paladin316

1511SWIFTMT202_105RD119002425_exe_2019-09-11_09_30.txt

Sep 11th, 2019
  1.  
  2. * ID: 1511
  3. * MalFamily: "Nanocore"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "SWIFTMT202_105RD119002425.exe"
  8. * File Size: 1360938
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "d9dcdef4fea2521509bb3eeae3dab75392ac903891f0f3161a3a30ff6f26010f"
  11. * MD5: "acef3abfbde27400e0737fb780f6a3cc"
  12. * SHA1: "fcacf624debeb0bdd9d81525961e877e881c7dff"
  13. * SHA512: "c19768846138a4c9cfba180980c5369285cacd879542acb845ef287a6a6200f968e3accc623b62cc5f1d0fa4c16f9972ea8758efb32eccc716bffc082f21fcad"
  14. * CRC32: "FEBC8CB0"
  15. * SSDEEP: "24576:6NA3R5drXvdiVhlFfZ4TyDEPzXNNHp1bO30+3X67LDu1h6LId7nT1RMwaMm3CfBP:z5F+hnfOWEzHQ0+3KPy1h6LIdzTXM76d"
  16.  
  17. * Process Execution:
  18. "SWIFTMT202_105RD119002425.exe",
  19. "wscript.exe",
  20. "xbb.exe",
  21. "RegSvcs.exe",
  22. "schtasks.exe",
  23. "svchost.exe"
  24.  
  25.  
  26. * Executed Commands:
  27. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe\"",
  28. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe ",
  29. "\"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe\" pnn=gbo",
  30. "xbb.exe pnn=gbo",
  31. "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
  32.  
  33.  
  34. * Signatures Detected:
  35.  
  36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  37. "Details":
  38.  
  39.  
  40. "Description": "Behavioural detection: Executable code extraction",
  41. "Details":
  42.  
  43.  
  44. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  45. "Details":
  46.  
  47. "IP_ioc": "79.134.225.110:54985 (Switzerland)"
  48.  
  49.  
  50.  
  51.  
  52. "Description": "Guard pages use detected - possible anti-debugging.",
  53. "Details":
  54.  
  55.  
  56. "Description": "Detected script timer window indicative of sleep style evasion",
  57. "Details":
  58.  
  59. "Window": "WSH-Timer"
  60.  
  61.  
  62.  
  63.  
  64. "Description": "A process attempted to delay the analysis task.",
  65. "Details":
  66.  
  67. "Process": "RegSvcs.exe tried to sleep 1192 seconds, actually delayed analysis time by 0 seconds"
  68.  
  69.  
  70.  
  71.  
  72. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  73. "Details":
  74.  
  75. "ioc": "v2.0.50727"
  76.  
  77.  
  78.  
  79.  
  80. "Description": "Expresses interest in specific running processes",
  81. "Details":
  82.  
  83. "process": "RegSvcs.exe"
  84.  
  85.  
  86.  
  87.  
  88. "Description": "Reads data out of its own binary image",
  89. "Details":
  90.  
  91. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000000, length: 0x00000007"
  92.  
  93.  
  94. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000000, length: 0x00002000"
  95.  
  96.  
  97. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000007, length: 0x0014c423"
  98.  
  99.  
  100. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00001ff0, length: 0x00002000"
  101.  
  102.  
  103. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00003fe0, length: 0x00002000"
  104.  
  105.  
  106. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00005fd0, length: 0x00002000"
  107.  
  108.  
  109. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00007fc0, length: 0x00002000"
  110.  
  111.  
  112. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00009fb0, length: 0x00002000"
  113.  
  114.  
  115. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000bfa0, length: 0x00002000"
  116.  
  117.  
  118. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000df90, length: 0x00002000"
  119.  
  120.  
  121. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000ff80, length: 0x00002000"
  122.  
  123.  
  124. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00011f70, length: 0x00002000"
  125.  
  126.  
  127. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00013f60, length: 0x00002000"
  128.  
  129.  
  130. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00015f50, length: 0x00002000"
  131.  
  132.  
  133. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00017f40, length: 0x00002000"
  134.  
  135.  
  136. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00019f30, length: 0x00002000"
  137.  
  138.  
  139. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001bf20, length: 0x00002000"
  140.  
  141.  
  142. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001df10, length: 0x00002000"
  143.  
  144.  
  145. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001ff00, length: 0x00002000"
  146.  
  147.  
  148. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00021ef0, length: 0x00002000"
  149.  
  150.  
  151. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00023ee0, length: 0x00002000"
  152.  
  153.  
  154. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00025ed0, length: 0x00002000"
  155.  
  156.  
  157. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00027ec0, length: 0x00002000"
  158.  
  159.  
  160. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00029eb0, length: 0x00002000"
  161.  
  162.  
  163. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002bea0, length: 0x00002000"
  164.  
  165.  
  166. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002de90, length: 0x00002000"
  167.  
  168.  
  169. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002fe80, length: 0x00002000"
  170.  
  171.  
  172. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00031e70, length: 0x00002000"
  173.  
  174.  
  175. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00033e60, length: 0x00002000"
  176.  
  177.  
  178. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00035e50, length: 0x00002000"
  179.  
  180.  
  181. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00037e40, length: 0x00002000"
  182.  
  183.  
  184. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00039e30, length: 0x00002000"
  185.  
  186.  
  187. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003be20, length: 0x00002000"
  188.  
  189.  
  190. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003de10, length: 0x00002000"
  191.  
  192.  
  193. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003fe00, length: 0x00002000"
  194.  
  195.  
  196. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00041df0, length: 0x00002000"
  197.  
  198.  
  199. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00043de0, length: 0x00002000"
  200.  
  201.  
  202. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00044400, length: 0x001011d6"
  203.  
  204.  
  205. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001457d5, length: 0x00000028"
  206.  
  207.  
  208. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001459ac, length: 0x00000028"
  209.  
  210.  
  211. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145b8e, length: 0x00000028"
  212.  
  213.  
  214. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145d62, length: 0x00000027"
  215.  
  216.  
  217. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145f77, length: 0x00000028"
  218.  
  219.  
  220. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146153, length: 0x00000028"
  221.  
  222.  
  223. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014632b, length: 0x00000028"
  224.  
  225.  
  226. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001464fd, length: 0x00000028"
  227.  
  228.  
  229. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001466cd, length: 0x00000029"
  230.  
  231.  
  232. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146895, length: 0x00000028"
  233.  
  234.  
  235. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146a5d, length: 0x00000028"
  236.  
  237.  
  238. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146c66, length: 0x00000027"
  239.  
  240.  
  241. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146e63, length: 0x00000027"
  242.  
  243.  
  244. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014707a, length: 0x00000028"
  245.  
  246.  
  247. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014724b, length: 0x00000029"
  248.  
  249.  
  250. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147435, length: 0x00000028"
  251.  
  252.  
  253. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147636, length: 0x00000029"
  254.  
  255.  
  256. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147824, length: 0x00000027"
  257.  
  258.  
  259. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001479f1, length: 0x00000028"
  260.  
  261.  
  262. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147be1, length: 0x00000028"
  263.  
  264.  
  265. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147dc9, length: 0x00000028"
  266.  
  267.  
  268. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147fa0, length: 0x00000028"
  269.  
  270.  
  271. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014817a, length: 0x00000028"
  272.  
  273.  
  274. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014837d, length: 0x00000027"
  275.  
  276.  
  277. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001485a3, length: 0x00000028"
  278.  
  279.  
  280. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148784, length: 0x00000028"
  281.  
  282.  
  283. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014896a, length: 0x00000028"
  284.  
  285.  
  286. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148b43, length: 0x00000028"
  287.  
  288.  
  289. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148d4a, length: 0x00000028"
  290.  
  291.  
  292. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148f15, length: 0x00000028"
  293.  
  294.  
  295. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001490e1, length: 0x00000028"
  296.  
  297.  
  298. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001492f3, length: 0x00000028"
  299.  
  300.  
  301. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001494c5, length: 0x00000028"
  302.  
  303.  
  304. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149694, length: 0x00000028"
  305.  
  306.  
  307. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014988b, length: 0x00000027"
  308.  
  309.  
  310. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149a84, length: 0x00000028"
  311.  
  312.  
  313. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149c53, length: 0x00000028"
  314.  
  315.  
  316. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149e2d, length: 0x00000028"
  317.  
  318.  
  319. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149ffa, length: 0x00000028"
  320.  
  321.  
  322. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a1fd, length: 0x00000028"
  323.  
  324.  
  325. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a40c, length: 0x00000028"
  326.  
  327.  
  328. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a5ed, length: 0x00000028"
  329.  
  330.  
  331. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a7c3, length: 0x00000028"
  332.  
  333.  
  334. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a998, length: 0x00000028"
  335.  
  336.  
  337. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014aba4, length: 0x00000028"
  338.  
  339.  
  340. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014adb4, length: 0x00000028"
  341.  
  342.  
  343. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014af9d, length: 0x00000028"
  344.  
  345.  
  346. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b16f, length: 0x00000028"
  347.  
  348.  
  349. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b376, length: 0x00000028"
  350.  
  351.  
  352. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b541, length: 0x00000028"
  353.  
  354.  
  355. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b762, length: 0x00000028"
  356.  
  357.  
  358. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b947, length: 0x00000028"
  359.  
  360.  
  361. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bb46, length: 0x00000028"
  362.  
  363.  
  364. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bd53, length: 0x00000027"
  365.  
  366.  
  367. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bf3f, length: 0x00000028"
  368.  
  369.  
  370. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014c15a, length: 0x00000028"
  371.  
  372.  
  373. "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014c339, length: 0x0000001b"
  374.  
  375.  
  376. "self_read": "process: wscript.exe, pid: 2092, offset: 0x00000000, length: 0x00000040"
  377.  
  378.  
  379. "self_read": "process: wscript.exe, pid: 2092, offset: 0x000000f0, length: 0x00000018"
  380.  
  381.  
  382. "self_read": "process: wscript.exe, pid: 2092, offset: 0x000001e8, length: 0x00000078"
  383.  
  384.  
  385. "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018000, length: 0x00000020"
  386.  
  387.  
  388. "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018058, length: 0x00000018"
  389.  
  390.  
  391. "self_read": "process: wscript.exe, pid: 2092, offset: 0x000181a8, length: 0x00000018"
  392.  
  393.  
  394. "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018470, length: 0x00000010"
  395.  
  396.  
  397. "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018640, length: 0x00000012"
  398.  
  399.  
  400. "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000000, length: 0x00001000"
  401.  
  402.  
  403. "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000080, length: 0x00000200"
  404.  
  405.  
  406. "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000178, length: 0x00000200"
  407.  
  408.  
  409. "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00005b20, length: 0x00000200"
  410.  
  411.  
  412. "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00005b3c, length: 0x00000200"
  413.  
  414.  
  415.  
  416.  
  417. "Description": "A process created a hidden window",
  418. "Details":
  419.  
  420. "Process": "RegSvcs.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
  421.  
  422.  
  423.  
  424.  
  425. "Description": "A scripting utility was executed",
  426. "Details":
  427.  
  428. "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe\""
  429.  
  430.  
  431.  
  432.  
  433. "Description": "Uses Windows utilities for basic functionality",
  434. "Details":
  435.  
  436. "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
  437.  
  438.  
  439.  
  440.  
  441. "Description": "Behavioural detection: Injection (Process Hollowing)",
  442. "Details":
  443.  
  444. "Injection": "xbb.exe(2792) -> RegSvcs.exe(1664)"
  445.  
  446.  
  447.  
  448.  
  449. "Description": "Executed a process and injected code into it, probably while unpacking",
  450. "Details":
  451.  
  452. "Injection": "xbb.exe(2792) -> RegSvcs.exe(1664)"
  453.  
  454.  
  455.  
  456.  
  457. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  458. "Details":
  459.  
  460. "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
  461.  
  462.  
  463.  
  464.  
  465. "Description": "Behavioural detection: Injection (inter-process)",
  466. "Details":
  467.  
  468.  
  469. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  470. "Details":
  471.  
  472.  
  473. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  474. "Details":
  475.  
  476. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  477.  
  478.  
  479.  
  480.  
  481. "Description": "Installs itself for autorun at Windows startup",
  482. "Details":
  483.  
  484. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
  485.  
  486.  
  487. "data": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\PNN_GB~1"
  488.  
  489.  
  490.  
  491.  
  492. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  493. "Details":
  494.  
  495.  
  496. "Description": "Stack pivoting was detected when using a critical API",
  497. "Details":
  498.  
  499. "process": "svchost.exe:884"
  500.  
  501.  
  502.  
  503.  
  504. "Description": "Creates a hidden or system file",
  505. "Details":
  506.  
  507. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe"
  508.  
  509.  
  510. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044"
  511.  
  512.  
  513. "file": "C:\\Users\\user\\temp"
  514.  
  515.  
  516.  
  517.  
  518. "Description": "File has been identified by 23 Antiviruses on VirusTotal as malicious",
  519. "Details":
  520.  
  521. "FireEye": "Generic.mg.acef3abfbde27400"
  522.  
  523.  
  524. "Cybereason": "malicious.4debeb"
  525.  
  526.  
  527. "APEX": "Malicious"
  528.  
  529.  
  530. "ClamAV": "Win.Malware.Mycop-6983471-0"
  531.  
  532.  
  533. "Kaspersky": "HEUR:Trojan-Dropper.Win32.Generic"
  534.  
  535.  
  536. "AegisLab": "Trojan.BAT.Crypter.tqa8"
  537.  
  538.  
  539. "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
  540.  
  541.  
  542. "F-Secure": "Dropper.DR/AutoIt.Gen"
  543.  
  544.  
  545. "Invincea": "heuristic"
  546.  
  547.  
  548. "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
  549.  
  550.  
  551. "Cyren": "W32/AutoIt.EN.gen!Eldorado"
  552.  
  553.  
  554. "Avira": "DR/AutoIt.Gen"
  555.  
  556.  
  557. "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
  558.  
  559.  
  560. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  561.  
  562.  
  563. "ZoneAlarm": "HEUR:Trojan-Dropper.Win32.Generic"
  564.  
  565.  
  566. "Cylance": "Unsafe"
  567.  
  568.  
  569. "Zoner": "Probably RARAutorun"
  570.  
  571.  
  572. "Yandex": "Trojan.Agent!nS7qVYN4VgU"
  573.  
  574.  
  575. "Ikarus": "Win32.Outbreak"
  576.  
  577.  
  578. "Fortinet": "W32/Generic.AC.45A0E1!tr"
  579.  
  580.  
  581. "AVG": "FileRepMalware"
  582.  
  583.  
  584. "CrowdStrike": "win/malicious_confidence_80% (W)"
  585.  
  586.  
  587. "Qihoo-360": "HEUR/QVM10.1.CF17.Malware.Gen"
  588.  
  589.  
  590.  
  591.  
  592. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  593. "Details":
  594.  
  595. "target": "clamav:Win.Malware.Mycop-6983471-0, sha256:d9dcdef4fea2521509bb3eeae3dab75392ac903891f0f3161a3a30ff6f26010f, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  596.  
  597.  
  598. "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  599.  
  600.  
  601.  
  602.  
  603. "Description": "Drops a binary and executes it",
  604. "Details":
  605.  
  606. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe"
  607.  
  608.  
  609.  
  610.  
  611. "Description": "Collects information to fingerprint the system",
  612. "Details":
  613.  
  614.  
  615.  
  616. * Started Service:
  617.  
  618. * Mutexes:
  619. "DefaultTabtip-MainUI",
  620. "Local\\ZoneAttributeCacheCounterMutex",
  621. "Local\\ZonesCacheCounterMutex",
  622. "Local\\ZonesLockedCacheCounterMutex",
  623. "Global\\CLR_PerfMon_WrapMutex",
  624. "Global\\CLR_CASOFF_MUTEX",
  625. "Global\\25104a4c-f498-4fa3-b06f-7cb02eff6741",
  626. "Global\\.net clr networking"
  627.  
  628.  
  629. * Modified Files:
  630. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\__tmp_rar_sfx_access_check_11654343",
  631. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cjr.ppt",
  632. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\pnn=gbo",
  633. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe",
  634. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe",
  635. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lca.ico",
  636. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cgb.bmp",
  637. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\axt.msc",
  638. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\rqu.icm",
  639. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\plh.txt",
  640. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\hcm.icm",
  641. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\uow.icm",
  642. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\kma.exe",
  643. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\mus.mp3",
  644. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bjg.dll",
  645. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ksb.exe",
  646. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\est.xml",
  647. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\eaj.docx",
  648. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\npf.exe",
  649. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\itf.xml",
  650. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jaw.docx",
  651. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jcs.msc",
  652. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vxo.jpg",
  653. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gpr.bin",
  654. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vnu.ppt",
  655. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jkl.xl",
  656. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xkn.jpg",
  657. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\coc.ico",
  658. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lse.ico",
  659. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vrr.dll",
  660. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oak.docx",
  661. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\deu.exe",
  662. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\wco.bmp",
  663. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oxs.xl",
  664. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gqa.xl",
  665. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bcn.msc",
  666. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\opw.docx",
  667. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ptk.xls",
  668. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\smw.docx",
  669. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xxu.xl",
  670. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\noo.mp3",
  671. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vxn.ico",
  672. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\wsf.exe",
  673. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gjn.ppt",
  674. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vlb.bin",
  675. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bas.xl",
  676. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\dpn.ini",
  677. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\mdn.dat",
  678. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\sdi.bmp",
  679. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\hfj.ico",
  680. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jlg.msc",
  681. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jcx.icm",
  682. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ivm.exe",
  683. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\qgx.ico",
  684. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\iko.pdf",
  685. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cph.log",
  686. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\glt.xl",
  687. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\dnh.txt",
  688. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ath.ini",
  689. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ovq.bin",
  690. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gvg.msc",
  691. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xjh.bmp",
  692. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\aqx.ppt",
  693. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lal.mp3",
  694. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\qua.cpl",
  695. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lde.dll",
  696. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\rrd.cpl",
  697. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\uju.icm",
  698. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\crj.mp3",
  699. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\abe.exe",
  700. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\odn.ini",
  701. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oog.log",
  702. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\edp.bmp",
  703. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\iqs.icm",
  704. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lrm.exe",
  705. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xjg.xl",
  706. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ewr.mp3",
  707. "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\apr.log",
  708. "C:\\Users\\user\\temp\\cjr.ppt",
  709. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
  710. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp",
  711. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
  712. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  713. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
  714.  
  715.  
  716. * Deleted Files:
  717. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp",
  718. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier",
  719. "C:\\Windows\\Tasks\\DSL Subsystem.job",
  720. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  721.  
  722.  
  723. * Modified Registry Keys:
  724. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  725. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  726. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  727. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
  728. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Path",
  729. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Hash",
  730. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
  731. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
  732. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Triggers"
  733.  
  734.  
  735. * Deleted Registry Keys:
  736. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  737. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  738. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  739. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  740. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
  741. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp"
  742.  
  743.  
  744. * DNS Communications:
  745.  
  746. "type": "A",
  747. "request": "1gstemos.duckdns.org",
  748. "answers":
  749.  
  750. "data": "79.134.225.110",
  751. "type": "A"
  752.  
  753.  
  754.  
  755.  
  756. "type": "A",
  757. "request": "jaden222.kozow.com",
  758. "answers":
  759.  
  760.  
  761.  
  762. * Domains:
  763.  
  764. "ip": "79.134.225.110",
  765. "domain": "1gstemos.duckdns.org"
  766.  
  767.  
  768. "ip": "79.134.225.110",
  769. "domain": "jaden222.kozow.com"
  770.  
  771.  
  772.  
  773. * Network Communication - ICMP:
  774.  
  775. * Network Communication - HTTP:
  776.  
  777. * Network Communication - SMTP:
  778.  
  779. * Network Communication - Hosts:
  780.  
  781. "country_name": "Switzerland",
  782. "ip": "79.134.225.110",
  783. "inaddrarpa": "",
  784. "hostname": "1gstemos.duckdns.org"
  785.  
  786.  
  787.  
  788. * Network Communication - IRC: