- THREAT IDENTIFICATION: UNKNOWN MALWARE
- NOTES
  - Running the executable also drops a .dll and 3 additional (non-executable) files to disk.
  - Amazingly, the file hash for the .dll appears to have been on VirusTotal since 2009!
  - There was traffic out to an IP address, but all I saw were TCP resets.
- SUBJECTS OBSERVED
  - Re: Invoice
- SENDERS OBSERVED
  - liz@baptistelectric.com
- MALDOC FILE HASH
  - Invoice.iso
    - b7d01db02b4cc2a8eb206ba19f929d9d
- UNKNOWN MALWARE FILE HASH
  - INV.exe
    - f8273c95045f27e5d6e134b3a549a804
  - Copied and renamed to:
    - weprasfwjvatm.exe
      - f8273c95045f27e5d6e134b3a549a804
- EXTERNAL TRAFFIC
  - All I saw were TCP reset packets to/from 104.152.188.104
- ADDITIONAL FILE HASHES
  - AppData\Local\Temp contains:
    - tambd6oqxct5led0
      - d3dde1244f9803c4e203358fdb6650e9
    - ynqcndeig
      - acbd3e7c6c99c4b193f2a1e604bc9976
    - 3bxww6ac1hfs
      - 96cbec9afc4628836a80fa456b63e5ef
  - Also, in a separate directory under AppData\Local\Temp\:
    - System.dll
      - c17103ae9072a06da581dec998343fc1
- SUPPORTING EVIDENCE
  - https://www.virustotal.com/gui/file/dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f/detection