- * MalFamily: "Hawkeye"
- * MalScore: 10.0
- * File Name: "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8"
- * File Size: 1473536
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8"
- * MD5: "c0a9ccb2cdb3fbc68c515ac9eb45fc86"
- * SHA1: "4879244bb6224c497d8f3db3325015221629b078"
- * SHA512: "f4878ba3f39fb3ae1a361234aac1c659b3971633f7ec76a73ed1123c1b86ce41464b48fadc590f3632e603f572063c63b7911880e8442318394098f60c003a5c"
- * CRC32: "51B663DA"
- * SSDEEP: "24576:jAHnh+eWsN3skA4RV1Hom2KXMmHa3BC28loWNd5be3pWCehZw91m7/vhtuM695:uh+ZkldoPK8Ya3BCnJwkCehZCgHhYT"
- * Process Execution:
- "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8.exe",
- "RegAsm.exe"
- * Executed Commands:
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Starts servers listening on 127.0.0.1:0",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8.exe, pid: 2952, offset: 0x00000000, length: 0x00167c00"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request": "http://whatismyipaddress.com/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://whatismyipaddress.com/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0009d600, virtual_size: 0x0009d554"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "whatismyipaddress.com"
- "Description": "Exhibits behavior characteristics of HawkEye keylogger.",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wyyxadlbvd"
- "data": "C:\\Users\\Public\\wyyxadlbvd.vbs"
- "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.AIT.Agent.B"
- "FireEye": "Generic.mg.c0a9ccb2cdb3fbc6"
- "McAfee": "Trojan-AitInject.aq"
- "Malwarebytes": "Trojan.MalPack.AutoIt"
- "Alibaba": "Trojan:Win32/Azorult.20d9a6ce"
- "Cybereason": "malicious.bb6224"
- "Arcabit": "Trojan.AIT.Agent.B"
- "F-Prot": "W32/AutoIt.IJ.gen!Eldorado"
- "Symantec": "Packed.Generic.548"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "ClamAV": "Win.Malware.Autoit-7122671-0"
- "Kaspersky": "Trojan-PSW.Win32.Heye.idu"
- "BitDefender": "Trojan.AIT.Agent.B"
- "Paloalto": "generic.ml"
- "Ad-Aware": "Trojan.AIT.Agent.B"
- "Emsisoft": "Trojan.AIT.Agent.B (B)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
- "Trapmine": "malicious.moderate.ml.score"
- "Cyren": "W32/AutoIt.IJ.gen!Eldorado"
- "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Trojan-PSW.Win32.Heye.idu"
- "GData": "Trojan.AIT.Agent.B (2x)"
- "AhnLab-V3": "Malware/Win32.RL_Trojan.R280778"
- "Acronis": "suspicious"
- "ALYac": "Trojan.AIT.Agent.B"
- "MAX": "malware (ai score=86)"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.EFM"
- "Ikarus": "Trojan.Autoit"
- "Fortinet": "AutoIt/Injector.EFM!tr"
- "AVG": "Win32:Trojan-gen"
- "CrowdStrike": "win/malicious_confidence_70% (D)"
- "Qihoo-360": "HEUR/QVM10.1.55D5.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Autoit-7122671-0, sha256:cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-7122671-0, sha256:969967bab2aac1ca5fca51b7a8d107ea284c9c5cb4635c7a3dace90a137b9de2 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat"
- "percent_match": 100
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat",
- "C:\\Users\\Public\\wyyxadlbvd.vbs",
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\Users\\user\\AppData\\Roaming\\pid.txt",
- "C:\\Users\\user\\AppData\\Roaming\\pidloc.txt"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wyyxadlbvd"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "whatismyipaddress.com",
- "answers":
- "data": "104.16.154.36",
- "type": "A"
- "data": "104.16.155.36",
- "type": "A"
- * Domains:
- "ip": "104.16.154.36",
- "domain": "whatismyipaddress.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://whatismyipaddress.com/",
- "user-agent": "",
- "method": "GET",
- "host": "whatismyipaddress.com",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: