VirusTotal information about the malicious sample:

| Field | Value |
|---|---|
| MD5 | e564d95cff4e3c7c14b8a149de41935a |
| SHA-1 | f9c256c5b2ae937a9b04d73ac88aaa782b8770dc |
| SHA-256 | 57bab53ddf5ba525343218c78de26064d0e6b9a3cd739ebbe0ba2358ea2b7394 |
| ssdeep | 12288:jN5mEjuyhoWgXk6Eqyli7B0d6hHBZ0FAb12:jNIEjuyhoWgXk6W07B0d6hHBqFAZ2 |
| imphash | a49926a7e80581b917867c2bd8cfdf8f |
| Size | 416.5 KB (426496 bytes) |
| Type | Win32 EXE |
| Magic | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID | Win32 Executable MS Visual C++ (generic) (64.5%), Win32 Dynamic Link Library (generic) (13.6%), Win32 Executable (generic) (9.3%), Clipper DOS Executable (4.1%), Generic Win/DOS Executable (4.1%) |
This malware throws an error message when you execute it.

But if you observe the changes in the system with Process Explorer and a process monitoring tool, you will find a process with random characters as its name whose image points into %Application Data%. This is obviously weird, and it gives one hundred percent confirmation that we have executed malware. If you use InCtrl, it will log all the changes made to files, folders and the registry.
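A triage heuristic for the behaviour just described, added here as an example and not code from the original post: flag processes whose image runs from the per-user application data folder under a random-looking name, and match the image hash against the SHA-256 from the VirusTotal data above. The process snapshot, the path markers and the entropy threshold are constructed assumptions; real Process Explorer output would have to be exported into the same name/path/sha256 shape.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# SHA-256 of the sample, taken from the VirusTotal data above.
KNOWN_SHA256 = "57bab53ddf5ba525343218c78de26064d0e6b9a3cd739ebbe0ba2358ea2b7394"
# Per-user application data folders (%AppData% on Vista and later, %Application Data% on XP).
APPDATA_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\application data\\")

def shannon_entropy(text: str) -> float:
    """Bits per character; a rough randomness score for a file name stem."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_random(image_name: str) -> bool:
    """True for names like 'xk7qz9wd.exe': alphanumeric, few vowels, high entropy."""
    stem = PureWindowsPath(image_name).stem.lower()
    if len(stem) < 6 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return shannon_entropy(stem) >= 2.8 and vowel_ratio < 0.3

def suspicious(proc: dict) -> list:
    """Reasons a process record resembles the behaviour described in the post."""
    reasons = []
    path = proc["path"].lower()
    if any(marker in path for marker in APPDATA_MARKERS) and looks_random(proc["name"]):
        reasons.append("random-looking process name running from the application data folder")
    if proc.get("sha256") == KNOWN_SHA256:
        reasons.append("image hash matches the known sample")
    return reasons

def triage(processes: list) -> dict:
    """Map each flagged process name to its reasons; clean processes are omitted."""
    return {p["name"]: suspicious(p) for p in processes if suspicious(p)}

# Constructed process snapshot for illustration (not real Process Explorer output).
SAMPLE_PROCESSES = [
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"name": "update.exe", "path": r"C:\Users\alice\AppData\Local\Vendor\update.exe"},
    {"name": "xk7qz9wd.exe", "path": r"C:\Users\alice\AppData\Roaming\xk7qz9wd.exe",
     "sha256": KNOWN_SHA256},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_PROCESSES).items():
        print(name, "->", "; ".join(why))
```

A vendor updater living under AppData with a readable name is deliberately not flagged on its own; the location only counts together with a random name or a hash match.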
Leading antivirus vendors such as Sophos detect this set of malware with the name:
Troj/Wonton-FE
And ESET NOD32 detects the same malware with the name:
a variant of Win32/Agent.VNC
Sophos write-up (screenshot)

The above snap shows what Sophos says about the behaviour of the samples. Sophos is a pretty good AV.
Stay protected. Enjoy the cyber world.