Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_7241c2613e4407d84aa5596788760c93.exe"
- * File Size: 14768640
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "02ae3f91fd573c7a0219e9a9560af37ee28dc0eeeae7560c69f2333da0e309b7"
- * MD5: "7241c2613e4407d84aa5596788760c93"
- * SHA1: "a1357e1c60c3353161f67eb8f167aa25c2ca04c2"
- * SHA512: "87dc1ce193c14b10fe33c227e081210161b34e54ba932dceed8dcfe3eb68e17e73ca469bc4c9b075272a602acb9abdacf940dbed30f6088e15a9d447fdd77313"
- * CRC32: "9BEDFD30"
- * SSDEEP: "393216:utmtzFwoCoOxuO+9E6KcXlUvJPGI4Dgh441lXwc:MmHwZxuB9E6KcXuxgEOuJ"
- * Process Execution:
- "Exes_7241c2613e4407d84aa5596788760c93.exe",
- "CL_Debug_Log.txt",
- "cmd.exe",
- "schtasks.exe",
- "svchost.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WmiPrvSE.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt e -p\"JDQJndnqwdnqw2139dn21n3b312idDQDB\" \"C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt\" -o\"C:\\Users\\user\\AppData\\Local\\Temp\\\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
- "schtasks.exe /Create /XML \"SystemCheck.xml\" /TN \"System\\SystemCheck\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "88.99.66.31:80"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://ezstat.ru/1UeQ37"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00d4b400, virtual_size: 0x00d4b2b4"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "File has been identified by 40 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "AIT:Trojan.Nymeria.1546"
- "FireEye": "Generic.mg.7241c2613e4407d8"
- "CAT-QuickHeal": "Trojan.Miner"
- "McAfee": "Artemis!7241C2613E44"
- "K7AntiVirus": "Trojan ( 005414041 )"
- "Alibaba": "TrojanDropper:Win32/Miner.6e5e41e9"
- "K7GW": "Trojan ( 005414041 )"
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- "Arcabit": "AIT:Trojan.Nymeria.D60A"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "Trojan.Win32.Miner.vwom"
- "BitDefender": "AIT:Trojan.Nymeria.1546"
- "NANO-Antivirus": "Trojan.Win32.Miner.fvbpar"
- "AegisLab": "Trojan.Win32.Miner.4!c"
- "Ad-Aware": "AIT:Trojan.Nymeria.1546"
- "Emsisoft": "AIT:Trojan.Nymeria.1546 (B)"
- "F-Secure": "Trojan.TR/Drop.AutoIt.lnspi"
- "DrWeb": "Trojan.DownLoader29.57642"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.vc"
- "Trapmine": "malicious.high.ml.score"
- "Cyren": "W32/Trojan.VHFI-7684"
- "Webroot": "W32.Trojan.Gen"
- "Avira": "TR/Drop.AutoIt.lnspi"
- "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
- "Microsoft": "Trojan:Win32/Occamy.C"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Trojan.Win32.Miner.vwom"
- "Acronis": "suspicious"
- "ALYac": "AIT:Trojan.Nymeria.1546"
- "ESET-NOD32": "a variant of Win32/TrojanDropper.Autoit.TL"
- "TrendMicro-HouseCall": "TROJ_GEN.R04AH09H519"
- "Ikarus": "Trojan-Dropper.Win32.Autoit"
- "GData": "AIT:Trojan.Nymeria.1546 (2x)"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "Cybereason": "malicious.13e440"
- "Panda": "Trj/CI.A"
- "Qihoo-360": "Win32/Trojan.12c"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 640"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137"
- * Started Service:
- * Mutexes:
- "QPRZ3bWvXh",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut64DA.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\asacpiex.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut70B2.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\start2.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\SystemCheck.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\32.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\64.exe",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Helper.exe",
- "C:\\Windows\\sysnative\\Tasks\\System\\SystemCheck",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
- "\\??\\WMIDataDevice"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut64DA.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut70B2.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\32.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\64.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\SystemCheck.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CR_Debug_Log.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CL_Debug_Log.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\start2.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\asacpiex.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\start.bat",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\System\\SystemCheck\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\System\\SystemCheck\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A1AA291B-3BCB-43BF-96F4-D85996580F80\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
- * DNS Communications:
- "type": "A",
- "request": "ezstat.ru",
- "answers":
- "data": "88.99.66.31",
- "type": "A"
- "type": "A",
- "request": "pool.supportxmr.com",
- "answers":
- "data": "107.178.104.10",
- "type": "A"
- "data": "192.110.160.114",
- "type": "A"
- "data": "pool-phx.supportxmr.com",
- "type": "CNAME"
- * Domains:
- "ip": "192.110.160.114",
- "domain": "pool.supportxmr.com"
- "ip": "88.99.66.31",
- "domain": "ezstat.ru"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 2,
- "body": "",
- "uri": "http://ezstat.ru/1UeQ37",
- "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
- "method": "GET",
- "host": "ezstat.ru",
- "version": "1.1",
- "path": "/1UeQ37",
- "data": "GET /1UeQ37 HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/plain; Charset=UTF-8\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: ezstat.ru\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement