- * ID: 1342
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_df8125f7e69399e23227d9634a0a9d03.exe"
- * File Size: 487424
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "da21a9f135a2ea2ac4d62fe01068f0e4024a095f77b2434302c1c2b722f74e95"
- * MD5: "df8125f7e69399e23227d9634a0a9d03"
- * SHA1: "301ee3fb847bdafb40a7c0497513dab3b8f6a9dc"
- * SHA512: "c31cd79edaf2a6bfe6d18af1f9b3db94d61ee0ca3bf2ced7c0f7d1a161e08dbb2242ddcbc458347a1938eaa7cd53fb4648a7989c5ef9bfc440492746b7667806"
- * CRC32: "B0DDBC8A"
- * SSDEEP: "12288:vzQSJTesTJd+uv2x2lbKvm7PiwhwVJS6V:vxBeQ+uOxo/K6w6"
- * Process Execution:
- "egyephOtmt.exe",
- "egyephOtmt.exe",
- "Host.exe",
- "Host.exe",
- "cmd.exe",
- "PING.EXE",
- "cmd.exe",
- "services.exe",
- "lsass.exe",
- "WmiApSrv.exe",
- "WmiPrvSE.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\egyephOtmt.exe\"",
- "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\"",
- "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\"",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000",
- "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Network anomalies occurred during the analysis.",
- "Details":
- "Anomaly": "'192.0.2.2' getaddrinfo with no actual connection to the IP."
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: egyephOtmt.exe, pid: 2068, offset: 0x00000000, length: 0x00070000"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "Host.exe -> C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- "Description": "A ping command was executed with the -n argument possibly to delay analysis (the target 192.0.2.2 lies in the RFC 5737 TEST-NET-1 documentation range and is not routable, so this is most likely a timed pause before the batch file deletes itself rather than a real network contact)",
- "Details":
- "command": "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
- "command": "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000"
- "command": "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "egyephOtmt.exe(2540) -> egyephOtmt.exe(2068)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "egyephOtmt.exe(2540) -> egyephOtmt.exe(2068)"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
- "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA"
- "data": "unknown"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA\\StubPath"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
- "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Symmi.16120"
- "Cylance": "Unsafe"
- "Arcabit": "Trojan.Symmi.D3EF8"
- "Symantec": "ML.Attribute.HighConfidence"
- "Paloalto": "generic.ml"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "BitDefender": "Gen:Variant.Symmi.16120"
- "Endgame": "malicious (high confidence)"
- "Invincea": "heuristic"
- "FireEye": "Generic.mg.df8125f7e69399e2"
- "Emsisoft": "Gen:Variant.Symmi.16120 (B)"
- "SentinelOne": "DFI - Suspicious PE"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "GData": "Gen:Variant.Symmi.16120"
- "AhnLab-V3": "Win-Trojan/VBKrypt.Suspicious"
- "MAX": "malware (ai score=82)"
- "Ad-Aware": "Gen:Variant.Symmi.16120"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DSLE"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Generates some ICMP traffic",
- "Details":
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
- * Started Service:
- "VaultSvc",
- "wmiApSrv"
- * Mutexes:
- "-",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv",
- "Global\\ADAP_WMI_ENTRY"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe",
- "\\??\\PIPE\\wkssvc",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat",
- "\\??\\nul"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA\\StubPath",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
- * DNS Communications:
- "type": "A",
- "request": "general112.ddns.net",
- "answers":
- "data": "79.134.225.120",
- "type": "A"
- * Domains:
- "ip": "79.134.225.120",
- "domain": "general112.ddns.net"
- * Network Communication - ICMP:
- "src": "169.254.255.254",
- "dst": "192.0.2.2",
- "type": 8,
- "data": "abcdefghijklmnopqrstuvwabcdefghi"
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Switzerland",
- "ip": "79.134.225.120",
- "inaddrarpa": "",
- "hostname": "general112.ddns.net"
- * Network Communication - IRC: