2* ID: 2306
3* MalFamily: ""
4
5* MalScore: 10.0
6
7* File Name: "Exes_f7ba2ccf732ac8c478f3a4a81370ef81.exe"
8* File Size: 544768
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "8ec2e2eddd0991cb56b2d67e9e1fe71b09f74c5d5fe449b021932be35c52fe3f"
11* MD5: "f7ba2ccf732ac8c478f3a4a81370ef81"
12* SHA1: "9d639cc6c7719a181aabaed9f1057ca6ffa296ee"
13* SHA512: "91a0427e73c8c75aec8f61d63492fd41d6a4aa6bc333bf41fbb89351616c979d669aa7bf4ee2059d8968be1ec520a725d02df703e72da3ac9173d2b0ff8e206b"
14* CRC32: "F2AB2E9C"
15* SSDEEP: "12288:EprZTd+GcY867xghkQ057GxVeQj0zkEyRvrBM:a9kYnxghu57iV5BM"
16
17* Process Execution:
18 "uMtJ200VHcY.exe",
19 "uMtJ200VHcY.exe",
20 "services.exe",
21 "lsass.exe",
22 "WmiApSrv.exe",
23 "taskhost.exe",
24 "WmiPrvSE.exe",
25 "WMIADAP.exe"
26
27
28* Executed Commands:
29 "\"C:\\Users\\user\\AppData\\Local\\Temp\\uMtJ200VHcY.exe\"",
30 "C:\\Windows\\system32\\lsass.exe",
31 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
32 "C:\\Windows\\system32\\svchost.exe -k netsvcs"
33
34
35* Signatures Detected:
36
37 "Description": "Behavioural detection: Executable code extraction",
38 "Details":
39
40
41 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
42 "Details":
43
44
45 "Description": "Creates RWX memory",
46 "Details":
47
48
49 "Description": "NtSetInformationThread: attempt to hide thread from debugger",
50 "Details":
51
52
53 "Description": "Performs HTTP requests potentially not found in PCAP.",
54 "Details":
55
56 "url_ioc": "localneigh.us:80/api/check.get"
57
58
59 "url_ioc": "localneigh.us:80/api/gate.get?p1=0&p2=9&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=2"
60
61
62
63
64 "Description": "The binary likely contains encrypted or compressed data.",
65 "Details":
66
67 "section": "name: .text, entropy: 7.09, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00083000, virtual_size: 0x000824ec"
68
69
70
71
72 "Description": "Behavioural detection: Injection (Process Hollowing)",
73 "Details":
74
75 "Injection": "uMtJ200VHcY.exe(2432) -> uMtJ200VHcY.exe(2424)"
76
77
78
79
80 "Description": "Executed a process and injected code into it, probably while unpacking",
81 "Details":
82
83 "Injection": "uMtJ200VHcY.exe(2432) -> uMtJ200VHcY.exe(2424)"
84
85
86
87
88 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
89 "Details":
90
91 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 15172466 times"
92
93
94
95
96 "Description": "Steals private information from local Internet browsers",
97 "Details":
98
99 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
100
101
102 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
103
104
105 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
106
107
108 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
109
110
111
112
113 "Description": "Collects information about installed applications",
114 "Details":
115
116 "Program": "Google Update Helper"
117
118
119 "Program": "Microsoft Excel MUI 2013"
120
121
122 "Program": "Microsoft Outlook MUI 2013"
123
124
125
126
127 "Program": "Google Chrome"
128
129
130 "Program": "Adobe Flash Player 29 NPAPI"
131
132
133 "Program": "Adobe Flash Player 29 ActiveX"
134
135
136 "Program": "Microsoft DCF MUI 2013"
137
138
139 "Program": "Microsoft Access MUI 2013"
140
141
142 "Program": "Microsoft Office Proofing Tools 2013 - English"
143
144
145 "Program": "Adobe Acrobat Reader DC"
146
147
148 "Program": "Microsoft Office Proofing Tools 2013 - Español"
149
150
151 "Program": "Microsoft Publisher MUI 2013"
152
153
154 "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
155
156
157 "Program": "Microsoft Office Shared MUI 2013"
158
159
160 "Program": "Microsoft Office OSM MUI 2013"
161
162
163 "Program": "Microsoft InfoPath MUI 2013"
164
165
166 "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
167
168
169 "Program": "Microsoft Word MUI 2013"
170
171
172 "Program": "Microsoft Groove MUI 2013"
173
174
175
176
177 "Program": "Microsoft Access Setup Metadata MUI 2013"
178
179
180 "Program": "Microsoft Office OSM UX MUI 2013"
181
182
183 "Program": "Java Auto Updater"
184
185
186 "Program": "Microsoft PowerPoint MUI 2013"
187
188
189 "Program": "Microsoft Office Professional Plus 2013"
190
191
192 "Program": "Adobe Refresh Manager"
193
194
195 "Program": "Microsoft Office Proofing 2013"
196
197
198 "Program": "Microsoft Lync MUI 2013"
199
200
201
202
203 "Program": "Microsoft OneNote MUI 2013"
204
205
206
207
208 "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
209 "Details":
210
211 "FireEye": "Generic.mg.f7ba2ccf732ac8c4"
212
213
214 "McAfee": "Fareit-FPZ!F7BA2CCF732A"
215
216
217 "Malwarebytes": "Trojan.MalPack.VB"
218
219
220 "Cybereason": "malicious.6c7719"
221
222
223 "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
224
225
226 "APEX": "Malicious"
227
228
229 "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
230
231
232 "Invincea": "heuristic"
233
234
235 "Trapmine": "malicious.high.ml.score"
236
237
238 "Sophos": "Mal/FareitVB-N"
239
240
241 "SentinelOne": "DFI - Suspicious PE"
242
243
244 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
245
246
247 "Microsoft": "Trojan:Win32/Vbobfus.A!eml"
248
249
250 "Endgame": "malicious (high confidence)"
251
252
253 "AhnLab-V3": "Win-Trojan/VBKrypt.RP12"
254
255
256 "Acronis": "suspicious"
257
258
259 "Cylance": "Unsafe"
260
261
262 "ESET-NOD32": "a variant of Win32/Injector.EHVI"
263
264
265 "Ikarus": "Trojan.VB.Crypt"
266
267
268 "Fortinet": "W32/Injector.EHVI!tr"
269
270
271 "CrowdStrike": "win/malicious_confidence_100% (W)"
272
273
274
275
276 "Description": "Attempts to access Bitcoin/ALTCoin wallets",
277 "Details":
278
279 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets"
280
281
282
283
284 "Description": "Harvests credentials from local FTP client software",
285 "Details":
286
287 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
288
289
290 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
291
292
293
294
295 "Description": "Harvests information related to installed instant messenger clients",
296 "Details":
297
298 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
299
300
301
302
303 "Description": "Harvests information related to installed mail clients",
304 "Details":
305
306 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles"
307
308
309 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
310
311
312 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
313
314
315 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
316
317
318 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
319
320
321 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
322
323
324 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
325
326
327 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
328
329
330 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
331
332
333 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
334
335
336 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
337
338
339 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
340
341
342 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
343
344
345 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
346
347
348 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
349
350
351 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
352
353
354 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
355
356
357 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
358
359
360 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
361
362
363 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
364
365
366 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
367
368
369 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
370
371
372 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
373
374
375
376
377
378* Started Service:
379 "VaultSvc",
380 "wmiApSrv"
381
382
383* Mutexes:
384 "s3v9x9w8v7v9x9w8v7",
385 "Global\\RefreshRA_Mutex_Lib",
386 "Global\\RefreshRA_Mutex",
387 "Global\\RefreshRA_Mutex_Flag",
388 "Global\\WmiApSrv",
389 "Global\\ADAP_WMI_ENTRY",
390 "CicLoadWinStaWinSta0",
391 "Local\\MSCTF.CtfMonitorInstMutexDefault1"
392
393
394* Modified Files:
395 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
396
397
398* Deleted Files:
399
400* Modified Registry Keys:
401 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
402 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
403 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
404
405
406* Deleted Registry Keys:
407
408* DNS Communications:
409
410 "type": "A",
411 "request": "localneigh.us",
412 "answers":
413
414
415
416* Domains:
417
418 "ip": "82.102.30.177",
419 "domain": "localneigh.us"
420
421
422
423* Network Communication - ICMP:
424
425* Network Communication - HTTP:
426
427* Network Communication - SMTP:
428
429* Network Communication - Hosts:
430
431* Network Communication - IRC: