- * MalFamily: "5B537D77"
- * MalScore: 10.0
- * File Name: "Exes_55610ca97ada08b87127917dfc931435.exe"
- * File Size: 935424
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "efcc24a10495c7d9ed4445e99661edb28a40afaf59fb2289cab0c10b26572d39"
- * MD5: "55610ca97ada08b87127917dfc931435"
- * SHA1: "431377a44732665861cb9ed1c0d728d4fa7faec6"
- * SHA512: "2e66fed38189ca83c4ff4a8f0ffb20c794e8703c9515703c2c1bd8b2c45105dea279b54c4af3c54a6f74e3eecf3bfe57056023caf992269da8ee913f1f36d194"
- * CRC32: "5B537D77"
- * SSDEEP: "24576:nrIKt0CU+YM7oG2VB+XwK6G9o47GQuWc+DVn:PKNVB0a+xn"
- * Process Execution:
- "Exes_55610ca97ada08b87127917dfc931435.exe",
- "Exes_55610ca97ada08b87127917dfc931435.exe",
- "images.exe",
- "images.exe",
- "cmd.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_55610ca97ada08b87127917dfc931435.exe\"",
- "\"C:\\ProgramData\\images.exe\""
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "159.122.133.231:5200"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "cmd.exe tried to sleep 264 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\ProgramData\\images.exe"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "Exes_55610ca97ada08b87127917dfc931435.exe(2356) -> Exes_55610ca97ada08b87127917dfc931435.exe(1948)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details":
- "Injection": "images.exe(1580) -> cmd.exe(2756)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- "data": "C:\\ProgramData\\images.exe"
- "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.55610ca97ada08b8"
- "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Symantec": "Packed.Generic.516"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.dh"
- "Trapmine": "malicious.high.ml.score"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
- "SentinelOne": "DFI - Suspicious PE"
- "Fortinet": "W32/Injector.EGKJ!tr"
- "Cybereason": "malicious.447326"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "Qihoo-360": "HEUR/QVM05.1.9663.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\images.exe"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- * Started Service:
- * Mutexes:
- * Modified Files:
- "C:\\ProgramData\\images.exe"
- * Deleted Files:
- "C:\\ProgramData\\images.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\1FFK5KMT5B",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\1FFK5KMT5B\\inst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "masterprof.warzonedns.com",
- "answers":
- "data": "159.122.133.231",
- "type": "A"
- * Domains:
- "ip": "159.122.133.231",
- "domain": "masterprof.warzonedns.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: