- * ID: 2447
- * MalFamily: "Shade"
- * MalScore: 10.0
- * File Name: "Troldesh_dafef0db48775da726b577b6a6c654ff.jpg"
- * File Size: 2055680
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47"
- * MD5: "dafef0db48775da726b577b6a6c654ff"
- * SHA1: "c2c45bd5a70dfecb549e24cb8cf713539d6c6985"
- * SHA512: "c0b9317e6396d4d8dcaac97944e3874be41ff34e3cb6ee8df840ec8bea230e12da5b19aa1e7534427f27ab2f6cf09857806a5231fb74f1c1a939b5afb8bea94f"
- * CRC32: "7AE789C4"
- * SSDEEP: "49152:S9sdRaeMXETisO1eNsQ4U4hNLkWaSZLkyyNgJTDa+vOsonPaoe:S9GE1eNohNgeZLky8sDOsope"
- * Process Execution:
- "T7lDPSuj4Gp.exe",
- "T7lDPSuj4Gp.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\T7lDPSuj4Gp.exe"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "128.31.0.39:9101 (United States)"
- "Description": "Scheduled file move on reboot detected",
- "Details":
- "File Move on Reboot": "Old: C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp -> New: C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state"
- "Description": "Starts servers listening on 127.0.0.1:35558",
- "Details":
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "explorer.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: T7lDPSuj4Gp.exe, pid: 2616, offset: 0x00000000, length: 0x001f5e00"
- "Description": "File has been identified by 10 Antiviruses on VirusTotal as malicious",
- "Details":
- "Invincea": "heuristic"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Endgame": "malicious (moderate confidence)"
- "TrendMicro": "Mal_HPGen-37b"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
- "FireEye": "Generic.mg.dafef0db48775da7"
- "Acronis": "suspicious"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DTGU"
- "TrendMicro-HouseCall": "Mal_HPGen-37b"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00164000, virtual_size: 0x00163e8c"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "T7lDPSuj4Gp.exe(2220) -> T7lDPSuj4Gp.exe(2616)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "T7lDPSuj4Gp.exe(2220) -> T7lDPSuj4Gp.exe(2616)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Checks for the presence of known windows from debuggers and forensic tools",
- "Details":
- "Window": "ConsoleWindowClass"
- "Description": "Installs Tor on the infected machine",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem"
- "data": "\"C:\\ProgramData\\Windows\\csrss.exe\""
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft OneDrive"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\ProgramData\\Windows\\"
- "Description": "CAPE detected the Shade malware family",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\Windows\\csrss.exe"
- * Started Service:
- * Mutexes:
- "Local\\__DDrawExclMode__",
- "Local\\__DDrawCheckExclMode__"
- * Modified Files:
- "\\??\\PIPE\\srvsvc",
- "\\??\\PIPE\\wkssvc",
- "C:\\ProgramData\\Windows\\csrss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\lock",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\MostRecentApplication\\Name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Austria",
- "ip": "86.59.21.38",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Netherlands",
- "ip": "194.109.206.212",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "128.31.0.39",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: