- * ID: 2299
- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_dd56e1d4529217bba2a85a97f410b993.html"
- * File Size: 275968
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a"
- * MD5: "dd56e1d4529217bba2a85a97f410b993"
- * SHA1: "e646976267d6adf08067f830d5773f5ff67cebea"
- * SHA512: "9bdfe0d79f13f5f14e70f52160bdffef955a213cd99dcf085902a02c6d4f8a2de03ff7017e77f97161ed52591617d35c58e0326687cec939c42701e8299bbf89"
- * CRC32: "854D3FE6"
- * SSDEEP: "1536:g/NNNz/SNNrsnafpeqxhCh/uP8TIaWgGOkXFn2gZVKjijR1WS75TwkmwgSa8wTBz:gl/2NaafpxemE/W92gajiN5TGVxB814"
- * Process Execution:
- "0BQNr2VVV2M.exe",
- "0BQNr2VVV2M.exe",
- "explorer.exe",
- "services.exe",
- "historymachine.exe",
- "historymachine.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\0BQNr2VVV2M.exe --7f8bc06f",
- "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
- "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "United Arab Emirates"
- "country": "Russian Federation"
- "country": "Puerto Rico"
- "country": "United States"
- "country": "Thailand"
- "country": "Costa Rica"
- "country": "Colombia"
- "country": "Chile"
- "country": "Argentina"
- "country": "Singapore"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "historymachine.exe, PID 3404"
- "Description": "Mimics the system's user agent string for its own requests",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "192.163.221.191:8080/xian/"
- "url_ioc": "203.150.19.63:443/ringin/"
- "url_ioc": "83.110.75.153:8090/tpt/raster/between/"
- "url_ioc": "190.171.105.158:7080/devices/taskbar/bml/"
- "url_ioc": "190.104.64.197:443/prep/"
- "url_ioc": "152.168.220.188:80/mult/devices/between/merge/"
- "url_ioc": "216.154.222.52:7080/health/publish/bml/merge/"
- "url_ioc": "70.45.30.28:80/iplk/"
- "url_ioc": "139.59.242.76:8080/schema/"
- "url_ioc": "190.13.146.47:443/forced/"
- "url_ioc": "78.109.34.178:443/devices/loadan/"
- "url_ioc": "190.146.81.138:8090/forced/glitch/"
- "url_ioc": "45.33.1.161:8080/child/ringin/"
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details":
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 13 unique IP addresses"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: explorer.exe(1884)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 4481968 times"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "historymachine"
- "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
- "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
- "Details":
- "Bkav": "W32.HfsAutoB."
- "MicroWorld-eScan": "Trojan.Emotet.ACJ"
- "FireEye": "Generic.mg.dd56e1d4529217bb"
- "McAfee": "GenericR-QRI!DD56E1D45292"
- "Cybereason": "malicious.452921"
- "Invincea": "heuristic"
- "Symantec": "Trojan.Emotet!gm"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Generic.4!c"
- "Endgame": "malicious (high confidence)"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dt"
- "Sophos": "Mal/Emotet-Q"
- "SentinelOne": "DFI - Suspicious PE"
- "Webroot": "W32.Trojan.Emotet"
- "Microsoft": "Trojan:Win32/Emotet.BS!MTB"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "GData": "Trojan.Emotet.ACJ"
- "AhnLab-V3": "Malware/Win32.Generic.C3472442"
- "Acronis": "suspicious"
- "VBA32": "Malware-Cryptor.Limpopo"
- "MAX": "malware (ai score=89)"
- "Cylance": "Unsafe"
- "Rising": "Trojan.Kryptik!8.8 (TFE:4:LZUqZZThnqL)"
- "Fortinet": "W32/GenKryptik.DTDM!tr"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM20.1.F70F.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Windows\\SysWOW64\\historymachine.exe"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 3"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 12"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 17"
- * Started Service:
- "historymachine"
- * Mutexes:
- "Global\\IC1C5B64F",
- "Global\\MC1C5B64F",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "IESQMMUTEX_0_208"
- * Modified Files:
- "C:\\Windows\\SysWOW64\\historymachine.exe"
- * Deleted Files:
- "C:\\Windows\\SysWOW64\\khmerflows.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\0BQNr2VVV2M.exe",
- "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United Arab Emirates",
- "ip": "83.110.75.153",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Russian Federation",
- "ip": "78.109.34.178",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Puerto Rico",
- "ip": "70.45.30.28",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "45.33.1.161",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "216.154.222.52",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Thailand",
- "ip": "203.150.19.63",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "192.163.221.191",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Costa Rica",
- "ip": "190.171.105.158",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Colombia",
- "ip": "190.146.81.138",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Chile",
- "ip": "190.13.146.47",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "190.104.64.197",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Argentina",
- "ip": "152.168.220.188",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Singapore",
- "ip": "139.59.242.76",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: