- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_fc5b65cf9b456e0faba5f6f5a69ef462.exe"
- * File Size: 73728
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "c733e0d16741640a5c4da33b74cd755d68c54370477fc4267a40e2998e98e21c"
- * MD5: "fc5b65cf9b456e0faba5f6f5a69ef462"
- * SHA1: "1e108343e1048a5c971212684de9402dd610a4a4"
- * SHA512: "a387dabb37b761c9181bbc701fb23a6419685db1ebd2e7c09986e8d782102f47b52501856e7ea269bbfe7b6276d827b2d636194c7c34a42b5a0cb9d7aca662c8"
- * CRC32: "A2441718"
- * SSDEEP: "1536:NG6YL0tJYtg0M4xbVBjuvvWEePjnjnWklU1Y8FOS:kotJYtg0Mu3jY+EL3Y8FOS"
- * Process Execution:
- "hte9EysIKQr.exe",
- "services.exe",
- "gmoywg.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "WmiPrvSE.exe"
- * Executed Commands:
- "C:\\Windows\\SysWOW64\\gmoywg.exe",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Scheduled file move on reboot detected",
- "Details":
- "File Move on Reboot": "Old: C:\\Users\\user\\AppData\\Local\\Temp\\hte9EysIKQr.exe -> New: C:\\Windows\\System32\\26319265.bak"
- "File Move on Reboot": "Old: C:\\Windows\\System32\\26319265.bak -> New: "
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 5112769 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "WervPoxySvc"
- "service path": "C:\\Windows\\system32\\gmoywg.exe"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Windows\\System32\\gmoywg.exe"
- "Description": "File has been identified by 62 Antiviruses on VirusTotal as malicious",
- "Details":
- "Bkav": "W32.RoatiscoLTAC.Worm"
- "MicroWorld-eScan": "Gen:Variant.Zusy.234606"
- "CAT-QuickHeal": "Trojan.Mauvaise.SL1"
- "McAfee": "Packed-FAC!FC5B65CF9B45"
- "Malwarebytes": "Trojan.Crypt"
- "K7AntiVirus": "Trojan ( 0052cdd61 )"
- "Alibaba": "Trojan:Win32/Siscos.5914ab66"
- "K7GW": "Trojan ( 0052cdd61 )"
- "Cybereason": "malicious.f9b456"
- "Arcabit": "Trojan.Zusy.D3946E"
- "TrendMicro": "BKDR_ZEGOST.SM34"
- "Cyren": "W32/Reconyc.M.gen!Eldorado"
- "Symantec": "Trojan.Gen.MBT"
- "ESET-NOD32": "Win32/Farfli.BLH"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "ClamAV": "Win.Dropper.Gh0stRAT-6989861-0"
- "Kaspersky": "Trojan.Win32.Siscos.wgv"
- "BitDefender": "Gen:Variant.Zusy.234606"
- "NANO-Antivirus": "Trojan.Win32.Reconyc.eoqyci"
- "ViRobot": "Trojan.Win32.Z.Zusy.73728.SE"
- "SUPERAntiSpyware": "Trojan.Agent/Gen-Crypt"
- "Rising": "Dropper.Generic!8.35E (KTSE)"
- "Ad-Aware": "Gen:Variant.Zusy.234606"
- "Sophos": "Troj/Agent-AWJO"
- "Comodo": "Backdoor.Win32.Farfli.FK@7jqjxo"
- "F-Secure": "Trojan.TR/BAS.ServStart.xxjtz"
- "DrWeb": "Trojan.DownLoader25.10311"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "Packed-FAC!FC5B65CF9B45"
- "Trapmine": "malicious.moderate.ml.score"
- "FireEye": "Generic.mg.fc5b65cf9b456e0f"
- "Emsisoft": "Gen:Variant.Zusy.234606 (B)"
- "SentinelOne": "DFI - Suspicious PE"
- "F-Prot": "W32/Reconyc.M.gen!Eldorado"
- "Jiangmin": "Worm.BlueHero.g"
- "Webroot": "W32.Malware.Gen"
- "Avira": "TR/BAS.ServStart.xxjtz"
- "MAX": "malware (ai score=100)"
- "Antiy-AVL": "Trojan/Win32.TSGeneric"
- "Microsoft": "VirTool:Win32/CeeInject.SN!bit"
- "Endgame": "malicious (high confidence)"
- "AegisLab": "Trojan.Win32.Siscos.4!c"
- "ZoneAlarm": "Trojan.Win32.Siscos.wgv"
- "GData": "Gen:Variant.Zusy.234606"
- "AhnLab-V3": "Trojan/Win32.Reconyc.C1950982"
- "Acronis": "suspicious"
- "VBA32": "Trojan.Reconyc"
- "ALYac": "Gen:Variant.Zusy.234606"
- "TACHYON": "Backdoor/W32.Agent.73728.IM"
- "Cylance": "Unsafe"
- "Panda": "Trj/CI.A"
- "Zoner": "Trojan.Win32.74850"
- "TrendMicro-HouseCall": "BKDR_ZEGOST.SM34"
- "Tencent": "Win32.Trojan.Siscos.Eerb"
- "Yandex": "Trojan.Reconyc!"
- "Ikarus": "Virus.Win32.CeeInject"
- "Fortinet": "W32/Kryptik.FHSE!tr"
- "AVG": "Win32:Malware-gen"
- "Avast": "Win32:Malware-gen"
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- "Qihoo-360": "HEUR/QVM07.1.4CA1.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Dropper.Gh0stRAT-6989861-0, sha256:c733e0d16741640a5c4da33b74cd755d68c54370477fc4267a40e2998e98e21c, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Dropper.Gh0stRAT-6989861-0, sha256:c733e0d16741640a5c4da33b74cd755d68c54370477fc4267a40e2998e98e21c , guest_paths:C:\\Windows\\System32\\gmoywg.exe*C:\\Windows\\System32\\26319265.bak, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Windows\\System32\\gmoywg.exe"
- "copy": "C:\\Windows\\System32\\26319265.bak"
- * Started Service:
- "WervPoxySvc",
- "wmiApSrv"
- * Mutexes:
- "oo.mygoodluck.best:51888:WervPoxySvc",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv"
- * Modified Files:
- "C:\\Windows\\System32\\gmoywg.exe",
- "C:\\Windows\\System32\\26319265.bak"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\hte9EysIKQr.exe",
- "C:\\Windows\\System32\\26319265.bak"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WervPoxySvc\\Description",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WervPoxySvc\\Group",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WervPoxySvc\\InstallTime",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "oo.mygoodluck.best",
- "answers":
- "data": "46.173.217.80",
- "type": "A"
- * Domains:
- "ip": "46.173.217.80",
- "domain": "oo.mygoodluck.best"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Russian Federation",
- "ip": "46.173.217.80",
- "inaddrarpa": "",
- "hostname": "oo.mygoodluck.best"
- * Network Communication - IRC: