Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 2288
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Emotet_e895b1432632b5f3900ba28d5d176377.5"
- * File Size: 413696
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "6bbc1fc04607dc91b4bc52faafb15b3c5a51778bc59487684d3dfa64a1c85a71"
- * MD5: "e895b1432632b5f3900ba28d5d176377"
- * SHA1: "6cbfecfa88875b829a48ac33ed08557b3d0219e3"
- * SHA512: "b0b83680bd588f5d15f09861a8d40006c6e718cce25b0f8eeac2db407a0f0edb7c4d5d142e5bbfa123adde3652e23a802c05adc040a3ee6459c118b5d7335b9b"
- * CRC32: "F6741077"
- * SSDEEP: "6144:yGqCzZ+I7NhNEMxrE6CC0x1/hkVTIX8XrA7PI0TOwUhYtEJxKIRYzV:7qSJLEcrrJqvXAA7PIruyxrRYzV"
- * Process Execution:
- "fEWPFx.exe",
- "fEWPFx.exe",
- "fEWPFx.exe",
- "fEWPFx.exe",
- "explorer.exe",
- "services.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "svchost.exe",
- "WerFault.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "mscorsvw.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\fEWPFx.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fEWPFx.exe --e1138505",
- "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2044 -s 4032"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "United Kingdom"
- "country": "France"
- "country": "Iran, Islamic Republic of"
- "country": "Germany"
- "country": "Bangladesh"
- "country": "Argentina"
- "country": "United States"
- "country": "Singapore"
- "country": "Ecuador"
- "country": "Azerbaijan"
- "country": "Canada"
- "country": "India"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "historymachine.exe, PID 2820"
- "Description": "Mimics the system's user agent string for its own requests",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "87.106.136.232:8080/rtm/"
- "url_ioc": "59.152.93.46:443/jit/arizona/forced/merge/"
- "url_ioc": "186.4.172.5:443/bml/usbccid/forced/"
- "url_ioc": "198.199.88.162:8080/scripts/between/"
- "url_ioc": "178.62.37.188:443/usbccid/img/forced/"
- "url_ioc": "142.44.162.209:8080/attrib/"
- "url_ioc": "185.129.92.210:7080/results/"
- "url_ioc": "91.92.191.134:8080/vermont/balloon/pdf/"
- "url_ioc": "92.222.125.16:7080/img/attrib/"
- "url_ioc": "188.166.253.46:8080/attrib/xian/forced/"
- "url_ioc": "178.254.6.27:7080/scripts/"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "WerFault.exe"
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "fEWPFx.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\fEWPFx.exe"
- "Process": "fEWPFx.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\fEWPFx.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 14 unique IP addresses"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.17, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001d000, virtual_size: 0x0001ccfc"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 9867663 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "historymachine"
- "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
- "Description": "File has been identified by 12 Antiviruses on VirusTotal as malicious",
- "Details":
- "Invincea": "heuristic"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Paloalto": "generic.ml"
- "Emsisoft": "Trojan.Agent (A)"
- "Microsoft": "Trojan:Win32/Trickbot.GN"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "ESET-NOD32": "a variant of Win32/Kryptik.GWNL"
- "Tencent": "Win32.Trojan.Inject.Auto"
- "Webroot": "W32.Trojan.Emotet"
- "AVG": "FileRepMalware"
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 3"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 2"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 5"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 10"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 15"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 16"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 24"
- * Started Service:
- "historymachine",
- "WerSvc",
- "wmiApSrv"
- * Mutexes:
- "Global\\IC1C5B64F",
- "Global\\MC1C5B64F",
- "Local\\WERReportingForProcess2044",
- "Global\\\\xe5\\x88\\x90\\xcc\\xbe",
- "IESQMMUTEX_0_208",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\Windows\\SysWOW64\\historymachine.exe",
- "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_00000000-0000-0000-0000-000000000000",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Windows\\SysWOW64\\khmerflows.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fEWPFx.exe",
- "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\UIHandles",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\UIHandles\\RestartDialog",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\UIHandles",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\UIHandles\\RestartDialog",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United Kingdom",
- "ip": "95.128.43.213",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "France",
- "ip": "92.222.125.16",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Iran, Islamic Republic of",
- "ip": "91.92.191.134",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Germany",
- "ip": "87.106.136.232",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Bangladesh",
- "ip": "59.152.93.46",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "201.212.57.109",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "198.199.88.162",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Singapore",
- "ip": "188.166.253.46",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Ecuador",
- "ip": "186.4.172.5",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Azerbaijan",
- "ip": "185.129.92.210",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United Kingdom",
- "ip": "178.62.37.188",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Germany",
- "ip": "178.254.6.27",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Canada",
- "ip": "142.44.162.209",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "India",
- "ip": "117.197.124.36",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement