- [*] MalFamily: "Malicious"
- [*] MalScore: 10.0
- [*] File Name: "Gozi_f544068a7fc24552d9219c8bee06aabd.doc"
- [*] File Size: 620032
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "0eaa4c797ede1afd32f2cfce63999cb3b375773f4805cd42e006f5d805985091"
- [*] MD5: "f544068a7fc24552d9219c8bee06aabd"
- [*] SHA1: "a91c76138d9437a445dd622145f60727e1c78f5b"
- [*] SHA512: "604c005f0c0afcab42a7674d4f4dfa3a4f77f9ee290e70d1308012f4208d83bbcf87ca5ea305fc1048775c7b3f39f4923cf764e6166d348612d15a3b26f29a78"
- [*] CRC32: "78A270A6"
- [*] SSDEEP: "12288:3eUyF7BbJdVNKQPhYc9BKSBXPOs1h8DevXp0Pz4SS:uUyFVP/KQPhYmBKSn1h8DYp0L"
- [*] Process Execution: [
- "Gozi_f544068a7fc24552d9219c8bee06aabd.doc",
- "control.exe",
- "rundll32.exe",
- "explorer.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "control.exe, PID 2668"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details": [
- {
- "Injection": "Gozi_f544068a7fc24552d9219c8bee06aabd.doc(1368) -> control.exe(2668)"
- }
- ]
- },
- {
- "Description": "Sniffs keystrokes",
- "Details": [
- {
- "SetWindowsHookExA": "Process: explorer.exe(1940)"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "Gozi_f544068a7fc24552d9219c8bee06aabd.doc (1368) called API GlobalMemoryStatus 2155336 times"
- }
- ]
- },
- {
- "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
- "Details": [
- {
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client32"
- },
- {
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client64"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\aecaM1M0"
- },
- {
- "data": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\ApiMM1M0\\aeevpisp.exe"
- }
- ]
- },
- {
- "Description": "File has been identified by 19 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "Cylance": "Unsafe"
- },
- {
- "Symantec": "Packed.Generic.525"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Alibaba": "Packed:Application/Generic.3d1fc793"
- },
- {
- "Avast": "FileRepMetagen [Malware]"
- },
- {
- "Qihoo-360": "HEUR/QVM10.1.EA21.Malware.Gen"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.jh"
- },
- {
- "FireEye": "Generic.mg.f544068a7fc24552"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "Malwarebytes": "Trojan.MalPack.GS.Generic"
- },
- {
- "Rising": "Trojan.Kryptik!8.8/N3#84% (RDM+:cmRtazqxLDGHFa5ZcZyZKeFvyTFJ)"
- },
- {
- "AVG": "FileRepMetagen [Malware]"
- },
- {
- "Cybereason": "malicious.38d943"
- },
- {
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- }
- ]
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\ApiMM1M0\\aeevpisp.exe"
- }
- ]
- }
- ]
- [*] Started Service: []