paladin316

Exes_7241c2613e4407d84aa5596788760c93_exe_2019-08-13_01_30.txt

Aug 13th, 2019
  1.  
  2. * MalFamily: "Malicious"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_7241c2613e4407d84aa5596788760c93.exe"
  7. * File Size: 14768640
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "02ae3f91fd573c7a0219e9a9560af37ee28dc0eeeae7560c69f2333da0e309b7"
  10. * MD5: "7241c2613e4407d84aa5596788760c93"
  11. * SHA1: "a1357e1c60c3353161f67eb8f167aa25c2ca04c2"
  12. * SHA512: "87dc1ce193c14b10fe33c227e081210161b34e54ba932dceed8dcfe3eb68e17e73ca469bc4c9b075272a602acb9abdacf940dbed30f6088e15a9d447fdd77313"
  13. * CRC32: "9BEDFD30"
  14. * SSDEEP: "393216:utmtzFwoCoOxuO+9E6KcXlUvJPGI4Dgh441lXwc:MmHwZxuB9E6KcXuxgEOuJ"
  15.  
  16. * Process Execution:
  17. "Exes_7241c2613e4407d84aa5596788760c93.exe",
  18. "CL_Debug_Log.txt",
  19. "cmd.exe",
  20. "schtasks.exe",
  21. "svchost.exe",
  22. "svchost.exe",
  23. "WmiPrvSE.exe",
  24. "WmiPrvSE.exe",
  25. "WMIADAP.exe"
  26.  
  27.  
  28. * Executed Commands:
  29. "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt e -p\"JDQJndnqwdnqw2139dn21n3b312idDQDB\" \"C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt\" -o\"C:\\Users\\user\\AppData\\Local\\Temp\\\"",
  30. "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
  31. "schtasks.exe /Create /XML \"SystemCheck.xml\" /TN \"System\\SystemCheck\"",
  32. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
  33.  
  34.  
  35. * Signatures Detected:
  36.  
  37. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  38. "Details":
  39.  
  40. "IP": "88.99.66.31:80"
  41.  
  42.  
  43.  
  44.  
  45. "Description": "Creates RWX memory",
  46. "Details":
  47.  
  48.  
  49. "Description": "A process attempted to delay the analysis task.",
  50. "Details":
  51.  
  52. "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
  53.  
  54.  
  55.  
  56.  
  57. "Description": "Drops a binary and executes it",
  58. "Details":
  59.  
  60. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "Performs some HTTP requests",
  66. "Details":
  67.  
  68. "url": "http://ezstat.ru/1UeQ37"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "The binary likely contains encrypted or compressed data.",
  74. "Details":
  75.  
  76. "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00d4b400, virtual_size: 0x00d4b2b4"
  77.  
  78.  
  79.  
  80.  
  81. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  82. "Details":
  83.  
  84. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  85.  
  86.  
  87.  
  88.  
  89. "Description": "File has been identified by 40 Antiviruses on VirusTotal as malicious",
  90. "Details":
  91.  
  92. "MicroWorld-eScan": "AIT:Trojan.Nymeria.1546"
  93.  
  94.  
  95. "FireEye": "Generic.mg.7241c2613e4407d8"
  96.  
  97.  
  98. "CAT-QuickHeal": "Trojan.Miner"
  99.  
  100.  
  101. "McAfee": "Artemis!7241C2613E44"
  102.  
  103.  
  104. "K7AntiVirus": "Trojan ( 005414041 )"
  105.  
  106.  
  107. "Alibaba": "TrojanDropper:Win32/Miner.6e5e41e9"
  108.  
  109.  
  110. "K7GW": "Trojan ( 005414041 )"
  111.  
  112.  
  113. "CrowdStrike": "win/malicious_confidence_90% (W)"
  114.  
  115.  
  116. "Arcabit": "AIT:Trojan.Nymeria.D60A"
  117.  
  118.  
  119. "Symantec": "ML.Attribute.HighConfidence"
  120.  
  121.  
  122. "APEX": "Malicious"
  123.  
  124.  
  125. "Paloalto": "generic.ml"
  126.  
  127.  
  128. "Kaspersky": "Trojan.Win32.Miner.vwom"
  129.  
  130.  
  131. "BitDefender": "AIT:Trojan.Nymeria.1546"
  132.  
  133.  
  134. "NANO-Antivirus": "Trojan.Win32.Miner.fvbpar"
  135.  
  136.  
  137. "AegisLab": "Trojan.Win32.Miner.4!c"
  138.  
  139.  
  140. "Ad-Aware": "AIT:Trojan.Nymeria.1546"
  141.  
  142.  
  143. "Emsisoft": "AIT:Trojan.Nymeria.1546 (B)"
  144.  
  145.  
  146. "F-Secure": "Trojan.TR/Drop.AutoIt.lnspi"
  147.  
  148.  
  149. "DrWeb": "Trojan.DownLoader29.57642"
  150.  
  151.  
  152. "Invincea": "heuristic"
  153.  
  154.  
  155. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.vc"
  156.  
  157.  
  158. "Trapmine": "malicious.high.ml.score"
  159.  
  160.  
  161. "Cyren": "W32/Trojan.VHFI-7684"
  162.  
  163.  
  164. "Webroot": "W32.Trojan.Gen"
  165.  
  166.  
  167. "Avira": "TR/Drop.AutoIt.lnspi"
  168.  
  169.  
  170. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
  171.  
  172.  
  173. "Microsoft": "Trojan:Win32/Occamy.C"
  174.  
  175.  
  176. "Endgame": "malicious (high confidence)"
  177.  
  178.  
  179. "ZoneAlarm": "Trojan.Win32.Miner.vwom"
  180.  
  181.  
  182. "Acronis": "suspicious"
  183.  
  184.  
  185. "ALYac": "AIT:Trojan.Nymeria.1546"
  186.  
  187.  
  188. "ESET-NOD32": "a variant of Win32/TrojanDropper.Autoit.TL"
  189.  
  190.  
  191. "TrendMicro-HouseCall": "TROJ_GEN.R04AH09H519"
  192.  
  193.  
  194. "Ikarus": "Trojan-Dropper.Win32.Autoit"
  195.  
  196.  
  197. "GData": "AIT:Trojan.Nymeria.1546 (2x)"
  198.  
  199.  
  200. "MaxSecure": "Trojan.Malware.300983.susgen"
  201.  
  202.  
  203. "Cybereason": "malicious.13e440"
  204.  
  205.  
  206. "Panda": "Trj/CI.A"
  207.  
  208.  
  209. "Qihoo-360": "Win32/Trojan.12c"
  210.  
  211.  
  212.  
  213.  
  214. "Description": "Created network traffic indicative of malicious activity",
  215. "Details":
  216.  
  217. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215"
  218.  
  219.  
  220. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 640"
  221.  
  222.  
  223. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228"
  224.  
  225.  
  226. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"
  227.  
  228.  
  229. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253"
  230.  
  231.  
  232. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533"
  233.  
  234.  
  235. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"
  236.  
  237.  
  238. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137"
  239.  
  240.  
  241.  
  242.  
  243.  
  244. * Started Service:
  245.  
  246. * Mutexes:
  247. "QPRZ3bWvXh",
  248. "Global\\ADAP_WMI_ENTRY",
  249. "Global\\RefreshRA_Mutex",
  250. "Global\\RefreshRA_Mutex_Lib",
  251. "Global\\RefreshRA_Mutex_Flag"
  252.  
  253.  
  254. * Modified Files:
  255. "C:\\Users\\user\\AppData\\Local\\Temp\\aut64DA.tmp",
  256. "C:\\Users\\user\\AppData\\Local\\Temp\\asacpiex.dll",
  257. "C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt",
  258. "C:\\Users\\user\\AppData\\Local\\Temp\\aut70B2.tmp",
  259. "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt",
  260. "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
  261. "C:\\Users\\user\\AppData\\Local\\Temp\\start2.bat",
  262. "C:\\Users\\user\\AppData\\Local\\Temp\\SystemCheck.xml",
  263. "C:\\Users\\user\\AppData\\Local\\Temp\\32.exe",
  264. "C:\\Users\\user\\AppData\\Local\\Temp\\64.exe",
  265. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Helper.exe",
  266. "C:\\Windows\\sysnative\\Tasks\\System\\SystemCheck",
  267. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  268. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  269. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  270. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  271. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
  272. "\\??\\WMIDataDevice"
  273.  
  274.  
  275. * Deleted Files:
  276. "C:\\Users\\user\\AppData\\Local\\Temp\\aut64DA.tmp",
  277. "C:\\Users\\user\\AppData\\Local\\Temp\\aut70B2.tmp",
  278. "C:\\Users\\user\\AppData\\Local\\Temp\\32.exe",
  279. "C:\\Users\\user\\AppData\\Local\\Temp\\64.exe",
  280. "C:\\Users\\user\\AppData\\Local\\Temp\\SystemCheck.xml",
  281. "C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt",
  282. "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt",
  283. "C:\\Users\\user\\AppData\\Local\\Temp\\start2.bat",
  284. "C:\\Users\\user\\AppData\\Local\\Temp\\asacpiex.dll",
  285. "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
  286. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  287.  
  288.  
  289. * Modified Registry Keys:
  290. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Path",
  291. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Hash",
  292. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\System\\SystemCheck\\Id",
  293. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\System\\SystemCheck\\Index",
  294. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Triggers",
  295. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\DynamicInfo",
  296. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  297. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
  298. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  299. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
  300. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
  301. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
  302. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
  303. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
  304. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
  305. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
  306. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
  307. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
  308. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
  309. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
  310. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
  311. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
  312. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
  313. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
  314. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  315.  
  316.  
  317. * Deleted Registry Keys:
  318. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  319. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  320.  
  321.  
  322. * DNS Communications:
  323.  
  324. "type": "A",
  325. "request": "ezstat.ru",
  326. "answers":
  327.  
  328. "data": "88.99.66.31",
  329. "type": "A"
  330.  
  331.  
  332.  
  333.  
  334. "type": "A",
  335. "request": "pool.supportxmr.com",
  336. "answers":
  337.  
  338. "data": "107.178.104.10",
  339. "type": "A"
  340.  
  341.  
  342. "data": "192.110.160.114",
  343. "type": "A"
  344.  
  345.  
  346. "data": "pool-phx.supportxmr.com",
  347. "type": "CNAME"
  348.  
  349.  
  350.  
  351.  
  352.  
  353. * Domains:
  354.  
  355. "ip": "192.110.160.114",
  356. "domain": "pool.supportxmr.com"
  357.  
  358.  
  359. "ip": "88.99.66.31",
  360. "domain": "ezstat.ru"
  361.  
  362.  
  363.  
  364. * Network Communication - ICMP:
  365.  
  366. * Network Communication - HTTP:
  367.  
  368. "count": 2,
  369. "body": "",
  370. "uri": "http://ezstat.ru/1UeQ37",
  371. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  372. "method": "GET",
  373. "host": "ezstat.ru",
  374. "version": "1.1",
  375. "path": "/1UeQ37",
  376. "data": "GET /1UeQ37 HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: ezstat.ru\r\n\r\n",
  377. "port": 80
  378.  
  379.  
  380.  
  381. * Network Communication - SMTP:
  382.  
  383. * Network Communication - Hosts:
  384.  
  385. * Network Communication - IRC: