- * ID: 2398
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Pony_e66b8fb74f7a5d490b39b718be129134.exe"
- * File Size: 291840
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "13d47b45e8f68e833d6cb30a463f2ae09aa5a14e95230780efc48237cb2be624"
- * MD5: "e66b8fb74f7a5d490b39b718be129134"
- * SHA1: "9a71153ee74ffe942b9bcba9109e6e392e22c02b"
- * SHA512: "77c6b0568a41c51ff47c5de1356009af63cc1c16041fd2446b850bd3310a25e9a36f49cdc228dd3a7e69946727bc6dc7ede6d11af8a289917e8bedadfb3d1f64"
- * CRC32: "48D777CC"
- * SSDEEP: "6144:+0MZPlvCy5lpzT8zoEnr8ym7OKUNQyVqTmZ6MBJSmAuCCI0JC:sxCy5LzT8zoKvmKKUCyV7LBEnCI0J"
- * Process Execution:
- "AuB94vaqyGOObkG.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp4297.tmp\"",
- "schtasks.exe /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp4297.tmp\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "AuB94vaqyGOObkG.exe -> schtasks.exe"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.70, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00045400, virtual_size: 0x00045304"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp4297.tmp\""
- "command": "schtasks.exe /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp4297.tmp\""
- "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:884"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe"
- "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.e66b8fb74f7a5d49"
- "Cybereason": "malicious.ee74ff"
- "Invincea": "heuristic"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Paloalto": "generic.ml"
- "Tencent": "Win32.Trojan.Inject.Auto"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "AhnLab-V3": "Spyware/Win32.KeyLogger.C131843"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of MSIL/GenKryptik.DTGY"
- "SentinelOne": "DFI - Malicious PE"
- "CrowdStrike": "win/malicious_confidence_80% (W)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp4297.tmp",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
- * Deleted Files:
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: