1
2* ID: 2309
3* MalFamily: ""
4
5* MalScore: 10.0
6
7* File Name: "Exes_f7ba2ccf732ac8c478f3a4a81370ef81.exe"
8* File Size: 544768
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "8ec2e2eddd0991cb56b2d67e9e1fe71b09f74c5d5fe449b021932be35c52fe3f"
11* MD5: "f7ba2ccf732ac8c478f3a4a81370ef81"
12* SHA1: "9d639cc6c7719a181aabaed9f1057ca6ffa296ee"
13* SHA512: "91a0427e73c8c75aec8f61d63492fd41d6a4aa6bc333bf41fbb89351616c979d669aa7bf4ee2059d8968be1ec520a725d02df703e72da3ac9173d2b0ff8e206b"
14* CRC32: "F2AB2E9C"
15* SSDEEP: "12288:EprZTd+GcY867xghkQ057GxVeQj0zkEyRvrBM:a9kYnxghu57iV5BM"
16
17* Process Execution:
18 "a5Y4h.exe",
19 "a5Y4h.exe",
20 "services.exe",
21 "lsass.exe",
22 "WmiApSrv.exe",
23 "taskhost.exe",
24 "WmiPrvSE.exe",
25 "WMIADAP.exe"
26
27
28* Executed Commands:
29 "\"C:\\Users\\user\\AppData\\Local\\Temp\\a5Y4h.exe\"",
30 "C:\\Windows\\system32\\lsass.exe",
31 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
32 "C:\\Windows\\system32\\svchost.exe -k netsvcs"
33
34
35* Signatures Detected:
36
37 "Description": "Behavioural detection: Executable code extraction",
38 "Details":
39
40
41 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
42 "Details":
43
44
45 "Description": "NtSetInformationThread: attempt to hide thread from debugger",
46 "Details":
47
48
49 "Description": "Performs HTTP requests potentially not found in PCAP.",
50 "Details":
51
52 "url_ioc": "localneigh.us:80/api/check.get"
53
54
55 "url_ioc": "localneigh.us:80/api/gate.get?p1=0&p2=9&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=2"
60 "Description": "The binary likely contains encrypted or compressed data.",
61 "Details":
62
63 "section": "name: .text, entropy: 7.09, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00083000, virtual_size: 0x000824ec"
68 "Description": "Behavioural detection: Injection (Process Hollowing)",
69 "Details":
70
71 "Injection": "a5Y4h.exe(648) -> a5Y4h.exe(2268)"
76 "Description": "Executed a process and injected code into it, probably while unpacking",
77 "Details":
78
79 "Injection": "a5Y4h.exe(648) -> a5Y4h.exe(2268)"
84 "Description": "Attempts to delay analysis by repeatedly calling a single API many times",
85 "Details":
86
87 "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 8429094 times"
92 "Description": "Steals private information from local Internet browsers",
93 "Details":
94
95 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
96
97
98 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
99
100
101 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
102
103
104 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
109 "Description": "Collects information about installed applications",
110 "Details":
111
112 "Program": "Google Update Helper"
113
114
115 "Program": "Microsoft Excel MUI 2013"
116
117
118 "Program": "Microsoft Outlook MUI 2013"
123 "Program": "Google Chrome"
124
125
126 "Program": "Adobe Flash Player 29 NPAPI"
127
128
129 "Program": "Adobe Flash Player 29 ActiveX"
130
131
132 "Program": "Microsoft DCF MUI 2013"
133
134
135 "Program": "Microsoft Access MUI 2013"
136
137
138 "Program": "Microsoft Office Proofing Tools 2013 - English"
139
140
141 "Program": "Microsoft Office Proofing Tools 2013 - Español"
142
143
144 "Program": "Microsoft Publisher MUI 2013"
145
146
147 "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
148
149
150 "Program": "Microsoft Office Shared MUI 2013"
151
152
153 "Program": "Microsoft Office OSM MUI 2013"
154
155
156 "Program": "Microsoft InfoPath MUI 2013"
157
158
159 "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
160
161
162 "Program": "Microsoft Word MUI 2013"
163
164
165 "Program": "Microsoft Groove MUI 2013"
170 "Program": "Microsoft Access Setup Metadata MUI 2013"
171
172
173 "Program": "Microsoft Office OSM UX MUI 2013"
174
175
176 "Program": "Java Auto Updater"
177
178
179 "Program": "Microsoft PowerPoint MUI 2013"
180
181
182 "Program": "Microsoft Office Professional Plus 2013"
183
184
185 "Program": "Adobe Refresh Manager"
186
187
188 "Program": "Microsoft Office Proofing 2013"
189
190
191 "Program": "Microsoft Lync MUI 2013"
196 "Program": "Microsoft OneNote MUI 2013"
201 "Description": "Stack pivoting was detected when using a critical API",
202 "Details":
203
204 "process": "WmiPrvSE.exe:2480"
209 "Description": "File has been identified as malicious by 21 antivirus engines on VirusTotal",
210 "Details":
211
212 "FireEye": "Generic.mg.f7ba2ccf732ac8c4"
213
214
215 "McAfee": "Fareit-FPZ!F7BA2CCF732A"
216
217
218 "Malwarebytes": "Trojan.MalPack.VB"
219
220
221 "Cybereason": "malicious.6c7719"
222
223
224 "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
225
226
227 "APEX": "Malicious"
228
229
230 "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
231
232
233 "Invincea": "heuristic"
234
235
236 "Trapmine": "malicious.high.ml.score"
237
238
239 "Sophos": "Mal/FareitVB-N"
240
241
242 "SentinelOne": "DFI - Suspicious PE"
243
244
245 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
246
247
248 "Microsoft": "Trojan:Win32/Vbobfus.A!eml"
249
250
251 "Endgame": "malicious (high confidence)"
252
253
254 "AhnLab-V3": "Win-Trojan/VBKrypt.RP12"
255
256
257 "Acronis": "suspicious"
258
259
260 "Cylance": "Unsafe"
261
262
263 "ESET-NOD32": "a variant of Win32/Injector.EHVI"
264
265
266 "Ikarus": "Trojan.VB.Crypt"
267
268
269 "Fortinet": "W32/Injector.EHVI!tr"
270
271
272 "CrowdStrike": "win/malicious_confidence_100% (W)"
277 "Description": "Attempts to access Bitcoin/ALTCoin wallets",
278 "Details":
279
280 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets"
285 "Description": "Harvests credentials from local FTP client software",
286 "Details":
287
288 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
289
290
291 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
296 "Description": "Harvests information related to installed instant messenger clients",
297 "Details":
298
299 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
304 "Description": "Harvests information related to installed mail clients",
305 "Details":
306
307 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles"
308
309
310 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
311
312
313 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
314
315
316 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
317
318
319 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
320
321
322 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
323
324
325 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
326
327
328 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
329
330
331 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
332
333
334 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
335
336
337 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
338
339
340 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
341
342
343 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
344
345
346 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
347
348
349 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
350
351
352 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
353
354
355 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
356
357
358 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
359
360
361 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
362
363
364 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
365
366
367 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
368
369
370 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
371
372
373 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
379* Started Service:
380 "VaultSvc",
381 "wmiApSrv"
382
383
384* Mutexes:
385 "s3v9x9w8v7v9x9w8v7",
386 "Global\\RefreshRA_Mutex_Lib",
387 "Global\\RefreshRA_Mutex",
388 "Global\\RefreshRA_Mutex_Flag",
389 "Global\\WmiApSrv",
390 "Global\\ADAP_WMI_ENTRY"
391
392
393* Modified Files:
394 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
395
396
397* Deleted Files:
398
399* Modified Registry Keys:
400 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
401 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
402 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
403
404
405* Deleted Registry Keys:
406
407* DNS Communications:
408
409 "type": "A",
410 "request": "localneigh.us",
411 "answers":
412
413
414
415* Domains:
416
417 "ip": "82.102.30.177",
418 "domain": "localneigh.us"
419
420
421
422* Network Communication - ICMP:
423
424* Network Communication - HTTP:
425
426* Network Communication - SMTP:
427
428* Network Communication - Hosts:
429
430* Network Communication - IRC: