evilammy sample
Friday, April 6, 2018

found by Angel Hun @SeraphimDomain: mosbussum[.]nl/a3.exe
I *think* it's EvilAmmy:
https://twitter.com/SeraphimDomain/status/980811174399819781
https://www.hybrid-analysis.com/sample/47f8893dfd5477783d016f397db0f37697e535b0d8f0117ee525eff76707e232/5ac3d92b7ca3e1522c5f96d4

------------- interesting api calls -------------
CreateFileA ( "C:\Users\xxx\AppData\Local\Temp\1.bat", GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL )
CreateProcessA ( NULL, "C:\Users\xxx\AppData\Local\Temp\1.bat", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, 0x002ee290, 0x002e9c58 )
CreateProcessW ( "C:\Windows\system32\PING.EXE", "ping localhost -n 2 ", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, "C:\Users\Win732\AppData\Local\Temp", 0x0020e7fc, 0x0020e848 )