paladin316

XCDXSED_COMPROBANTE_NSHSG_82829N_2019_msi_2019-08-15_09_30.txt

Aug 15th, 2019
  1.  
  2. * MalFamily: "Sload"
  3.  
  4. * MalScore: 8.1
  5.  
  6. * File Name: "XCDXSED_COMPROBANTE_NSHSG_82829N_2019.msi"
  7. * File Size: 28672
  8. * File Type: "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Installer, Author: cfyveqkn, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Installer., Template: Intel;1033, Revision Number: FF7C1356-1066-4504-9B96-F11732241BBE Create Time/Date: Tue Aug 13 02:22:50 2019, Last Saved Time/Date: Tue Aug 13 02:22:50 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2"
  9. * SHA256: "b03641f8ced65f0977feb0c13a3609e976818c47a4fdaafbd65cf5197ab10cb0"
  10. * MD5: "5f44643f4c331503d3a4b64f72097b3a"
  11. * SHA1: "b2e17c918abe854493a9210867f97065795f820f"
  12. * SHA512: "3563ad26f556044a4444114fbd0175a1bd037352c63a96601c2ff0e1550ee5edcea947e380676487b63b84317178760219dee079264e577ed24046374160b611"
  13. * CRC32: "A609AA71"
  14. * SSDEEP: "192:ST+1Tgcw4VdT+lnPqFCQeIg5njLOnEoXlZENjH4wxF:11T9w4jTmnSFbTg5P9oXgNs6F"
  15.  
  16. * Process Execution:
  17. "msiexec.exe"
  18.  
  19.  
  20. * Executed Commands:
  21.  
  22. * Signatures Detected:
  23.  
  24. "Description": "File has been identified by 2 Antiviruses on VirusTotal as malicious",
  25. "Details":
  26.  
  27. "Kaspersky": "HEUR:Trojan-Downloader.VBS.SLoad.gen"
  28.  
  29.  
  30. "ZoneAlarm": "HEUR:Trojan-Downloader.VBS.SLoad.gen"
  31.  
  32.  
  33.  
  34.  
  35. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  36. "Details":
  37.  
  38. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  39.  
  40.  
  41. "http_version_old": "HTTP traffic uses version 1.0"
  42.  
  43.  
  44. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  45.  
  46.  
  47. "suspicious_request": "http://3.15.160.35/v14/thu1.php"
  48.  
  49.  
  50. "suspicious_request": "http://3.15.160.35/v14/mqxa.php"
  51.  
  52.  
  53. "suspicious_request": "http://3.15.160.35/v14/m/mqx160.thu"
  54.  
  55.  
  56. "suspicious_request": "http://3.15.160.35/v14/mqxa1.thu"
  57.  
  58.  
  59. "suspicious_request": "http://3.15.160.35/v14/mqxasq.thu"
  60.  
  61.  
  62. "suspicious_request": "http://3.15.160.35/v14/mqxasl.thu"
  63.  
  64.  
  65. "suspicious_request": "http://3.15.160.35/v14/mqxass.thu"
  66.  
  67.  
  68. "suspicious_request": "http://3.15.160.35/v14/"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "Performs some HTTP requests",
  74. "Details":
  75.  
  76. "url": "http://3.15.160.35/v14/thu1.php"
  77.  
  78.  
  79. "url": "http://3.15.160.35/v14/mqxa.php"
  80.  
  81.  
  82. "url": "http://3.15.160.35/v14/m/mqx160.thu"
  83.  
  84.  
  85. "url": "http://3.15.160.35/v14/mqxa1.thu"
  86.  
  87.  
  88. "url": "http://3.15.160.35/v14/mqxasq.thu"
  89.  
  90.  
  91. "url": "http://3.15.160.35/v14/mqxasl.thu"
  92.  
  93.  
  94. "url": "http://3.15.160.35/v14/mqxass.thu"
  95.  
  96.  
  97. "url": "http://3.15.160.35/v14/"
  98.  
  99.  
  100.  
  101.  
  102. "Description": "Created network traffic indicative of malicious activity",
  103. "Details":
  104.  
  105. "signature": "ET USER_AGENTS PTsecurity Possible Trojan.Downloader UserAgent (binary_getter)"
  106.  
  107.  
  108.  
  109.  
  110.  
  111. * Started Service:
  112.  
  113. * Mutexes:
  114. "CicLoadWinStaWinSta0",
  115. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  116. "Global\\_MSIExecute"
  117.  
  118.  
  119. * Modified Files:
  120.  
  121. * Deleted Files:
  122.  
  123. * Modified Registry Keys:
  124.  
  125. * Deleted Registry Keys:
  126.  
  127. * DNS Communications:
  128.  
  129. * Domains:
  130.  
  131. * Network Communication - ICMP:
  132.  
  133. * Network Communication - HTTP:
  134.  
  135. "count": 2,
  136. "body": "",
  137. "uri": "http://3.15.160.35/v14/thu1.php",
  138. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  139. "method": "POST",
  140. "host": "3.15.160.35",
  141. "version": "1.1",
  142. "path": "/v14/thu1.php",
  143. "data": "POST /v14/thu1.php HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 3.15.160.35\r\nContent-Length: 3\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  144. "port": 80
  145.  
  146.  
  147. "count": 1,
  148. "body": "",
  149. "uri": "http://3.15.160.35/v14/mqxa.php",
  150. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  151. "method": "GET",
  152. "host": "3.15.160.35",
  153. "version": "1.1",
  154. "path": "/v14/mqxa.php",
  155. "data": "GET /v14/mqxa.php HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/xml\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: 3.15.160.35\r\n\r\n",
  156. "port": 80
  157.  
  158.  
  159. "count": 1,
  160. "body": "",
  161. "uri": "http://3.15.160.35/v14/m/mqx160.thu",
  162. "user-agent": "binary_getter/1.0",
  163. "method": "GET",
  164. "host": "3.15.160.35",
  165. "version": "1.1",
  166. "path": "/v14/m/mqx160.thu",
  167. "data": "GET /v14/m/mqx160.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
  168. "port": 80
  169.  
  170.  
  171. "count": 1,
  172. "body": "",
  173. "uri": "http://3.15.160.35/v14/mqxa1.thu",
  174. "user-agent": "binary_getter/1.0",
  175. "method": "GET",
  176. "host": "3.15.160.35",
  177. "version": "1.1",
  178. "path": "/v14/mqxa1.thu",
  179. "data": "GET /v14/mqxa1.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
  180. "port": 80
  181.  
  182.  
  183. "count": 1,
  184. "body": "",
  185. "uri": "http://3.15.160.35/v14/mqxasq.thu",
  186. "user-agent": "binary_getter/1.0",
  187. "method": "GET",
  188. "host": "3.15.160.35",
  189. "version": "1.1",
  190. "path": "/v14/mqxasq.thu",
  191. "data": "GET /v14/mqxasq.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
  192. "port": 80
  193.  
  194.  
  195. "count": 1,
  196. "body": "",
  197. "uri": "http://3.15.160.35/v14/mqxasl.thu",
  198. "user-agent": "binary_getter/1.0",
  199. "method": "GET",
  200. "host": "3.15.160.35",
  201. "version": "1.1",
  202. "path": "/v14/mqxasl.thu",
  203. "data": "GET /v14/mqxasl.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
  204. "port": 80
  205.  
  206.  
  207. "count": 1,
  208. "body": "",
  209. "uri": "http://3.15.160.35/v14/mqxass.thu",
  210. "user-agent": "binary_getter/1.0",
  211. "method": "GET",
  212. "host": "3.15.160.35",
  213. "version": "1.1",
  214. "path": "/v14/mqxass.thu",
  215. "data": "GET /v14/mqxass.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
  216. "port": 80
  217.  
  218.  
  219. "count": 1,
  220. "body": "",
  221. "uri": "http://3.15.160.35/v14/",
  222. "user-agent": "Mozilla/3.0 (compatible; Indy Library)",
  223. "method": "POST",
  224. "host": "3.15.160.35",
  225. "version": "1.0",
  226. "path": "/v14/",
  227. "data": "POST /v14/ HTTP/1.0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 238\r\nHost: 3.15.160.35\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Encoding: identity\r\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n",
  228. "port": 80
  229.  
  230.  
  231.  
  232. * Network Communication - SMTP:
  233.  
  234. * Network Communication - Hosts:
  235.  
  236. * Network Communication - IRC: