Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "7408763b2851bd25f1808c65b69b3ecf0bbeba34ff8f0762488af8e204b4541e"
- * File Size: 774248
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- * SHA256: "092c76dff9cf620403cc85206b7e2673a47e98604c220903df69b456b6889ffa"
- * MD5: "034ff7485d1d6c91d6cc17458fc8b0b3"
- * SHA1: "08c8786c8130ae2cef70f93ede6256ea3d809c8d"
- * SHA512: "f8d6c682f29001fd0b8fe07aaad2e9e584437c0757aedc19fee748adfc7feb0e866bf5649806a9de4a5addf7bb45f0e6f5168ec962ca66676f6b24711cdc1053"
- * CRC32: "D72109D6"
- * SSDEEP: "12288:xquErHF6xC9D6DmR1J98w4oknqOKwnzIcXbOL+iW/0Lb3I9q34T6Dv8Flt1/Qi:0rl6kD68JmloOnzRLY+iWiMow28/t1Yi"
- * Process Execution:
- "7408763b2851bd25f1808c65b69b3ecf0bbeba34ff8f0762488af8e204b4541e.exe",
- "RegAsm.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: 7408763b2851bd25f1808c65b69b3ecf0bbeba34ff8f0762488af8e204b4541e.exe, pid: 2932, offset: 0x00000000, length: 0x000bd068"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request": "http://checkip.dyndns.org/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://checkip.dyndns.org/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: UPX1, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00055600, virtual_size: 0x00056000"
- "section": "name: .rsrc, entropy: 7.47, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00067600, virtual_size: 0x00068000"
- "Description": "The executable is compressed using UPX",
- "Details":
- "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x000e7000"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "checkip.dyndns.org"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "7408763b2851bd25f1808c65b69b3ecf0bbeba34ff8f0762488af8e204b4541e.exe(2932) -> RegAsm.exe(372)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: RegAsm.exe(372)"
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "WmiPrvSE.exe tried to sleep 601 seconds, actually delayed analysis time by 0 seconds"
- "Process": "RegAsm.exe tried to sleep 4234 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load"
- "data": "C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost\\igfxEM.exe"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost\\igfxEM.exe"
- "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
- "Details":
- "Description": "File has been identified by 47 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.41365391"
- "FireEye": "Generic.mg.034ff7485d1d6c91"
- "CAT-QuickHeal": "Backdoor.AutoIt"
- "McAfee": "Packed-FTE!034FF7485D1D"
- "Malwarebytes": "Trojan.MalPack.Generic"
- "SUPERAntiSpyware": "Trojan.Agent/Gen-Dropper"
- "K7GW": "Trojan ( 0054df7c1 )"
- "K7AntiVirus": "Trojan ( 0054df7c1 )"
- "Arcabit": "Trojan.Generic.D2772F8F"
- "F-Prot": "W32/FakeDoc.J.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "ESET-NOD32": "a variant of Win32/Packed.AutoIt.PK"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "ClamAV": "Win.Malware.Azorult-6971822-0"
- "Kaspersky": "Backdoor.Win32.AutoIt.ed"
- "BitDefender": "Trojan.GenericKD.41365391"
- "Endgame": "malicious (moderate confidence)"
- "Emsisoft": "Trojan.Autoit (A)"
- "F-Secure": "Trojan.TR/Autoit.eltll"
- "DrWeb": "Trojan.AutoIt.421"
- "Zillya": "Trojan.Packed.Win32.157099"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.bc"
- "Sophos": "Troj/AutoIt-CLG"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/FakeDoc.J.gen!Eldorado"
- "Avira": "TR/Autoit.eltll"
- "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
- "Microsoft": "TrojanSpy:MSIL/AgentTesla"
- "AhnLab-V3": "Trojan/Win32.Agent.R270625"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "GData": "Trojan.GenericKD.41365391"
- "Acronis": "suspicious"
- "VBA32": "TrojanDropper.Agent"
- "MAX": "malware (ai score=82)"
- "Ad-Aware": "Trojan.GenericKD.41365391"
- "Cylance": "Unsafe"
- "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "Rising": "PUF.Pack-AutoIt!1.B8E7 (CLASSIC)"
- "Ikarus": "Trojan.Autoit"
- "Fortinet": "AutoIt/Scar.RWET!tr"
- "MaxSecure": "Trojan.Malware.74295958.susgen"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.85d1d6"
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- "Qihoo-360": "HEUR/QVM11.1.074F.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Azorult-6971822-0, sha256:092c76dff9cf620403cc85206b7e2673a47e98604c220903df69b456b6889ffa, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- "dropped": "clamav:Win.Malware.Azorult-6971822-0, sha256:80ec1dd172c70beffef17fdb14e1d3b1f598720432ec8a49f3a3b7225b1f16c8 , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost\\igfxEM.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost\\igfxEM.exe"
- "percent_match": 99
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\.net clr networking",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\BackgroundTransferHost\\igfxEM.exe",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\WMIDataDevice"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RegAsm_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileDirectory",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load"
- * DNS Communications:
- "type": "A",
- "request": "checkip.dyndns.org",
- "answers":
- "data": "checkip.dyndns.com",
- "type": "CNAME"
- "data": "162.88.193.70",
- "type": "A"
- "data": "216.146.43.71",
- "type": "A"
- "data": "216.146.43.70",
- "type": "A"
- "data": "131.186.113.70",
- "type": "A"
- * Domains:
- "ip": "131.186.113.70",
- "domain": "checkip.dyndns.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://checkip.dyndns.org/",
- "user-agent": "",
- "method": "GET",
- "host": "checkip.dyndns.org",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement