2* MalFamily: "Nanocore"
4* MalScore: 10.0
6* File Name: "Exes_19029a0ca30cc1a8fdd73b9edad587ad.exe"
7* File Size: 1263616
8* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
9* SHA256: "a04b653a8dc6869bce29f85cb0e81e83885bb050032aae69426ee7d6e7822734"
10* MD5: "19029a0ca30cc1a8fdd73b9edad587ad"
11* SHA1: "d75d78489b1f72492db4fbc5b749c09dd830f5b8"
12* SHA512: "7387f1c225f943966f84de4d57c686195474715aa4e6c1927b9c1a639113b4787f85aae1d90c047438c0ae787f739e50d404a55bdbbd14a2c7aa2d64e3c4669a"
13* CRC32: "13506714"
14* SSDEEP: "24576:BAHnh+eWsN3skA4RV1Hom2KXMmHao1G2Q0e/Ef/hI5:Yh+ZkldoPK8Yaowue/Es"
16* Process Execution:
17 "7ax1OKmKQIy.exe",
18 "RegSvcs.exe"
21* Executed Commands:
23* Signatures Detected:
25 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
26 "Details":
29 "Description": "Behavioural detection: Executable code extraction",
30 "Details":
33 "Description": "Guard pages use detected - possible anti-debugging.",
34 "Details":
36
37 "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
38 "Details":
40 "ioc": "v2.0.50727"
45 "Description": "Expresses interest in specific running processes",
46 "Details":
48 "process": "RegSvcs.exe"
53 "Description": "Reads data out of its own binary image",
54 "Details":
56 "self_read": "process: 7ax1OKmKQIy.exe, pid: 1576, offset: 0x00000000, length: 0x00134800"
59 "self_read": "process: RegSvcs.exe, pid: 792, offset: 0x00000000, length: 0x00001000"
62 "self_read": "process: RegSvcs.exe, pid: 792, offset: 0x00000080, length: 0x00000200"
65 "self_read": "process: RegSvcs.exe, pid: 792, offset: 0x00000178, length: 0x00000200"
68 "self_read": "process: RegSvcs.exe, pid: 792, offset: 0x00005b20, length: 0x00000200"
71 "self_read": "process: RegSvcs.exe, pid: 792, offset: 0x00005b3c, length: 0x00000200"
76 "Description": "The binary likely contains encrypted or compressed data.",
77 "Details":
79 "section": "name: .rsrc, entropy: 7.65, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0006a200, virtual_size: 0x0006a07c"
84 "Description": "Behavioural detection: Injection (Process Hollowing)",
85 "Details":
87 "Injection": "7ax1OKmKQIy.exe(1576) -> RegSvcs.exe(792)"
92 "Description": "Executed a process and injected code into it, probably while unpacking",
93 "Details":
95 "Injection": "7ax1OKmKQIy.exe(1576) -> RegSvcs.exe(792)"
100 "Description": "Attempts to remove evidence of file being downloaded from the Internet",
101 "Details":
103 "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
108 "Description": "Behavioural detection: Injection (inter-process)",
109 "Details":
112 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
113 "Details":
116 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
117 "Details":
119 "Spam": "7ax1OKmKQIy.exe (1576) called API GetSystemTimeAsFileTime 24421 times"
124 "Description": "Installs itself for autorun at Windows startup",
125 "Details":
127 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tAiYJRmGTx"
130 "data": "C:\\Users\\Public\\tAiYJRmGTx.vbs"
135 "Description": "Exhibits behavior characteristic of Nanocore RAT",
136 "Details":
139 "Description": "File has been identified by 44 Antiviruses on VirusTotal as malicious",
140 "Details":
142 "MicroWorld-eScan": "Trojan.GenericKD.32212168"
145 "McAfee": "Artemis!19029A0CA30C"
148 "Cylance": "Unsafe"
151 "AegisLab": "Trojan.Win32.Generic.4!c"
154 "K7AntiVirus": "Riskware ( 0040eff71 )"
157 "Alibaba": "Trojan:AutoIt/AgentTesla.ca32c41a"
160 "K7GW": "Riskware ( 0040eff71 )"
163 "Arcabit": "Trojan.Generic.D1EB84C8"
166 "TrendMicro": "TROJ_GEN.R002C0DH319"
169 "F-Prot": "W32/AutoIt.JI.gen!Eldorado"
172 "Symantec": "ML.Attribute.HighConfidence"
175 "APEX": "Malicious"
178 "Paloalto": "generic.ml"
181 "Kaspersky": "Trojan.MSIL.Crypt.hgqt"
184 "BitDefender": "Trojan.GenericKD.32212168"
187 "Avast": "Win32:Trojan-gen"
190 "Endgame": "malicious (high confidence)"
193 "Emsisoft": "Trojan.GenericKD.32212168 (B)"
196 "F-Secure": "Heuristic.HEUR/AGEN.1042319"
199 "DrWeb": "Trojan.DownLoader29.52797"
202 "Invincea": "heuristic"
205 "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
208 "FireEye": "Trojan.GenericKD.32212168"
211 "Sophos": "Mal/Generic-S"
214 "SentinelOne": "DFI - Suspicious PE"
217 "Cyren": "W32/AutoIt.JI.gen!Eldorado"
220 "Avira": "HEUR/AGEN.1042319"
223 "MAX": "malware (ai score=71)"
226 "Antiy-AVL": "GrayWare/Autoit.RunPE.a"
229 "Microsoft": "Trojan:Win32/Occamy.C"
232 "ZoneAlarm": "Trojan.MSIL.Crypt.hgqt"
235 "GData": "MSIL.Backdoor.Nancat.OB04ZU"
238 "AhnLab-V3": "Trojan/Win32.RL_AutoInj.R272810"
241 "Acronis": "suspicious"
244 "ALYac": "Trojan.GenericKD.32212168"
247 "Malwarebytes": "Trojan.MalPack.AutoIt"
250 "ESET-NOD32": "a variant of Win32/Injector.Autoit.EEK"
253 "TrendMicro-HouseCall": "TROJ_GEN.R002C0DH319"
256 "Rising": "Trojan.Win32.Agent.jxu (CLASSIC)"
259 "Fortinet": "W32/Autoit.EEK!tr"
262 "Ad-Aware": "Trojan.GenericKD.32212168"
265 "AVG": "Win32:Trojan-gen"
268 "CrowdStrike": "win/malicious_confidence_70% (W)"
271 "Qihoo-360": "HEUR/QVM10.2.EEFF.Malware.Gen"
276 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
277 "Details":
279 "target": "clamav:Win.Malware.Autoit-7101792-0, sha256:a04b653a8dc6869bce29f85cb0e81e83885bb050032aae69426ee7d6e7822734, type:PE32 executable (GUI) Intel 80386, for MS Windows"
 282 "dropped": "clamav:Win.Malware.Autoit-7101792-0, sha256:0150bd41644d8bdecbaad16cb152bbf7c7726995d04e88680fb882c6c4c842c9, guest_paths:C:\\Users\\user\\AppData\\Roaming\\verclsid\\SystemPropertiesComputerName.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
287 "Description": "Creates a slightly modified copy of itself",
288 "Details":
290 "file": "C:\\Users\\user\\AppData\\Roaming\\verclsid\\SystemPropertiesComputerName.bat"
293 "percent_match": 100
298 "Description": "Collects information to fingerprint the system",
299 "Details":
302 "Description": "Anomalous binary characteristics",
303 "Details":
305 "anomaly": "Actual checksum does not match that reported in PE header"
311* Started Service:
313* Mutexes:
314 "Global\\CLR_PerfMon_WrapMutex",
315 "Global\\CLR_CASOFF_MUTEX",
316 "Global\\7b902218-069b-4546-af78-0d2d86c9fc07"
319* Modified Files:
320 "C:\\Users\\user\\AppData\\Roaming\\verclsid\\SystemPropertiesComputerName.bat",
321 "C:\\Users\\Public\\tAiYJRmGTx.vbs",
322 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
325* Deleted Files:
326 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
329* Modified Registry Keys:
330 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tAiYJRmGTx"
333* Deleted Registry Keys:
335* DNS Communications:
337* Domains:
339* Network Communication - ICMP:
341* Network Communication - HTTP:
343* Network Communication - SMTP:
345* Network Communication - Hosts:
347* Network Communication - IRC: