paladin316

2299Exes_dd56e1d4529217bba2a85a97f410b993_html_2019-09-18_13_30.txt

Sep 18th, 2019
  1.  
  2. * ID: 2299
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_dd56e1d4529217bba2a85a97f410b993.html"
  8. * File Size: 275968
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "309db6c75c9878ca3297382833cba690a4d81baadc206689f344aca0dcc74d5a"
  11. * MD5: "dd56e1d4529217bba2a85a97f410b993"
  12. * SHA1: "e646976267d6adf08067f830d5773f5ff67cebea"
  13. * SHA512: "9bdfe0d79f13f5f14e70f52160bdffef955a213cd99dcf085902a02c6d4f8a2de03ff7017e77f97161ed52591617d35c58e0326687cec939c42701e8299bbf89"
  14. * CRC32: "854D3FE6"
  15. * SSDEEP: "1536:g/NNNz/SNNrsnafpeqxhCh/uP8TIaWgGOkXFn2gZVKjijR1WS75TwkmwgSa8wTBz:gl/2NaafpxemE/W92gajiN5TGVxB814"
  16.  
  17. * Process Execution:
  18. "0BQNr2VVV2M.exe",
  19. "0BQNr2VVV2M.exe",
  20. "explorer.exe",
  21. "services.exe",
  22. "historymachine.exe",
  23. "historymachine.exe"
  24.  
  25.  
  26. * Executed Commands:
  27. "C:\\Users\\user\\AppData\\Local\\Temp\\0BQNr2VVV2M.exe --7f8bc06f",
  28. "\"C:\\Windows\\SysWOW64\\historymachine.exe\"",
  29. "C:\\Windows\\SysWOW64\\historymachine.exe --81d93c85"
  30.  
  31.  
  32. * Signatures Detected:
  33.  
  34. "Description": "Behavioural detection: Executable code extraction",
  35. "Details":
  36.  
  37.  
  38. "Description": "Communicates with IPs located across a large number of unique countries",
  39. "Details":
  40.  
  41. "country": "United Arab Emirates"
  42.  
  43.  
  44. "country": "Russian Federation"
  45.  
  46.  
  47. "country": "Puerto Rico"
  48.  
  49.  
  50. "country": "United States"
  51.  
  52.  
  53. "country": "Thailand"
  54.  
  55.  
  56. "country": "Costa Rica"
  57.  
  58.  
  59. "country": "Colombia"
  60.  
  61.  
  62. "country": "Chile"
  63.  
  64.  
  65. "country": "Argentina"
  66.  
  67.  
  68. "country": "Singapore"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "Possible date expiration check, exits too soon after checking local time",
  74. "Details":
  75.  
  76. "process": "historymachine.exe, PID 3404"
  77.  
  78.  
  79.  
  80.  
  81. "Description": "Mimics the system's user agent string for its own requests",
  82. "Details":
  83.  
  84.  
  85. "Description": "Guard pages use detected - possible anti-debugging.",
  86. "Details":
  87.  
  88.  
  89. "Description": "Performs HTTP requests potentially not found in PCAP.",
  90. "Details":
  91.  
  92. "url_ioc": "192.163.221.191:8080/xian/"
  93.  
  94.  
  95. "url_ioc": "203.150.19.63:443/ringin/"
  96.  
  97.  
  98. "url_ioc": "83.110.75.153:8090/tpt/raster/between/"
  99.  
  100.  
  101. "url_ioc": "190.171.105.158:7080/devices/taskbar/bml/"
  102.  
  103.  
  104. "url_ioc": "190.104.64.197:443/prep/"
  105.  
  106.  
  107. "url_ioc": "152.168.220.188:80/mult/devices/between/merge/"
  108.  
  109.  
  110. "url_ioc": "216.154.222.52:7080/health/publish/bml/merge/"
  111.  
  112.  
  113. "url_ioc": "70.45.30.28:80/iplk/"
  114.  
  115.  
  116. "url_ioc": "139.59.242.76:8080/schema/"
  117.  
  118.  
  119. "url_ioc": "190.13.146.47:443/forced/"
  120.  
  121.  
  122. "url_ioc": "78.109.34.178:443/devices/loadan/"
  123.  
  124.  
  125. "url_ioc": "190.146.81.138:8090/forced/glitch/"
  126.  
  127.  
  128. "url_ioc": "45.33.1.161:8080/child/ringin/"
  129.  
  130.  
  131.  
  132.  
  133. "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
  134. "Details":
  135.  
  136.  
  137. "Description": "Multiple direct IP connections",
  138. "Details":
  139.  
  140. "direct_ip_connections": "Made direct connections to 13 unique IP addresses"
  141.  
  142.  
  143.  
  144.  
  145. "Description": "Deletes its original binary from disk",
  146. "Details":
  147.  
  148.  
  149. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  150. "Details":
  151.  
  152. "file": "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
  153.  
  154.  
  155.  
  156.  
  157. "Description": "Sniffs keystrokes",
  158. "Details":
  159.  
  160. "SetWindowsHookExW": "Process: explorer.exe(1884)"
  161.  
  162.  
  163.  
  164.  
  165. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  166. "Details":
  167.  
  168. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 4481968 times"
  169.  
  170.  
  171.  
  172.  
  173. "Description": "Installs itself for autorun at Windows startup",
  174. "Details":
  175.  
  176. "service name": "historymachine"
  177.  
  178.  
  179. "service path": "\"C:\\Windows\\SysWOW64\\historymachine.exe\""
  180.  
  181.  
  182.  
  183.  
  184. "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
  185. "Details":
  186.  
  187. "Bkav": "W32.HfsAutoB."
  188.  
  189.  
  190. "MicroWorld-eScan": "Trojan.Emotet.ACJ"
  191.  
  192.  
  193. "FireEye": "Generic.mg.dd56e1d4529217bb"
  194.  
  195.  
  196. "McAfee": "GenericR-QRI!DD56E1D45292"
  197.  
  198.  
  199. "Cybereason": "malicious.452921"
  200.  
  201.  
  202. "Invincea": "heuristic"
  203.  
  204.  
  205. "Symantec": "Trojan.Emotet!gm"
  206.  
  207.  
  208. "APEX": "Malicious"
  209.  
  210.  
  211. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  212.  
  213.  
  214. "Paloalto": "generic.ml"
  215.  
  216.  
  217. "AegisLab": "Trojan.Win32.Generic.4!c"
  218.  
  219.  
  220. "Endgame": "malicious (high confidence)"
  221.  
  222.  
  223. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dt"
  224.  
  225.  
  226. "Sophos": "Mal/Emotet-Q"
  227.  
  228.  
  229. "SentinelOne": "DFI - Suspicious PE"
  230.  
  231.  
  232. "Webroot": "W32.Trojan.Emotet"
  233.  
  234.  
  235. "Microsoft": "Trojan:Win32/Emotet.BS!MTB"
  236.  
  237.  
  238. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  239.  
  240.  
  241. "GData": "Trojan.Emotet.ACJ"
  242.  
  243.  
  244. "AhnLab-V3": "Malware/Win32.Generic.C3472442"
  245.  
  246.  
  247. "Acronis": "suspicious"
  248.  
  249.  
  250. "VBA32": "Malware-Cryptor.Limpopo"
  251.  
  252.  
  253. "MAX": "malware (ai score=89)"
  254.  
  255.  
  256. "Cylance": "Unsafe"
  257.  
  258.  
  259. "Rising": "Trojan.Kryptik!8.8 (TFE:4:LZUqZZThnqL)"
  260.  
  261.  
  262. "Fortinet": "W32/GenKryptik.DTDM!tr"
  263.  
  264.  
  265. "CrowdStrike": "win/malicious_confidence_100% (W)"
  266.  
  267.  
  268. "Qihoo-360": "HEUR/QVM20.1.F70F.Malware.Gen"
  269.  
  270.  
  271.  
  272.  
  273. "Description": "Creates a copy of itself",
  274. "Details":
  275.  
  276. "copy": "C:\\Windows\\SysWOW64\\historymachine.exe"
  277.  
  278.  
  279.  
  280.  
  281. "Description": "Drops a binary and executes it",
  282. "Details":
  283.  
  284. "binary": "C:\\Windows\\SysWOW64\\historymachine.exe"
  285.  
  286.  
  287.  
  288.  
  289. "Description": "Created network traffic indicative of malicious activity",
  290. "Details":
  291.  
  292. "signature": "ET CNC Feodo Tracker Reported CnC Server group 3"
  293.  
  294.  
  295. "signature": "ET CNC Feodo Tracker Reported CnC Server group 12"
  296.  
  297.  
  298. "signature": "ET CNC Feodo Tracker Reported CnC Server group 17"
  299.  
  300.  
  301.  
  302.  
  303.  
  304. * Started Service:
  305. "historymachine"
  306.  
  307.  
  308. * Mutexes:
  309. "Global\\IC1C5B64F",
  310. "Global\\MC1C5B64F",
  311. "CicLoadWinStaWinSta0",
  312. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  313. "IESQMMUTEX_0_208"
  314.  
  315.  
  316. * Modified Files:
  317. "C:\\Windows\\SysWOW64\\historymachine.exe"
  318.  
  319.  
  320. * Deleted Files:
  321. "C:\\Windows\\SysWOW64\\khmerflows.exe",
  322. "C:\\Users\\user\\AppData\\Local\\Temp\\0BQNr2VVV2M.exe",
  323. "C:\\Windows\\SysWOW64\\historymachine.exe:Zone.Identifier"
  324.  
  325.  
  326. * Modified Registry Keys:
  327. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  328. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  329. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
  330. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings"
  331.  
  332.  
  333. * Deleted Registry Keys:
  334.  
  335. * DNS Communications:
  336.  
  337. * Domains:
  338.  
  339. * Network Communication - ICMP:
  340.  
  341. * Network Communication - HTTP:
  342.  
  343. * Network Communication - SMTP:
  344.  
  345. * Network Communication - Hosts:
  346.  
  347. "country_name": "United Arab Emirates",
  348. "ip": "83.110.75.153",
  349. "inaddrarpa": "",
  350. "hostname": ""
  351.  
  352.  
  353. "country_name": "Russian Federation",
  354. "ip": "78.109.34.178",
  355. "inaddrarpa": "",
  356. "hostname": ""
  357.  
  358.  
  359. "country_name": "Puerto Rico",
  360. "ip": "70.45.30.28",
  361. "inaddrarpa": "",
  362. "hostname": ""
  363.  
  364.  
  365. "country_name": "United States",
  366. "ip": "45.33.1.161",
  367. "inaddrarpa": "",
  368. "hostname": ""
  369.  
  370.  
  371. "country_name": "United States",
  372. "ip": "216.154.222.52",
  373. "inaddrarpa": "",
  374. "hostname": ""
  375.  
  376.  
  377. "country_name": "Thailand",
  378. "ip": "203.150.19.63",
  379. "inaddrarpa": "",
  380. "hostname": ""
  381.  
  382.  
  383. "country_name": "United States",
  384. "ip": "192.163.221.191",
  385. "inaddrarpa": "",
  386. "hostname": ""
  387.  
  388.  
  389. "country_name": "Costa Rica",
  390. "ip": "190.171.105.158",
  391. "inaddrarpa": "",
  392. "hostname": ""
  393.  
  394.  
  395. "country_name": "Colombia",
  396. "ip": "190.146.81.138",
  397. "inaddrarpa": "",
  398. "hostname": ""
  399.  
  400.  
  401. "country_name": "Chile",
  402. "ip": "190.13.146.47",
  403. "inaddrarpa": "",
  404. "hostname": ""
  405.  
  406.  
  407. "country_name": "Argentina",
  408. "ip": "190.104.64.197",
  409. "inaddrarpa": "",
  410. "hostname": ""
  411.  
  412.  
  413. "country_name": "Argentina",
  414. "ip": "152.168.220.188",
  415. "inaddrarpa": "",
  416. "hostname": ""
  417.  
  418.  
  419. "country_name": "Singapore",
  420. "ip": "139.59.242.76",
  421. "inaddrarpa": "",
  422. "hostname": ""
  423.  
  424.  
  425.  
  426. * Network Communication - IRC: