paladin316

1310Exes_3a3d8f2ab075fc4f6f4459b990122893_exe_2019-09-07_19_30.txt

Sep 8th, 2019
  1.  
  2. * ID: 1310
  3. * MalFamily: "Nanocore"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_3a3d8f2ab075fc4f6f4459b990122893.exe"
  8. * File Size: 1418533
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "2d24a45f5f85c0bfc188f4ccdd3fe76fe01a5380206eac7f2aff58bee2461aab"
  11. * MD5: "3a3d8f2ab075fc4f6f4459b990122893"
  12. * SHA1: "c90e5ba80f7094d0d7fc26de275d37e2b1595793"
  13. * SHA512: "9c915b840c32b405df9bbd3c3d237ed7477676f631e2ba047ffd5ad3ca4eca3dcb2a7f319de8c803f87c72c0edcba3dd913c8481e5080d9e424f6b858797662e"
  14. * CRC32: "22419E4F"
  15. * SSDEEP: "24576:8NA3R5drXgJ2tpFEhaxEeD8+N79kpOw/hu0n7ybw1ju1h6LId7nT1RMwaMm3CfBH:95E2vX1HN79k0Ou0QQS1h6LIdzTXM76x"
  16.  
  17. * Process Execution:
  18. "38p47io7S3g3K7P.exe",
  19. "wscript.exe",
  20. "ihb.exe",
  21. "RegSvcs.exe"
  22.  
  23.  
  24. * Executed Commands:
  25. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs\"",
  26. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs ",
  27. "\"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe\" glb=cwb",
  28. "ihb.exe glb=cwb"
  29.  
  30.  
  31. * Signatures Detected:
  32.  
  33. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  34. "Details":
  35.  
  36.  
  37. "Description": "Behavioural detection: Executable code extraction",
  38. "Details":
  39.  
  40.  
  41. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  42. "Details":
  43.  
  44. "IP_ioc": "41.189.44.89:2016 (Cote D'Ivoire)"
  45.  
  46.  
  47.  
  48.  
  49. "Description": "Guard pages use detected - possible anti-debugging.",
  50. "Details":
  51.  
  52.  
  53. "Description": "Detected script timer window indicative of sleep style evasion",
  54. "Details":
  55.  
  56. "Window": "WSH-Timer"
  57.  
  58.  
  59.  
  60.  
  61. "Description": "A process attempted to delay the analysis task.",
  62. "Details":
  63.  
  64. "Process": "RegSvcs.exe tried to sleep 814 seconds, actually delayed analysis time by 0 seconds"
  65.  
  66.  
  67.  
  68.  
  69. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  70. "Details":
  71.  
  72. "ioc": "v2.0.50727"
  73.  
  74.  
  75.  
  76.  
  77. "Description": "Reads data out of its own binary image",
  78. "Details":
  79.  
  80. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000000, length: 0x00000007"
  81.  
  82.  
  83. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000000, length: 0x00002000"
  84.  
  85.  
  86. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000007, length: 0x0015a51e"
  87.  
  88.  
  89. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00001ff0, length: 0x00002000"
  90.  
  91.  
  92. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00003fe0, length: 0x00002000"
  93.  
  94.  
  95. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00005fd0, length: 0x00002000"
  96.  
  97.  
  98. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00007fc0, length: 0x00002000"
  99.  
  100.  
  101. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00009fb0, length: 0x00002000"
  102.  
  103.  
  104. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000bfa0, length: 0x00002000"
  105.  
  106.  
  107. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000df90, length: 0x00002000"
  108.  
  109.  
  110. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000ff80, length: 0x00002000"
  111.  
  112.  
  113. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00011f70, length: 0x00002000"
  114.  
  115.  
  116. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00013f60, length: 0x00002000"
  117.  
  118.  
  119. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00015f50, length: 0x00002000"
  120.  
  121.  
  122. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00017f40, length: 0x00002000"
  123.  
  124.  
  125. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00019f30, length: 0x00002000"
  126.  
  127.  
  128. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001bf20, length: 0x00002000"
  129.  
  130.  
  131. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001df10, length: 0x00002000"
  132.  
  133.  
  134. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001ff00, length: 0x00002000"
  135.  
  136.  
  137. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00021ef0, length: 0x00002000"
  138.  
  139.  
  140. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00023ee0, length: 0x00002000"
  141.  
  142.  
  143. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00025ed0, length: 0x00002000"
  144.  
  145.  
  146. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00027ec0, length: 0x00002000"
  147.  
  148.  
  149. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00029eb0, length: 0x00002000"
  150.  
  151.  
  152. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002bea0, length: 0x00002000"
  153.  
  154.  
  155. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002de90, length: 0x00002000"
  156.  
  157.  
  158. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002fe80, length: 0x00002000"
  159.  
  160.  
  161. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00031e70, length: 0x00002000"
  162.  
  163.  
  164. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00033e60, length: 0x00002000"
  165.  
  166.  
  167. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00035e50, length: 0x00002000"
  168.  
  169.  
  170. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00037e40, length: 0x00002000"
  171.  
  172.  
  173. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00039e30, length: 0x00002000"
  174.  
  175.  
  176. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003be20, length: 0x00002000"
  177.  
  178.  
  179. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003de10, length: 0x00002000"
  180.  
  181.  
  182. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003fe00, length: 0x00002000"
  183.  
  184.  
  185. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00041df0, length: 0x00002000"
  186.  
  187.  
  188. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00043de0, length: 0x00002000"
  189.  
  190.  
  191. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00045600, length: 0x0010e97e"
  192.  
  193.  
  194. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154134, length: 0x00000028"
  195.  
  196.  
  197. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015433f, length: 0x00000028"
  198.  
  199.  
  200. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154548, length: 0x00000028"
  201.  
  202.  
  203. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154725, length: 0x00000028"
  204.  
  205.  
  206. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154919, length: 0x00000028"
  207.  
  208.  
  209. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154b1c, length: 0x00000028"
  210.  
  211.  
  212. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154d0e, length: 0x00000028"
  213.  
  214.  
  215. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154ee9, length: 0x00000028"
  216.  
  217.  
  218. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001550e4, length: 0x00000028"
  219.  
  220.  
  221. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001552c2, length: 0x00000028"
  222.  
  223.  
  224. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001554ed, length: 0x00000028"
  225.  
  226.  
  227. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001556c1, length: 0x00000029"
  228.  
  229.  
  230. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001558b8, length: 0x00000028"
  231.  
  232.  
  233. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155ab9, length: 0x00000028"
  234.  
  235.  
  236. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155c82, length: 0x00000028"
  237.  
  238.  
  239. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155e5d, length: 0x00000028"
  240.  
  241.  
  242. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015604c, length: 0x00000028"
  243.  
  244.  
  245. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015624d, length: 0x00000028"
  246.  
  247.  
  248. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156424, length: 0x00000028"
  249.  
  250.  
  251. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156647, length: 0x00000029"
  252.  
  253.  
  254. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015686e, length: 0x00000028"
  255.  
  256.  
  257. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156a5d, length: 0x00000028"
  258.  
  259.  
  260. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156c55, length: 0x00000028"
  261.  
  262.  
  263. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156e4a, length: 0x00000028"
  264.  
  265.  
  266. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157065, length: 0x00000028"
  267.  
  268.  
  269. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015727f, length: 0x00000028"
  270.  
  271.  
  272. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157450, length: 0x00000028"
  273.  
  274.  
  275. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157626, length: 0x00000028"
  276.  
  277.  
  278. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001577fc, length: 0x00000028"
  279.  
  280.  
  281. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001579d1, length: 0x00000027"
  282.  
  283.  
  284. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157bad, length: 0x00000028"
  285.  
  286.  
  287. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157da0, length: 0x00000028"
  288.  
  289.  
  290. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157fa3, length: 0x00000028"
  291.  
  292.  
  293. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015817c, length: 0x00000028"
  294.  
  295.  
  296. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158361, length: 0x00000028"
  297.  
  298.  
  299. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015854a, length: 0x00000028"
  300.  
  301.  
  302. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158730, length: 0x00000028"
  303.  
  304.  
  305. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158919, length: 0x00000028"
  306.  
  307.  
  308. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158b21, length: 0x00000028"
  309.  
  310.  
  311. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158cf4, length: 0x00000028"
  312.  
  313.  
  314. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158ef1, length: 0x00000028"
  315.  
  316.  
  317. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001590df, length: 0x00000028"
  318.  
  319.  
  320. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001592cc, length: 0x00000028"
  321.  
  322.  
  323. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001594a3, length: 0x00000028"
  324.  
  325.  
  326. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159679, length: 0x00000028"
  327.  
  328.  
  329. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015986c, length: 0x00000028"
  330.  
  331.  
  332. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159a4e, length: 0x00000028"
  333.  
  334.  
  335. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159c49, length: 0x00000028"
  336.  
  337.  
  338. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159e5a, length: 0x00000028"
  339.  
  340.  
  341. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a028, length: 0x00000028"
  342.  
  343.  
  344. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a22b, length: 0x00000028"
  345.  
  346.  
  347. "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a434, length: 0x0000001b"
  348.  
  349.  
  350. "self_read": "process: wscript.exe, pid: 1504, offset: 0x00000000, length: 0x00000040"
  351.  
  352.  
  353. "self_read": "process: wscript.exe, pid: 1504, offset: 0x000000f0, length: 0x00000018"
  354.  
  355.  
  356. "self_read": "process: wscript.exe, pid: 1504, offset: 0x000001e8, length: 0x00000078"
  357.  
  358.  
  359. "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018000, length: 0x00000020"
  360.  
  361.  
  362. "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018058, length: 0x00000018"
  363.  
  364.  
  365. "self_read": "process: wscript.exe, pid: 1504, offset: 0x000181a8, length: 0x00000018"
  366.  
  367.  
  368. "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018470, length: 0x00000010"
  369.  
  370.  
  371. "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018640, length: 0x00000012"
  372.  
  373.  
  374. "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000000, length: 0x00001000"
  375.  
  376.  
  377. "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000080, length: 0x00000200"
  378.  
  379.  
  380. "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000178, length: 0x00000200"
  381.  
  382.  
  383. "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00005b20, length: 0x00000200"
  384.  
  385.  
  386. "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00005b3c, length: 0x00000200"
  387.  
  388.  
  389.  
  390.  
  391. "Description": "A scripting utility was executed",
  392. "Details":
  393.  
  394. "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs\""
  395.  
  396.  
  397.  
  398.  
  399. "Description": "Behavioural detection: Injection (Process Hollowing)",
  400. "Details":
  401.  
  402. "Injection": "ihb.exe(2796) -> RegSvcs.exe(3036)"
  403.  
  404.  
  405.  
  406.  
  407. "Description": "Executed a process and injected code into it, probably while unpacking",
  408. "Details":
  409.  
  410. "Injection": "ihb.exe(2796) -> RegSvcs.exe(3036)"
  411.  
  412.  
  413.  
  414.  
  415. "Description": "Behavioural detection: Injection (inter-process)",
  416. "Details":
  417.  
  418.  
  419. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  420. "Details":
  421.  
  422.  
  423. "Description": "Installs itself for autorun at Windows startup",
  424. "Details":
  425.  
  426. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windowsxxxxxxcccd"
  427.  
  428.  
  429. "data": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\GLB_CW~1"
  430.  
  431.  
  432.  
  433.  
  434. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  435. "Details":
  436.  
  437.  
  438. "Description": "Stack pivoting was detected when using a critical API",
  439. "Details":
  440.  
  441. "process": "38p47io7S3g3K7P.exe:2540"
  442.  
  443.  
  444.  
  445.  
  446. "Description": "Creates a hidden or system file",
  447. "Details":
  448.  
  449. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe"
  450.  
  451.  
  452. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883"
  453.  
  454.  
  455. "file": "C:\\Users\\user\\temp"
  456.  
  457.  
  458.  
  459.  
  460. "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
  461. "Details":
  462.  
  463. "K7AntiVirus": "Riskware ( 0040eff71 )"
  464.  
  465.  
  466. "K7GW": "Riskware ( 0040eff71 )"
  467.  
  468.  
  469. "Cybereason": "malicious.80f709"
  470.  
  471.  
  472. "APEX": "Malicious"
  473.  
  474.  
  475. "ClamAV": "Win.Malware.Mycop-6983471-0"
  476.  
  477.  
  478. "Kaspersky": "HEUR:Trojan-Dropper.Win32.Generic"
  479.  
  480.  
  481. "Invincea": "heuristic"
  482.  
  483.  
  484. "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
  485.  
  486.  
  487. "Trapmine": "suspicious.low.ml.score"
  488.  
  489.  
  490. "FireEye": "Generic.mg.3a3d8f2ab075fc4f"
  491.  
  492.  
  493. "Cyren": "W32/AutoIt.EN.gen!Eldorado"
  494.  
  495.  
  496. "Avira": "DR/AutoIt.Gen"
  497.  
  498.  
  499. "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
  500.  
  501.  
  502. "Microsoft": "Trojan:Win32/AutoitInject.BI!MTB"
  503.  
  504.  
  505. "AegisLab": "Trojan.BAT.Crypter.tqa8"
  506.  
  507.  
  508. "ZoneAlarm": "HEUR:Trojan-Dropper.Win32.Generic"
  509.  
  510.  
  511. "AhnLab-V3": "Malware/Win32.RL_Generic.R286428"
  512.  
  513.  
  514. "Malwarebytes": "Trojan.MalPack.AISFX"
  515.  
  516.  
  517. "Zoner": "Probably RARAutorun"
  518.  
  519.  
  520. "ESET-NOD32": "VBS/Runner.NHZ"
  521.  
  522.  
  523. "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
  524.  
  525.  
  526. "Yandex": "Trojan.Agent!nS7qVYN4VgU"
  527.  
  528.  
  529. "Fortinet": "W32/Generic.AC.45A0E1!tr"
  530.  
  531.  
  532. "CrowdStrike": "win/malicious_confidence_80% (D)"
  533.  
  534.  
  535. "Qihoo-360": "HEUR/QVM10.1.BB1B.Malware.Gen"
  536.  
  537.  
  538.  
  539.  
  540. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  541. "Details":
  542.  
  543. "target": "clamav:Win.Malware.Mycop-6983471-0, sha256:2d24a45f5f85c0bfc188f4ccdd3fe76fe01a5380206eac7f2aff58bee2461aab, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  544.  
  545.  
  546. "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  547.  
  548.  
  549.  
  550.  
  551. "Description": "Drops a binary and executes it",
  552. "Details":
  553.  
  554. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe"
  555.  
  556.  
  557.  
  558.  
  559. "Description": "Collects information to fingerprint the system",
  560. "Details":
  561.  
  562.  
  563.  
  564. * Started Service:
  565.  
  566. * Mutexes:
  567. "DefaultTabtip-MainUI",
  568. "Local\\ZoneAttributeCacheCounterMutex",
  569. "Local\\ZonesCacheCounterMutex",
  570. "Local\\ZonesLockedCacheCounterMutex",
  571. "Global\\CLR_PerfMon_WrapMutex",
  572. "Global\\CLR_CASOFF_MUTEX",
  573. "Global\\c54fcd61-c763-48a4-a02b-9edc721c5ec9",
  574. "Global\\.net clr networking"
  575.  
  576.  
  577. * Modified Files:
  578. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\__tmp_rar_sfx_access_check_26294765",
  579. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cqe.mp3",
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\glb=cwb",
  581. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gtb.dll",
  584. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\krh.exe",
  585. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cim.xl",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\vcu.ini",
  587. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\bak.dat",
  588. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qgu.jpg",
  589. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\csk.ppt",
  590. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qox.ico",
  591. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jwe.icm",
  592. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\kes.ini",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\hdk.docx",
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dfo.exe",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\nhe.pdf",
  596. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ntv.jpg",
  597. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jho.mp3",
  598. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gol.dll",
  599. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cak.mp3",
  600. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\pob.mp3",
  601. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gme.dat",
  602. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\wpg.dat",
  603. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gfu.txt",
  604. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\bem.ppt",
  605. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\oxn.txt",
  606. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dxo.jpg",
  607. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dde.xml",
  608. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\uja.ico",
  609. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gpl.xml",
  610. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jct.mp3",
  611. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rdi.docx",
  612. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jho.ico",
  613. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\uqc.cpl",
  614. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\vjj.bmp",
  615. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mwl.msc",
  616. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\kvo.bin",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\wvi.icm",
  618. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dex.icm",
  619. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ntr.docx",
  620. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qdb.exe",
  621. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\aat.pdf",
  622. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mvl.xls",
  623. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\evw.dll",
  624. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\lhv.mp3",
  625. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\fxr.icm",
  626. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cwh.bin",
  627. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\trg.bmp",
  628. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dof.ini",
  629. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mcp.xl",
  630. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\tpi.icm",
  631. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rpa.jpg",
  632. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cdw.msc",
  633. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\tkg.mp3",
  634. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\awg.icm",
  635. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\omt.msc",
  636. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\brv.txt",
  637. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\fgk.dll",
  638. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\njk.xls",
  639. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dnk.xls",
  640. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rvl.xml",
  641. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ktl.txt",
  642. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\pfm.log",
  643. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\oqx.msc",
  644. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\xnj.xls",
  645. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rwf.msc",
  646. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ssh.log",
  647. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jfh.mp3",
  648. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\nqm.cpl",
  649. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\xap.bin",
  650. "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ecn.log",
  651. "C:\\Users\\user\\temp\\cqe.mp3",
  652. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
  653.  
  654.  
  655. * Deleted Files:
  656.  
  657. * Modified Registry Keys:
  658. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  659. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  660. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  661. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windowsxxxxxxcccd"
  662.  
  663.  
  664. * Deleted Registry Keys:
  665. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  666. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  667. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  668. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  669.  
  670.  
  671. * DNS Communications:
  672.  
  673. "type": "A",
  674. "request": "bloc2020.ddns.net",
  675. "answers":
  676.  
  677. "data": "41.189.44.89",
  678. "type": "A"
  679.  
  680.  
  681.  
  682.  
  683.  
  684. * Domains:
  685.  
  686. "ip": "41.189.44.89",
  687. "domain": "bloc2020.ddns.net"
  688.  
  689.  
  690.  
  691. * Network Communication - ICMP:
  692.  
  693. * Network Communication - HTTP:
  694.  
  695. * Network Communication - SMTP:
  696.  
  697. * Network Communication - Hosts:
  698.  
  699. "country_name": "Cote D'Ivoire",
  700. "ip": "41.189.44.89",
  701. "inaddrarpa": "",
  702. "hostname": "bloc2020.ddns.net"
  703.  
  704.  
  705.  
  706. * Network Communication - IRC: