|
RIP_YOUR_PC_LOL.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
initial sample
|
 |
|
|
| Filetype: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.788951719729708
|
| Filename: |
RIP_YOUR_PC_LOL.exe
|
| Filesize: |
23633920
|
| MD5: |
52867174362410d63215d78e708103ea
|
| SHA1: |
7ae4e1048e4463a4201bdeaf224c5b6face681bf
|
| SHA256: |
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
|
| SHA512: |
89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
|
| SSDEEP: |
393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
|
| Preview: |
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..a..................h...........h..
....h...@.. ........................i...........@................................
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Malicious sample detected (through community Yara rule) |
System Summary |
|
| Antivirus / Scanner detection for submitted sample |
AV Detection |
|
| Detected HawkEye Rat |
Remote Access Functionality |
|
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Machine Learning detection for sample |
AV Detection |
|
| .NET source code contains potential unpacker |
Data Obfuscation |
|
| May sleep (evasive loops) to hinder dynamic analysis |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| Yara signature match |
System Summary |
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
| AV process strings found (often used to terminate AV products) |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Sample file is different than original file name gathered from version info |
System Summary |
|
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
| PE file has an executable .text section and no other executable section |
System Summary |
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
|
| Creates files inside the user directory |
System Summary |
|
| Reads ini files |
System Summary |
File and Directory Discovery
|
| URLs found in memory or binary data |
Networking |
|
| Sample is known by Antivirus |
System Summary |
|
| Reads software policies |
System Summary |
|
| Uses an in-process (OLE) Automation server |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| SQL strings found in memory and binary data |
System Summary |
|
| Creates guard pages, often used to prevent reverse usering and debugging |
Anti Debugging |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Found strings which match to known social media urls |
Networking |
|
| Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
| PE file has a big raw section |
System Summary |
|
| PE file has a big code size |
System Summary |
|
| Uses new MSVCR Dlls |
Compliance, System Summary |
|
| PE file contains a COM descriptor data directory |
System Summary |
|
| Submission file is bigger than most known malware samples |
System Summary |
|
|
|
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
|
| Category: |
dropped
|
| Dump: |
dhcpmon.exe.9.dr
|
| ID: |
dr_17
|
| Target ID: |
9
|
| Process: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.449669736966968
|
| Encrypted: |
false
|
| Ssdeep: |
6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
|
| Size: |
208384
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected Nanocore RAT |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Sigma detected: Autorun Keys Modification |
System Summary |
|
| Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RIP_YOUR_PC_LOL.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RIP_YOUR_PC_LOL.exe.log
|
| Category: |
dropped
|
| Dump: |
RIP_YOUR_PC_LOL.exe.log.0.dr
|
| ID: |
dr_0
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
5.185983766127119
|
| Encrypted: |
false
|
| Ssdeep: |
3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
|
| Size: |
128
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus / Scanner detection for submitted sample |
AV Detection |
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Machine Learning detection for sample |
AV Detection |
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| PE file has an executable .text section and no other executable section |
System Summary |
|
| Sample is known by Antivirus |
System Summary |
|
| Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
| PE file has a big raw section |
System Summary |
|
| PE file contains a COM descriptor data directory |
System Summary |
|
| PE file has a big code size |
System Summary |
|
| Submission file is bigger than most known malware samples |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\healastounding.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\healastounding.exe.log
|
| Category: |
dropped
|
| Dump: |
healastounding.exe.log.4.dr
|
| ID: |
dr_13
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
5.185983766127119
|
| Encrypted: |
false
|
| Ssdeep: |
3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
|
| Size: |
128
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Detected Nanocore Rat |
Remote Access Functionality |
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Malware Analysis System Evasion |
Security Software Discovery
|
| URLs found in memory or binary data |
Networking |
|
|
|
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe
|
| Category: |
dropped
|
| Dump: |
Dcvxaamev.exe.14.dr
|
| ID: |
dr_27
|
| Target ID: |
14
|
| Process: |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.696824069546379
|
| Encrypted: |
false
|
| Ssdeep: |
6144:WLR0mFZcyJuOwhXdZkWwQ5eRI44axa7AP5Mb:8RHTJuOwhNZkWwQURI4xxa70ab
|
| Size: |
335872
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe
|
| Category: |
dropped
|
| Dump: |
FFDvbcrdfqs.exe.14.dr
|
| ID: |
dr_26
|
| Target ID: |
14
|
| Process: |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.605066056188275
|
| Encrypted: |
false
|
| Ssdeep: |
6144:7S0BFZcouRlCLNkbI7u2KrMmCI44axa7AR5Mp:7SkZolCLybI7xI4xxa7Wap
|
| Size: |
290816
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Sigma detected: Process Start From Suspicious Folder |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\tmp4896.tmp
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tmp4896.tmp
|
| Category: |
dropped
|
| Dump: |
tmp4896.tmp.9.dr
|
| ID: |
dr_18
|
| Target ID: |
9
|
| Process: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
| Entropy: |
5.090556205433367
|
| Encrypted: |
false
|
| Ssdeep: |
24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V75xtn:cbk4oL600QydbQxIYODOLedq3K5j
|
| Size: |
1305
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: Suspicious Add Scheduled Task From User AppData Temp |
System Summary |
|
| Sigma detected: Suspicius Schtasks From Env Var Folder |
System Summary |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Sigma detected: Suspicious Add Scheduled Task Parent |
System Summary |
|
| Creates temporary files |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
|
| Category: |
dropped
|
| Dump: |
0fd7de5367376231a788872005d7ed4f.exe.0.dr
|
| ID: |
dr_3
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.964847007042997
|
| Encrypted: |
false
|
| Ssdeep: |
12288:eKmlz464jAfhe5pUC1jAXBoFACBfz6JMW0rwrsu:oz4d/5iCj0BoNBb6Jh3
|
| Size: |
549556
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| May check the online IP address of the machine |
Networking |
System Network Configuration Discovery
|
| Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Anti Debugging |
Security Software Discovery
|
| Contains functionality to dynamically determine API calls |
Data Obfuscation, Anti Debugging |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found evasive API chain (may stop execution after checking a module file name) |
Malware Analysis System Evasion |
|
| Found large amount of non-executed APIs |
Malware Analysis System Evasion |
|
| Sigma detected: Suspicious DNS Query for IP Lookup Service APIs |
System Summary |
|
| Contains functionality to query local / system time |
Language, Device and Operating System Detection |
System Information Discovery
|
| Contains functionality to register its own exception handler |
Anti Debugging |
|
| Creates mutexes |
System Summary |
|
| Program exit points |
Malware Analysis System Evasion |
|
| Reads the hosts file |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\22.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\22.exe
|
| Category: |
dropped
|
| Dump: |
22.exe.0.dr
|
| ID: |
dr_4
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.055994450169564
|
| Encrypted: |
false
|
| Ssdeep: |
49152:XkSw2TRlsQ1k0+eDE/C9fLtGoDs9cXpJGy:0EHZ/rDjfLe9cy
|
| Size: |
2101248
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Sigma detected: File Created with System Process Name |
System Summary |
|
| Uses netsh to modify the Windows network and firewall settings |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Creates files inside the system directory |
System Summary |
|
| Creates or modifies windows services |
Boot Survival |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the windows directory (C:\Windows) |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
| Modifies existing windows services |
Boot Survival |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\3.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\3.exe
|
| Category: |
dropped
|
| Dump: |
3.exe.16.dr
|
| ID: |
dr_30
|
| Target ID: |
16
|
| Process: |
C:\Users\user\AppData\Roaming\4.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
5.535850322343421
|
| Encrypted: |
false
|
| Ssdeep: |
12288:aWMT5dtGv3Kom+qn4e9PtlAc7+Q4hMY1FOhcV:bMT5Sw++4ilAZ1OhcV
|
| Size: |
577536
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected DCRat |
Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\4.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\4.exe
|
| Category: |
dropped
|
| Dump: |
4.exe.4.dr
|
| ID: |
dr_6
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.206124159305961
|
| Encrypted: |
false
|
| Ssdeep: |
12288:xzxzTDWikLSb4NS7IODX+KEe+gpSwcxRLe4:bDWHSb4Ngse+USTR64
|
| Size: |
579127
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| File is packed with WinRar |
Data Obfuscation |
|
| Tries to load missing DLLs |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
|
| Category: |
dropped
|
| Dump: |
8f1c8b40c7be588389a8d382040b23bb.exe.4.dr
|
| ID: |
dr_11
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.769765528202914
|
| Encrypted: |
false
|
| Ssdeep: |
24576:mMyMzC8+ovorlBtugg0uHqJkSkSZI7C8JaYRHwOwhNGWwQ58Xaj8rac:mMHF+lxuPHYkSfI77aYRQOayac
|
| Size: |
1241088
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Sample uses process hollowing technique |
HIPS / PFW / Operating System Protection Evasion |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic) |
System Summary |
|
| Sigma detected: Process Start From Suspicious Folder |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
|
data
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
|
| Category: |
dropped
|
| Dump: |
run.dat.9.dr
|
| ID: |
dr_16
|
| Target ID: |
9
|
| Process: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Type: |
data
|
| Entropy: |
3.0
|
| Encrypted: |
false
|
| Ssdeep: |
3:tiK:f
|
| Size: |
8
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: NanoCore |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
|
| Category: |
dropped
|
| Dump: |
a797c6ca3f5e7aff8fa1149c47fe9466.exe.17.dr
|
| ID: |
dr_31
|
| Target ID: |
17
|
| Process: |
C:\Users\user\AppData\Roaming\mediaget.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
5.575438262402469
|
| Encrypted: |
false
|
| Ssdeep: |
384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
|
| Size: |
37888
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected Njrat |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Drops PE files to the startup folder |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a start menu entry (Start Menu\Programs\Startup) |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Stores files to the Windows start menu directory |
Boot Survival |
Registry Run Keys / Startup Folder
|
|
|
C:\Users\user\AppData\Roaming\Opus.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Category: |
dropped
|
| Dump: |
Opus.exe.4.dr
|
| ID: |
dr_9
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.449669736966968
|
| Encrypted: |
false
|
| Ssdeep: |
6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
|
| Size: |
208384
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Sigma detected: NanoCore |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Yara detected Nanocore RAT |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Hides that the sample has been downloaded from the Internet (zone.identifier) |
Hooking and other Techniques for Hiding and Protection |
Hidden Files and Directories
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Sigma detected: Suspicious Add Scheduled Task From User AppData Temp |
System Summary |
|
| Sigma detected: Suspicius Schtasks From Env Var Folder |
System Summary |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Enables debug privileges |
Anti Debugging |
|
| Sample execution stops while process was sleeping (likely an evasion) |
Malware Analysis System Evasion |
|
| Sigma detected: Autorun Keys Modification |
System Summary |
|
| Sigma detected: Suspicious Add Scheduled Task Parent |
System Summary |
|
| Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification |
System Summary |
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates files inside the program directory |
System Summary |
|
| Creates mutexes |
System Summary |
|
| Creates temporary files |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Queries a list of all running processes |
Malware Analysis System Evasion |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\Pluto Panel.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\Pluto Panel.exe
|
| Category: |
dropped
|
| Dump: |
Pluto Panel.exe.0.dr
|
| ID: |
dr_2
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.376805169532317
|
| Encrypted: |
false
|
| Ssdeep: |
12288:ypEQtqB5urTIoYWBQk1E+VF9mOx9wi1T0hnbkOWAvyPx4+c/bUUCy:HQtqBorTlYWBhE+V3mO5vWgxE/nb
|
| Size: |
913920
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Detected HawkEye Rat |
Remote Access Functionality |
|
| Yara detected HawkEye Keylogger |
Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality |
|
| Yara detected MailPassView |
Stealing of Sensitive Information |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Yara detected WebBrowserPassView password recovery tool |
Stealing of Sensitive Information |
|
| Contains functionality to open a port and listen for incoming connection (possibly a backdoor) |
Remote Access Functionality |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found inlined nop instructions (likely shell or obfuscated code) |
Software Vulnerabilities |
Obfuscated Files or Information
|
| Found potential string decryption / allocating functions |
System Summary |
Obfuscated Files or Information
Deobfuscate/Decode Files or Information
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Uses code obfuscation techniques (call, push, ret) |
Data Obfuscation |
Obfuscated Files or Information
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Found strings which match to known social media urls |
Networking |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
| Spawns processes |
System Summary |
|
| URLs found in memory or binary data |
Networking |
|
| Uses Microsoft Silverlight |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\___11.19.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\___11.19.exe
|
| Category: |
dropped
|
| Dump: |
___11.19.exe.0.dr
|
| ID: |
dr_5
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.8569139750386485
|
| Encrypted: |
false
|
| Ssdeep: |
393216:G7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ:uBPQwxMR7pn5qUTB9xOFVWvJKJPkwdnB
|
| Size: |
16322590
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Sigma detected: Suspect Svchost Activity |
System Summary |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Sigma detected: Suspicious Svchost Process |
System Summary |
|
| Sigma detected: System File Execution Location Anomaly |
System Summary |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Sigma detected: Windows Processes Suspicious Parent Directory |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\a.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\a.exe
|
| Category: |
dropped
|
| Dump: |
a.exe.4.dr
|
| ID: |
dr_12
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.99205858382872
|
| Encrypted: |
true
|
| Ssdeep: |
24576:XsoFdKkWRoohlLUI9AMNo9p2mbfmqFycZm4lZD3Ya10Hue4MBSYcQkEaHNYK3Kyh:XrHW6ilLU1Eor3Fg4lBIM0Hue1BSYcQ4
|
| Size: |
1484512
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\aaa.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\aaa.exe
|
| Category: |
dropped
|
| Dump: |
aaa.exe.4.dr
|
| ID: |
dr_10
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.206630188700291
|
| Encrypted: |
false
|
| Ssdeep: |
3072:zMJQH6NvccnsXOf4qhi01sXT0RZTF27rcAXIlWMhBN2/MTDM:zMxsU9i0iXT0RZo7Iwhec/MTD
|
| Size: |
122880
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Hides that the sample has been downloaded from the Internet (zone.identifier) |
Hooking and other Techniques for Hiding and Protection |
Hidden Files and Directories
|
| Injects a PE file into a foreign processes |
HIPS / PFW / Operating System Protection Evasion |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Enables debug privileges |
Anti Debugging |
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\gay.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\gay.exe
|
| Category: |
dropped
|
| Dump: |
gay.exe.4.dr
|
| ID: |
dr_8
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
5.575438262402469
|
| Encrypted: |
false
|
| Ssdeep: |
384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
|
| Size: |
37888
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected Njrat |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\healastounding.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Category: |
dropped
|
| Dump: |
healastounding.exe.0.dr
|
| ID: |
dr_1
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
7.794569867865562
|
| Encrypted: |
false
|
| Ssdeep: |
98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy
|
| Size: |
3733504
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Detected Nanocore Rat |
Remote Access Functionality |
|
| Yara detected AsyncRAT |
Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings |
Obfuscated Files or Information
|
| Yara detected Nanocore RAT |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Yara detected Njrat |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Detected potential crypto function |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates files inside the user directory |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Malware Analysis System Evasion |
Security Software Discovery
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Spawns processes |
System Summary |
|
| URLs found in memory or binary data |
Networking |
|
|
|
C:\Users\user\AppData\Roaming\mediaget.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\mediaget.exe
|
| Category: |
dropped
|
| Dump: |
mediaget.exe.8.dr
|
| ID: |
dr_14
|
| Target ID: |
8
|
| Process: |
C:\Users\user\AppData\Roaming\gay.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
5.575438262402469
|
| Encrypted: |
false
|
| Ssdeep: |
384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
|
| Size: |
37888
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected Njrat |
AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality |
|
| Creates autostart registry keys with suspicious names |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Drops PE files to the startup folder |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Modifies the windows firewall |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Protects its processes via BreakOnTermination flag |
Operating System Destruction |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Creates a start menu entry (Start Menu\Programs\Startup) |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Enables debug privileges |
Anti Debugging |
|
| Sample execution stops while process was sleeping (likely an evasion) |
Malware Analysis System Evasion |
|
| Sigma detected: CurrentVersion Autorun Keys Modification |
System Summary |
|
| Sigma detected: Netsh Port or Application Allowed |
System Summary |
|
| Stores files to the Windows start menu directory |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Creates an autostart registry key |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Reads the hosts file |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\test.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\test.exe
|
| Category: |
dropped
|
| Dump: |
test.exe.4.dr
|
| ID: |
dr_7
|
| Target ID: |
4
|
| Process: |
C:\Users\user\AppData\Roaming\healastounding.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
5.459376005695359
|
| Encrypted: |
false
|
| Ssdeep: |
768:EuwCNToEjaNLWU3zKZmo2q7C8V1vBTcPI1zjbkgX3ir64oRfdwQfybTWVABDZTx:EuwCNToqaS2z8VnTh13brXSr64oZSbZH
|
| Size: |
46080
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected AsyncRAT |
Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings |
Obfuscated Files or Information
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
| Creates mutexes |
System Summary |
|
| Disables application error messsages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
| Parts of this applications are using the .NET runtime (Probably coded in C#) |
System Summary |
|
| Reads the hosts file |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Windows\Cursors\WUDFhosts.exe
|
PE32+ executable (console) x86-64, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Windows\Cursors\WUDFhosts.exe
|
| Category: |
dropped
|
| Dump: |
WUDFhosts.exe.11.dr
|
| ID: |
dr_23
|
| Target ID: |
11
|
| Process: |
C:\Users\user\AppData\Roaming\22.exe
|
| Type: |
PE32+ executable (console) x86-64, for MS Windows
|
| Entropy: |
7.921653477744872
|
| Encrypted: |
false
|
| Ssdeep: |
24576:f7hffPYBJUtGpCXX3dquvU9ckRvYLpZjQaYM8l:NfLtGoDs9cXpJG
|
| Size: |
806912
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the windows directory (C:\Windows) |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Windows\Help\Winlogon.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Windows\Help\Winlogon.exe
|
| Category: |
dropped
|
| Dump: |
Winlogon.exe.11.dr
|
| ID: |
dr_21
|
| Target ID: |
11
|
| Process: |
C:\Users\user\AppData\Roaming\22.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.357076953831382
|
| Encrypted: |
false
|
| Ssdeep: |
1536:WH8tImFvh/tAoX/V1d/Xc81qsWjcdTxekxemB:WH8imz/H111TxfAmB
|
| Size: |
76248
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Sigma detected: File Created with System Process Name |
System Summary |
|
| Creates files inside the system directory |
System Summary |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the windows directory (C:\Windows) |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Windows\Help\active_desktop_render.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Windows\Help\active_desktop_render.dll
|
| Category: |
dropped
|
| Dump: |
active_desktop_render.dll.11.dr
|
| ID: |
dr_22
|
| Target ID: |
11
|
| Process: |
C:\Users\user\AppData\Roaming\22.exe
|
| Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.19848257170581
|
| Encrypted: |
false
|
| Ssdeep: |
12288:BT8s5nv9sQ1ViVNEPazI+eGGhFqxVOa+28WXvC:BT8MnlsQ1kVqPv+eDhGwdIvC
|
| Size: |
995328
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the windows directory (C:\Windows) |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\ProgramData\kaosdma.txt
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\kaosdma.txt
|
| Category: |
dropped
|
| Dump: |
kaosdma.txt.15.dr
|
| ID: |
dr_29
|
| Target ID: |
15
|
| Process: |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
|
| Type: |
ASCII text, with no line terminators
|
| Entropy: |
2.6464393446710157
|
| Encrypted: |
false
|
| Ssdeep: |
3:HLLv:fv
|
| Size: |
10
|
| Whitelisted: |
false
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aaa.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aaa.exe.log
|
| Category: |
dropped
|
| Dump: |
aaa.exe.log.12.dr
|
| ID: |
dr_24
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Roaming\aaa.exe
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
5.2874233355119316
|
| Encrypted: |
false
|
| Ssdeep: |
12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
|
| Size: |
525
|
| Whitelisted: |
false
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gay.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gay.exe.log
|
| Category: |
dropped
|
| Dump: |
gay.exe.log.8.dr
|
| ID: |
dr_15
|
| Target ID: |
8
|
| Process: |
C:\Users\user\AppData\Roaming\gay.exe
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
5.2874233355119316
|
| Encrypted: |
false
|
| Ssdeep: |
12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
|
| Size: |
525
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| May infect USB drives |
Spreading |
Replication Through Removable Media
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\5JOCE52U.txt
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\5JOCE52U.txt
|
| Category: |
dropped
|
| Dump: |
5JOCE52U.txt.15.dr
|
| ID: |
dr_28
|
| Target ID: |
15
|
| Process: |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
|
| Type: |
ASCII text, with no line terminators
|
| Entropy: |
2.6464393446710157
|
| Encrypted: |
false
|
| Ssdeep: |
3:HLLv:fv
|
| Size: |
10
|
| Whitelisted: |
false
|
|
|
C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
|
| Category: |
dropped
|
| Dump: |
tmp5D87.tmp.9.dr
|
| ID: |
dr_20
|
| Target ID: |
9
|
| Process: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
| Entropy: |
5.109425792877704
|
| Encrypted: |
false
|
| Ssdeep: |
24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
|
| Size: |
1310
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
|
| Category: |
dropped
|
| Dump: |
task.dat.9.dr
|
| ID: |
dr_19
|
| Target ID: |
9
|
| Process: |
C:\Users\user\AppData\Roaming\Opus.exe
|
| Type: |
ASCII text, with no line terminators
|
| Entropy: |
4.15091348260215
|
| Encrypted: |
false
|
| Ssdeep: |
3:oNN+EaKC5fMN:oNN7aZ5fMN
|
| Size: |
42
|
| Whitelisted: |
false
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
|
data
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
|
| Category: |
dropped
|
| Dump: |
21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a.14.dr
|
| ID: |
dr_25
|
| Target ID: |
14
|
| Process: |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
|
| Type: |
data
|
| Entropy: |
1.2701062923235522
|
| Encrypted: |
false
|
| Ssdeep: |
3:/l1PL3n:fPL3
|
| Size: |
49
|
| Whitelisted: |
false
|
|
