Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 2326
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "AgentTesla_351eb287618799d48f4bdb3225c94029.exe"
- * File Size: 614400
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "b9e355d367b2d26a2f1f558e1b4e77ac351e2e9b9a7a4bb81acdf104c692b2c2"
- * MD5: "351eb287618799d48f4bdb3225c94029"
- * SHA1: "1594df98665618c97e05be9d3f8545d4a9f19214"
- * SHA512: "8e9b38ef86b0b32147287ef5dcf0a47f7a3a3063f988cf564f39ec0ad708d3ac62b81ba9922dfaab0c67f403127012e9206d7b4f1ca366c7204e52ce023c090a"
- * CRC32: "EE5E5E5F"
- * SSDEEP: "12288:NKx4Jj666+dnSqTGt0a10OCNlKDpOVpeYaQX:No4JJ6+pSqTGt0o5CXAQVbaY"
- * Process Execution:
- "Y1bZEW.exe",
- "Y1bZEW.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Y1bZEW.exe\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "Y1bZEW.exe, PID 1428"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "Y1bZEW.exe tried to sleep 882 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.19, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00093000, virtual_size: 0x00092278"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "Y1bZEW.exe(1428) -> Y1bZEW.exe(3048)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "Y1bZEW.exe(1428) -> Y1bZEW.exe(3048)"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:1832"
- "Description": "File has been identified by 41 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Midie.66301"
- "McAfee": "Fareit-FPZ!351EB2876187"
- "Malwarebytes": "Trojan.MalPack.VB.Generic"
- "Cybereason": "malicious.866561"
- "Arcabit": "Trojan.Midie.D102FD"
- "TrendMicro": "TROJ_GEN.R015C0DII19"
- "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "Trojan.Win32.VBKryjetor.chax"
- "BitDefender": "Gen:Variant.Midie.66301"
- "Avast": "Win32:TrojanX-gen Trj"
- "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
- "Ad-Aware": "Gen:Variant.Midie.66301"
- "Sophos": "Mal/FareitVB-N"
- "F-Secure": "Trojan.TR/Kryptik.hfzvw"
- "DrWeb": "Trojan.PWS.Banker1.34969"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.jc"
- "Trapmine": "malicious.moderate.ml.score"
- "FireEye": "Generic.mg.351eb287618799d4"
- "Emsisoft": "Gen:Variant.Midie.66301 (B)"
- "Ikarus": "Trojan.VB.Agent"
- "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
- "Avira": "TR/Kryptik.hfzvw"
- "MAX": "malware (ai score=85)"
- "Microsoft": "Trojan:Win32/Vbobfus.A!eml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Trojan.Win32.VBKryjetor.chax"
- "GData": "Gen:Variant.Midie.66301"
- "AhnLab-V3": "Win-Trojan/VBKrypt.RP12"
- "Acronis": "suspicious"
- "ALYac": "Gen:Variant.Midie.66301"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/Injector.EHVD"
- "SentinelOne": "DFI - Suspicious PE"
- "Fortinet": "W32/GenKryptik.EHBD!tr"
- "AVG": "Win32:TrojanX-gen Trj"
- "Panda": "Trj/GdSda.A"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\WMIDataDevice"
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement