paladin316

Exes_870b77b31e7956807767fa54c0d08023_exe_2019-08-28_10_30.txt

Aug 28th, 2019
  1.  
  2. * MalFamily: "Malicious"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_870b77b31e7956807767fa54c0d08023.exe"
  7. * File Size: 1158656
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "71dbba7fb09e01e7f4b2a7b0ceb35d427af6642aa8baa94b6ff9f6df587af685"
  10. * MD5: "870b77b31e7956807767fa54c0d08023"
  11. * SHA1: "f0e33386cca4fe60b16840a2cc2abe9e7be7f19a"
  12. * SHA512: "dbb32d25d3fd96034d2e7de4d76a5c24c86ff45b6074681a46b5d19c9a60da1b0119e24143f03b00798dc6ae136dc61fec953e66417d84383321250362024ac9"
  13. * CRC32: "0823768B"
  14. * SSDEEP: "24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaPQ5XFo4QKxpBTV4NhzYj5:5h+ZkldoPK8YaP2Xa4QoB6N90"
  15.  
  16. * Process Execution:
  17. "J3VyTq55o.exe"
  18.  
  19.  
  20. * Executed Commands:
  21.  
  22. * Signatures Detected:
  23.  
  24. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  25. "Details":
  26.  
  27.  
  28. "Description": "Creates RWX memory",
  29. "Details":
  30.  
  31.  
  32. "Description": "Reads data out of its own binary image",
  33. "Details":
  34.  
  35. "self_read": "process: J3VyTq55o.exe, pid: 1504, offset: 0x00000000, length: 0x0011ae00"
  36.  
  37.  
  38.  
  39.  
  40. "Description": "The binary likely contains encrypted or compressed data.",
  41. "Details":
  42.  
  43. "section": "name: .rsrc, entropy: 7.51, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00050800, virtual_size: 0x00050684"
  44.  
  45.  
  46.  
  47.  
  48. "Description": "Installs itself for autorun at Windows startup",
  49. "Details":
  50.  
  51. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mqoezndnrj"
  52.  
  53.  
  54. "data": "C:\\Users\\Public\\mqoezndnrj.vbs"
  55.  
  56.  
  57.  
  58.  
  59. "Description": "File has been identified by 35 Antiviruses on VirusTotal as malicious",
  60. "Details":
  61.  
  62. "MicroWorld-eScan": "Trojan.AIT.Agent.B"
  63.  
  64.  
  65. "FireEye": "Trojan.AIT.Agent.B"
  66.  
  67.  
  68. "McAfee": "Trojan-AitInject.aq"
  69.  
  70.  
  71. "Cylance": "Unsafe"
  72.  
  73.  
  74. "K7AntiVirus": "Trojan ( 700000111 )"
  75.  
  76.  
  77. "K7GW": "Trojan ( 700000111 )"
  78.  
  79.  
  80. "Cybereason": "malicious.6cca4f"
  81.  
  82.  
  83. "Arcabit": "Trojan.AIT.Agent.B"
  84.  
  85.  
  86. "Invincea": "heuristic"
  87.  
  88.  
  89. "F-Prot": "W32/AutoIt.KF.gen!Eldorado"
  90.  
  91.  
  92. "Symantec": "Packed.Generic.548"
  93.  
  94.  
  95. "APEX": "Malicious"
  96.  
  97.  
  98. "ClamAV": "Win.Malware.Autoit-7114825-0"
  99.  
  100.  
  101. "Kaspersky": "HEUR:Trojan.Win32.Generic"
  102.  
  103.  
  104. "BitDefender": "Trojan.AIT.Agent.B"
  105.  
  106.  
  107. "Ad-Aware": "Trojan.AIT.Agent.B"
  108.  
  109.  
  110. "F-Secure": "Heuristic.HEUR/AGEN.1038811"
  111.  
  112.  
  113. "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
  114.  
  115.  
  116. "Emsisoft": "Trojan.AIT.Agent.B (B)"
  117.  
  118.  
  119. "Cyren": "W32/AutoIt.KF.gen!Eldorado"
  120.  
  121.  
  122. "Avira": "HEUR/AGEN.1038811"
  123.  
  124.  
  125. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  126.  
  127.  
  128. "Endgame": "malicious (high confidence)"
  129.  
  130.  
  131. "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
  132.  
  133.  
  134. "GData": "Trojan.AIT.Agent.B (2x)"
  135.  
  136.  
  137. "AhnLab-V3": "Trojan/Win32.RL_AutoInj.R272810"
  138.  
  139.  
  140. "Acronis": "suspicious"
  141.  
  142.  
  143. "ALYac": "Trojan.AIT.Agent.B"
  144.  
  145.  
  146. "MAX": "malware (ai score=83)"
  147.  
  148.  
  149. "ESET-NOD32": "a variant of Win32/Injector.Autoit.EFK"
  150.  
  151.  
  152. "Rising": "Trojan.Injector/Autoit!1.BB82 (CLASSIC)"
  153.  
  154.  
  155. "Ikarus": "Trojan-Spy.HawkEye"
  156.  
  157.  
  158. "Fortinet": "AutoIt/Agent.FC2A!tr"
  159.  
  160.  
  161. "CrowdStrike": "win/malicious_confidence_100% (D)"
  162.  
  163.  
  164. "Qihoo-360": "HEUR/QVM10.1.810B.Malware.Gen"
  165.  
  166.  
  167.  
  168.  
  169. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  170. "Details":
  171.  
  172. "target": "clamav:Win.Malware.Autoit-7114825-0, sha256:71dbba7fb09e01e7f4b2a7b0ceb35d427af6642aa8baa94b6ff9f6df587af685, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  173.  
  174.  
  175. "dropped": "clamav:Win.Malware.Autoit-7114825-0, sha256:b501baf07ee4fe96ac3bd07156fdc125bfe880628c238f60b6c88338ed417137 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  176.  
  177.  
  178.  
  179.  
  180. "Description": "Creates a slightly modified copy of itself",
  181. "Details":
  182.  
  183. "file": "C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat"
  184.  
  185.  
  186. "percent_match": 100
  187.  
  188.  
  189.  
  190.  
  191. "Description": "Anomalous binary characteristics",
  192. "Details":
  193.  
  194. "anomaly": "Actual checksum does not match that reported in PE header"
  195.  
  196.  
  197.  
  198.  
  199.  
  200. * Started Service:
  201.  
  202. * Mutexes:
  203. "CicLoadWinStaWinSta0",
  204. "Local\\MSCTF.CtfMonitorInstMutexDefault1"
  205.  
  206.  
  207. * Modified Files:
  208. "C:\\Users\\user\\AppData\\Roaming\\cscript\\acproxy.bat",
  209. "C:\\Users\\Public\\mqoezndnrj.vbs"
  210.  
  211.  
  212. * Deleted Files:
  213.  
  214. * Modified Registry Keys:
  215. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mqoezndnrj"
  216.  
  217.  
  218. * Deleted Registry Keys:
  219.  
  220. * DNS Communications:
  221.  
  222. * Domains:
  223.  
  224. * Network Communication - ICMP:
  225.  
  226. * Network Communication - HTTP:
  227.  
  228. * Network Communication - SMTP:
  229.  
  230. * Network Communication - Hosts:
  231.  
  232. * Network Communication - IRC: