
807Exes_ba81ab7dfed9fd03b0426016ba1df452_exe_2019-09-03_11_30.txt

  1.  
  2. * ID: 807
  3. * MalFamily: "Aaxz"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_ba81ab7dfed9fd03b0426016ba1df452.exe"
  8. * File Size: 502784
  9. * File Type: "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows"
  10. * SHA256: "7d48a6706013036266dbcd44aa7528d9e9331de0e9214b564255b96b5767b282"
  11. * MD5: "ba81ab7dfed9fd03b0426016ba1df452"
  12. * SHA1: "95b62aeef3c551d7aebd348cdf09533859e48171"
  13. * SHA512: "4eb6ef23809cbeb1d9f52ff7c087c0308043878250cf292a2080cd7081f1576a038d059d0b398e01df1b1dae3444c2e1b2fe8b9fa7571850d5cb0910c9f088e2"
  14. * CRC32: "AB38E09C"
  15. * SSDEEP: "12288:Ydngx3PPKMCG2/zZwHiNg2qFbH+as6YwYHaqwb:YdnwPS3G2/NmiNg2qFbH+as6YwiaqQ"
  16.  
  17. * Process Execution:
  18. "P9LnqhGHmEUV.exe",
  19. "XFEdTi5QxS.exe",
  20. "XFEdTi5QxS.exe",
  21. "cmd.exe",
  22. "PING.EXE",
  23. "cmd.exe",
  24. "tasklist.exe",
  25. "cmd.exe",
  26. "NETSTAT.EXE",
  27. "cmd.exe",
  28. "PING.EXE",
  29. "cmd.exe",
  30. "PING.EXE",
  31. "svchost.exe",
  32. "WMIADAP.exe"
  33.  
  34.  
  35. * Executed Commands:
  36. "\"C:\\ProgramData\\XFEdTi5QxS.exe\"",
  37. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat\"",
  38. "\"C:\\ProgramData\\XFEdTi5QxS.exe\" iVpm9y1TCXZs88F06wHg080oNk",
  39. "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1",
  40. "\"C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat\"",
  41. "\"C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat\"",
  42. "\"C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat\"",
  43. "\"C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat\"",
  44. "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1",
  45. "tasklist",
  46. "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
  47.  
  48.  
  49. * Signatures Detected:
  50.  
  51. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  52. "Details":
  53.  
  54.  
  55. "Description": "Possible date expiration check, exits too soon after checking local time (heuristic: the only process flagged below is NETSTAT.EXE, a short-lived system utility, so this is most likely a false positive rather than evidence of a kill-date check in the sample)",
  56. "Details":
  57.  
  58. "process": "NETSTAT.EXE, PID 1476"
  59.  
  60.  
  61.  
  62.  
  63. "Description": "Anomalous file deletion behavior detected (10+)",
  64. "Details":
  65.  
  66. "DeletedFile": "C:\\ProgramData\\XFEdTi5QxS.exedat"
  67.  
  68.  
  69. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk"
  70.  
  71.  
  72. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\P9LnqhGHmEUV.exe"
  73.  
  74.  
  75. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat"
  76.  
  77.  
  78. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat"
  79.  
  80.  
  81. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt"
  82.  
  83.  
  84. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat"
  85.  
  86.  
  87. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt"
  88.  
  89.  
  90. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat"
  91.  
  92.  
  93. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt"
  94.  
  95.  
  96. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat"
  97.  
  98.  
  99. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat"
  100.  
  101.  
  102. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat"
  103.  
  104.  
  105. "DeletedFile": "C:\\ProgramData\\XFEdTi5QxS.exe"
  106.  
  107.  
  108. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
  109.  
  110.  
  111.  
  112.  
  113. "Description": "Network anomalies occurred during the analysis.",
  114. "Details":
  115.  
  116. "Anomaly": "'193.242.211.184' getaddrinfo with no actual connection to the IP (the name sebains.kozow.com was resolved but no session to the address was recorded, so whatever protocol the sample would use against it was not observed in this run; treat the hostname and IP as DNS-level indicators only)."
  117.  
  118.  
  119.  
  120.  
  121. "Description": "Reads data out of its own binary image",
  122. "Details":
  123.  
  124. "self_read": "process: P9LnqhGHmEUV.exe, pid: 2936, offset: 0x00000000, length: 0x00040000"
  125.  
  126.  
  127.  
  128.  
  129. "Description": "A process created a hidden window",
  130. "Details":
  131.  
  132. "Process": "P9LnqhGHmEUV.exe -> \"C:\\ProgramData\\XFEdTi5QxS.exe\""
  133.  
  134.  
  135. "Process": "P9LnqhGHmEUV.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat\" "
  136.  
  137.  
  138. "Process": "XFEdTi5QxS.exe -> \"C:\\ProgramData\\XFEdTi5QxS.exe\" iVpm9y1TCXZs88F06wHg080oNk"
  139.  
  140.  
  141. "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat\" "
  142.  
  143.  
  144. "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat\" "
  145.  
  146.  
  147. "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat\" "
  148.  
  149.  
  150. "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat\" "
  151.  
  152.  
  153.  
  154.  
  155. "Description": "File has been identified by 8 Antiviruses on VirusTotal as malicious (note: most of the verdicts below are generic or heuristic — Artemis, generic.ml, FileRepMalware, Trojan.Win32.Generic; only ESET-NOD32 and Fortinet assign a family name, Agent.AAXZ, which appears to be the source of the MalFamily label at the top of this report)",
  156. "Details":
  157.  
  158. "McAfee": "Artemis!BA81AB7DFED9"
  159.  
  160.  
  161. "ESET-NOD32": "a variant of Win32/Agent.AAXZ"
  162.  
  163.  
  164. "Paloalto": "generic.ml"
  165.  
  166.  
  167. "AegisLab": "Trojan.Win32.Generic.4!c"
  168.  
  169.  
  170. "McAfee-GW-Edition": "Artemis!Trojan"
  171.  
  172.  
  173. "Ikarus": "Trojan.Win32.Agent"
  174.  
  175.  
  176. "Fortinet": "W32/Agent.AAXZ!tr"
  177.  
  178.  
  179. "AVG": "FileRepMalware"
  180.  
  181.  
  182.  
  183.  
  184. "Description": "Drops a binary and executes it",
  185. "Details":
  186.  
  187. "binary": "C:\\ProgramData\\XFEdTi5QxS.exe"
  188.  
  189.  
  190.  
  191.  
  192. "Description": "A ping command was executed with the -n argument possibly to delay analysis (ping -n against 127.0.0.1 is also the usual sleep idiom inside batch files; given the dropped .bat files and the file deletions recorded elsewhere in this report, these pings more likely pace the self-deletion than evade the sandbox)",
  193. "Details":
  194.  
  195. "command": "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1"
  196.  
  197.  
  198. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1"
  199.  
  200.  
  201.  
  202.  
  203. "Description": "Uses Windows utilities for basic functionality",
  204. "Details":
  205.  
  206. "command": "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1"
  207.  
  208.  
  209. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1"
  210.  
  211.  
  212. "command": "tasklist"
  213.  
  214.  
  215. "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
  216.  
  217.  
  218. "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
  219.  
  220.  
  221. "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
  222.  
  223.  
  224.  
  225.  
  226. "Description": "Deletes its original binary from disk (no detail is attached here; the Deleted Files section below records both the launcher C:\\Users\\user\\AppData\\Local\\Temp\\P9LnqhGHmEUV.exe and the dropped copy C:\\ProgramData\\XFEdTi5QxS.exe)",
  227. "Details":
  228.  
  229.  
  230. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  231. "Details":
  232.  
  233. "Spam": "P9LnqhGHmEUV.exe (2936) called API GetSystemTimeAsFileTime 128126 times"
  234.  
  235.  
  236. "Spam": "XFEdTi5QxS.exe (1720) called API GetSystemTimeAsFileTime 299429 times"
  237.  
  238.  
  239. "Spam": "XFEdTi5QxS.exe (2632) called API GetSystemTimeAsFileTime 41671 times"
  240.  
  241.  
  242.  
  243.  
  244. "Description": "Creates a copy of itself",
  245. "Details":
  246.  
  247. "copy": "C:\\ProgramData\\XFEdTi5QxS.exe"
  248.  
  249.  
  250.  
  251.  
  252. "Description": "Anomalous binary characteristics",
  253. "Details":
  254.  
  255. "anomaly": "Actual checksum does not match that reported in PE header (weak signal on its own: an incorrect or zero PE checksum is common for unsigned binaries and does not by itself indicate tampering)"
  256.  
  257.  
  258.  
  259.  
  260. "Description": "Uses suspicious command line tools or Windows utilities",
  261. "Details":
  262.  
  263. "command": "tasklist"
  264.  
  265.  
  266.  
  267.  
  268.  
  269. * Started Service:
  270.  
  271. * Mutexes (the four names below appear to be the WMIADAP performance-counter refresh mutexes and are consistent with the WMIADAP.exe process in the execution list above; treat them as system noise rather than sample-specific indicators):
  272. "Global\\ADAP_WMI_ENTRY",
  273. "Global\\RefreshRA_Mutex",
  274. "Global\\RefreshRA_Mutex_Lib",
  275. "Global\\RefreshRA_Mutex_Flag"
  276.  
  277.  
  278. * Modified Files:
  279. "C:\\ProgramData\\XFEdTi5QxS.exe",
  280. "C:\\ProgramData\\XFEdTi5QxS.exedat",
  281. "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat",
  282. "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk",
  283. "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat",
  284. "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt",
  285. "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat",
  286. "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt",
  287. "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat",
  288. "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt",
  289. "C:\\Users\\user\\AppData\\Local\\Temp\\o.txt",
  290. "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
  291.  
  292.  
  293. * Deleted Files:
  294. "C:\\ProgramData\\XFEdTi5QxS.exedat",
  295. "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk",
  296. "C:\\Users\\user\\AppData\\Local\\Temp\\P9LnqhGHmEUV.exe",
  297. "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat",
  298. "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat",
  299. "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt",
  300. "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat",
  301. "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt",
  302. "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat",
  303. "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt",
  304. "C:\\ProgramData\\XFEdTi5QxS.exe",
  305. "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
  306.  
  307.  
  308. * Modified Registry Keys:
  309. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters",
  310. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters\\TrapPollTimeMilliSecs"
  311.  
  312.  
  313. * Deleted Registry Keys:
  314.  
  315. * DNS Communications:
  316.  
  317. "type": "A",
  318. "request": "sebains.kozow.com",
  319. "answers":
  320.  
  321. "data": "193.242.211.184",
  322. "type": "A"
  323.  
  324.  
  325.  
  326.  
  327.  
  328. * Domains:
  329.  
  330. "ip": "193.242.211.184",
  331. "domain": "sebains.kozow.com"
  332.  
  333.  
  334.  
  335. * Network Communication - ICMP:
  336.  
  337. * Network Communication - HTTP:
  338.  
  339. * Network Communication - SMTP:
  340.  
  341. * Network Communication - Hosts:
  342.  
  343. "country_name": "Netherlands",
  344. "ip": "193.242.211.184",
  345. "inaddrarpa": "",
  346. "hostname": "sebains.kozow.com"
  347.  
  348.  
  349.  
  350. * Network Communication - IRC: