- * ID: 1099
- * MalFamily: "NetWire"
- * MalScore: 10.0
- * File Name: "NetWire_82cf92967ff37089ac670b63f2dd45e6.txt"
- * File Size: 557056
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1"
- * MD5: "82cf92967ff37089ac670b63f2dd45e6"
- * SHA1: "37cdf11edd5bf245d7d0ab61939c920270ec8cbe"
- * SHA512: "4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323"
- * CRC32: "FA427131"
- * SSDEEP: "12288:zWkjHZV+Lfb1CnBOeMLpjOxpA+Ua2Hj+:qGlBHMZLY"
- * Process Execution:
- "dHHJ9vjbQZ6.exe",
- "dHHJ9vjbQZ6.exe",
- "Host.exe",
- "Host.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\dHHJ9vjbQZ6.exe\"",
- "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "212.7.208.123:8765 (Netherlands)"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "Host.exe tried to sleep 754 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: dHHJ9vjbQZ6.exe, pid: 624, offset: 0x00000000, length: 0x00088000"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "dHHJ9vjbQZ6.exe (2320) called API GetLocalTime 106937 times"
- "Spam": "Host.exe (2372) called API GetLocalTime 106937 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
- "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0"
- "data": "unknown"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
- "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Gen:Variant.Razy.551446"
- "McAfee": "Fareit-FPT!82CF92967FF3"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.edd5bf"
- "Invincea": "heuristic"
- "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Endgame": "malicious (high confidence)"
- "Trapmine": "malicious.moderate.ml.score"
- "FireEye": "Generic.mg.82cf92967ff37089"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
- "Microsoft": "Trojan:Win32/Fuerboos.C!cl"
- "AhnLab-V3": "Trojan/Win32.VBKrypt.R290013"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=84)"
- "Malwarebytes": "Trojan.MalPack.VB.Generic"
- "ESET-NOD32": "a variant of Win32/Injector.EHPN"
- "Fortinet": "W32/GenKryptik.DRZR!tr"
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
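Several of the signatures above (process hollowing, RWX memory, API spam, the 754-second sleep) are judged from the sample's API call sequence rather than from any single call. The script below re-implements those four checks as an added example; it is not the sandbox's own code. The API trace is constructed to mirror the report's PIDs, image names and counts (not a real capture), the stage mapping for hollowing and the spam/sleep thresholds are assumptions, and the output strings are formatted to match the report's "Details" lines.

```python
"""Added example: four sandbox-style behavioural checks over a constructed
API trace. Not the sandbox's code; trace, thresholds and stage mapping are
assumptions modelled on the report above."""
from collections import Counter

PROCESSES = {2320: "dHHJ9vjbQZ6.exe", 624: "dHHJ9vjbQZ6.exe", 2372: "Host.exe"}
CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit used for hollowing
PAGE_EXECUTE_READWRITE = 0x40          # the "RWX" protection the report flags

# Constructed trace of (pid, api, args) records; PIDs and counts follow the report.
TRACE = [
    (2320, "CreateProcessW", {"child": 624, "flags": CREATE_SUSPENDED}),
    (2320, "NtUnmapViewOfSection", {"target": 624}),
    (2320, "VirtualAllocEx", {"target": 624, "protect": PAGE_EXECUTE_READWRITE}),
    (2320, "WriteProcessMemory", {"target": 624}),
    (2320, "SetThreadContext", {"target": 624}),
    (2320, "NtResumeThread", {"target": 624}),
    (2372, "Sleep", {"milliseconds": 754_000}),
    (2372, "VirtualAlloc", {"protect": PAGE_EXECUTE_READWRITE}),
] + [(2320, "GetLocalTime", {})] * 106_937 + [(2372, "GetLocalTime", {})] * 106_937

# Hollowing is an ordered sequence: suspended child -> memory written into it
# -> thread context replaced -> thread resumed.
STAGES = ("suspended", "write", "context", "resume")
API_STAGE = {
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "NtSetContextThread": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}


def detect_hollowing(trace):
    """Return 'injector(pid) -> target(pid)' for each pair that completed every
    stage in order. NtUnmapViewOfSection is a strong hint but is not required,
    since some loaders overwrite the original image in place."""
    progress = {}  # (injector_pid, target_pid) -> index of the next expected stage
    for pid, api, args in trace:
        if api in ("CreateProcessA", "CreateProcessW"):
            if args.get("flags", 0) & CREATE_SUSPENDED:
                progress[(pid, args["child"])] = 1      # stage 0 observed
            continue
        stage = API_STAGE.get(api)
        key = (pid, args.get("target"))
        if (stage and key in progress and progress[key] < len(STAGES)
                and STAGES[progress[key]] == stage):
            progress[key] += 1
    return [f"{PROCESSES[i]}({i}) -> {PROCESSES[t]}({t})"
            for (i, t), n in progress.items() if n == len(STAGES)]


def detect_rwx_memory(trace):
    """Processes that allocated writable+executable memory, the usual
    precursor to unpacking or injecting a payload."""
    return sorted({f"{PROCESSES[pid]} ({pid})" for pid, api, args in trace
                   if api in ("VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory")
                   and args.get("protect") == PAGE_EXECUTE_READWRITE})


def detect_api_spam(trace, threshold=10_000):
    """Per-process call counts above an assumed threshold. Spinning on a cheap
    call such as GetLocalTime burns the analysis window without ever calling
    Sleep, which sandboxes commonly skip or shorten."""
    counts = Counter((pid, api) for pid, api, _ in trace)
    return [f"{PROCESSES[pid]} ({pid}) called API {api} {n} times"
            for (pid, api), n in counts.items() if n >= threshold]


def detect_long_sleep(trace, min_seconds=60):
    """Sleep requests long enough to outlast a typical analysis run."""
    return [f"{PROCESSES[pid]} ({pid}) tried to sleep {args['milliseconds'] // 1000} seconds"
            for pid, api, args in trace
            if api in ("Sleep", "SleepEx") and args["milliseconds"] // 1000 >= min_seconds]


if __name__ == "__main__":
    for check in (detect_hollowing, detect_rwx_memory, detect_api_spam, detect_long_sleep):
        for hit in check(TRACE):
            print(f"{check.__name__}: {hit}")
```

The hollowing check deliberately tracks order per (injector, target) pair; a process that merely calls WriteProcessMemory on a child it did not create suspended is injection of some kind but not hollowing, and the sandbox would report it under the more generic "Executed a process and injected code into it" signature seen above.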
- * Started Service:
- * Mutexes:
- "-"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
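The two persistence mechanisms recorded here (the HKCU Run value "windows" and the Active Setup StubPath under Wow6432Node, both pointing at Host.exe in the user's roaming AppData) are the entries a hunter would pull from this report first. The script below scores such registry writes as an added example; it is not the sandbox's code. The value paths are copied from the report as printed (value name appended to the key), the two control entries are constructed, and the scoring rules (user-writable image directory, non-GUID Active Setup component name) are assumptions drawn from how legitimate entries usually look.

```python
"""Added example: scoring autorun registry writes from a sandbox report.
Not the sandbox's code; scoring rules and the two control entries are
assumptions, the other events are copied from the report."""
import re

# Value paths in the report's own format: the value name is the last path element.
RUN_VALUE_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
STUBPATH_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(?P<component>[^\\]+)\\StubPath$", re.IGNORECASE)
# Legitimate Active Setup components are named by a braced GUID.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Directories any user can write to: an autorun image here needed no admin rights.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

EVENTS = [
    # copied from the report
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\windows",
     r"C:\Users\user\AppData\Roaming\Install\Host.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0",
     "unknown"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\StubPath",
     r'"C:\Users\user\AppData\Roaming\Install\Host.exe"'),
    # constructed controls: a benign-looking updater and an unrelated value
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     r'"C:\Program Files\Vendor\Updater.exe" /background'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState",
     "01 00 00 00"),
]


def image_path(data):
    """Extract the executable path from registry data that may carry arguments,
    handling both '"quoted path" args' and 'path args'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess_persistence(events):
    """Return one finding per autorun write, with the reasons it was flagged."""
    findings = []
    for value_path, data in events:
        reasons = []
        run = RUN_VALUE_RE.match(value_path)
        stub = STUBPATH_RE.match(value_path)
        if run:
            reasons.append(f"Run value '{run.group('name')}' starts at every logon")
        elif stub:
            reasons.append("Active Setup StubPath runs once per user at logon")
            if not GUID_RE.match(stub.group("component")):
                reasons.append("component name is not a {GUID}")
        else:
            continue  # not an autorun location this checker knows about
        image = image_path(data)
        if any(marker in image.lower() for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        findings.append({"value": value_path, "image": image, "reasons": reasons,
                         "severity": "high" if len(reasons) >= 2 else "low"})
    return findings


if __name__ == "__main__":
    for f in assess_persistence(EVENTS):
        print(f"[{f['severity']}] {f['image']}  <- {f['value']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The bare component key (the "unknown" event) is skipped on purpose: Active Setup only executes what StubPath names, so the StubPath write is the record worth scoring. The Wow6432Node path is the 32-bit registry view, which is consistent with the PE32 sample listed above writing under WOW64 redirection; a checker that only watches the 64-bit Active Setup key would miss it.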
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Netherlands",
- "ip": "212.7.208.123",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: