- * ID: 2309
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_f7ba2ccf732ac8c478f3a4a81370ef81.exe"
- * File Size: 544768
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "8ec2e2eddd0991cb56b2d67e9e1fe71b09f74c5d5fe449b021932be35c52fe3f"
- * MD5: "f7ba2ccf732ac8c478f3a4a81370ef81"
- * SHA1: "9d639cc6c7719a181aabaed9f1057ca6ffa296ee"
- * SHA512: "91a0427e73c8c75aec8f61d63492fd41d6a4aa6bc333bf41fbb89351616c979d669aa7bf4ee2059d8968be1ec520a725d02df703e72da3ac9173d2b0ff8e206b"
- * CRC32: "F2AB2E9C"
- * SSDEEP: "12288:EprZTd+GcY867xghkQ057GxVeQj0zkEyRvrBM:a9kYnxghu57iV5BM"
- * Process Execution:
- "a5Y4h.exe",
- "a5Y4h.exe",
- "services.exe",
- "lsass.exe",
- "WmiApSrv.exe",
- "taskhost.exe",
- "WmiPrvSE.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\a5Y4h.exe\"",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "NtSetInformationThread: attempt to hide thread from debugger",
- "Details":
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "localneigh.us:80/api/check.get"
- "url_ioc": "localneigh.us:80/api/gate.get?p1=0&p2=9&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=2"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.09, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00083000, virtual_size: 0x000824ec"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "a5Y4h.exe(648) -> a5Y4h.exe(2268)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "a5Y4h.exe(648) -> a5Y4h.exe(2268)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 8429094 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "WmiPrvSE.exe:2480"
- "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.f7ba2ccf732ac8c4"
- "McAfee": "Fareit-FPZ!F7BA2CCF732A"
- "Malwarebytes": "Trojan.MalPack.VB"
- "Cybereason": "malicious.6c7719"
- "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
- "APEX": "Malicious"
- "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
- "Invincea": "heuristic"
- "Trapmine": "malicious.high.ml.score"
- "Sophos": "Mal/FareitVB-N"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
- "Microsoft": "Trojan:Win32/Vbobfus.A!eml"
- "Endgame": "malicious (high confidence)"
- "AhnLab-V3": "Win-Trojan/VBKrypt.RP12"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/Injector.EHVI"
- "Ikarus": "Trojan.VB.Crypt"
- "Fortinet": "W32/Injector.EHVI!tr"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- * Started Service:
- "VaultSvc",
- "wmiApSrv"
- * Mutexes:
- "s3v9x9w8v7v9x9w8v7",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv",
- "Global\\ADAP_WMI_ENTRY"
- * Modified Files:
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "localneigh.us",
- "answers":
- * Domains:
- "ip": "82.102.30.177",
- "domain": "localneigh.us"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: