Exes_497bef838cdf6602c0755a5002f4516a_exe_2019-08-29_02_30.txt

Aug 28th, 2019
  1.  
  2.  
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_497bef838cdf6602c0755a5002f4516a.exe"
  8. * File Size: 4421632
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "84133aaee4ab69bb70a496a03b3cfe818d787c905eb1900875ba8c813d990be9"
  11. * MD5: "497bef838cdf6602c0755a5002f4516a"
  12. * SHA1: "d50e0f9fb6024d247c8a436f51983e7ce4147800"
  13. * SHA512: "e32c57b7dc2579fea2177b9723775a4380e414c42a4c8e324db7b0109606a042f53bc6dfef72d0c35cf5349e71069ba2c069f7e7fbc56f6644a6d3ebc4c07bad"
  14. * CRC32: "9A649E04"
  15. * SSDEEP: "98304:bRjHOEnSGe8MyD8RQ/E1P4xqXRqKEiOzo8QIQ8jdSwsgOlS3:d7OESGe8MyQic1OQ1EiOM85QpJg8S"
  16.  
  17. * Process Execution:
  18. "adyFWuIcTh3WG.exe",
  19. "PING.EXE"
  20.  
  21.  
  22. * Executed Commands:
  23. "Ping.exe 4.2.2.2 -n 1"
  24.  
  25.  
  26. * Signatures Detected:
  27.  
  28. "Description": "Behavioural detection: Executable code extraction",
  29. "Details":
  30.  
  31.  
  32. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  33. "Details":
  34.  
  35.  
  36. "Description": "Attempts to connect to a dead IP:Port (4 unique times)",
  37. "Details":
  38.  
  39. "IP": "72.21.81.240:80"
  40.  
  41.  
  42. "IP": "2.16.115.194:80"
  43.  
  44.  
  45. "IP": "198.172.88.67:80 (United States)"
  46.  
  47.  
  48. "IP": "192.35.177.64:80"
  49.  
  50.  
  51.  
  52.  
  53. "Description": "NtSetInformationThread: attempt to hide thread from debugger",
  54. "Details":
  55.  
  56.  
  57. "Description": "A process attempted to delay the analysis task.",
  58. "Details":
  59.  
  60. "Process": "adyFWuIcTh3WG.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "Network anomalies occurred during the analysis.",
  66. "Details":
  67.  
  68. "Anomaly": "'4.2.2.2' getaddrinfo with no actual connection to the IP."
  69.  
  70.  
  71.  
  72.  
  73. "Description": "Expresses interest in specific running processes",
  74. "Details":
  75.  
  76. "process": "adyFWuIcTh3WG.exe"
  77.  
  78.  
  79.  
  80.  
  81. "Description": "Reads data out of its own binary image",
  82. "Details":
  83.  
  84. "self_read": "process: adyFWuIcTh3WG.exe, pid: 3676, offset: 0x00000000, length: 0x00330200"
  85.  
  86.  
  87. "self_read": "process: adyFWuIcTh3WG.exe, pid: 3676, offset: 0x00347825, length: 0x000effdb"
  88.  
  89.  
  90.  
  91.  
  92. "Description": "Performs some HTTP requests",
  93. "Details":
  94.  
  95. "url": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D"
  96.  
  97.  
  98.  
  99.  
  100. "Description": "The binary likely contains encrypted or compressed data.",
  101. "Details":
  102.  
  103. "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0032fb48, virtual_size: 0x0032fb48"
  104.  
  105.  
  106. "section": "name: , entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00017625, virtual_size: 0x00018000"
  107.  
  108.  
  109.  
  110.  
  111. "Description": "A ping command was executed with the -n argument possibly to delay analysis",
  112. "Details":
  113.  
  114. "command": "Ping.exe 4.2.2.2 -n 1"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "Uses Windows utilities for basic functionality",
  120. "Details":
  121.  
  122. "command": "Ping.exe 4.2.2.2 -n 1"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "Sniffs keystrokes",
  128. "Details":
  129.  
  130. "SetWindowsHookExW": "Process: adyFWuIcTh3WG.exe(3676)"
  131.  
  132.  
  133.  
  134.  
  135. "Description": "Checks for the presence of known windows from debuggers and forensic tools",
  136. "Details":
  137.  
  138. "Window": "WinDbgFrameClass"
  139.  
  140.  
  141. "Window": "49492"
  142.  
  143.  
  144. "Window": "OLLYDBG"
  145.  
  146.  
  147.  
  148.  
  149. "Description": "Creates a hidden or system file",
  150. "Details":
  151.  
  152. "file": "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\"
  153.  
  154.  
  155. "file": "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E.4142505780787461506"
  156.  
  157.  
  158. "file": "C:\\Users\\user\\.obs32\\"
  159.  
  160.  
  161. "file": "C:\\Users\\user\\.obs32\\82107DCE-0F47D6BD-21397D23-470B821E.Metrics"
  162.  
  163.  
  164.  
  165.  
  166. "Description": "Checks for the presence of known devices from debuggers and forensic tools",
  167. "Details":
  168.  
  169.  
  170. "Description": "File has been identified by 31 Antiviruses on VirusTotal as malicious",
  171. "Details":
  172.  
  173. "MicroWorld-eScan": "Gen:Variant.Strictor.199442"
  174.  
  175.  
  176. "FireEye": "Generic.mg.497bef838cdf6602"
  177.  
  178.  
  179. "ALYac": "Gen:Variant.Strictor.199442"
  180.  
  181.  
  182. "Alibaba": "Exploit:Win32/Shellcode.bad32566"
  183.  
  184.  
  185. "Cybereason": "malicious.fb6024"
  186.  
  187.  
  188. "Arcabit": "Trojan.Strictor.D30B12"
  189.  
  190.  
  191. "Symantec": "Trojan.Gen.MBT"
  192.  
  193.  
  194. "APEX": "Malicious"
  195.  
  196.  
  197. "Paloalto": "generic.ml"
  198.  
  199.  
  200. "Kaspersky": "HEUR:Exploit.Win32.Shellcode.gen"
  201.  
  202.  
  203. "BitDefender": "Gen:Variant.Strictor.199442"
  204.  
  205.  
  206. "AegisLab": "Hacktool.Win32.Shellcode.3!c"
  207.  
  208.  
  209. "Ad-Aware": "Gen:Variant.Strictor.199442"
  210.  
  211.  
  212. "Emsisoft": "Gen:Variant.Strictor.199442 (B)"
  213.  
  214.  
  215. "Invincea": "heuristic"
  216.  
  217.  
  218. "McAfee-GW-Edition": "BehavesLike.Win32.BadFile.rc"
  219.  
  220.  
  221. "Sophos": "Mal/Generic-S"
  222.  
  223.  
  224. "Avira": "HEUR/AGEN.1023530"
  225.  
  226.  
  227. "MAX": "malware (ai score=83)"
  228.  
  229.  
  230. "Microsoft": "Trojan:Win32/Tiggre!rfn"
  231.  
  232.  
  233. "ZoneAlarm": "HEUR:Exploit.Win32.Shellcode.gen"
  234.  
  235.  
  236. "GData": "Gen:Variant.Strictor.199442"
  237.  
  238.  
  239. "AhnLab-V3": "Malware/Win32.Generic.C3323919"
  240.  
  241.  
  242. "Acronis": "suspicious"
  243.  
  244.  
  245. "McAfee": "Artemis!497BEF838CDF"
  246.  
  247.  
  248. "VBA32": "BScope.TrojanDropper.Dapato"
  249.  
  250.  
  251. "Rising": "Trojan.Generic@ML.100 (RDMK:8f1LOD33R7dduyhJ8mkeLg)"
  252.  
  253.  
  254. "SentinelOne": "DFI - Malicious PE"
  255.  
  256.  
  257. "Panda": "Trj/CI.A"
  258.  
  259.  
  260. "CrowdStrike": "win/malicious_confidence_80% (W)"
  261.  
  262.  
  263. "Qihoo-360": "Win32/Trojan.Exploit.e6e"
  264.  
  265.  
  266.  
  267.  
  268. "Description": "Detects VirtualBox through the presence of a device",
  269. "Details":
  270.  
  271.  
  272. "Description": "Generates some ICMP traffic",
  273. "Details":
  274.  
  275.  
  276. "Description": "Anomalous binary characteristics",
  277. "Details":
  278.  
  279. "anomaly": "Found duplicated section names"
  280.  
  281.  
  282.  
  283.  
  284.  
  285. * Started Service:
  286.  
  287. * Mutexes:
  288. "AHK Keybd",
  289. "CicLoadWinStaWinSta0",
  290. "Local\\MSCTF.CtfMonitorInstMutexDefault1"
  291.  
  292.  
  293. * Modified Files:
  294. "\\??\\VBoxGuest",
  295. "C:\\Users\\user\\AppData\\Roaming\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E.4142505780787461506",
  296. "C:\\Users\\user\\.obs32\\82107DCE-0F47D6BD-21397D23-470B821E.Metrics",
  297. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  298. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  299. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  300. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  301. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  302. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  303. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\76789FEF0726C26D2E5B56E8245C42E6",
  304. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\76789FEF0726C26D2E5B56E8245C42E6",
  305. "C:\\Users\\user\\AppData\\Local\\Temp\\44053595.ini"
  306.  
  307.  
  308. * Deleted Files:
  309. "C:\\Users\\user\\AppData\\Local\\Temp\\44053595.ini",
  310. "C:\\Users\\user\\AppData\\Roaming\\SammichLicense.key"
  311.  
  312.  
  313. * Modified Registry Keys:
  314. "HKEY_CURRENT_USER\\Software\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E",
  315. "HKEY_CURRENT_USER\\Software\\Obsidium\\82107DCE-0F47D6BD-21397D23-470B821E\\4142505780787461506"
  316.  
  317.  
  318. * Deleted Registry Keys:
  319.  
  320. * DNS Communications:
  321.  
  322. "type": "A",
  323. "request": "scriptswithsammich.com",
  324. "answers":
  325.  
  326. "data": "74.220.219.243",
  327. "type": "A"
  328.  
  329.  
  330.  
  331.  
  332. "type": "A",
  333. "request": "ocsp.int-x3.letsencrypt.org",
  334. "answers":
  335.  
  336. "data": "198.172.88.82",
  337. "type": "A"
  338.  
  339.  
  340. "data": "198.172.88.67",
  341. "type": "A"
  342.  
  343.  
  344. "data": "a771.dscq.akamai.net",
  345. "type": "CNAME"
  346.  
  347.  
  348. "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net",
  349. "type": "CNAME"
  350.  
  351.  
  352.  
  353.  
  354.  
  355. * Domains:
  356.  
  357. "ip": "74.220.219.243",
  358. "domain": "scriptswithsammich.com"
  359.  
  360.  
  361. "ip": "198.172.88.67",
  362. "domain": "ocsp.int-x3.letsencrypt.org"
  363.  
  364.  
  365.  
  366. * Network Communication - ICMP:
  367.  
  368. "src": "169.254.255.254",
  369. "dst": "4.2.2.2",
  370. "type": 8,
  371. "data": "abcdefghijklmnopqrstuvwabcdefghi"
  372.  
  373.  
  374. "src": "4.2.2.2",
  375. "dst": "169.254.255.254",
  376. "type": 0,
  377. "data": "abcdefghijklmnopqrstuvwabcdefghi"
  378.  
  379.  
  380.  
  381. * Network Communication - HTTP:
  382.  
  383. "count": 1,
  384. "body": "",
  385. "uri": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D",
  386. "user-agent": "Microsoft-CryptoAPI/6.1",
  387. "method": "GET",
  388. "host": "ocsp.int-x3.letsencrypt.org",
  389. "version": "1.1",
  390. "path": "/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D",
  391. "data": "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOxp9WQnkPJKwTzw%2BYl6FbPOQ%3D%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.int-x3.letsencrypt.org\r\n\r\n",
  392. "port": 80
  393.  
  394.  
  395.  
  396. * Network Communication - SMTP:
  397.  
  398. * Network Communication - Hosts:
  399.  
  400. "country_name": "United States",
  401. "ip": "74.220.219.243",
  402. "inaddrarpa": "",
  403. "hostname": "scriptswithsammich.com"
  404.  
  405.  
  406. "country_name": "United States",
  407. "ip": "4.2.2.2",
  408. "inaddrarpa": "",
  409. "hostname": ""
  410.  
  411.  
  412. "country_name": "United States",
  413. "ip": "198.172.88.67",
  414. "inaddrarpa": "",
  415. "hostname": "ocsp.int-x3.letsencrypt.org"
  416.  
  417.  
  418.  
  419. * Network Communication - IRC: