- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_497bef838cdf6602c0755a5002f4516a.exe"
- * File Size: 4421632
- * File Type: "MS-DOS executable"
- * SHA256: "84133aaee4ab69bb70a496a03b3cfe818d787c905eb1900875ba8c813d990be9"
- * MD5: "497bef838cdf6602c0755a5002f4516a"
- * SHA1: "d50e0f9fb6024d247c8a436f51983e7ce4147800"
- * SHA512: "e32c57b7dc2579fea2177b9723775a4380e414c42a4c8e324db7b0109606a042f53bc6dfef72d0c35cf5349e71069ba2c069f7e7fbc56f6644a6d3ebc4c07bad"
- * CRC32: "9A649E04"
- * SSDEEP: "98304:bRjHOEnSGe8MyD8RQ/E1P4xqXRqKEiOzo8QIQ8jdSwsgOlS3:d7OESGe8MyQic1OQ1EiOM85QpJg8S"
- * Process Execution:
- "adyFWuIcTh3WG.exe",
- "PING.EXE"
- * Executed Commands:
- "Ping.exe 4.2.2.2 -n 1"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (4 unique times)",
- "Details":
- "IP": "72.21.81.240:80"
- "IP": "2.16.115.194:80"
- "IP": "198.172.88.67:80 (United States)"
- "IP": "192.35.177.64:80"
- "Description": "NtSetInformationThread: attempt to hide thread from debugger",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "adyFWuIcTh3WG.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Network anomalies occurred during the analysis.",
- "Details":
- "Anomaly": "'4.2.2.2' getaddrinfo with no actual connection to the IP."
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "adyFWuIcTh3WG.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: adyFWuIcTh3WG.exe, pid: 3676, offset: 0x00000000, length: 0x00330200"
- "self_read": "process: adyFWuIcTh3WG.exe, pid: 3676, offset: 0x00347825, length: 0x000effdb"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0032fb48, virtual_size: 0x0032fb48"
- "section": "name: , entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00017625, virtual_size: 0x00018000"
- "Description": "A ping command was executed with the -n argument possibly to delay analysis",
- "Details":
- "command": "Ping.exe 4.2.2.2 -n 1"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "Ping.exe 4.2.2.2 -n 1"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: adyFWuIcTh3WG.exe(3676)"
- "Description": "Checks for the presence of known windows from debuggers and forensic tools",
- "Details":
- "Window": "WinDbgFrameClass"
- "Window": "49492"
- "Window": "OLLYDBG"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E.4142505780787461506"
- "file": "C:\\Users\\user\\.obs32\\"
- "file": "C:\\Users\\user\\.obs32\\82107DCE-0F47D6BD-21397D23-470B821E.Metrics"
- "Description": "Checks for the presence of known devices from debuggers and forensic tools",
- "Details":
- "Description": "File has been identified by 31 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Strictor.199442"
- "FireEye": "Generic.mg.497bef838cdf6602"
- "ALYac": "Gen:Variant.Strictor.199442"
- "Alibaba": "Exploit:Win32/Shellcode.bad32566"
- "Cybereason": "malicious.fb6024"
- "Arcabit": "Trojan.Strictor.D30B12"
- "Symantec": "Trojan.Gen.MBT"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "HEUR:Exploit.Win32.Shellcode.gen"
- "BitDefender": "Gen:Variant.Strictor.199442"
- "AegisLab": "Hacktool.Win32.Shellcode.3!c"
- "Ad-Aware": "Gen:Variant.Strictor.199442"
- "Emsisoft": "Gen:Variant.Strictor.199442 (B)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.BadFile.rc"
- "Sophos": "Mal/Generic-S"
- "Avira": "HEUR/AGEN.1023530"
- "MAX": "malware (ai score=83)"
- "Microsoft": "Trojan:Win32/Tiggre!rfn"
- "ZoneAlarm": "HEUR:Exploit.Win32.Shellcode.gen"
- "GData": "Gen:Variant.Strictor.199442"
- "AhnLab-V3": "Malware/Win32.Generic.C3323919"
- "Acronis": "suspicious"
- "McAfee": "Artemis!497BEF838CDF"
- "VBA32": "BScope.TrojanDropper.Dapato"
- "Rising": "Trojan.Generic@ML.100 (RDMK:8f1LOD33R7dduyhJ8mkeLg)"
- "SentinelOne": "DFI - Malicious PE"
- "Panda": "Trj/CI.A"
- "CrowdStrike": "win/malicious_confidence_80% (W)"
- "Qihoo-360": "Win32/Trojan.Exploit.e6e"
- "Description": "Detects VirtualBox through the presence of a device",
- "Details":
- "Description": "Generates some ICMP traffic",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Found duplicated section names"
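The two section-level signatures above ("likely contains encrypted or compressed data", with both flagged sections at entropy 8.00, and "Found duplicated section names") are cheap static checks that can be reproduced without a sandbox. The following Python is an added example, not part of the Pastebin report or of the sandbox that produced it: it parses the PE section table with `struct` alone, computes per-section Shannon entropy, and flags the same three conditions the report raised (high entropy, a writable-and-executable section, duplicated or empty section names). The sample PE it builds is constructed for the example (two `.text` sections, a high-entropy `.rsrc`, an unnamed RWX section) and is not the analysed binary; the 7.5 bits/byte threshold is an assumption.

```python
import hashlib
import math
import struct

# PE section characteristic flags (values from winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

HIGH_ENTROPY = 7.5  # bits per byte; assumed triage threshold (the report flagged 8.00)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means the bytes are indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers start right after the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, _vaddr, rsize, rptr,
         _reloc, _lines, _nreloc, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "characteristics": flags,
            "entropy": shannon_entropy(raw),
        })
    return sections


def flag_sections(sections: list) -> list:
    """Findings in the spirit of the sandbox signatures: packed data, RWX, odd names."""
    findings = []
    names = [s["name"] for s in sections]
    for s in sections:
        label = s["name"] or "<unnamed>"
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']:.2f}, likely compressed or encrypted")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{label}: section is both writable and executable")
        if not s["name"]:
            findings.append("unnamed section present")
    for n in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicated section name: {n!r}")
    return findings


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) so the example is reproducible."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed toy PE (not the analysed file): duplicated '.text', high-entropy '.rsrc',
    and an unnamed RWX section, mirroring what the report describes."""
    specs = [
        (b".text", b"\x90" * 4096, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".text", b"\x90" * 4096, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", _pseudo_random(b"rsrc", 4096), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b"", _pseudo_random(b"stub", 4096),
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    opt_header = bytes(224)  # zeroed PE32 optional header; enough for section-table parsing
    header_len = 0x40 + 4 + 20 + len(opt_header) + 40 * len(specs)
    data_off = (header_len + 511) // 512 * 512  # 0x200 file alignment
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt_header), 0x0102)
    table, blobs, ptr = b"", b"", data_off
    for i, (name, data, flags) in enumerate(specs):
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, flags)
        blobs += data
        ptr += len(data)
    headers = dos + b"PE\0\0" + coff + opt_header + table
    return headers + bytes(data_off - len(headers)) + blobs


if __name__ == "__main__":
    for line in flag_sections(parse_sections(build_sample_pe())):
        print(line)
```

Run `parse_sections(open(path, "rb").read())` on a real file to get the same per-section view the report prints; an entropy of 8.00 on a resource section is almost always a packer or protector payload, and an unnamed section that is writable and executable at once is where such a payload gets unpacked and run.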
- * Started Service:
- * Mutexes:
- "AHK Keybd",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- * Modified Files:
- "\\??\\VBoxGuest",
- "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E.4142505780787461506",
- "C:\\Users\\user\\.obs32\\82107DCE-0F47D6BD-21397D23-470B821E.Metrics",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\76789FEF0726C26D2E5B56E8245C42E6",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\76789FEF0726C26D2E5B56E8245C42E6",
- "C:\\Users\\user\\AppData\\Local\\Temp\\44053595.ini"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\44053595.ini",
- "C:\\Users\\user\\AppData\\Roaming\\SammichLicense.key"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E",
- "HKEY_CURRENT_USER\\Software\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E\\4142505780787461506"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "scriptswithsammich.com",
- "answers":
- "data": "74.220.219.243",
- "type": "A"
- "type": "A",
- "request": "ocsp.int-x3.letsencrypt.org",
- "answers":
- "data": "198.172.88.82",
- "type": "A"
- "data": "198.172.88.67",
- "type": "A"
- "data": "a771.dscq.akamai.net",
- "type": "CNAME"
- "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net",
- "type": "CNAME"
- * Domains:
- "ip": "74.220.219.243",
- "domain": "scriptswithsammich.com"
- "ip": "198.172.88.67",
- "domain": "ocsp.int-x3.letsencrypt.org"
- * Network Communication - ICMP:
- "src": "169.254.255.254",
- "dst": "4.2.2.2",
- "type": 8,
- "data": "abcdefghijklmnopqrstuvwabcdefghi"
- "src": "4.2.2.2",
- "dst": "169.254.255.254",
- "type": 0,
- "data": "abcdefghijklmnopqrstuvwabcdefghi"
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.int-x3.letsencrypt.org",
- "version": "1.1",
- "path": "/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D",
- "data": "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.int-x3.letsencrypt.org\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "74.220.219.243",
- "inaddrarpa": "",
- "hostname": "scriptswithsammich.com"
- "country_name": "United States",
- "ip": "4.2.2.2",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "198.172.88.67",
- "inaddrarpa": "",
- "hostname": "ocsp.int-x3.letsencrypt.org"
- * Network Communication - IRC:
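A good part of this report is activity that Windows itself generates during the run rather than the sample: the single HTTP request carries the `Microsoft-CryptoAPI/6.1` user agent and goes to a Let's Encrypt OCSP responder, the `CryptnetUrlCache` files are that revocation check's cache, and the `CicLoadWinStaWinSta0` / `MSCTF` mutexes belong to the text-services framework. What is left (the Obsidium protector directories and registry keys, the `AHK Keybd` mutex, `scriptswithsammich.com`, `SammichLicense.key`, the `ping -n 1` to 4.2.2.2) is what an analyst should actually carry forward. The Python below is an added example, not part of the original paste or of the sandbox that produced it: it parses this flattened report format and splits each artifact into noise or indicator. The allow-lists are assumptions made for the example, and the embedded excerpt is copied from the report above.

```python
import re

# Allow-lists of activity Windows itself produces in a sandbox run (assumed for this example).
NOISE_PATH_RE = re.compile(r"\\Microsoft\\CryptnetUrlCache\\", re.I)  # CryptoAPI revocation cache
NOISE_HOST_RE = re.compile(r"(^|\.)letsencrypt\.org$", re.I)          # OCSP responder for LE certs
NOISE_MUTEXES = {"CicLoadWinStaWinSta0", "Local\\MSCTF.CtfMonitorInstMutexDefault1"}  # text services
PING_RE = re.compile(r"\bping(\.exe)?\b.*\s-n\s+\d+", re.I)          # ping used as probe or sleep

SECTION_RE = re.compile(r'^\s*-\s*\*\s*([^:]+):\s*(.*?)\s*$')        # - * Mutexes:
KV_RE = re.compile(r'^\s*-\s*"([^"]+)":\s*"(.*?)",?\s*$')              # - "request": "host",
VALUE_RE = re.compile(r'^\s*-\s*"(.*?)",?\s*$')                        # - "value",
INTERESTING_KEYS = {"request", "file", "command", "Window"}          # nested keys worth keeping

TRIAGE_SECTIONS = ("Mutexes", "Modified Files", "Deleted Files", "Modified Registry Keys",
                   "DNS Communications", "Executed Commands")


def parse_report(text: str) -> dict:
    """Group the flattened report into {section: [values]}; backslashes are unescaped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            value = m.group(2).strip('"')
            if value:
                sections[current].append(value)
            continue
        if current is None:
            continue
        m = KV_RE.match(line)              # must run before VALUE_RE, which would also match
        if m:
            if m.group(1) in INTERESTING_KEYS:
                sections[current].append(m.group(2).replace("\\\\", "\\"))
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append(m.group(1).replace("\\\\", "\\"))
    return sections


def classify(section: str, value: str) -> tuple:
    """Return (bucket, reason) for one artifact; 'noise' is OS background, 'indicator' is the sample."""
    if section == "Mutexes" and value in NOISE_MUTEXES:
        return "noise", "Windows text-services mutex"
    if NOISE_PATH_RE.search(value):
        return "noise", "CryptoAPI certificate revocation cache"
    if NOISE_HOST_RE.search(value):
        return "noise", "OCSP responder contacted by CryptoAPI"
    if PING_RE.search(value):
        return "indicator", "ping with -n: connectivity probe or delay, not C2, but sample behaviour"
    if "Obsidium" in value or ".obs32" in value:
        return "indicator", "Obsidium protector licensing/metrics artifact"
    return "indicator", "host-specific artifact"


def triage(text: str) -> dict:
    report = parse_report(text)
    out = {"indicator": [], "noise": []}
    for section in TRIAGE_SECTIONS:
        for value in report.get(section, []):
            bucket, reason = classify(section, value)
            out[bucket].append((section, value, reason))
    return out


# Excerpt copied from the report above (constructed subset for the example).
SAMPLE_REPORT = r"""
- * Executed Commands:
- "Ping.exe 4.2.2.2 -n 1"
- * Mutexes:
- "AHK Keybd",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E.4142505780787461506",
- "C:\\Users\\user\\.obs32\\82107DCE-0F47D6BD-21397D23-470B821E.Metrics",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Users\\user\\AppData\\Local\\Temp\\44053595.ini"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\SammichLicense.key"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E",
- * DNS Communications:
- "type": "A",
- "request": "scriptswithsammich.com",
- "answers":
- "data": "74.220.219.243",
- "type": "A",
- "request": "ocsp.int-x3.letsencrypt.org",
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        for section, value, reason in items:
            print(f"[{bucket}] {section}: {value}  ({reason})")
```

The noise list here is deliberately short; in practice it grows with each sandbox image, and the safe direction is to add to it only entries whose origin you have confirmed from the process and user agent that produced them, as the `Microsoft-CryptoAPI/6.1` request above makes possible.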