- * ID: 1578
- * MalFamily: "Delf"
- * MalScore: 10.0
- * File Name: "Exes_031384474caca637c7ebf01f338e3fbe.exe"
- * File Size: 877056
- * File Type: "PE32 executable (console) Intel 80386, for MS Windows"
- * SHA256: "93d4041c69ab570016db21dcca5c104a07818a6054f62e511077b7928250ccf3"
- * MD5: "031384474caca637c7ebf01f338e3fbe"
- * SHA1: "b6e4c600c29bface341217a287503597af4ad8b9"
- * SHA512: "b850a71b5696850e26d183ee963f9e8cf699ed557414338cdd9193bf83eb570d4ee9644ba2c24057f5d555d1f6ada48b95b66468c3539278d141d8a6bf3e0f2a"
- * CRC32: "D6C4A436"
- * SSDEEP: "24576:hSOqsG3rmtrhVSBsCP6iHS24k5uiRMFxDF4I6:hSO+SBhVCPXHS24dk2x"
- * Process Execution:
- "CwxXHtbJOrQR.exe",
- "regsvr32.exe",
- "rundll32.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\regsvr32.exe -s C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.DLL f1 C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.EXE@2432",
- "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\CWXXHT~1.DLL,f0"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "Germany"
- "country": "United States"
- "country": "Hong Kong"
- "country": "Thailand"
- "country": "Ukraine"
- "country": "Brazil"
- "country": "Netherlands"
- "country": "China"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "CwxXHtbJOrQR.exe, PID 2432"
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "rundll32.exe tried to sleep 720 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to connect to a dead IP:Port (10 unique times)",
- "Details":
- "IP_ioc": "151.236.14.84:443 (Netherlands)"
- "IP_ioc": "228.152.217.194:443"
- "IP_ioc": "218.255.105.110:443 (Hong Kong)"
- "IP_ioc": "125.117.204.89:443 (China)"
- "IP_ioc": "203.151.231.30:443 (Thailand)"
- "IP_ioc": "28.67.143.116:443 (United States)"
- "IP_ioc": "189.118.237.91:443 (Brazil)"
- "IP_ioc": "62.80.20.15:443 (Germany)"
- "IP_ioc": "195.123.246.209:443 (Ukraine)"
- "IP_ioc": "187.88.128.32:443 (Brazil)"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 9 unique IP addresses"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000a1600, virtual_size: 0x000a1600"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
- "Details":
- "unhook": "function_name: WSASend, type: modification"
- "unhook": "function_name: send, type: modification"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\ProgramData\\04F697A0\\"
- "file": "C:\\ProgramData\\04F697A0\\6AA0D03B"
- "file": "C:\\ProgramData\\04F697A0\\B951867D"
- "Description": "File has been identified by 39 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Dropper.Delf.1"
- "FireEye": "Generic.mg.031384474caca637"
- "McAfee": "GenericRXII-PL!031384474CAC"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.0c29bf"
- "Arcabit": "Trojan.Dropper.Delf.1"
- "TrendMicro": "TROJ_GEN.R04AC0PIB19"
- "Symantec": "ML.Attribute.HighConfidence"
- "Avast": "Win32:Trojan-gen"
- "Kaspersky": "HEUR:Trojan-Banker.Win32.Danabot.gen"
- "BitDefender": "Gen:Variant.Dropper.Delf.1"
- "NANO-Antivirus": "Trojan.Win32.Delf.fyanrh"
- "Paloalto": "generic.ml"
- "Tencent": "Win32.Trojan-banker.Danabot.Bnn"
- "Endgame": "malicious (high confidence)"
- "Emsisoft": "Gen:Variant.Dropper.Delf.1 (B)"
- "F-Secure": "Heuristic.HEUR/AGEN.1043378"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.cc"
- "Webroot": "W32.Adware.Gen"
- "Avira": "HEUR/AGEN.1043378"
- "Microsoft": "Trojan:Win32/Pynamer.A!ac"
- "ZoneAlarm": "HEUR:Trojan-Banker.Win32.Danabot.gen"
- "GData": "Gen:Variant.Dropper.Delf.1"
- "AhnLab-V3": "Trojan/Win32.Agent.C3378248"
- "Acronis": "suspicious"
- "VBA32": "TrojanBanker.Danabot"
- "ALYac": "Gen:Variant.Dropper.Delf.1"
- "MAX": "malware (ai score=84)"
- "Ad-Aware": "Gen:Variant.Dropper.Delf.1"
- "ESET-NOD32": "a variant of Win32/TrojanDropper.Delf.OUI"
- "TrendMicro-HouseCall": "TROJ_GEN.R04AC0PIB19"
- "Rising": "Dropper.Delf!8.1EC (TFE:5:xeEnxO2DXG)"
- "Ikarus": "Trojan-Dropper.Win32.Delf"
- "Fortinet": "W32/Delf.OUI!tr"
- "AVG": "Win32:Trojan-gen"
- "Panda": "Trj/GdSda.A"
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- "Qihoo-360": "HEUR/QVM05.1.C1DF.Malware.Gen"
- * Started Service:
- * Mutexes:
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.dll"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CwxXHtbJOrQR.exe"
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Germany",
- "ip": "62.80.20.15",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "28.67.143.116",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Hong Kong",
- "ip": "218.255.105.110",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Thailand",
- "ip": "203.151.231.30",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Ukraine",
- "ip": "195.123.246.209",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Brazil",
- "ip": "189.118.237.91",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Brazil",
- "ip": "187.88.128.32",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Netherlands",
- "ip": "151.236.14.84",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "China",
- "ip": "125.117.204.89",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: