Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 2301
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Emotet_e895b1432632b5f3900ba28d5d176377.5"
- * File Size: 413696
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "6bbc1fc04607dc91b4bc52faafb15b3c5a51778bc59487684d3dfa64a1c85a71"
- * MD5: "e895b1432632b5f3900ba28d5d176377"
- * SHA1: "6cbfecfa88875b829a48ac33ed08557b3d0219e3"
- * SHA512: "b0b83680bd588f5d15f09861a8d40006c6e718cce25b0f8eeac2db407a0f0edb7c4d5d142e5bbfa123adde3652e23a802c05adc040a3ee6459c118b5d7335b9b"
- * CRC32: "F6741077"
- * SSDEEP: "6144:yGqCzZ+I7NhNEMxrE6CC0x1/hkVTIX8XrA7PI0TOwUhYtEJxKIRYzV:7qSJLEcrrJqvXAA7PIruyxrRYzV"
- * Process Execution:
- "WCMK49g.exe",
- "WCMK49g.exe",
- "WCMK49g.exe",
- "WCMK49g.exe",
- "explorer.exe",
- "services.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "historymachine.exe",
- "WmiApSrv.exe",
- "svchost.exe",
- "svchost.exe",
- "WmiPrvSE.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\WCMK49g.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WCMK49g.exe --a848c185",
- "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
- "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "United Kingdom"
- "country": "France"
- "country": "Iran, Islamic Republic of"
- "country": "Germany"
- "country": "Bangladesh"
- "country": "Argentina"
- "country": "United States"
- "country": "Singapore"
- "country": "Ecuador"
- "country": "Azerbaijan"
- "country": "Canada"
- "country": "India"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "historymachine.exe, PID 1048"
- "Description": "Mimics the system's user agent string for its own requests",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "201.212.57.109:80/entries/window/tpt/"
- "url_ioc": "87.106.136.232:8080/badge/balloon/"
- "url_ioc": "59.152.93.46:443/between/splash/pnp/"
- "url_ioc": "186.4.172.5:443/walk/usbccid/pnp/merge/"
- "url_ioc": "198.199.88.162:8080/bml/health/"
- "url_ioc": "178.62.37.188:443/report/raster/"
- "url_ioc": "95.128.43.213:8080/balloon/"
- "url_ioc": "142.44.162.209:8080/chunk/"
- "url_ioc": "185.129.92.210:7080/cone/cone/pnp/merge/"
- "url_ioc": "91.92.191.134:8080/vermont/symbols/"
- "url_ioc": "92.222.125.16:7080/balloon/forced/pnp/merge/"
- "url_ioc": "117.197.124.36:443/devices/cookies/"
- "url_ioc": "188.166.253.46:8080/raster/jit/"
- "url_ioc": "178.254.6.27:7080/taskbar/srvc/"
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "WCMK49g.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\WCMK49g.exe"
- "Process": "WCMK49g.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\WCMK49g.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Process": "historymachine.exe -> C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 14 unique IP addresses"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.17, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001d000, virtual_size: 0x0001ccfc"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 1527381 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "historymachine"
- "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
- "Description": "File has been identified by 12 Antiviruses on VirusTotal as malicious",
- "Details":
- "Invincea": "heuristic"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Paloalto": "generic.ml"
- "Emsisoft": "Trojan.Agent (A)"
- "Microsoft": "Trojan:Win32/Trickbot.GN"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "ESET-NOD32": "a variant of Win32/Kryptik.GWNL"
- "Tencent": "Win32.Trojan.Inject.Auto"
- "Webroot": "W32.Trojan.Emotet"
- "AVG": "FileRepMalware"
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 3"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 2"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 5"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 10"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 15"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 16"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 24"
- * Started Service:
- "historymachine",
- "wmiApSrv"
- * Mutexes:
- "Global\\IC1C5B64F",
- "Global\\MC1C5B64F",
- "IESQMMUTEX_0_208",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Flag",
- "Global\\WmiApSrv"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\Windows\\SysWOW64\\historymachine.exe",
- "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_00000000-0000-0000-0000-000000000000",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Windows\\SysWOW64\\khmerflows.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WCMK49g.exe",
- "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United Kingdom",
- "ip": "95.128.43.213",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "France",
- "ip": "92.222.125.16",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Iran, Islamic Republic of",
- "ip": "91.92.191.134",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Germany",
- "ip": "87.106.136.232",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Bangladesh",
- "ip": "59.152.93.46",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "201.212.57.109",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "198.199.88.162",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Singapore",
- "ip": "188.166.253.46",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Ecuador",
- "ip": "186.4.172.5",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Azerbaijan",
- "ip": "185.129.92.210",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United Kingdom",
- "ip": "178.62.37.188",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Germany",
- "ip": "178.254.6.27",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Canada",
- "ip": "142.44.162.209",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "India",
- "ip": "117.197.124.36",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement