Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 819
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Dridex_d46410402a2d0b931f3bfd2d03152591.bin"
- * File Size: 352256
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "18c7e0b2be4df75f52d9292d4255537e04db4ca56499c3c40b5a4348a7a5dd08"
- * MD5: "d46410402a2d0b931f3bfd2d03152591"
- * SHA1: "42633213683207e9245d61a17c23f43e8606840a"
- * SHA512: "4d7e3c08a0e1ed9b1832e50a7c1f88e76e30a5135f8367d12d807ace9bb04a547ffd5dd6b5befe68683cadfc3860417ef3811c6542faa9def3f9ed95daeca819"
- * CRC32: "F05A0690"
- * SSDEEP: "3072:xO+0dVObj8DsxZN+yMhojFgZjPe4GfLYqexvODGEtoqBWKxINXC4cepFrOJEvkYI:PNgC+nQgbGGqEBcur6bbvjZr"
- * Process Execution:
- "QZuOFR.exe"
- * Executed Commands:
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "205.185.216.10:80"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "QZuOFR.exe tried to sleep 473 seconds, actually delayed analysis time by 0 seconds"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: |VT9T, entropy: 7.93, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00021000, virtual_size: 0x0002082d"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Microsoft Office Shared 64-bit MUI 2013"
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Notepad++"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office 64-bit Components 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Oracle VM VirtualBox Guest Additions 6.0.2"
- "Program": "Microsoft Office Shared 64-bit Setup Metadata MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Java 8 Update 201"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.d46410402a2d0b93"
- "Cylance": "Unsafe"
- "K7AntiVirus": "Trojan ( 00549d461 )"
- "K7GW": "Trojan ( 00549d461 )"
- "Cybereason": "malicious.368320"
- "Invincea": "heuristic"
- "Symantec": "Trojan.Emotet"
- "APEX": "Malicious"
- "Rising": "Trojan.Generic@ML.95 (RDML:rMOXKkXVceOb9RzWegSziA)"
- "SentinelOne": "DFI - Malicious PE"
- "Microsoft": "Trojan:Win32/Casur.A!cl"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "VBA32": "TScope.Malware-Cryptor.SB"
- "Webroot": "W32.Trojan.Emotet"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM20.1.A409.Malware.Gen"
- "Description": "Detects VirtualBox through the presence of a registry key",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"
- * Started Service:
- * Mutexes:
- "DBWinMutex"
- * Modified Files:
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015"
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "198.61.168.254",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "198.199.106.229",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "104.247.221.104",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement