- * ID: 2322
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Emotet_f7a31719c91770d2f7f945c5acba4116.2"
- * File Size: 528384
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29"
- * MD5: "f7a31719c91770d2f7f945c5acba4116"
- * SHA1: "ac2162d2ae066bf9067ad7f8bf3697a78154ea68"
- * SHA512: "1375dced5b7a646461d632d7069d40d69aaca2e008f16f6bbcb22ea8304ebaaa6f8d26d05da45dbe3c79b89fea9e3c048da5bd3c8823eafe7bb7376182b6a38d"
- * CRC32: "B5F7D6CB"
- * SSDEEP: "6144:0LMvSfAq5a1dCC8DGNJTMvFC94iMdl01J4t3j1udHi9y0mF831cP2UKoVtI1X63v:0L5Aq5GqSjovFCaffFKKmFzpVi1Wgo"
- * Process Execution:
- "8FW1mu.exe",
- "8FW1mu.exe",
- "8FW1mu.exe",
- "8FW1mu.exe",
- "explorer.exe",
- "services.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "svchost.exe",
- "taskhost.exe",
- "WmiPrvSE.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe --7c612dab",
- "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "France"
- "country": "United Arab Emirates"
- "country": "India"
- "country": "Kenya"
- "country": "Czech Republic"
- "country": "United Kingdom"
- "country": "Belgium"
- "country": "Argentina"
- "country": "Mexico"
- "country": "Germany"
- "country": "Canada"
- "country": "United States"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "historymachine.exe, PID 3044"
- "Description": "Mimics the system's user agent string for its own requests",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "190.18.146.70:80/sym/site/loadan/merge/"
- "url_ioc": "187.147.50.167:8080/guids/stubs/results/"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "8FW1mu.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe"
- "Process": "8FW1mu.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "File has been identified by 3 Antiviruses on VirusTotal as malicious",
- "Details":
- "APEX": "Malicious"
- "Emsisoft": "Trojan.Agent (A)"
- "Endgame": "malicious (moderate confidence)"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 15 unique IP addresses"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.15, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001d000, virtual_size: 0x0001ccec"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 14590753 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "historymachine"
- "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 1"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 3"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 11"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 16"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 18"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 23"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 24"
- * Started Service:
- "historymachine",
- "wmiApSrv"
- * Mutexes:
- "Global\\IC1C5B64F",
- "Global\\MC1C5B64F",
- "IESQMMUTEX_0_208",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\Windows\\SysWOW64\\historymachine.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_00000000-0000-0000-0000-000000000000",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
- * Deleted Files:
- "C:\\Windows\\SysWOW64\\khmerflows.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe",
- "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "France",
- "ip": "92.222.125.16",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United Arab Emirates",
- "ip": "86.98.25.30",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "India",
- "ip": "45.123.3.54",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Kenya",
- "ip": "41.220.119.246",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Czech Republic",
- "ip": "37.157.194.134",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United Kingdom",
- "ip": "31.172.240.91",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Belgium",
- "ip": "31.12.67.62",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "201.250.11.236",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "190.18.146.70",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Mexico",
- "ip": "189.209.217.49",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Mexico",
- "ip": "187.147.50.167",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Mexico",
- "ip": "187.144.189.58",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Germany",
- "ip": "178.254.6.27",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Canada",
- "ip": "142.44.162.209",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "104.131.11.150",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
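The report above is a flat key/value dump, and the pieces a responder actually acts on are scattered across it: the file hashes, the dropper re-launching itself and its SysWOW64 copy with a random `--<8 hex digits>` switch, the `url_ioc` C2 entries (the same hosts the ET "Feodo Tracker Reported CnC Server" signatures fired on), the service name and path used for persistence, and the deletion of the copy's `Zone.Identifier` stream. As an added example, not part of the sandbox report or of any vendor tooling, here is a Python parser for this line format that extracts those indicators. The embedded excerpt is constructed from the report's own values; the output field names (`reexec`, `c2`, `zone_identifier_stripped`) are the example's own.

```python
import json
import re
from collections import defaultdict

# Constructed excerpt in the same line format as the sandbox report above
# (values copied from it; the full report has more sections).
SAMPLE_REPORT = r'''
- * MD5: "f7a31719c91770d2f7f945c5acba4116"
- * SHA1: "ac2162d2ae066bf9067ad7f8bf3697a78154ea68"
- * SHA256: "4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe --7c612dab",
- "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85"
- * Signatures Detected:
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "190.18.146.70:80/sym/site/loadan/merge/"
- "url_ioc": "187.147.50.167:8080/guids/stubs/results/"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "historymachine"
- "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
- * Deleted Files:
- "C:\\Windows\\SysWOW64\\khmerflows.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8FW1mu.exe",
- "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
'''

# '- * Name: value' (scalar) or '- * Name:' (section header)
HEADER_RE = re.compile(r'^- \* ([^:]+):\s*(.*?)\s*$')
# '- "value",' (bare entry) or '- "key": "value"' / '- "key":' (pair)
LINE_RE = re.compile(r'^- "((?:[^"\\]|\\.)*)"(:)?\s*(?:"((?:[^"\\]|\\.)*)")?,?\s*$')
# Emotet-style relaunch: <path>.exe --<8 hex digits>
REEXEC_RE = re.compile(r'^"?(.+?\.exe)"?\s+--([0-9a-f]{8})$')
# url_ioc values are written as ip:port/path
URL_IOC_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(/\S*)$')


def _unquote(s):
    """Decode one JSON-escaped string body (the report escapes paths with \\\\ and \\")."""
    return json.loads('"' + s + '"')


def parse_report(text):
    """Return (scalars, sections): scalars maps 'MD5' etc. to values; sections maps a
    section name to a list of (key, value) pairs, key being None for bare entries."""
    scalars, sections, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, rest = m.groups()
            if rest:
                scalars[name] = _unquote(rest[1:-1]) if rest.startswith('"') else rest
            else:
                current = name
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            name, colon, value = m.groups()
            if colon:
                sections[current].append((_unquote(name), None if value is None else _unquote(value)))
            else:
                sections[current].append((None, _unquote(name)))
    return scalars, dict(sections)


def extract_iocs(text):
    """Pull the triage-relevant indicators out of a report in this format."""
    scalars, sections = parse_report(text)
    sigs = sections.get('Signatures Detected', [])
    iocs = {
        'hashes': {k.lower(): scalars[k] for k in ('MD5', 'SHA1', 'SHA256') if k in scalars},
        'reexec': [],      # (image name, 8-hex switch) for each self-relaunch
        'c2': [],          # parsed url_ioc entries
        'services': [],    # (service name, binary path) persistence entries
        'zone_identifier_stripped': [],  # files whose Mark-of-the-Web stream was deleted
    }
    for _, cmd in sections.get('Executed Commands', []):
        m = REEXEC_RE.match(cmd)
        if m:
            iocs['reexec'].append((m.group(1).rsplit('\\', 1)[-1], m.group(2)))
    for key, val in sigs:
        m = URL_IOC_RE.match(val) if key == 'url_ioc' and val else None
        if m:
            iocs['c2'].append({'ip': m.group(1), 'port': int(m.group(2)), 'path': m.group(3)})
    names = [v for k, v in sigs if k == 'service name']
    paths = [v.strip('"') for k, v in sigs if k == 'service path']
    iocs['services'] = list(zip(names, paths))
    suffix = ':Zone.Identifier'
    iocs['zone_identifier_stripped'] = [
        p[:-len(suffix)] for _, p in sections.get('Deleted Files', []) if p.endswith(suffix)
    ]
    return iocs


if __name__ == '__main__':
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

Run it against the full report text and the same five groups come out with the additional hosts from the "Network Communication - Hosts" section left for a separate pass; the `reexec` pair (`8FW1mu.exe --7c612dab`, then `historymachine.exe --81d93c85`) and the service named after the SysWOW64 copy are the behaviours worth turning into host detections, while the `c2` entries and the 15 direct-IP connections are the network side.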