paladin316

Exes_b4fc1596157eb7b7900dd1da72c301c4_exe_2019-08-28_00_30.txt

Aug 27th, 2019
  1.  
  2. * MalFamily: "Gandcrab"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_b4fc1596157eb7b7900dd1da72c301c4.exe"
  7. * File Size: 219661
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad"
  10. * MD5: "b4fc1596157eb7b7900dd1da72c301c4"
  11. * SHA1: "e0c4095c71475036bd79f8bb926fcb575d446d36"
  12. * SHA512: "6a7f72c23344c128dc1d7c25942affedd7c36960da229caebee274c395013d07db9bcb77a24f8cf00e765cbbd1d346cb925dc67a63ac9da2c3621c49c1c1cf48"
  13. * CRC32: "C2C5EB0F"
  14. * SSDEEP: "3072:ePI88gNJMXBNO2gwvT+qaRER85N/0N9eaoRSh+KpVmytJKF7Gb:yI8FNmBJrxR85N/0N9eao+UCJsM"
  15.  
  16. * Process Execution:
  17. "WJhL3edMezLSjyf.exe",
  18. "nslookup.exe",
  19. "nslookup.exe",
  20. "nslookup.exe",
  21. "nslookup.exe",
  22. "nslookup.exe",
  23. "nslookup.exe",
  24. "nslookup.exe",
  25. "nslookup.exe",
  26. "nslookup.exe",
  27. "nslookup.exe",
  28. "nslookup.exe",
  29. "nslookup.exe",
  30. "nslookup.exe",
  31. "nslookup.exe",
  32. "nslookup.exe",
  33. "nslookup.exe",
  34. "nslookup.exe",
  35. "nslookup.exe",
  36. "nslookup.exe",
  37. "nslookup.exe",
  38. "nslookup.exe",
  39. "nslookup.exe",
  40. "nslookup.exe",
  41. "nslookup.exe",
  42. "nslookup.exe",
  43. "nslookup.exe",
  44. "nslookup.exe",
  45. "nslookup.exe",
  46. "nslookup.exe",
  47. "nslookup.exe",
  48. "nslookup.exe",
  49. "nslookup.exe",
  50. "nslookup.exe",
  51. "nslookup.exe",
  52. "nslookup.exe",
  53. "nslookup.exe",
  54. "nslookup.exe",
  55. "nslookup.exe",
  56. "nslookup.exe",
  57. "nslookup.exe",
  58. "nslookup.exe",
  59. "nslookup.exe",
  60. "nslookup.exe",
  61. "nslookup.exe",
  62. "nslookup.exe",
  63. "nslookup.exe",
  64. "nslookup.exe",
  65. "nslookup.exe",
  66. "nslookup.exe",
  67. "nslookup.exe",
  68. "nslookup.exe",
  69. "nslookup.exe",
  70. "nslookup.exe",
  71. "nslookup.exe",
  72. "nslookup.exe",
  73. "nslookup.exe",
  74. "nslookup.exe",
  75. "nslookup.exe",
  76. "nslookup.exe",
  77. "nslookup.exe",
  78. "nslookup.exe",
  79. "nslookup.exe",
  80. "nslookup.exe",
  81. "nslookup.exe",
  82. "nslookup.exe",
  83. "nslookup.exe",
  84. "nslookup.exe",
  85. "nslookup.exe",
  86. "nslookup.exe",
  87. "nslookup.exe",
  88. "nslookup.exe",
  89. "nslookup.exe",
  90. "nslookup.exe",
  91. "nslookup.exe",
  92. "nslookup.exe",
  93. "nslookup.exe",
  94. "nslookup.exe",
  95. "nslookup.exe",
  96. "nslookup.exe"
  97.  
  98.  
  99. * Executed Commands:
  100. "nslookup carder.bit ns1.wowservers.ru",
  101. "nslookup ransomware.bit ns2.wowservers.ru",
  102. "nslookup carder.bit ns2.wowservers.ru",
  103. "nslookup ransomware.bit ns1.wowservers.ru"
  104.  
  105.  
  106. * Signatures Detected:
  107.  
  108. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  109. "Details":
  110.  
  111.  
  112. "Description": "Behavioural detection: Executable code extraction",
  113. "Details":
  114.  
  115.  
  116. "Description": "A process attempted to delay the analysis task.",
  117. "Details":
  118.  
  119. "Process": "WJhL3edMezLSjyf.exe tried to sleep 380 seconds, actually delayed analysis time by 0 seconds"
  120.  
  121.  
  122.  
  123.  
  124. "Description": "Reads data out of its own binary image",
  125. "Details":
  126.  
  127. "self_read": "process: WJhL3edMezLSjyf.exe, pid: 1528, offset: 0x00000000, length: 0x00035a0d"
  128.  
  129.  
  130.  
  131.  
  132. "Description": "Performs some HTTP requests",
  133. "Details":
  134.  
  135. "url": "http://carder.bit/"
  136.  
  137.  
  138.  
  139.  
  140. "Description": "The binary likely contains encrypted or compressed data.",
  141. "Details":
  142.  
  143. "section": "name: .rsrc, entropy: 7.77, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00021400, virtual_size: 0x000213e8"
  144.  
  145.  
  146.  
  147.  
  148. "Description": "Uses Windows utilities for basic functionality",
  149. "Details":
  150.  
  151. "command": "nslookup carder.bit ns1.wowservers.ru"
  152.  
  153.  
  154. "command": "nslookup ransomware.bit ns2.wowservers.ru"
  155.  
  156.  
  157. "command": "nslookup carder.bit ns2.wowservers.ru"
  158.  
  159.  
  160. "command": "nslookup ransomware.bit ns1.wowservers.ru"
  161.  
  162.  
  163.  
  164.  
  165. "Description": "Installs itself for autorun at Windows startup",
  166. "Details":
  167.  
  168. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\mjmpdzutmwx"
  169.  
  170.  
  171. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe\""
  172.  
  173.  
  174.  
  175.  
  176. "Description": "Stack pivoting was detected when using a critical API",
  177. "Details":
  178.  
  179. "process": "WJhL3edMezLSjyf.exe:1528"
  180.  
  181.  
  182.  
  183.  
  184. "Description": "CAPE detected the Gandcrab malware family",
  185. "Details":
  186.  
  187.  
  188. "Description": "File has been identified by 63 Antiviruses on VirusTotal as malicious",
  189. "Details":
  190.  
  191. "MicroWorld-eScan": "Trojan.GenericKD.30997249"
  192.  
  193.  
  194. "FireEye": "Generic.mg.b4fc1596157eb7b7"
  195.  
  196.  
  197. "CAT-QuickHeal": "Trojan.Mauvaise.SL1"
  198.  
  199.  
  200. "ALYac": "Trojan.Ransom.GandCrab"
  201.  
  202.  
  203. "Malwarebytes": "Trojan.MalPack.Generic"
  204.  
  205.  
  206. "Zillya": "Trojan.GandCrypt.Win32.445"
  207.  
  208.  
  209. "SUPERAntiSpyware": "Trojan.Agent/Gen-Kryptik"
  210.  
  211.  
  212. "K7AntiVirus": "Trojan ( 0053305e1 )"
  213.  
  214.  
  215. "Alibaba": "VirTool:Win32/CeeInject.80aada57"
  216.  
  217.  
  218. "K7GW": "Trojan ( 0053305e1 )"
  219.  
  220.  
  221. "Cybereason": "malicious.6157eb"
  222.  
  223.  
  224. "Arcabit": "Trojan.Generic.D1D8FB01"
  225.  
  226.  
  227. "Invincea": "heuristic"
  228.  
  229.  
  230. "F-Prot": "W32/S-00ee55d1!Eldorado"
  231.  
  232.  
  233. "Symantec": "Ransom.GandCrab"
  234.  
  235.  
  236. "APEX": "Malicious"
  237.  
  238.  
  239. "Avast": "Win32:RansomX-gen Ransom"
  240.  
  241.  
  242. "ClamAV": "Win.Ransomware.Gandcrab-6986826-0"
  243.  
  244.  
  245. "Kaspersky": "HEUR:Trojan.Win32.Generic"
  246.  
  247.  
  248. "BitDefender": "Trojan.GenericKD.30997249"
  249.  
  250.  
  251. "NANO-Antivirus": "Trojan.Win32.Encoder.fehhuu"
  252.  
  253.  
  254. "Paloalto": "generic.ml"
  255.  
  256.  
  257. "AegisLab": "Trojan.Win32.Generic.4!c"
  258.  
  259.  
  260. "Rising": "Ransom.GandCrypt!8.F33E (TFE:5:Y9LzsMtRkxR)"
  261.  
  262.  
  263. "Ad-Aware": "Trojan.GenericKD.30997249"
  264.  
  265.  
  266. "Emsisoft": "Trojan.Crypt (A)"
  267.  
  268.  
  269. "Comodo": "TrojWare.Win32.Chapak.FS@7prmd9"
  270.  
  271.  
  272. "F-Secure": "Trojan.TR/FileCoder.EV"
  273.  
  274.  
  275. "DrWeb": "Trojan.Encoder.24384"
  276.  
  277.  
  278. "VIPRE": "Trojan.Win32.Generic!BT"
  279.  
  280.  
  281. "TrendMicro": "Ransom_GANDCRAB.SMALY-3"
  282.  
  283.  
  284. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dc"
  285.  
  286.  
  287. "Trapmine": "malicious.high.ml.score"
  288.  
  289.  
  290. "Sophos": "Mal/GandCrab-B"
  291.  
  292.  
  293. "SentinelOne": "DFI - Malicious PE"
  294.  
  295.  
  296. "Cyren": "W32/S-00ee55d1!Eldorado"
  297.  
  298.  
  299. "Jiangmin": "Trojan.PSW.Coins.nk"
  300.  
  301.  
  302. "Webroot": "W32.Trojan.Gen"
  303.  
  304.  
  305. "Avira": "TR/FileCoder.EV"
  306.  
  307.  
  308. "Antiy-AVL": "TrojanPSW/Win32.Coins"
  309.  
  310.  
  311. "Microsoft": "VirTool:Win32/CeeInject.AIB!bit"
  312.  
  313.  
  314. "Endgame": "malicious (high confidence)"
  315.  
  316.  
  317. "ViRobot": "Trojan.Win32.GandCrab.Gen.A"
  318.  
  319.  
  320. "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
  321.  
  322.  
  323. "GData": "Trojan.GenericKD.30997249"
  324.  
  325.  
  326. "TACHYON": "Ransom/W32.GandCrab.219661"
  327.  
  328.  
  329. "AhnLab-V3": "Win-Trojan/Gandcrab02.Exp"
  330.  
  331.  
  332. "Acronis": "suspicious"
  333.  
  334.  
  335. "McAfee": "GenericRXGJ-JL!B4FC1596157E"
  336.  
  337.  
  338. "MAX": "malware (ai score=100)"
  339.  
  340.  
  341. "VBA32": "BScope.TrojanPSW.Stealer"
  342.  
  343.  
  344. "Cylance": "Unsafe"
  345.  
  346.  
  347. "Zoner": "Trojan.Win32.68915"
  348.  
  349.  
  350. "ESET-NOD32": "Win32/Filecoder.GandCrab.B"
  351.  
  352.  
  353. "TrendMicro-HouseCall": "Ransom_GANDCRAB.SMALY-3"
  354.  
  355.  
  356. "Tencent": "Win32.Ransomware.Gandcrab.Auto"
  357.  
  358.  
  359. "Yandex": "Trojan.PWS.Coins!"
  360.  
  361.  
  362. "Ikarus": "Trojan-Ransom.GandCrab"
  363.  
  364.  
  365. "Fortinet": "W32/GenKryptik.CNAR!tr"
  366.  
  367.  
  368. "AVG": "Win32:RansomX-gen Ransom"
  369.  
  370.  
  371. "Panda": "Trj/Genetic.gen"
  372.  
  373.  
  374. "CrowdStrike": "win/malicious_confidence_100% (W)"
  375.  
  376.  
  377. "Qihoo-360": "Win32/Trojan.Multi.daf"
  378.  
  379.  
  380.  
  381.  
  382. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  383. "Details":
  384.  
  385.  
  386. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  387. "Details":
  388.  
  389. "target": "clamav:Win.Ransomware.Gandcrab-6986826-0, sha256:0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  390.  
  391.  
  392. "dropped": "clamav:Win.Ransomware.Gandcrab-6986826-0, sha256:2b5d9fdd18783e48c626d26181573ec4c4b99b1a56286c7ef2178b5f409ae654, guest_paths:C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  393.  
  394.  
  395.  
  396.  
  397. "Description": "Creates a slightly modified copy of itself",
  398. "Details":
  399.  
  400. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe"
  401.  
  402.  
  403. "percent_match": 99
  404.  
  405.  
  406.  
  407.  
  408. "Description": "Anomalous binary characteristics",
  409. "Details":
  410.  
  411. "anomaly": "Actual checksum does not match that reported in PE header"
  412.  
  413.  
  414.  
  415.  
  416. "Description": "Created network traffic indicative of malicious activity",
  417. "Details":
  418.  
  419. "signature": "ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"
  420.  
  421.  
  422. "signature": "ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"
  423.  
  424.  
  425. "signature": "ET CURRENT_EVENTS DNS Query Domain .bit"
  426.  
  427.  
  428. "signature": "ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"
  429.  
  430.  
  431.  
  432.  
  433.  
  434. * Started Service:
  435.  
  436. * Mutexes:
  437. "CicLoadWinStaWinSta0",
  438. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  439. "Global\\pc_group=WORKGROUP&ransom_id=d863cd4ec1c5b64f",
  440. "IESQMMUTEX_0_208"
  441.  
  442.  
  443. * Modified Files:
  444. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe",
  445. "\\Device\\NamedPipe"
  446.  
  447.  
  448. * Deleted Files:
  449.  
  450. * Modified Registry Keys:
  451. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\mjmpdzutmwx",
  452. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings"
  453.  
  454.  
  455. * Deleted Registry Keys:
  456.  
  457. * DNS Communications:
  458.  
  459. "type": "A",
  460. "request": "ipv4bot.whatismyipaddress.com",
  461. "answers":
  462.  
  463. "data": "66.171.248.178",
  464. "type": "A"
  465.  
  466.  
  467.  
  468.  
  469. "type": "A",
  470. "request": "ns1.wowservers.ru",
  471. "answers":
  472.  
  473. "data": "",
  474. "type": "NXDOMAIN"
  475.  
  476.  
  477.  
  478.  
  479. "type": "PTR",
  480. "request": "8.8.8.8.in-addr.arpa",
  481. "answers":
  482.  
  483. "data": "dns.google",
  484. "type": "PTR"
  485.  
  486.  
  487.  
  488.  
  489. "type": "A",
  490. "request": "carder.bit",
  491. "answers":
  492.  
  493.  
  494. "type": "AAAA",
  495. "request": "carder.bit",
  496. "answers":
  497.  
  498.  
  499. "type": "A",
  500. "request": "ns2.wowservers.ru",
  501. "answers":
  502.  
  503.  
  504. "type": "A",
  505. "request": "ransomware.bit",
  506. "answers":
  507.  
  508.  
  509. "type": "AAAA",
  510. "request": "ransomware.bit",
  511. "answers":
  512.  
  513.  
  514.  
  515. * Domains:
  516.  
  517. "ip": "",
  518. "domain": "ns1.wowservers.ru"
  519.  
  520.  
  521. "ip": "",
  522. "domain": "carder.bit"
  523.  
  524.  
  525. "ip": "",
  526. "domain": "ns2.wowservers.ru"
  527.  
  528.  
  529. "ip": "",
  530. "domain": "ransomware.bit"
  531.  
  532.  
  533. "ip": "66.171.248.178",
  534. "domain": "ipv4bot.whatismyipaddress.com"
  535.  
  536.  
  537.  
  538. * Network Communication - ICMP:
  539.  
  540. * Network Communication - HTTP:
  541.  
  542. "count": 1,
  543. "body": "",
  544. "uri": "http://carder.bit/",
  545. "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  546. "method": "GET",
  547. "host": "carder.bit",
  548. "version": "1.1",
  549. "path": "/",
  550. "data": "GET / HTTP/1.1\r\nHost: carder.bit\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nCache-Control: no-cache\r\n\r\n",
  551. "port": 80
  552.  
  553.  
  554.  
  555. * Network Communication - SMTP:
  556.  
  557. * Network Communication - Hosts:
  558.  
  559. "country_name": "United States",
  560. "ip": "66.171.248.178",
  561. "inaddrarpa": "",
  562. "hostname": "ipv4bot.whatismyipaddress.com"
  563.  
  564.  
  565.  
  566. * Network Communication - IRC: