- * MalFamily: "bb0b4aadbefc8b33abf8d242527332b9"
- * MalScore: 10.0
- * File Name: "Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg"
- * File Size: 850431
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive"
- * SHA256: "6a534a101ea2e6fee398e29fa11e9c254d78d8bcf40d2bb445307a18ab5dca6f"
- * MD5: "bb0b4aadbefc8b33abf8d242527332b9"
- * SHA1: "582d53129eaec516ac5c55198ee12149fa6cc26a"
- * SHA512: "6f402f36daea95505d147dbdd6da8ece620fd15c6a28d490a29437a538f15fe1607e2e929774ef8f188e9ae75120435d2cfebd5db2029e021a40f8c5cbc8318a"
- * CRC32: "8C83D2AE"
- * SSDEEP: "24576:b2O/Gl+2MnqDPvvJZnFSjwmxhKbH3rUO46GUx:KMqDPv3FOwmxUT3icx"
- * Process Execution:
- "Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg",
- "tcw.exe",
- "tcw.exe",
- "RegSvcs.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tcw.exe hvq=mjq"
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
- "Details":
- "IP": "185.247.228.54:3999"
- "IP": "185.165.153.222:3999"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "RegSvcs.exe tried to sleep 900 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00000000, length: 0x00000007"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00000000, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00000007, length: 0x000cf9f8"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00001ff0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00003fe0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00005fd0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00007fc0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00009fb0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0000bfa0, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0000df90, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0000ff80, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00011f70, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00013f60, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00015f50, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00017f40, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00019f30, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0001bf20, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0001df10, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x0001ff00, length: 0x00002000"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00021000, length: 0x00000037"
- "self_read": "process: Exes_bb0b4aadbefc8b33abf8d242527332b9.jpg, pid: 2296, offset: 0x00021014, length: 0x000ae9e4"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tcw.exe"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "tcw.exe(1772) -> RegSvcs.exe(2684)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
- "data": "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tcw.exe C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\HVQ_MJ~1"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\62834225"
- "Description": "File has been identified by 50 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.31913316"
- "FireEye": "Generic.mg.bb0b4aadbefc8b33"
- "CAT-QuickHeal": "Trojan.Generic"
- "McAfee": "Artemis!BB0B4AADBEFC"
- "Alibaba": "Trojan:Win32/Starter.ali2000005"
- "K7GW": "Trojan ( 0054b2471 )"
- "K7AntiVirus": "Trojan ( 0054b2471 )"
- "Invincea": "heuristic"
- "Symantec": "Trojan.Gen.MBT"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "ClamAV": "Win.Trojan.Autoit-6870735-0"
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- "BitDefender": "Trojan.GenericKD.31913316"
- "NANO-Antivirus": "Trojan.Win32.AutoIt.fpjrzy"
- "Avast": "Win32:Trojan-gen"
- "Tencent": "Win32.Trojan.Generic.Pepn"
- "Endgame": "malicious (high confidence)"
- "Sophos": "Mal/Generic-S"
- "Comodo": "Malware@#3k5odn2jm49eq"
- "F-Secure": "Dropper.DR/AutoIt.Gen"
- "DrWeb": "Trojan.DownLoader27.57696"
- "VIPRE": "Trojan.Win32.Generic!BT"
- "TrendMicro": "TROJ_GEN.R002C0PDN19"
- "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.cc"
- "Fortinet": "AutoIt/Agent.DRKP!tr"
- "Trapmine": "malicious.high.ml.score"
- "Emsisoft": "Trojan.GenericKD.31913316 (B)"
- "Cyren": "W32/Trojan.GEFL-7635"
- "Jiangmin": "Trojan.Miner.ffr"
- "Avira": "DR/AutoIt.Gen"
- "MAX": "malware (ai score=99)"
- "Microsoft": "Trojan:Win32/Skeeyah.A!bit"
- "Arcabit": "Trojan.Generic.D1E6F564"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "GData": "Trojan.GenericKD.31913316"
- "AhnLab-V3": "Trojan/Win32.Autoit.C1942121"
- "Acronis": "suspicious"
- "ALYac": "Trojan.GenericKD.31913316"
- "Cylance": "Unsafe"
- "Zoner": "Probably RARAutorun"
- "ESET-NOD32": "Win32/Injector.Autoit.DXJ"
- "TrendMicro-HouseCall": "TROJ_GEN.R002C0PDN19"
- "Rising": "Trojan.Injector!8.C4 (TOPIS:E0:it1Wp5KbcYC)"
- "Ikarus": "Trojan.Win32.Injector"
- "Ad-Aware": "Trojan.GenericKD.31913316"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.dbefc8"
- "CrowdStrike": "win/malicious_confidence_60% (W)"
- "Qihoo-360": "HEUR/QVM06.3.CAC5.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Trojan.Autoit-6870735-0, sha256:6a534a101ea2e6fee398e29fa11e9c254d78d8bcf40d2bb445307a18ab5dca6f, type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET DNS Query to a .tk domain - Likely Hostile"
- * Started Service:
- * Mutexes:
- "DefaultTabtip-MainUI",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "-"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\__tmp_rar_sfx_access_check_23103765",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\djd.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\hvq=mjq",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\FileConstants.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\ToolTipConstants.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tcw.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\qps.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\ncb.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\jnn.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\aou.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\vch.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\aqo.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\dfp.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\vsh.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\cpw.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\svh.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\nsn.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\mss.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\jka.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\kcv.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\qqc.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\jvr.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\elb.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\ofp.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\bvp.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\oio.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\ogq.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\nwd.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\sta.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\stq.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\pac.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\duu.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\gvj.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\evv.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\bdc.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\qwh.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\mix.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tou.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\els.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\atf.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\wkm.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\flj.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\ptk.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\eov.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\wtw.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\tse.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\bfc.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\vno.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\vev.mp4"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\__tmp_rar_sfx_access_check_23103765",
- "C:\\Users\\user\\AppData\\Local\\Temp\\62834225\\PQLPT"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "tojah77.duckdns.org",
- "answers":
- "data": "185.247.228.54",
- "type": "A"
- "type": "A",
- "request": "femolampa2.tk",
- "answers":
- "data": "185.165.153.222",
- "type": "A"
- * Domains:
- "ip": "185.247.228.54",
- "domain": "tojah77.duckdns.org"
- "ip": "185.165.153.222",
- "domain": "femolampa2.tk"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: