- * MalFamily: "Hawkeye"
- * MalScore: 10.0
- * File Name: "Exes_bcc4f7c92d2cca537f543d1094d3f062.exe"
- * File Size: 1150976
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "a09d0b15408fb9a96eb6046e011eeec3c27d2efc3424268c1708d7a2da92547a"
- * MD5: "bcc4f7c92d2cca537f543d1094d3f062"
- * SHA1: "5046fa0bcf8c26c6841a6951df7ae2162a7ad973"
- * SHA512: "0b9e6bf4b3b7dea6c686f3bb05df625b94d5a6b79017f9a3d8b4cf0b7e474cf3f9e15dddbf11c96f04ff1f6826c0f5a28a16c4d72f6037abc6edb31c934f9f72"
- * CRC32: "5A6694D8"
- * SSDEEP: "24576:drIKt0CU+YM7oG2VB+XwK6G9o47GQuWclVNvfXxyENsd:BKNVB0albXXxFNG"
- * Process Execution:
- "Exes_bcc4f7c92d2cca537f543d1094d3f062.exe",
- "arinrifh.exe",
- "arinrifh.exe",
- "vbc.exe",
- "dw20.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe\"",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt\"",
- "dw20.exe -x -s 948",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "arinrifh.exe tried to sleep 691 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Starts servers listening on 127.0.0.1:0",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: arinrifh.exe, pid: 1832, offset: 0x00000000, length: 0x00001000"
- "self_read": "process: arinrifh.exe, pid: 1832, offset: 0x00000100, length: 0x00000200"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request": "http://whatismyipaddress.com/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://whatismyipaddress.com/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.54, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x0005f200, virtual_size: 0x0005f038"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "whatismyipaddress.com"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "arinrifh.exe(980) -> arinrifh.exe(1832)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExA": "Process: arinrifh.exe(1832)"
- "Description": "Exhibits behavior characteristics of HawkEye keylogger.",
- "Details":
- "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
- "Details":
- "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
- "Details":
- "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Symantec": "Packed.Generic.516"
- "APEX": "Malicious"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.tc"
- "Trapmine": "malicious.high.ml.score"
- "FireEye": "Generic.mg.bcc4f7c92d2cca53"
- "Fortinet": "W32/Injector.EGKJ!tr"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
- "SentinelOne": "DFI - Suspicious PE"
- "Cybereason": "malicious.bcf8c2"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "Qihoo-360": "HEUR/QVM05.1.95DF.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount"
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe:ZoneIdentifier"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- "Description": "Attempts to modify Explorer settings to prevent hidden files from being displayed",
- "Details":
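The Executed Commands, Signatures Detected, Modified Registry Keys and HTTP sections above give four behaviours worth turning into host and proxy detections: the dropped copy started from %AppData%\Roaming, vbc.exe run with a /stext switch, the Explorer\Advanced\Hidden value written by a non-Explorer process, and a GET to an external-IP lookup service with an empty User-Agent. The rules below, as an added example that is not part of the sandbox report, run those checks over a few constructed Sysmon-style events (the field names Image, CommandLine, ParentImage and TargetObject follow Sysmon; the events themselves and the two extra lookup domains besides whatismyipaddress.com are assumptions).

```python
"""Rules for the HawkEye behaviours the report above records, run over constructed events."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed telemetry modelled on the Executed Commands, Modified Registry Keys and
# HTTP sections of the report. Field names follow Sysmon, but every event is made up.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: dropped copy started from %AppData%\Roaming by the downloaded file
        "type": "process",
        "Image": r"C:\Users\user\AppData\Roaming\arinrolfm\arinrifh.exe",
        "CommandLine": r'"C:\Users\user\AppData\Roaming\arinrolfm\arinrifh.exe"',
        "ParentImage": r"C:\Users\user\Downloads\Exes_bcc4f7c92d2cca537f543d1094d3f062.exe",
    },
    {   # 1: vbc.exe hosting the injected credential-recovery module
        "type": "process",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"',
        "ParentImage": r"C:\Users\user\AppData\Roaming\arinrolfm\arinrifh.exe",
    },
    {   # 2: a real compile, must not fire
        "type": "process",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        "CommandLine": r"vbc.exe /target:exe /out:app.exe app.vb",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
    },
    {   # 3: Explorer's hidden-files setting written by the implant
        "type": "registry",
        "Image": r"C:\Users\user\AppData\Roaming\arinrolfm\arinrifh.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    },
    {   # 4: same key written by Explorer itself (user toggled the option), must not fire
        "type": "registry",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    },
    {   # 5: external-IP lookup with an empty User-Agent, as in the HTTP section
        "type": "http", "Image": r"C:\Users\user\AppData\Roaming\arinrolfm\arinrifh.exe",
        "method": "GET", "host": "whatismyipaddress.com", "user_agent": "",
    },
    {   # 6: a browser visiting the same site, must not fire
        "type": "http", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "method": "GET", "host": "whatismyipaddress.com", "user_agent": "Mozilla/5.0",
    },
]

# The domain from the report plus two assumed, commonly abused lookup services.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org"}


def copy_run_from_roaming(ev: Event) -> bool:
    """Executable under %AppData%\\Roaming started by a parent outside its own directory
    (the drop-and-execute step). The later arinrifh.exe -> arinrifh.exe self-spawn used
    for injection shares the directory and is deliberately not matched here."""
    if ev.get("type") != "process":
        return False
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if "\\appdata\\roaming\\" not in image:
        return False
    return not parent.startswith(image.rsplit("\\", 1)[0] + "\\")


def vbc_stext_credential_dump(ev: Event) -> bool:
    """vbc.exe is the VB.NET compiler and has no /stext switch; /stext is the save-as-text
    option of NirSoft's recovery tools, so this vbc.exe is hosting injected code."""
    if ev.get("type") != "process":
        return False
    return (ev.get("Image", "").lower().endswith("\\vbc.exe")
            and re.search(r"\s/stext\b", ev.get("CommandLine", ""), re.IGNORECASE) is not None)


def explorer_hidden_setting_tamper(ev: Event) -> bool:
    """Explorer\\Advanced\\Hidden changed by anything other than explorer.exe."""
    if ev.get("type") != "registry":
        return False
    return (ev.get("TargetObject", "").lower().endswith("\\explorer\\advanced\\hidden")
            and not ev.get("Image", "").lower().endswith("\\explorer.exe"))


def external_ip_lookup_no_user_agent(ev: Event) -> bool:
    """GET to a public IP-lookup service with an empty User-Agent; no browser sends that."""
    if ev.get("type") != "http":
        return False
    return ev.get("host", "").lower() in IP_LOOKUP_HOSTS and not ev.get("user_agent")


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("hawkeye_copy_run_from_roaming", copy_run_from_roaming),
    ("vbc_stext_credential_dump", vbc_stext_credential_dump),
    ("explorer_hidden_setting_tamper", explorer_hidden_setting_tamper),
    ("external_ip_lookup_no_user_agent", external_ip_lookup_no_user_agent),
]


def run_detections(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two caveats when deploying these: whatismyipaddress.com is a legitimate site, so the HTTP rule only carries weight together with the empty User-Agent and the requesting process (the CLR_CASOFF_MUTEX and ".net clr networking" mutexes in the report show a .NET binary, and a .NET HttpWebRequest sends no User-Agent unless the code sets one, which is exactly the request captured above); and the vbc.exe rule should be paired with a parent-process condition in environments where developers run the compiler, even though /stext never appears in a genuine compile.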
- * Started Service:
- * Mutexes:
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\.net clr networking",
- "Global\\5b7f403e-a8c2-11e9-b470-18c086cd4732",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe",
- "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe:ZoneIdentifier",
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\Users\\user\\AppData\\Roaming\\pid.txt",
- "C:\\Users\\user\\AppData\\Roaming\\pidloc.txt",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\wkssvc",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_arinrifh.exe_c8f650fea74fcdb873c85817db22ac2e1f41123_04d81068\\Report.wer"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\arinrifh_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\arinrifh_RASAPI32\\FileDirectory",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "whatismyipaddress.com",
- "answers":
- "data": "104.16.154.36",
- "type": "A"
- "data": "104.16.155.36",
- "type": "A"
- * Domains:
- "ip": "104.16.154.36",
- "domain": "whatismyipaddress.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://whatismyipaddress.com/",
- "user-agent": "",
- "method": "GET",
- "host": "whatismyipaddress.com",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
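The paste is a sandbox report whose JSON was flattened into "- * Section:" headers, "- "key": "value"," pairs and "- "item"," entries, which loses nesting (the DNS answers list arrives as repeated data/type pairs). The parser below, added here and not part of the report or the sandbox's own tooling, reads that layout from a constructed excerpt of the report above and pulls out the indicators an analyst would keep: hashes, contacted domain and URL, resolved addresses, dropped files under the user profile and the executed command lines.

```python
"""Pull IOCs out of a sandbox report in the flattened layout used by the paste above."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the report above, kept in its own flattened layout.
REPORT_EXCERPT = r'''
- * MalFamily: "Hawkeye"
- * SHA256: "a09d0b15408fb9a96eb6046e011eeec3c27d2efc3424268c1708d7a2da92547a"
- * MD5: "bcc4f7c92d2cca537f543d1094d3f062"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe\"",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt\""
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\arinrolfm\\arinrifh.exe",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt"
- * DNS Communications:
- "type": "A",
- "request": "whatismyipaddress.com",
- "answers":
- "data": "104.16.154.36",
- "type": "A"
- "data": "104.16.155.36",
- "type": "A"
- * Network Communication - HTTP:
- "uri": "http://whatismyipaddress.com/",
- "user-agent": "",
- "method": "GET",
- "host": "whatismyipaddress.com",
'''

SECTION_RE = re.compile(r'^- \* ([^:]+):\s*(.*)$')        # - * Name: [scalar]
QSTR = r'"(?:[^"\\]|\\.)*"'                                # one JSON-style quoted string
PAIR_RE = re.compile(rf'^- ({QSTR}):\s*({QSTR})?,?$')      # - "key": "value",
ITEM_RE = re.compile(rf'^- ({QSTR}),?$')                   # - "value",


def parse_report(text: str) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Return (sections, scalars). A section keeps an ordered list of (key, value)
    pairs and a list of bare items; order is kept because the flattening dropped
    the nesting, so repeated keys (data/type under answers) are meaningful."""
    scalars: Dict[str, str] = {}
    sections: Dict[str, dict] = defaultdict(lambda: {"pairs": [], "items": []})
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, rest = m.group(1).strip(), m.group(2).strip()
            if rest:                        # - * MD5: "..." is a header field
                scalars[name] = json.loads(rest) if rest.startswith('"') else rest
                current = None
            else:                           # - * Modified Files: opens a section
                current = name
            continue
        if current is None:
            continue
        m = PAIR_RE.match(line)
        if m:
            if m.group(2) is not None:      # bare sub-keys such as "answers": carry no value
                sections[current]["pairs"].append((json.loads(m.group(1)), json.loads(m.group(2))))
            continue
        m = ITEM_RE.match(line)
        if m:
            sections[current]["items"].append(json.loads(m.group(1)))
    return dict(sections), scalars


def extract_iocs(sections: Dict[str, dict], scalars: Dict[str, str]) -> Dict[str, List[str]]:
    iocs = defaultdict(set)
    for h in ("MD5", "SHA1", "SHA256"):
        if h in scalars:
            iocs["hash"].add(scalars[h])
    for key, value in sections.get("DNS Communications", {}).get("pairs", []):
        if key == "request":
            iocs["domain"].add(value)
        elif key == "data":                 # resolved addresses of a shared lookup service: record, do not block
            iocs["resolved_ip"].add(value)
    for key, value in sections.get("Network Communication - HTTP", {}).get("pairs", []):
        if key == "uri":
            iocs["url"].add(value)
    for path in sections.get("Modified Files", {}).get("items", []):
        if "\\appdata\\" in path.lower():   # user-profile drops; the WBEM repository writes are OS noise
            iocs["file"].add(path)
    for cmd in sections.get("Executed Commands", {}).get("items", []):
        iocs["cmdline"].add(cmd)
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    secs, scal = parse_report(REPORT_EXCERPT)
    for kind, values in extract_iocs(secs, scal).items():
        print(kind, values)
```

The values are unescaped with json.loads because the flattened lines keep their JSON escaping (note the "\"C:\\...\"" command line). The resolved addresses are kept under a separate resolved_ip key on purpose: they belong to a public IP-lookup site that many legitimate clients resolve to, so the blockable indicators from this report are the hashes, the dropped arinrifh.exe path and the vbc.exe /stext command line, not the addresses.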