Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_d9c1839aad5ff736496aa10b1f272877.exe"
- * File Size: 802816
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "2d72e3ed09bccf9ca691ef6b1afc6f1c459f2040b9dc2f07afb452066f4674a3"
- * MD5: "d9c1839aad5ff736496aa10b1f272877"
- * SHA1: "cf8a5b24eee6a89042aa5555b130202d1971e59a"
- * SHA512: "290c8200c84e6463ba07605e113d6d182ec0ba702519ba0816d87e3e3b403f49834bb6c5c23f6a24fb212ba4312ae824506c159cfc55d28b87d25360ea59806f"
- * CRC32: "3A2102CC"
- * SSDEEP: "12288:sqlfclfkv5VcJ2fbiL7z1E1CzBcQjizI+QZDy7EFpxyybkbgDT:sjfkv5Vc+K7e+BcQjB+QZYUpkFgDT"
- * Process Execution:
- "Exes_d9c1839aad5ff736496aa10b1f272877.exe",
- "services.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\lsass.exe"
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "72.21.91.29:80"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D"
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAOoHjPI2Syt64osWkBNCqQ%3D"
- "url": "http://crl3.digicert.com/CloudFlareIncECCCA2.crl"
- "url": "http://crl3.digicert.com/Omniroot2025.crl"
- "url": "http://crl4.digicert.com/CloudFlareIncECCCA2.crl"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 13011276 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xef\\xbf\\xb1ol"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de v\\xef\\xbf\\xa9rification linguistique 2013 de Microsoft Office\\xef\\xbe\\xa0- Fran\\xef\\xbf\\xa7ais"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "s3v9x9w8v7v9x9w8v7"
- * Modified Files:
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C1B3CC7FF1466C71640A202F8258105B_7097A2893174CF9A7CFB8A9FD8374DB8",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C1B3CC7FF1466C71640A202F8258105B_7097A2893174CF9A7CFB8A9FD8374DB8",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\82CB34DD3343FE727DF8890D352E0D8F",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\82CB34DD3343FE727DF8890D352E0D8F",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\92F19EEA1C7470751B930A266D48D497",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\92F19EEA1C7470751B930A266D48D497",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\AA1B18F976B26BF831B2714B8138987D",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\AA1B18F976B26BF831B2714B8138987D"
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "predatorhigh.xyz",
- "answers":
- "data": "104.27.171.240",
- "type": "A"
- "data": "104.27.170.240",
- "type": "A"
- "type": "A",
- "request": "crl3.digicert.com",
- "answers":
- "data": "cs9.wac.phicdn.net",
- "type": "CNAME"
- "data": "72.21.91.29",
- "type": "A"
- "type": "A",
- "request": "crl4.digicert.com",
- "answers":
- "data": "cs9.wac.phicdn.net",
- "type": "CNAME"
- "data": "72.21.91.29",
- "type": "A"
- * Domains:
- "ip": "104.27.170.240",
- "domain": "predatorhigh.xyz"
- "ip": "72.21.91.29",
- "domain": "crl4.digicert.com"
- "ip": "72.21.91.29",
- "domain": "crl3.digicert.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAOoHjPI2Syt64osWkBNCqQ%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAOoHjPI2Syt64osWkBNCqQ%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAOoHjPI2Syt64osWkBNCqQ%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- "count": 2,
- "body": "",
- "uri": "http://crl3.digicert.com/CloudFlareIncECCCA2.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl3.digicert.com",
- "version": "1.1",
- "path": "/CloudFlareIncECCCA2.crl",
- "data": "GET /CloudFlareIncECCCA2.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl3.digicert.com\r\n\r\n",
- "port": 80
- "count": 2,
- "body": "",
- "uri": "http://crl3.digicert.com/Omniroot2025.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl3.digicert.com",
- "version": "1.1",
- "path": "/Omniroot2025.crl",
- "data": "GET /Omniroot2025.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl3.digicert.com\r\n\r\n",
- "port": 80
- "count": 2,
- "body": "",
- "uri": "http://crl4.digicert.com/CloudFlareIncECCCA2.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl4.digicert.com",
- "version": "1.1",
- "path": "/CloudFlareIncECCCA2.crl",
- "data": "GET /CloudFlareIncECCCA2.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl4.digicert.com\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement