
Exes_22e71a26c13c9f5ce59a9c67dfa9cbbf_exe_2019-08-19_09_00.txt

Aug 19th, 2019
  1.  
  2. * MalFamily: "TrojanSpy"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_22e71a26c13c9f5ce59a9c67dfa9cbbf.exe"
  7. * File Size: 932352
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "947272014278229105225f3d360b001645e1975843270f8a797928ac3d44f0d9"
  10. * MD5: "22e71a26c13c9f5ce59a9c67dfa9cbbf"
  11. * SHA1: "c18e143160f04fc72435dff4e98af4a06455b7d2"
  12. * SHA512: "aa2d20a4a21c207967461528e919dd06e6674911b9eb58900a29c1e163e2ed51663c179f477b3d313276158c4309f77eff8a79010e05299065a5435ff5a4de44"
  13. * CRC32: "F6478CCB"
  14. * SSDEEP: "24576:QAHnh+eWsN3skA4RV1Hom2KXMmHaf1/IUI5:Hh+ZkldoPK8YafhU"
  15.  
  16. * Process Execution:
  17. "4BmZXkPJH6TLfwn.exe",
  18. "cmd.exe",
  19. "icacls.exe",
  20. "icacls.exe",
  21. "icacls.exe",
  22. "svchost.exe",
  23. "taskeng.exe",
  24. "libmfxsw32.exe",
  25. "libmfxsw32.exe"
  26.  
  27.  
  28. * Executed Commands:
  29. "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\"",
  30. "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1",
  31. "taskeng.exe B7B6B3BE-8658-49AA-A1BF-419A93D30063 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  32. "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\"",
  33. "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\"",
  34. "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\"",
  35. "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
  36.  
  37.  
  38. * Signatures Detected:
  39.  
  40. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  41. "Details":
  42.  
  43.  
  44. "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
  45. "Details":
  46.  
  47. "IP": "151.139.128.14:80"
  48.  
  49.  
  50.  
  51.  
  52. "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
  53. "Details":
  54.  
  55. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  56.  
  57.  
  58.  
  59.  
  60. "Description": "Performs HTTP requests potentially not found in PCAP.",
  61. "Details":
  62.  
  63. "url": "iplogger.org:443//1IZ4k"
  64.  
  65.  
  66.  
  67.  
  68. "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
  69. "Details":
  70.  
  71. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  72.  
  73.  
  74.  
  75.  
  76. "Description": "Drops a binary and executes it",
  77. "Details":
  78.  
  79. "binary": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
  80.  
  81.  
  82.  
  83.  
  84. "Description": "Uses Windows utilities for basic functionality",
  85. "Details":
  86.  
  87. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  88.  
  89.  
  90.  
  91.  
  92. "Description": "Deletes its original binary from disk",
  93. "Details":
  94.  
  95.  
  96. "Description": "Creates a hidden or system file",
  97. "Details":
  98.  
  99. "file": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux"
  100.  
  101.  
  102. "file": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
  103.  
  104.  
  105. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  106.  
  107.  
  108.  
  109.  
  110. "Description": "File has been identified as malicious by 38 antivirus engines on VirusTotal",
  111. "Details":
  112.  
  113. "MicroWorld-eScan": "Trojan.GenericKD.41589707"
  114.  
  115.  
  116. "Cylance": "Unsafe"
  117.  
  118.  
  119. "BitDefender": "Trojan.GenericKD.41589707"
  120.  
  121.  
  122. "Cybereason": "malicious.160f04"
  123.  
  124.  
  125. "ESET-NOD32": "a variant of Win32/ClipBanker.HL"
  126.  
  127.  
  128. "APEX": "Malicious"
  129.  
  130.  
  131. "Paloalto": "generic.ml"
  132.  
  133.  
  134. "GData": "Trojan.GenericKD.41589707"
  135.  
  136.  
  137. "Kaspersky": "Trojan-Spy.Win64.AutoIt.a"
  138.  
  139.  
  140. "Alibaba": "TrojanSpy:Win64/AutoIt.758b1733"
  141.  
  142.  
  143. "AegisLab": "Trojan.Win64.AutoIt.l!c"
  144.  
  145.  
  146. "Avast": "Win32:Trojan-gen"
  147.  
  148.  
  149. "Endgame": "malicious (high confidence)"
  150.  
  151.  
  152. "Sophos": "Mal/Generic-S"
  153.  
  154.  
  155. "Comodo": "Malware@#3ipzdc5y4fi23"
  156.  
  157.  
  158. "F-Secure": "Heuristic.HEUR/AGEN.1040463"
  159.  
  160.  
  161. "DrWeb": "Trojan.Clipper.8"
  162.  
  163.  
  164. "Invincea": "heuristic"
  165.  
  166.  
  167. "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.dh"
  168.  
  169.  
  170. "FireEye": "Generic.mg.22e71a26c13c9f5c"
  171.  
  172.  
  173. "Emsisoft": "Trojan.GenericKD.41589707 (B)"
  174.  
  175.  
  176. "MaxSecure": "Trojan.Malware.300983.susgen"
  177.  
  178.  
  179. "Avira": "HEUR/AGEN.1040463"
  180.  
  181.  
  182. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
  183.  
  184.  
  185. "Microsoft": "Program:Win32/Uwamson.A!ml"
  186.  
  187.  
  188. "Arcabit": "Trojan.Generic.D27A9BCB"
  189.  
  190.  
  191. "ZoneAlarm": "Trojan-Spy.Win64.AutoIt.a"
  192.  
  193.  
  194. "Acronis": "suspicious"
  195.  
  196.  
  197. "ALYac": "Trojan.GenericKD.41589707"
  198.  
  199.  
  200. "Ad-Aware": "Trojan.GenericKD.41589707"
  201.  
  202.  
  203. "Malwarebytes": "Spyware.ClipBanker"
  204.  
  205.  
  206. "TrendMicro-HouseCall": "TROJ_GEN.R002C0WHI19"
  207.  
  208.  
  209. "Ikarus": "Trojan.Win32.Clipbanker"
  210.  
  211.  
  212. "Fortinet": "W64/AutoIt.A!tr"
  213.  
  214.  
  215. "AVG": "Win32:Trojan-gen"
  216.  
  217.  
  218. "Panda": "Trj/CI.A"
  219.  
  220.  
  221. "CrowdStrike": "win/malicious_confidence_60% (W)"
  222.  
  223.  
  224. "Qihoo-360": "Win32/Trojan.Spy.881"
  225.  
  226.  
  227.  
  228.  
  229. "Description": "Attempts to modify proxy settings",
  230. "Details":
  231.  
  232.  
  233. "Description": "Appears to use character obfuscation in a command line",
  234. "Details":
  235.  
  236. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  237.  
  238.  
  239.  
  240.  
  241. "Description": "Creates a copy of itself",
  242. "Details":
  243.  
  244. "copy": "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe"
  245.  
  246.  
  247.  
  248.  
  249. "Description": "Uses suspicious command line tools or Windows utilities",
  250. "Details":
  251.  
  252. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  253.  
  254.  
  255. "command": "C:\\Windows\\system32\\cmd.exe /c icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\" & icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  256.  
  257.  
  258. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\""
  259.  
  260.  
  261. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-1-0:(R,REA,RA,RD)\""
  262.  
  263.  
  264. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\""
  265.  
  266.  
  267. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"*S-1-5-7:(R,REA,RA,RD)\""
  268.  
  269.  
  270. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  271.  
  272.  
  273. "command": "icacls \"C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\" /inheritance:e /deny \"user:(R,REA,RA,RD)\""
  274.  
  275.  
  276.  
  277.  
  278.  
  279. * Started Service:
  280.  
  281. * Mutexes:
  282. "1P19dTLTAZy1XuEQf9d6okeFAj5gh3AEoU9139186274clipperrorRER1233326FDSH123"
  283.  
  284.  
  285. * Modified Files:
  286. "C:\\Users\\user\\AppData\\Roaming\\Mxmetamux\\libmfxsw32.exe",
  287. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  288. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  289. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220",
  290. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220",
  291. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_99D41F4D77B8F7BB12F6EE812A503A28",
  292. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_99D41F4D77B8F7BB12F6EE812A503A28",
  293. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf"
  294.  
  295.  
  296. * Deleted Files:
  297. "C:\\Users\\user\\AppData\\Local\\Temp\\4BmZXkPJH6TLfwn.exe"
  298.  
  299.  
  300. * Modified Registry Keys:
  301. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32",
  302. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\EnableFileTracing",
  303. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\EnableConsoleTracing",
  304. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\FileTracingMask",
  305. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\ConsoleTracingMask",
  306. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\MaxFileSize",
  307. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\4BmZXkPJH6TLfwn_RASAPI32\\FileDirectory",
  308. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  309. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  310. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  311. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
  312. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
  313. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASKDIRFORTASKCREATE\\TASKFORTASKCREATE\\Id",
  314. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASKDIRFORTASKCREATE\\TASKFORTASKCREATE\\Index",
  315. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
  316. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
  317. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\B7B6B3BE-8658-49AA-A1BF-419A93D30063",
  318. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\B7B6B3BE-8658-49AA-A1BF-419A93D30063\\data"
  319.  
  320.  
  321. * Deleted Registry Keys:
  322. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  323. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL"
  324.  
  325.  
  326. * DNS Communications:
  327.  
  328. "type": "A",
  329. "request": "iplogger.org",
  330. "answers":
  331.  
  332. "data": "88.99.66.31",
  333. "type": "A"
  334.  
  335.  
  336.  
  337.  
  338.  
  339. * Domains:
  340.  
  341. "ip": "88.99.66.31",
  342. "domain": "iplogger.org"
  343.  
  344.  
  345.  
  346. * Network Communication - ICMP:
  347.  
  348. * Network Communication - HTTP:
  349.  
  350. * Network Communication - SMTP:
  351.  
  352. * Network Communication - Hosts:
  353.  
  354. "country_name": "Germany",
  355. "ip": "88.99.66.31",
  356. "inaddrarpa": "",
  357. "hostname": "iplogger.org"
  358.  
  359.  
  360.  
  361. * Network Communication - IRC: