Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 893
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
- * File Size: 576000
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
- * MD5: "1381c4eafba0a330272c831d78f60dfa"
- * SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
- * SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
- * CRC32: "1441EB5D"
- * SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"
- * Process Execution:
- "50STpnDtuaHfJr.exe",
- "powershell.exe",
- "images.exe",
- "powershell.exe",
- "cmd.exe",
- "explorer.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "powershell Add-MpPreference -ExclusionPath C:\\",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: images.exe, pid: 2252, offset: 0x00000000, length: 0x0008ca00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\ProgramData\\images.exe"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "powershell Add-MpPreference -ExclusionPath C:\\"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: explorer.exe(1960)"
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details":
- "Injection": "images.exe(2252) -> cmd.exe(2024)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "cmd.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Process": "50STpnDtuaHfJr.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- "Process": "images.exe tried to sleep 37121 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- "data": "C:\\ProgramData\\images.exe"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP"
- "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.1381c4eafba0a330"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "K7GW": "Riskware ( 0040eff71 )"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
- "Paloalto": "generic.ml"
- "Endgame": "malicious (high confidence)"
- "F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
- "DrWeb": "Trojan.PWS.Maria.3"
- "SentinelOne": "DFI - Malicious PE"
- "Avira": "TR/AD.MortyStealer.yepni"
- "Antiy-AVL": "TrojanSpy/Win32.AveMaria"
- "ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
- "Malwarebytes": "Backdoor.AveMaria"
- "Fortinet": "W32/AveMaria.BVF!tr"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.2bbfe5"
- "Panda": "Trj/GdSda.A"
- "Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\images.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\ProgramData\\images.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GQ4JN80CS7GZM44MX5D0.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\03-09-2019_17.08.36",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Z38GN1C8K4I6BWVWYRZ0.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\ProgramData\\images.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GQ4JN80CS7GZM44MX5D0.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2276.3512515",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2276.3512515",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2276.3512515",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1120.4405375",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1120.4405375",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1120.4405375"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- "type": "A",
- "request": "warzo.duckdns.org",
- "answers":
- "data": "23.105.131.202",
- "type": "A"
- * Domains:
- "ip": "23.105.131.202",
- "domain": "warzo.duckdns.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "23.105.131.202",
- "inaddrarpa": "",
- "hostname": "warzo.duckdns.org"
- * Network Communication - IRC:
Add Comment
Please, Sign In to add comment