Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "Exes_f2dc476568203b78563a77c0109a1073.exe"
- * File Size: 1187840
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "ea57060caf8b7aa6ce530589789792a8b16197e3c1cc04d953be764d3f835c6c"
- * MD5: "f2dc476568203b78563a77c0109a1073"
- * SHA1: "bb5f5ea04b61038ec29f22c46f873c219b7df1ef"
- * SHA512: "d673eb55d25d880416d4d516c8c112ca8201417ef0cdaba0fc887e528b84df3a0af39ed37e2d6f1b469a83d1eb567c3feb25300b96a6db1a187f55f5708ff50d"
- * CRC32: "D0AD7871"
- * SSDEEP: "24576:9AHnh+eWsN3skA4RV1Hom2KXMmHalzKIl9CYdXUwym5:ch+ZkldoPK8YaleIlBUS"
- * Process Execution:
- "J44RfSdR.exe",
- "RegAsm.exe"
- * Executed Commands:
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "178.124.140.146:5353 (Belarus)"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "RegAsm.exe tried to sleep 1358 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "smss.exe"
- "process": "RegAsm.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: J44RfSdR.exe, pid: 1732, offset: 0x00000000, length: 0x00122000"
- "self_read": "process: RegAsm.exe, pid: 3348, offset: 0x00000000, length: 0x00001000"
- "self_read": "process: RegAsm.exe, pid: 3348, offset: 0x00000080, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 3348, offset: 0x00000178, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 3348, offset: 0x0000a720, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 3348, offset: 0x0000a73c, length: 0x00000200"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.57, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00057a00, virtual_size: 0x0005796c"
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "J44RfSdR.exe(1732) -> RegAsm.exe(3348)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "J44RfSdR.exe(1732) -> RegAsm.exe(3348)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\gsXxUmbQan"
- "data": "C:\\Users\\Public\\gsXxUmbQan.vbs"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "File has been identified by 29 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.AIT.Agent.B"
- "FireEye": "Trojan.AIT.Agent.B"
- "McAfee": "Trojan-AitInject.aq"
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- "Arcabit": "Trojan.AIT.Agent.B"
- "F-Prot": "W32/AutoIt.JI.gen!Eldorado"
- "Symantec": "Infostealer"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "ClamAV": "Win.Malware.Autoit-7111786-0"
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- "BitDefender": "Trojan.AIT.Agent.B"
- "Ad-Aware": "Trojan.AIT.Agent.B"
- "Emsisoft": "Trojan.AIT.Agent.B (B)"
- "McAfee-GW-Edition": "BehavesLike.Win32.Ransom.tc"
- "Cyren": "W32/AutoIt.JI.gen!Eldorado"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "GData": "Trojan.AIT.Agent.B (2x)"
- "AhnLab-V3": "Trojan/Win32.RL_AutoInj.R272810"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=82)"
- "Malwarebytes": "Trojan.MalPack.AutoIt"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.EEV"
- "Rising": "Trojan.Obfus/Autoit!1.BB81 (CLASSIC)"
- "Ikarus": "Trojan.Autoit"
- "Fortinet": "AutoIt/Injector.EEV!tr"
- "Qihoo-360": "HEUR/QVM10.1.80E5.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Autoit-7111786-0, sha256:ea57060caf8b7aa6ce530589789792a8b16197e3c1cc04d953be764d3f835c6c, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-7111786-0, sha256:578740a7ffddae1bfb98f663423fcb286ba7405ee36c784db6860185f6d624b8 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\SnippingTool\\RtDCpl64.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\SnippingTool\\RtDCpl64.bat"
- "percent_match": 100
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\df07078f-d289-4d2c-b7e9-b17fbb5a24ee",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\SnippingTool\\RtDCpl64.bat",
- "C:\\Users\\Public\\gsXxUmbQan.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
- * Deleted Files:
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\gsXxUmbQan"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "warzoneburky.ddns.net",
- "answers":
- "data": "178.124.140.146",
- "type": "A"
- * Domains:
- "ip": "178.124.140.146",
- "domain": "warzoneburky.ddns.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Belarus",
- "ip": "178.124.140.146",
- "inaddrarpa": "",
- "hostname": "warzoneburky.ddns.net"
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement