Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 2376
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "AgentTesla_e15bab28504f2cdb4bbfe599210011e6.exe"
- * File Size: 946176
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "97eb5d2a978dd05b4166c88ebdbb41a5f41e34363b464e680cab603ec531977f"
- * MD5: "e15bab28504f2cdb4bbfe599210011e6"
- * SHA1: "14db79114c1abf11e0d8e5a491f0ccea10a22aa3"
- * SHA512: "c9b6d24bb6464476151bc194c9c6d0f729814ca2e0e35b11c8cd41aa7da2d6710d70a7ef63a4536fff0d94e2612d6488f9ecf74884d67ce7cc8c1562784bdf2e"
- * CRC32: "F09E7F3F"
- * SSDEEP: "12288:qWowpLgjfTmUbnmxiS2cSDz5FzNzprbzvf5l9vsXmji7QF+YyUaM3:rwSynmxILNt3i7QF+YyUz3"
- * Process Execution:
- "ffpZntrZL.exe",
- "ffpZntrZL.exe",
- "reg.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "lsass.exe",
- "taskhost.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\ffpZntrZL.exe\"",
- "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
- "C:\\Windows\\system32\\lsass.exe"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "ffpZntrZL.exe tried to sleep 769 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "ffpZntrZL.exe (2936) called API GetLocalTime 351701 times"
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 6489625 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"
- "data": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
- "Description": "File has been identified by 13 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.e15bab28504f2cdb"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.8504f2"
- "Symantec": "Packed.Generic.535"
- "APEX": "Malicious"
- "Trapmine": "malicious.moderate.ml.score"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "McAfee": "Fareit-FPZ!E15BAB28504F"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DTDZ"
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- "Qihoo-360": "HEUR/QVM03.0.F7BD.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
- "Description": "Attempts to disable System Restore",
- "Details":
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\WMIDataDevice",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement