Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 896
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
- * File Size: 576000
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
- * MD5: "1381c4eafba0a330272c831d78f60dfa"
- * SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
- * SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
- * CRC32: "1441EB5D"
- * SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"
- * Process Execution:
- "L1AbF3BmsWg52.exe",
- "powershell.exe",
- "images.exe",
- "powershell.exe",
- "cmd.exe",
- "explorer.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WMIADAP.exe",
- "taskhost.exe"
- * Executed Commands:
- "powershell Add-MpPreference -ExclusionPath C:\\",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: images.exe, pid: 1340, offset: 0x00000000, length: 0x0008ca00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "powershell Add-MpPreference -ExclusionPath C:\\"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: explorer.exe(2044)"
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details":
- "Injection": "images.exe(1340) -> cmd.exe(572)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "cmd.exe tried to sleep 372 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
- "Process": "images.exe tried to sleep 38241 seconds, actually delayed analysis time by 0 seconds"
- "Process": "L1AbF3BmsWg52.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- "data": "C:\\ProgramData\\images.exe"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "L1AbF3BmsWg52.exe:2432"
- "process": "images.exe:1340"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP"
- "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.1381c4eafba0a330"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "K7GW": "Riskware ( 0040eff71 )"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
- "Paloalto": "generic.ml"
- "Endgame": "malicious (high confidence)"
- "F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
- "DrWeb": "Trojan.PWS.Maria.3"
- "SentinelOne": "DFI - Malicious PE"
- "Avira": "TR/AD.MortyStealer.yepni"
- "Antiy-AVL": "TrojanSpy/Win32.AveMaria"
- "ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
- "Malwarebytes": "Backdoor.AveMaria"
- "Fortinet": "W32/AveMaria.BVF!tr"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.2bbfe5"
- "Panda": "Trj/GdSda.A"
- "Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\images.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\ProgramData\\images.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\ProgramData\\images.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\H89AQB09FTYVTS1R2EIX.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\04-09-2019_02.52.18",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\EFIF7CEKMGS59OTQZ3W7.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\ProgramData\\images.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\H89AQB09FTYVTS1R2EIX.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1968.35318437",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1968.35318453",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1968.35318453",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1772.35322703",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1772.35322703",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1772.35322703"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- "type": "A",
- "request": "warzo.duckdns.org",
- "answers":
- "data": "23.105.131.202",
- "type": "A"
- * Domains:
- "ip": "23.105.131.202",
- "domain": "warzo.duckdns.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "23.105.131.202",
- "inaddrarpa": "",
- "hostname": "warzo.duckdns.org"
- * Network Communication - IRC:
Add Comment
Please, Sign In to add comment