API tools faq
paste
Advertisement
paladin316

1342Exes_df8125f7e69399e23227d9634a0a9d03_exe_2019-09-09_08_30.txt

paladin316
Sep 9th, 2019
1,617
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.84 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * ID: 1342
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_df8125f7e69399e23227d9634a0a9d03.exe"
  8. * File Size: 487424
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "da21a9f135a2ea2ac4d62fe01068f0e4024a095f77b2434302c1c2b722f74e95"
  11. * MD5: "df8125f7e69399e23227d9634a0a9d03"
  12. * SHA1: "301ee3fb847bdafb40a7c0497513dab3b8f6a9dc"
  13. * SHA512: "c31cd79edaf2a6bfe6d18af1f9b3db94d61ee0ca3bf2ced7c0f7d1a161e08dbb2242ddcbc458347a1938eaa7cd53fb4648a7989c5ef9bfc440492746b7667806"
  14. * CRC32: "B0DDBC8A"
  15. * SSDEEP: "12288:vzQSJTesTJd+uv2x2lbKvm7PiwhwVJS6V:vxBeQ+uOxo/K6w6"
  16.  
  17. * Process Execution:
  18. "egyephOtmt.exe",
  19. "egyephOtmt.exe",
  20. "Host.exe",
  21. "Host.exe",
  22. "cmd.exe",
  23. "PING.EXE",
  24. "cmd.exe",
  25. "services.exe",
  26. "lsass.exe",
  27. "WmiApSrv.exe",
  28. "WmiPrvSE.exe",
  29. "WMIADAP.exe"
  30.  
  31.  
  32. * Executed Commands:
  33. "\"C:\\Users\\user\\AppData\\Local\\Temp\\egyephOtmt.exe\"",
  34. "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\"",
  35. "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\"",
  36. "C:\\Windows\\system32\\lsass.exe",
  37. "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
  38. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  39. "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000",
  40. "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
  41.  
  42.  
  43. * Signatures Detected:
  44.  
  45. "Description": "Behavioural detection: Executable code extraction",
  46. "Details":
  47.  
  48.  
  49. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  50. "Details":
  51.  
  52.  
  53. "Description": "Creates RWX memory",
  54. "Details":
  55.  
  56.  
  57. "Description": "Network anomalies occured during the analysis.",
  58. "Details":
  59.  
  60. "Anomaly": "'192.0.2.2' getaddrinfo with no actual connection to the IP."
  61.  
  62.  
  63.  
  64.  
  65. "Description": "Reads data out of its own binary image",
  66. "Details":
  67.  
  68. "self_read": "process: egyephOtmt.exe, pid: 2068, offset: 0x00000000, length: 0x00070000"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "A process created a hidden window",
  74. "Details":
  75.  
  76. "Process": "Host.exe -> C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
  77.  
  78.  
  79.  
  80.  
  81. "Description": "Drops a binary and executes it",
  82. "Details":
  83.  
  84. "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  85.  
  86.  
  87.  
  88.  
  89. "Description": "A ping command was executed with the -n argument possibly to delay analysis",
  90. "Details":
  91.  
  92. "command": "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000"
  93.  
  94.  
  95.  
  96.  
  97. "Description": "Uses Windows utilities for basic functionality",
  98. "Details":
  99.  
  100. "command": "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
  101.  
  102.  
  103. "command": "C:\\Windows\\system32\\PING.EXE ping 192.0.2.2 -n 1 -w 3000"
  104.  
  105.  
  106. "command": "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
  107.  
  108.  
  109.  
  110.  
  111. "Description": "Behavioural detection: Injection (Process Hollowing)",
  112. "Details":
  113.  
  114. "Injection": "egyephOtmt.exe(2540) -> egyephOtmt.exe(2068)"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "Executed a process and injected code into it, probably while unpacking",
  120. "Details":
  121.  
  122. "Injection": "egyephOtmt.exe(2540) -> egyephOtmt.exe(2068)"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "Steals private information from local Internet browsers",
  128. "Details":
  129.  
  130. "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
  131.  
  132.  
  133. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  134.  
  135.  
  136.  
  137.  
  138. "Description": "Installs itself for autorun at Windows startup",
  139. "Details":
  140.  
  141. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
  142.  
  143.  
  144. "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  145.  
  146.  
  147. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA"
  148.  
  149.  
  150. "data": "unknown"
  151.  
  152.  
  153. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA\\StubPath"
  154.  
  155.  
  156. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
  157.  
  158.  
  159.  
  160.  
  161. "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
  162. "Details":
  163.  
  164. "MicroWorld-eScan": "Gen:Variant.Symmi.16120"
  165.  
  166.  
  167. "Cylance": "Unsafe"
  168.  
  169.  
  170. "Arcabit": "Trojan.Symmi.D3EF8"
  171.  
  172.  
  173. "Symantec": "ML.Attribute.HighConfidence"
  174.  
  175.  
  176. "Paloalto": "generic.ml"
  177.  
  178.  
  179. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  180.  
  181.  
  182. "BitDefender": "Gen:Variant.Symmi.16120"
  183.  
  184.  
  185. "Endgame": "malicious (high confidence)"
  186.  
  187.  
  188. "Invincea": "heuristic"
  189.  
  190.  
  191. "FireEye": "Generic.mg.df8125f7e69399e2"
  192.  
  193.  
  194. "Emsisoft": "Gen:Variant.Symmi.16120 (B)"
  195.  
  196.  
  197. "SentinelOne": "DFI - Suspicious PE"
  198.  
  199.  
  200. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  201.  
  202.  
  203. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  204.  
  205.  
  206. "GData": "Gen:Variant.Symmi.16120"
  207.  
  208.  
  209. "AhnLab-V3": "Win-Trojan/VBKrypt.Suspicious"
  210.  
  211.  
  212. "MAX": "malware (ai score=82)"
  213.  
  214.  
  215. "Ad-Aware": "Gen:Variant.Symmi.16120"
  216.  
  217.  
  218. "ESET-NOD32": "a variant of Win32/GenKryptik.DSLE"
  219.  
  220.  
  221. "CrowdStrike": "win/malicious_confidence_100% (W)"
  222.  
  223.  
  224.  
  225.  
  226. "Description": "Creates a copy of itself",
  227. "Details":
  228.  
  229. "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  230.  
  231.  
  232.  
  233.  
  234. "Description": "Harvests information related to installed mail clients",
  235. "Details":
  236.  
  237. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  238.  
  239.  
  240. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  241.  
  242.  
  243. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  244.  
  245.  
  246. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  247.  
  248.  
  249. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  250.  
  251.  
  252. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  253.  
  254.  
  255. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  256.  
  257.  
  258.  
  259.  
  260. "Description": "Generates some ICMP traffic",
  261. "Details":
  262.  
  263.  
  264. "Description": "Uses suspicious command line tools or Windows utilities",
  265. "Details":
  266.  
  267. "command": "cmd /c del \"C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat\""
  268.  
  269.  
  270.  
  271.  
  272.  
  273. * Started Service:
  274. "VaultSvc",
  275. "wmiApSrv"
  276.  
  277.  
  278. * Mutexes:
  279. "-",
  280. "Global\\RefreshRA_Mutex_Lib",
  281. "Global\\RefreshRA_Mutex",
  282. "Global\\RefreshRA_Mutex_Flag",
  283. "Global\\WmiApSrv",
  284. "Global\\ADAP_WMI_ENTRY"
  285.  
  286.  
  287. * Modified Files:
  288. "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe",
  289. "\\??\\PIPE\\wkssvc",
  290. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  291. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  292. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat",
  293. "C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat",
  294. "\\??\\nul"
  295.  
  296.  
  297. * Deleted Files:
  298. "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe",
  299. "C:\\Users\\user\\AppData\\Local\\Temp\\aeaiCuO6.bat"
  300.  
  301.  
  302. * Modified Registry Keys:
  303. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows",
  304. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA",
  305. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\4Y0PX7QK-7IJL-83Y4-Q134-N54YD81455KA\\StubPath",
  306. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
  307. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  308. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
  309.  
  310.  
  311. * Deleted Registry Keys:
  312. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
  313.  
  314.  
  315. * DNS Communications:
  316.  
  317. "type": "A",
  318. "request": "general112.ddns.net",
  319. "answers":
  320.  
  321. "data": "79.134.225.120",
  322. "type": "A"
  323.  
  324.  
  325.  
  326.  
  327.  
  328. * Domains:
  329.  
  330. "ip": "79.134.225.120",
  331. "domain": "general112.ddns.net"
  332.  
  333.  
  334.  
  335. * Network Communication - ICMP:
  336.  
  337. "src": "169.254.255.254
  338. "dst": "192.0.2.2",
  339. "type": 8,
  340. "data": "abcdefghijklmnopqrstuvwabcdefghi"
  341.  
  342.  
  343.  
  344. * Network Communication - HTTP:
  345.  
  346. * Network Communication - SMTP:
  347.  
  348. * Network Communication - Hosts:
  349.  
  350. "country_name": "Switzerland",
  351. "ip": "79.134.225.120",
  352. "inaddrarpa": "",
  353. "hostname": "general112.ddns.net"
  354.  
  355.  
  356.  
  357. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!