- * ID: 2282
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "AgentTesla_df4957fb92f40a7478b01e55242dc71e.exe"
- * File Size: 949248
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "cf02549faef08f98e623e4bec2bd4f60b2931bce249649b188bdaa63ae26f435"
- * MD5: "df4957fb92f40a7478b01e55242dc71e"
- * SHA1: "0679f9b8bd05ebe3d0dd0ab1dae22ef456800eab"
- * SHA512: "5c610763d4aff15b76bb15ef52d04cb236f8ffc0a1c52bf86c5e4376597ff9863d67f0292832482da2e8ffa01cf595341ef59a77dccac4943a722b18d39a4e45"
- * CRC32: "97F9690A"
- * SSDEEP: "24576:JhofYZe7q+mOgmwJCcFLYYNmEl+5IvjxpAjuUsxZ0WTy:Jm+bN5EkYwAyUgZq"
- * Process Execution:
- "K2QqbPnCkVhWyGs.exe",
- "K2QqbPnCkVhWyGs.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\K2QqbPnCkVhWyGs.exe\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "K2QqbPnCkVhWyGs.exe, PID 2172"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "K2QqbPnCkVhWyGs.exe tried to sleep 567 seconds, actually delayed analysis time by 0 seconds"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.27, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x0004a400, virtual_size: 0x0004a208"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "K2QqbPnCkVhWyGs.exe(2172) -> K2QqbPnCkVhWyGs.exe(2684)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "K2QqbPnCkVhWyGs.exe(2172) -> K2QqbPnCkVhWyGs.exe(2684)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
- "Details":
- "unhook": "function_name: NtCreateSection, type: modification"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:1804"
- "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Ulise.68047"
- "McAfee": "GenericRXIO-PV!DF4957FB92F4"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_80% (D)"
- "BitDefender": "Gen:Variant.Ulise.68047"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Symantec": "Packed.Generic.516"
- "ESET-NOD32": "a variant of Win32/Injector.EHVA"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "GData": "Gen:Variant.Ulise.68047"
- "Kaspersky": "HEUR:Trojan-PSW.Win32.Azorult.gen"
- "Ad-Aware": "Gen:Variant.Ulise.68047"
- "Sophos": "Mal/Fareit-V"
- "DrWeb": "Trojan.PWS.Siggen2.31104"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.dc"
- "Trapmine": "malicious.high.ml.score"
- "FireEye": "Generic.mg.df4957fb92f40a74"
- "Emsisoft": "Gen:Variant.Ulise.68047 (B)"
- "SentinelOne": "DFI - Malicious PE"
- "MAX": "malware (ai score=80)"
- "Endgame": "malicious (high confidence)"
- "Arcabit": "Trojan.Ulise.D109CF"
- "ZoneAlarm": "HEUR:Trojan-PSW.Win32.Azorult.gen"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "AhnLab-V3": "Trojan/Win32.Infostealer.R291746"
- "Acronis": "suspicious"
- "Malwarebytes": "Spyware.LokiBot"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
- "Ikarus": "Trojan-Spy.LokiBot"
- "Fortinet": "W32/Injector.EHDJ!tr"
- "Webroot": "W32.Loki.Smdd"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.8bd05e"
- "Qihoo-360": "HEUR/QVM05.1.F737.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX"
- * Modified Files:
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\WMIDataDevice"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
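Two of the static signatures in the report, ".rsrc, entropy: 7.27" and "Timestamp on binary predates the release date of the OS version it requires by at least a year", can be reproduced without a sandbox from the PE headers alone. The script below is an added example, not part of the pasted report or of the sandbox that produced it: a stdlib-only parser that walks the COFF header, optional header and section table, scores each section's raw bytes by Shannon entropy, and compares the link timestamp with the release date of the Windows version named in the subsystem-version fields. The OS release-date table, the 7.0 bits/byte threshold and the one-year margin are my choices, and the two PE32 images it analyses are constructed in memory rather than taken from the sample above.

```python
# Added example: PE section entropy and back-dated timestamp checks (stdlib only).
import datetime as dt
import hashlib
import math
import struct

# Release dates of the Windows versions a PE can demand via the optional header's
# Major/MinorSubsystemVersion fields (my table; the sandbox may use other dates).
OS_RELEASE = {
    (5, 1): dt.date(2001, 10, 25), (5, 2): dt.date(2003, 4, 24),   # XP, Server 2003
    (6, 0): dt.date(2007, 1, 30), (6, 1): dt.date(2009, 10, 22),   # Vista, 7
    (6, 2): dt.date(2012, 10, 26), (6, 3): dt.date(2013, 10, 17),  # 8, 8.1
    (10, 0): dt.date(2015, 7, 29),                                 # 10
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """COFF timestamp, required subsystem version and section table (with the
    entropy of each section's raw bytes) from a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # Major/MinorSubsystemVersion sit at offset 48 in both PE32 and PE32+ layouts.
    subsys = struct.unpack_from("<HH", image, opt + 48)
    sections, shdr = [], opt + opt_size
    for i in range(nsections):
        name, vsize, _, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, shdr + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize, "characteristics": chars,
            "entropy": round(shannon_entropy(image[rptr:rptr + rsize]), 2),
        })
    return {"timestamp": timestamp, "subsystem_version": subsys, "sections": sections}


def high_entropy_sections(pe: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in pe["sections"] if s["entropy"] >= threshold]


def timestamp_anomaly(pe: dict) -> bool:
    """True when the link timestamp is at least a year older than the release of
    the Windows version the binary claims to require, i.e. it was back-dated."""
    released = OS_RELEASE.get(pe["subsystem_version"])
    if released is None:
        return False
    built = dt.datetime.fromtimestamp(pe["timestamp"], dt.timezone.utc).date()
    return (released - built).days >= 365


def build_pe(timestamp: int, subsys: tuple, sections: list) -> bytes:
    """Constructed PE32 image (headers plus sections) for the demonstration only."""
    opt_size, align = 224, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, align)              # section / file alignment
    struct.pack_into("<HH", opt, 40, *subsys)                    # Major/MinorOperatingSystemVersion
    struct.pack_into("<HH", opt, 48, *subsys)                    # Major/MinorSubsystemVersion
    headers_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    data_start = rptr = -(-headers_len // align) * align
    shdrs, body = b"", b""
    for i, (name, data, chars) in enumerate(sections):
        rsize = -(-len(data) // align) * align
        shdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), rsize, rptr, 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b"\0")
        rptr += rsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + shdrs).ljust(data_start, b"\0") + body


def demo() -> dict:
    """Run both checks over a back-dated image with a packed-looking .rsrc and a clean one."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    secs = [(b".text", b"\x90" * 0x400, 0x60000020),   # CODE|EXECUTE|READ, all NOPs
            (b".rsrc", noise, 0x40000040)]             # INITIALIZED_DATA|READ, 4 KiB of hash output
    backdated = int(dt.datetime(2004, 1, 1, tzinfo=dt.timezone.utc).timestamp())
    recent = int(dt.datetime(2019, 6, 1, tzinfo=dt.timezone.utc).timestamp())
    return {"packed": parse_pe(build_pe(backdated, (6, 1), secs)),
            "clean": parse_pe(build_pe(recent, (6, 1), secs[:1]))}
```

To run it against a real file, replace `build_pe(...)` with `parse_pe(open(path, "rb").read())`; the report's 7.27 for a 0x4a400-byte `.rsrc` is typical of a .NET dropper that stores its payload as an encrypted resource, which is consistent with the `CLR_*` mutexes in the run. Note that a high-entropy section is only a hint: signed installers and compressed resources score the same way, so this check is a triage filter, not a verdict.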
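The two dynamic signatures, "Injection (Process Hollowing)" from K2QqbPnCkVhWyGs.exe(2172) into a second copy of itself, K2QqbPnCkVhWyGs.exe(2684), and the 567-second sleep, are the kind of thing a behaviour rule over an API trace catches. The script below is an added example and not the sandbox's own detection code: the trace, its field names, the process table and the hollowing API sequence it looks for (suspended child creation, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) are my assumptions about how such a run would be logged, built to mirror the report's pids, not what the sandbox actually recorded for this sample.

```python
# Added example: behaviour rules for self-hollowing and analysis-delay sleeps over a
# constructed Cuckoo-style API trace (tuples of calling pid, API name, arguments).
import ntpath
from collections import defaultdict

# Constructed process table and trace; pids follow the report's process tree.
PROCESSES = {2172: r"C:\Users\user\AppData\Local\Temp\K2QqbPnCkVhWyGs.exe",
             2684: r"C:\Users\user\AppData\Local\Temp\K2QqbPnCkVhWyGs.exe",
             1804: r"C:\Windows\System32\svchost.exe"}
CREATE_SUSPENDED = 0x4
TRACE = [
    (2172, "NtDelayExecution", {"milliseconds": 567_000}),   # "tried to sleep 567 seconds"
    (2172, "CreateProcessInternalW", {"child_pid": 2684, "creation_flags": CREATE_SUSPENDED}),
    (2172, "NtUnmapViewOfSection", {"target_pid": 2684}),
    (2172, "NtAllocateVirtualMemory", {"target_pid": 2684, "size": 0x2A000}),
    (2172, "NtWriteVirtualMemory", {"target_pid": 2684, "size": 0x2A000}),
    (2172, "NtSetContextThread", {"target_pid": 2684}),
    (2172, "NtResumeThread", {"target_pid": 2684}),
    (1804, "NtDelayExecution", {"milliseconds": 250}),       # benign short sleep
]
HOLLOW_SEQUENCE = ("NtUnmapViewOfSection", "NtWriteVirtualMemory",
                   "NtSetContextThread", "NtResumeThread")


def detect_hollowing(trace: list, processes: dict) -> list:
    """One finding per (parent, child) pair where the parent created the child
    suspended and then ran the full hollowing sequence against it, in order;
    unrelated calls in between (allocations, queries) are ignored."""
    progress = {}                        # (parent, child) -> index of next expected step
    findings = []
    for pid, api, args in trace:
        if api == "CreateProcessInternalW" and args["creation_flags"] & CREATE_SUSPENDED:
            progress[(pid, args["child_pid"])] = 0
            continue
        key = (pid, args.get("target_pid"))
        if key in progress and api == HOLLOW_SEQUENCE[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HOLLOW_SEQUENCE):
                parent, child = (ntpath.basename(processes[p]) for p in key)
                findings.append({
                    "injection": f"{parent}({key[0]}) -> {child}({key[1]})",
                    "self_injection": parent.lower() == child.lower(),  # unpacking pattern
                })
                del progress[key]        # report each hollowed child once
    return findings


def detect_analysis_delay(trace: list, threshold_ms: int = 60_000) -> dict:
    """Total requested sleep per process, in seconds, for processes whose sleeps
    add up to more than a typical analysis timeout (threshold is my choice)."""
    total = defaultdict(int)
    for pid, api, args in trace:
        if api == "NtDelayExecution":
            total[pid] += args["milliseconds"]
    return {pid: ms // 1000 for pid, ms in total.items() if ms >= threshold_ms}


if __name__ == "__main__":
    print(detect_hollowing(TRACE, PROCESSES))
    print(detect_analysis_delay(TRACE))
```

The ordered-sequence match is what keeps the rule quiet on legitimate debuggers and installers, which also create suspended processes but do not unmap the image and rewrite it before resuming; the `self_injection` flag distinguishes the unpack-into-myself pattern seen here from injection into a foreign process such as svchost.exe. A real Cuckoo report stores calls under `behavior.processes[].calls` with different key names, so a loader that maps those records onto the `(pid, api, args)` tuples above is the only adaptation needed.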