- * MalFamily: "TrojanSpy"
- * MalScore: 10.0
- * File Name: "Exes_22e71a26c13c9f5ce59a9c67dfa9cbbf.exe"
- * File Size: 932352
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "947272014278229105225f3d360b001645e1975843270f8a797928ac3d44f0d9"
- * MD5: "22e71a26c13c9f5ce59a9c67dfa9cbbf"
- * SHA1: "c18e143160f04fc72435dff4e98af4a06455b7d2"
- * SHA512: "aa2d20a4a21c207967461528e919dd06e6674911b9eb58900a29c1e163e2ed51663c179f477b3d313276158c4309f77eff8a79010e05299065a5435ff5a4de44"
- * CRC32: "F6478CCB"
- * SSDEEP: "24576:QAHnh+eWsN3skA4RV1Hom2KXMmHaf1/IUI5:Hh+ZkldoPK8YafhU"
- * Process Execution:
- "4BmZXkPJH6TLfwn.exe",
- "cmd.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "svchost.exe",
- "taskeng.exe",
- "libmfxsw32.exe",
- "libmfxsw32.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\"",
- "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1",
- "taskeng.exe B7B6B3BE-8658-49AA-A1BF-419A93D30063 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\"",
- "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\"",
- "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\"",
- "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "151.139.128.14:80"
- "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url": "iplogger.org:443//1IZ4k"
- "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
- "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.41589707"
- "Cylance": "Unsafe"
- "BitDefender": "Trojan.GenericKD.41589707"
- "Cybereason": "malicious.160f04"
- "ESET-NOD32": "a variant of Win32/ClipBanker.HL"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "GData": "Trojan.GenericKD.41589707"
- "Kaspersky": "Trojan-Spy.Win64.AutoIt.a"
- "Alibaba": "TrojanSpy:Win64/AutoIt.758b1733"
- "AegisLab": "Trojan.Win64.AutoIt.l!c"
- "Avast": "Win32:Trojan-gen"
- "Endgame": "malicious (high confidence)"
- "Sophos": "Mal/Generic-S"
- "Comodo": "Malware@#3ipzdc5y4fi23"
- "F-Secure": "Heuristic.HEUR/AGEN.1040463"
- "DrWeb": "Trojan.Clipper.8"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.dh"
- "FireEye": "Generic.mg.22e71a26c13c9f5c"
- "Emsisoft": "Trojan.GenericKD.41589707 (B)"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "Avira": "HEUR/AGEN.1040463"
- "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
- "Microsoft": "Program:Win32/Uwamson.A!ml"
- "Arcabit": "Trojan.Generic.D27A9BCB"
- "ZoneAlarm": "Trojan-Spy.Win64.AutoIt.a"
- "Acronis": "suspicious"
- "ALYac": "Trojan.GenericKD.41589707"
- "Ad-Aware": "Trojan.GenericKD.41589707"
- "Malwarebytes": "Spyware.ClipBanker"
- "TrendMicro-HouseCall": "TROJ_GEN.R002C0WHI19"
- "Ikarus": "Trojan.Win32.Clipbanker"
- "Fortinet": "W64/AutoIt.A!tr"
- "AVG": "Win32:Trojan-gen"
- "Panda": "Trj/CI.A"
- "CrowdStrike": "win/malicious_confidence_60% (W)"
- "Qihoo-360": "Win32/Trojan.Spy.881"
- "Description": "Attempts to modify proxy settings",
- "Details":
- "Description": "Appears to use character obfuscation in a command line",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
- * Started Service:
- * Mutexes:
- "1P19dTLTAZy1XuEQf9d6okeFAj5gh3AEoU9139186274clipperrorRER1233326FDSH123"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_99D41F4D77B8F7BB12F6EE812A503A28",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_99D41F4D77B8F7BB12F6EE812A503A28",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\4BmZXkPJH6TLfwn.exe"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\FileDirectory",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASKDIRFORTASKCREATE\\TASKFORTASKCREATE\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASKDIRFORTASKCREATE\\TASKFORTASKCREATE\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\B7B6B3BE-8658-49AA-A1BF-419A93D30063",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\B7B6B3BE-8658-49AA-A1BF-419A93D30063\\data"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL"
- * DNS Communications:
- "type": "A",
- "request": "iplogger.org",
- "answers":
- "data": "88.99.66.31",
- "type": "A"
- * Domains:
- "ip": "88.99.66.31",
- "domain": "iplogger.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Germany",
- "ip": "88.99.66.31",
- "inaddrarpa": "",
- "hostname": "iplogger.org"
- * Network Communication - IRC: