:20:40,842 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-20 12:20:40,842 - detector - INFO - Selected Driver: C:\Users\einuser\AppData\Local\Temp\_MEI40642\drivers\winpmem64.sys
2014-11-20 12:20:40,842 - detector.service - INFO - Launching service destroyer...
2014-11-20 12:20:40,842 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-20 12:20:40,842 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 12:20:40,842 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 12:20:40,842 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-20 12:20:40,851 - detector.service - INFO - Trying to start the winpmem service...
2014-11-20 12:20:40,861 - detector - INFO - Service started
2014-11-20 12:20:40,861 - detector - INFO - Selected Yara signature file at C:\Users\einuser\AppData\Local\Temp\_MEI40642\rules\signatures.yar
2014-11-20 12:20:40,861 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-20 12:20:41,624 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0A10ABD0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x094B9350>
2014-11-20 12:20:41,624 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x094B9330>, DTB: 0x187000
2014-11-20 12:20:41,624 - detector - INFO - Starting yara scanner...
2014-11-20 12:49:05,115 - detector - WARNING - Process firefox.exe (pid: 4324) matched: Xtreme at address: 0x10E3BC10, Value:

58 74 72 65 6d 65 52 41 54 5a 5a 5a 5a 5a 5a 5a XtremeRATZZZZZZZ
01 00 00 00 06 00 00 00 42 00 52 00 00 00 5a 5a ........B.R...ZZ
00 00 00 00 20 01 87 7d 48 47 46 0c 40 47 46 0c .......}HGF.@GF.
d0 d2 33 6a 02 00 00 00 00 9c ac 11 5a 5a 5a 5a ..3j........ZZZZ
01 00 00 00 04 00 00 00 23 00 00 00 5a 5a 5a 5a ........#...ZZZZ
10 00 00 00 d0 7c d3 16 80 fb d3 15 01 00 00 80 .....|..........
01 00 00 00 04 00 00 00 42 00 00 00 5a 5a 5a 5a ........B...ZZZZ
00 00 00 00 d2 98 3c 91 d8 48 46 0c d0 48 46 0c ......<..HF..HF.
80 ac ad 0a c0 a7 41 09 80 d6 b3 15 00 00 00 00 ......A.........
00 4f 28 6a c0 e7 96 16 78 53 42 07 5a 5a 5a 5a .O(j....xSB.ZZZZ
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
80 d4 54 1a 05 00 00 00 03 00 00 00 00 00 00 00 ..T.............
10 00 00 00 80 04 d6 16 60 fd d3 15 01 00 00 80 ........`.......
13 00 00 00 70 d4 80 19 84 ab ee 10 00 00 00 00 ....p...........
e0 06 40 09 80 06 40 09 40 20 41 09 5a 5a 5a 5a ..@...@.@.A.ZZZZ
00 4f 28 6a 40 ee 65 0a d0 b0 42 07 5a 5a 5a 5a .O(j@.e...B.ZZZZ

2014-11-20 12:49:05,115 - detector - WARNING - Process firefox.exe (pid: 4324) matched: Xtreme at address: 0x10EA91B0, Value:

58 74 72 65 6d 65 52 41 54 5a 5a 5a 5a 5a 5a 5a XtremeRATZZZZZZZ
01 00 00 00 04 00 00 00 1e f0 00 00 5a 5a 5a 5a ............ZZZZ
a0 e7 a9 09 31 9e 42 09 71 5f 44 09 81 00 a2 09 ....1.B.q_D.....
11 a3 1d 0b 81 0e a2 09 c1 76 3e 14 b1 aa 41 09 .........v>...A.
80 00 a2 09 d1 0c a2 09 e1 72 4c 09 00 00 00 00 .........rL.....
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
f0 d1 99 17 01 00 00 00 a0 92 ea 10 5a 5a 5a 5a ............ZZZZ
29 00 00 00 80 10 78 09 00 00 00 00 01 00 00 00 ).....x.........
73 69 6e 64 20 61 75 66 20 47 69 74 48 75 62 5a sind.auf.GitHubZ
80 4e fc 17 00 01 00 00 00 00 00 00 5a 5a 5a 5a .N..........ZZZZ
0b 00 00 00 00 93 ea 10 00 00 00 00 01 00 00 00 ................
6c 9e 00 6a 20 bf 08 12 01 5a 5a 5a 5a 5a 5a 5a l..j.....ZZZZZZZ
01 00 00 00 01 00 00 00 a0 7b 3b 11 5a 5a 5a 5a .........{;.ZZZZ
01 00 00 00 01 00 00 00 00 00 00 00 5a 5a 5a 5a ............ZZZZ
01 00 00 00 01 00 00 00 20 3e d4 11 5a 5a 5a 5a .........>..ZZZZ
50 d2 99 17 01 00 00 00 e0 92 ea 10 5a 5a 5a 5a P...........ZZZZ

2014-11-20 12:49:16,796 - detector - WARNING - Process firefox.exe (pid: 4324) matched: Xtreme at address: 0x1AA30320, Value:

58 74 72 65 6d 65 52 41 54 5a 5a 5a 5a 5a 5a 5a XtremeRATZZZZZZZ
18 77 2d 6a 00 00 00 00 09 00 00 00 20 00 00 00 .w-j............
3c 00 00 00 19 00 00 00 00 00 00 00 51 00 07 82 <...........Q...
48 00 da 81 4a 00 05 82 44 00 d7 81 57 00 2f 81 H...J...D...W./.
4c 00 d9 80 59 00 ab 81 48 00 da 81 56 00 92 81 L...Y...H...V...
6e 65 67 61 74 69 76 65 73 5a 5a 5a 5a 5a 5a 5a negativesZZZZZZZ
18 77 2d 6a 00 00 00 00 09 00 00 00 20 00 00 00 .w-j............
3c 00 00 00 19 00 00 00 00 00 00 00 45 00 05 82 <...........E...
48 00 da 81 47 00 05 82 48 00 da 81 58 00 07 82 H...G...H...X...
57 00 2f 81 48 00 da 81 57 00 2f 81 0f 00 e1 80 W./.H...W./.....
62 65 64 65 75 74 65 74 2c 5a 5a 5a 5a 5a 5a 5a bedeutet,ZZZZZZZ
18 77 2d 6a 00 00 00 00 09 00 00 00 20 00 00 00 .w-j............
3c 00 00 00 19 00 00 00 00 00 00 00 48 00 da 81 <...........H...
49 00 21 81 49 00 21 81 48 00 da 81 46 00 93 81 I.!.I.!.H...F...
57 00 2f 81 4c 00 d9 80 59 00 ab 81 48 00 da 81 W./.L...Y...H...
65 66 66 65 63 74 69 76 65 5a 5a 5a 5a 5a 5a 5a effectiveZZZZZZZ

2014-11-20 12:49:21,836 - detector - WARNING - Process firefox.exe (pid: 4324) matched: Xtreme at address: 0x1E09D460, Value:

58 74 72 65 6d 65 52 41 54 00 00 00 00 00 00 00 XtremeRAT.......
00 5a ab 11 08 00 00 00 08 00 00 80 86 00 00 00 .Z..............
99 00 00 00 95 00 00 00 90 00 00 00 92 00 00 00 ................
93 00 00 00 94 00 00 00 96 00 00 00 7c 56 55 6a ............|VUj
00 4c f1 11 00 00 00 00 00 00 00 00 00 00 00 00 .L..............
00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a .ZZZZZZZZZZZZZZZ
c4 d4 09 1e 01 00 00 00 08 00 00 80 4d 00 00 00 ............M...
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 7c 56 55 6a ZZZZZZZZZZZZ|VUj
60 bc 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 `.:.............
01 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a .ZZZZZZZZZZZZZZZ
14 d5 09 1e 01 00 00 00 08 00 00 80 5b 00 00 00 ............[...
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 7c 56 55 6a ZZZZZZZZZZZZ|VUj
a0 bc 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 ..:.............
01 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a .ZZZZZZZZZZZZZZZ

2014-11-20 13:06:54,378 - detector - INFO - Scanning finished
2014-11-20 13:06:54,378 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 13:06:54,378 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 13:06:54,378 - detector - INFO - Service stopped
2014-11-20 13:06:54,378 - detector - INFO - Analysis finished