Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_870b77b31e7956807767fa54c0d08023.exe"
- * File Size: 1158656
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "71dbba7fb09e01e7f4b2a7b0ceb35d427af6642aa8baa94b6ff9f6df587af685"
- * MD5: "870b77b31e7956807767fa54c0d08023"
- * SHA1: "f0e33386cca4fe60b16840a2cc2abe9e7be7f19a"
- * SHA512: "dbb32d25d3fd96034d2e7de4d76a5c24c86ff45b6074681a46b5d19c9a60da1b0119e24143f03b00798dc6ae136dc61fec953e66417d84383321250362024ac9"
- * CRC32: "0823768B"
- * SSDEEP: "24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaPQ5XFo4QKxpBTV4NhzYj5:5h+ZkldoPK8YaP2Xa4QoB6N90"
- * Process Execution:
- "J3VyTq55o.exe"
- * Executed Commands:
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: J3VyTq55o.exe, pid: 1504, offset: 0x00000000, length: 0x0011ae00"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.51, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00050800, virtual_size: 0x00050684"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mqoezndnrj"
- "data": "C:\\Users\\Public\\mqoezndnrj.vbs"
- "Description": "File has been identified by 35 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.AIT.Agent.B"
- "FireEye": "Trojan.AIT.Agent.B"
- "McAfee": "Trojan-AitInject.aq"
- "Cylance": "Unsafe"
- "K7AntiVirus": "Trojan ( 700000111 )"
- "K7GW": "Trojan ( 700000111 )"
- "Cybereason": "malicious.6cca4f"
- "Arcabit": "Trojan.AIT.Agent.B"
- "Invincea": "heuristic"
- "F-Prot": "W32/AutoIt.KF.gen!Eldorado"
- "Symantec": "Packed.Generic.548"
- "APEX": "Malicious"
- "ClamAV": "Win.Malware.Autoit-7114825-0"
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- "BitDefender": "Trojan.AIT.Agent.B"
- "Ad-Aware": "Trojan.AIT.Agent.B"
- "F-Secure": "Heuristic.HEUR/AGEN.1038811"
- "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
- "Emsisoft": "Trojan.AIT.Agent.B (B)"
- "Cyren": "W32/AutoIt.KF.gen!Eldorado"
- "Avira": "HEUR/AGEN.1038811"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "GData": "Trojan.AIT.Agent.B (2x)"
- "AhnLab-V3": "Trojan/Win32.RL_AutoInj.R272810"
- "Acronis": "suspicious"
- "ALYac": "Trojan.AIT.Agent.B"
- "MAX": "malware (ai score=83)"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.EFK"
- "Rising": "Trojan.Injector/Autoit!1.BB82 (CLASSIC)"
- "Ikarus": "Trojan-Spy.HawkEye"
- "Fortinet": "AutoIt/Agent.FC2A!tr"
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- "Qihoo-360": "HEUR/QVM10.1.810B.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Autoit-7114825-0, sha256:71dbba7fb09e01e7f4b2a7b0ceb35d427af6642aa8baa94b6ff9f6df587af685, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-7114825-0, sha256:b501baf07ee4fe96ac3bd07156fdc125bfe880628c238f60b6c88338ed417137 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat"
- "percent_match": 100
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat",
- "C:\\Users\\Public\\mqoezndnrj.vbs"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mqoezndnrj"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement