paladin316

1578Exes_031384474caca637c7ebf01f338e3fbe_exe_2019-09-11_17_30.txt

Sep 11th, 2019
  1.  
  2. * ID: 1578
  3. * MalFamily: "Delf"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_031384474caca637c7ebf01f338e3fbe.exe"
  8. * File Size: 877056
  9. * File Type: "PE32 executable (console) Intel 80386, for MS Windows"
  10. * SHA256: "93d4041c69ab570016db21dcca5c104a07818a6054f62e511077b7928250ccf3"
  11. * MD5: "031384474caca637c7ebf01f338e3fbe"
  12. * SHA1: "b6e4c600c29bface341217a287503597af4ad8b9"
  13. * SHA512: "b850a71b5696850e26d183ee963f9e8cf699ed557414338cdd9193bf83eb570d4ee9644ba2c24057f5d555d1f6ada48b95b66468c3539278d141d8a6bf3e0f2a"
  14. * CRC32: "D6C4A436"
  15. * SSDEEP: "24576:hSOqsG3rmtrhVSBsCP6iHS24k5uiRMFxDF4I6:hSO+SBhVCPXHS24dk2x"
  16.  
  17. * Process Execution:
  18. "CwxXHtbJOrQR.exe",
  19. "regsvr32.exe",
  20. "rundll32.exe"
  21.  
  22.  
  23. * Executed Commands:
  24. "C:\\Windows\\system32\\regsvr32.exe -s C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.DLL f1 C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.EXE@2432",
  25. "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.DLL,f0"
  26.  
  27.  
  28. * Signatures Detected:
  29.  
  30. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  31. "Details":
  32.  
  33.  
  34. "Description": "Behavioural detection: Executable code extraction",
  35. "Details":
  36.  
  37.  
  38. "Description": "Communicates with IPs located across a large number of unique countries",
  39. "Details":
  40.  
  41. "country": "Germany"
  42.  
  43.  
  44. "country": "United States"
  45.  
  46.  
  47. "country": "Hong Kong"
  48.  
  49.  
  50. "country": "Thailand"
  51.  
  52.  
  53. "country": "Ukraine"
  54.  
  55.  
  56. "country": "Brazil"
  57.  
  58.  
  59. "country": "Netherlands"
  60.  
  61.  
  62. "country": "China"
  63.  
  64.  
  65.  
  66.  
  67. "Description": "Possible date expiration check, exits too soon after checking local time",
  68. "Details":
  69.  
  70. "process": "CwxXHtbJOrQR.exe, PID 2432"
  71.  
  72.  
  73.  
  74.  
  75. "Description": "A process attempted to delay the analysis task.",
  76. "Details":
  77.  
  78. "Process": "rundll32.exe tried to sleep 720 seconds, actually delayed analysis time by 0 seconds"
  79.  
  80.  
  81.  
  82.  
  83. "Description": "Attempts to connect to a dead IP:Port (10 unique times)",
  84. "Details":
  85.  
  86. "IP_ioc": "151.236.14.84:443 (Netherlands)"
  87.  
  88.  
  89. "IP_ioc": "228.152.217.194:443"
  90.  
  91.  
  92. "IP_ioc": "218.255.105.110:443 (Hong Kong)"
  93.  
  94.  
  95. "IP_ioc": "125.117.204.89:443 (China)"
  96.  
  97.  
  98. "IP_ioc": "203.151.231.30:443 (Thailand)"
  99.  
  100.  
  101. "IP_ioc": "28.67.143.116:443 (United States)"
  102.  
  103.  
  104. "IP_ioc": "189.118.237.91:443 (Brazil)"
  105.  
  106.  
  107. "IP_ioc": "62.80.20.15:443 (Germany)"
  108.  
  109.  
  110. "IP_ioc": "195.123.246.209:443 (Ukraine)"
  111.  
  112.  
  113. "IP_ioc": "187.88.128.32:443 (Brazil)"
  114.  
  115.  
  116.  
  117.  
  118. "Description": "Multiple direct IP connections",
  119. "Details":
  120.  
  121. "direct_ip_connections": "Made direct connections to 9 unique IP addresses"
  122.  
  123.  
  124.  
  125.  
  126. "Description": "The binary likely contains encrypted or compressed data.",
  127. "Details":
  128.  
  129. "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000a1600, virtual_size: 0x000a1600"
  130.  
  131.  
  132.  
  133.  
  134. "Description": "Deletes its original binary from disk",
  135. "Details":
  136.  
  137.  
  138. "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
  139. "Details":
  140.  
  141. "unhook": "function_name: WSASend, type: modification"
  142.  
  143.  
  144. "unhook": "function_name: send, type: modification"
  145.  
  146.  
  147.  
  148.  
  149. "Description": "Creates a hidden or system file",
  150. "Details":
  151.  
  152. "file": "C:\\ProgramData\\04F697A0\\"
  153.  
  154.  
  155. "file": "C:\\ProgramData\\04F697A0\\6AA0D03B"
  156.  
  157.  
  158. "file": "C:\\ProgramData\\04F697A0\\B951867D"
  159.  
  160.  
  161.  
  162.  
  163. "Description": "File has been identified by 39 Antiviruses on VirusTotal as malicious",
  164. "Details":
  165.  
  166. "MicroWorld-eScan": "Gen:Variant.Dropper.Delf.1"
  167.  
  168.  
  169. "FireEye": "Generic.mg.031384474caca637"
  170.  
  171.  
  172. "McAfee": "GenericRXII-PL!031384474CAC"
  173.  
  174.  
  175. "Cylance": "Unsafe"
  176.  
  177.  
  178. "Cybereason": "malicious.0c29bf"
  179.  
  180.  
  181. "Arcabit": "Trojan.Dropper.Delf.1"
  182.  
  183.  
  184. "TrendMicro": "TROJ_GEN.R04AC0PIB19"
  185.  
  186.  
  187. "Symantec": "ML.Attribute.HighConfidence"
  188.  
  189.  
  190. "Avast": "Win32:Trojan-gen"
  191.  
  192.  
  193. "Kaspersky": "HEUR:Trojan-Banker.Win32.Danabot.gen"
  194.  
  195.  
  196. "BitDefender": "Gen:Variant.Dropper.Delf.1"
  197.  
  198.  
  199. "NANO-Antivirus": "Trojan.Win32.Delf.fyanrh"
  200.  
  201.  
  202. "Paloalto": "generic.ml"
  203.  
  204.  
  205. "Tencent": "Win32.Trojan-banker.Danabot.Bnn"
  206.  
  207.  
  208. "Endgame": "malicious (high confidence)"
  209.  
  210.  
  211. "Emsisoft": "Gen:Variant.Dropper.Delf.1 (B)"
  212.  
  213.  
  214. "F-Secure": "Heuristic.HEUR/AGEN.1043378"
  215.  
  216.  
  217. "Invincea": "heuristic"
  218.  
  219.  
  220. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.cc"
  221.  
  222.  
  223. "Webroot": "W32.Adware.Gen"
  224.  
  225.  
  226. "Avira": "HEUR/AGEN.1043378"
  227.  
  228.  
  229. "Microsoft": "Trojan:Win32/Pynamer.A!ac"
  230.  
  231.  
  232. "ZoneAlarm": "HEUR:Trojan-Banker.Win32.Danabot.gen"
  233.  
  234.  
  235. "GData": "Gen:Variant.Dropper.Delf.1"
  236.  
  237.  
  238. "AhnLab-V3": "Trojan/Win32.Agent.C3378248"
  239.  
  240.  
  241. "Acronis": "suspicious"
  242.  
  243.  
  244. "VBA32": "TrojanBanker.Danabot"
  245.  
  246.  
  247. "ALYac": "Gen:Variant.Dropper.Delf.1"
  248.  
  249.  
  250. "MAX": "malware (ai score=84)"
  251.  
  252.  
  253. "Ad-Aware": "Gen:Variant.Dropper.Delf.1"
  254.  
  255.  
  256. "ESET-NOD32": "a variant of Win32/TrojanDropper.Delf.OUI"
  257.  
  258.  
  259. "TrendMicro-HouseCall": "TROJ_GEN.R04AC0PIB19"
  260.  
  261.  
  262. "Rising": "Dropper.Delf!8.1EC (TFE:5:xeEnxO2DXG)"
  263.  
  264.  
  265. "Ikarus": "Trojan-Dropper.Win32.Delf"
  266.  
  267.  
  268. "Fortinet": "W32/Delf.OUI!tr"
  269.  
  270.  
  271. "AVG": "Win32:Trojan-gen"
  272.  
  273.  
  274. "Panda": "Trj/GdSda.A"
  275.  
  276.  
  277. "CrowdStrike": "win/malicious_confidence_90% (W)"
  278.  
  279.  
  280. "Qihoo-360": "HEUR/QVM05.1.C1DF.Malware.Gen"
  281.  
  282.  
  283.  
  284.  
  285.  
  286. * Started Service:
  287.  
  288. * Mutexes:
  289.  
  290. * Modified Files:
  291. "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.dll"
  292.  
  293.  
  294. * Deleted Files:
  295. "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.dll",
  296. "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.exe"
  297.  
  298.  
  299. * Modified Registry Keys:
  300.  
  301. * Deleted Registry Keys:
  302.  
  303. * DNS Communications:
  304.  
  305. * Domains:
  306.  
  307. * Network Communication - ICMP:
  308.  
  309. * Network Communication - HTTP:
  310.  
  311. * Network Communication - SMTP:
  312.  
  313. * Network Communication - Hosts:
  314.  
  315. "country_name": "Germany",
  316. "ip": "62.80.20.15",
  317. "inaddrarpa": "",
  318. "hostname": ""
  319.  
  320.  
  321. "country_name": "United States",
  322. "ip": "28.67.143.116",
  323. "inaddrarpa": "",
  324. "hostname": ""
  325.  
  326.  
  327. "country_name": "Hong Kong",
  328. "ip": "218.255.105.110",
  329. "inaddrarpa": "",
  330. "hostname": ""
  331.  
  332.  
  333. "country_name": "Thailand",
  334. "ip": "203.151.231.30",
  335. "inaddrarpa": "",
  336. "hostname": ""
  337.  
  338.  
  339. "country_name": "Ukraine",
  340. "ip": "195.123.246.209",
  341. "inaddrarpa": "",
  342. "hostname": ""
  343.  
  344.  
  345. "country_name": "Brazil",
  346. "ip": "189.118.237.91",
  347. "inaddrarpa": "",
  348. "hostname": ""
  349.  
  350.  
  351. "country_name": "Brazil",
  352. "ip": "187.88.128.32",
  353. "inaddrarpa": "",
  354. "hostname": ""
  355.  
  356.  
  357. "country_name": "Netherlands",
  358. "ip": "151.236.14.84",
  359. "inaddrarpa": "",
  360. "hostname": ""
  361.  
  362.  
  363. "country_name": "China",
  364. "ip": "125.117.204.89",
  365. "inaddrarpa": "",
  366. "hostname": ""
  367.  
  368.  
  369.  
  370. * Network Communication - IRC: