- * ID: 807
- * MalFamily: "Aaxz"
- * MalScore: 10.0
- * File Name: "Exes_ba81ab7dfed9fd03b0426016ba1df452.exe"
- * File Size: 502784
- * File Type: "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows"
- * SHA256: "7d48a6706013036266dbcd44aa7528d9e9331de0e9214b564255b96b5767b282"
- * MD5: "ba81ab7dfed9fd03b0426016ba1df452"
- * SHA1: "95b62aeef3c551d7aebd348cdf09533859e48171"
- * SHA512: "4eb6ef23809cbeb1d9f52ff7c087c0308043878250cf292a2080cd7081f1576a038d059d0b398e01df1b1dae3444c2e1b2fe8b9fa7571850d5cb0910c9f088e2"
- * CRC32: "AB38E09C"
- * SSDEEP: "12288:Ydngx3PPKMCG2/zZwHiNg2qFbH+as6YwYHaqwb:YdnwPS3G2/NmiNg2qFbH+as6YwiaqQ"
- * Process Execution:
- "P9LnqhGHmEUV.exe",
- "XFEdTi5QxS.exe",
- "XFEdTi5QxS.exe",
- "cmd.exe",
- "PING.EXE",
- "cmd.exe",
- "tasklist.exe",
- "cmd.exe",
- "NETSTAT.EXE",
- "cmd.exe",
- "PING.EXE",
- "cmd.exe",
- "PING.EXE",
- "svchost.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\ProgramData\\XFEdTi5QxS.exe\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat\"",
- "\"C:\\ProgramData\\XFEdTi5QxS.exe\" iVpm9y1TCXZs88F06wHg080oNk",
- "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat\"",
- "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1",
- "tasklist",
- "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "NETSTAT.EXE, PID 1476"
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\ProgramData\\XFEdTi5QxS.exedat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\P9LnqhGHmEUV.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat"
- "DeletedFile": "C:\\ProgramData\\XFEdTi5QxS.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
- "Description": "Network anomalies occurred during the analysis.",
- "Details":
- "Anomaly": "'193.242.211.184' getaddrinfo with no actual connection to the IP."
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: P9LnqhGHmEUV.exe, pid: 2936, offset: 0x00000000, length: 0x00040000"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "P9LnqhGHmEUV.exe -> \"C:\\ProgramData\\XFEdTi5QxS.exe\""
- "Process": "P9LnqhGHmEUV.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat\" "
- "Process": "XFEdTi5QxS.exe -> \"C:\\ProgramData\\XFEdTi5QxS.exe\" iVpm9y1TCXZs88F06wHg080oNk"
- "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat\" "
- "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat\" "
- "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat\" "
- "Process": "XFEdTi5QxS.exe -> \"C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat\" "
- "Description": "File has been identified by 8 Antiviruses on VirusTotal as malicious",
- "Details":
- "McAfee": "Artemis!BA81AB7DFED9"
- "ESET-NOD32": "a variant of Win32/Agent.AAXZ"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Generic.4!c"
- "McAfee-GW-Edition": "Artemis!Trojan"
- "Ikarus": "Trojan.Win32.Agent"
- "Fortinet": "W32/Agent.AAXZ!tr"
- "AVG": "FileRepMalware"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\ProgramData\\XFEdTi5QxS.exe"
- "Description": "A ping command was executed with the -n argument possibly to delay analysis",
- "Details":
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 2 127.0.0.1"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.0.0.1"
- "command": "tasklist"
- "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
- "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
- "command": "C:\\Windows\\system32\\NETSTAT.EXE netstat -ano"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "P9LnqhGHmEUV.exe (2936) called API GetSystemTimeAsFileTime 128126 times"
- "Spam": "XFEdTi5QxS.exe (1720) called API GetSystemTimeAsFileTime 299429 times"
- "Spam": "XFEdTi5QxS.exe (2632) called API GetSystemTimeAsFileTime 41671 times"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\XFEdTi5QxS.exe"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "tasklist"
- * Started Service:
- * Mutexes:
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\ProgramData\\XFEdTi5QxS.exe",
- "C:\\ProgramData\\XFEdTi5QxS.exedat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\o.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
- * Deleted Files:
- "C:\\ProgramData\\XFEdTi5QxS.exedat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\iVpm9y1TCXZs88F06wHg080oNk",
- "C:\\Users\\user\\AppData\\Local\\Temp\\P9LnqhGHmEUV.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Q1b6ZN721OBhbpGYMV84kn.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\3h59YNed5AAiEDkrRo4V3vrfum.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\kdxbFpgtRdaCuys2428j514g.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\pX34uu5D7L44IJ08w9Z0192xkt4.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\h7n3u8eZ6yxQ0S2Lr7lUolo4O.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\663Lj3Nr7Ze820jtkRzYz.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\d6ru7kbXr43nm7a64d0F4.txt",
- "C:\\ProgramData\\XFEdTi5QxS.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\f3zsSd781Dvh07U4oY8YK3.bat"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters\\TrapPollTimeMilliSecs"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "sebains.kozow.com",
- "answers":
- "data": "193.242.211.184",
- "type": "A"
- * Domains:
- "ip": "193.242.211.184",
- "domain": "sebains.kozow.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Netherlands",
- "ip": "193.242.211.184",
- "inaddrarpa": "",
- "hostname": "sebains.kozow.com"
- * Network Communication - IRC: