Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1174
- * MalFamily: "TrojanStealer"
- * MalScore: 10.0
- * File Name: "Exes_9b18daeb5efec28a80b29144f6054458.exe"
- * File Size: 1571840
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "edae570a92eba7f38bc91746336d2d5961b0e20e2cead99efc09b92ddc13b286"
- * MD5: "9b18daeb5efec28a80b29144f6054458"
- * SHA1: "78aab8c9a6d5d53479b7ce03ad116d3f89bb5656"
- * SHA512: "0def5b8055b0c51c91763d23062ac3d464c7030dbccd59291c9b80803acba8933eabe2a1a4c6b336bd9b900e2d75d38f1dd143d662b75504ac015b95e52636ad"
- * CRC32: "C0A8D6CB"
- * SSDEEP: "24576:58fxc1XPsYvYLzn2dd1li1vYrzrmSUNBaz:58fxc1XiL2dHGvimSUTS"
- * Process Execution:
- "x7DrMEJEC.exe",
- "x7DrMEJEC.exe",
- "svchost.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\x7DrMEJEC.exe\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "5.101.191.51:2012 (Estonia)"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "x7DrMEJEC.exe, PID 1908"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "x7DrMEJEC.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\x7DrMEJEC.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request_iocs": "http://5.101.191.51:2012/websocket"
- "suspicious_request_iocs": "http://api.ipify.org/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://5.101.191.51:2012/websocket"
- "url_iocs": "http://api.ipify.org/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .data, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0008a800, virtual_size: 0x0008c328"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "api.ipify.org"
- "Description": "Anomalous .NET characteristics",
- "Details":
- "anomalous_version": "Assembly version is set to 0"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "x7DrMEJEC.exe(1908) -> x7DrMEJEC.exe(1828)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "x7DrMEJEC.exe(1908) -> x7DrMEJEC.exe(1828)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "x7DrMEJEC.exe tried to sleep 5167 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "File has been identified by 23 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Ursu.541441"
- "FireEye": "Generic.mg.9b18daeb5efec28a"
- "ALYac": "Gen:Variant.Ursu.541441"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.9a6d5d"
- "Arcabit": "Trojan.Ursu.D84301"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "GData": "Gen:Variant.Ursu.541441"
- "BitDefender": "Gen:Variant.Ursu.541441"
- "Avast": "FileRepMetagen Malware"
- "Ad-Aware": "Gen:Variant.Ursu.541441"
- "Invincea": "heuristic"
- "Trapmine": "malicious.high.ml.score"
- "Emsisoft": "Gen:Variant.Ursu.541441 (B)"
- "SentinelOne": "DFI - Suspicious PE"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=84)"
- "MaxSecure": "Ransomeware.CRAB.gen"
- "AVG": "FileRepMetagen Malware"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "Win32/Trojan.d78"
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\wallet.dat"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\.net clr networking",
- "DBWinMutex"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\tempDataBase2019-09-05T04_22_08.8125000-07_001616",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tempDataBase2019-09-05T04_22_09.2343750-07_001616",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tempDataBase2019-09-05T04_22_09.3906250-07_001616",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tempDataBase2019-09-05T04_22_09.5156250-07_001616"
- * Deleted Files:
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1908.4718921",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1908.4718921",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1908.4718937"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\x7DrMEJEC_RASAPI32\\FileDirectory"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "api.ipify.org",
- "answers":
- "data": "54.225.92.64",
- "type": "A"
- "data": "54.243.198.12",
- "type": "A"
- "data": "23.23.243.154",
- "type": "A"
- "data": "nagano-19599.herokussl.com",
- "type": "CNAME"
- "data": "23.21.121.219",
- "type": "A"
- "data": "54.243.147.226",
- "type": "A"
- "data": "23.23.229.94",
- "type": "A"
- "data": "elb097307-934924932.us-east-1.elb.amazonaws.com",
- "type": "CNAME"
- * Domains:
- "ip": "23.21.121.219",
- "domain": "api.ipify.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://5.101.191.51:2012/websocket",
- "user-agent": "",
- "method": "GET",
- "host": "5.101.191.51:2012",
- "version": "1.1",
- "path": "/websocket",
- "data": "GET /websocket HTTP/1.1\r\nHost: 5.101.191.51:2012\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Key: YTVjOTMzMmYtMGEwYi00NQ==\r\nOrigin: ws://5.101.191.51:2012\r\n\r\n",
- "port": 2012
- "count": 1,
- "body": "",
- "uri": "http://api.ipify.org/",
- "user-agent": "",
- "method": "GET",
- "host": "api.ipify.org",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "54.225.92.64",
- "inaddrarpa": "",
- "hostname": "api.ipify.org"
- "country_name": "Estonia",
- "ip": "5.101.191.51",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement