See: https://urlhaus.abuse.ch/url/211178/
Detection: https://www.virustotal.com/gui/file/e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7/detection
See: https://www.virustotal.com/gui/file/e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7/details
Blacklisted site: https://sitecheck.sucuri.net/results/hillsmp.com/a/a.exe
Not being detected here: https://webhint.io/scanner/3d69e535-f9fb-4f00-be09-ee5c84eac4aa
Dr.Web detects a threat:
Checking: -http://hillsmp.com/a/a.exe
Engine version: 7.0.34.11020
Total virus-finding records: 7763862
File size: 500.00 KB
File MD5: 829858ba2b43bbe3dcd1738f96c32110
-http://hillsmp.com/a/a.exe infected with Trojan.Inject3.17831
Unified Layer bluehost abuse, IP blacklisted by 32 websites: https://www.ip-finder.me/50.87.144.152/
2 times reported here: https://www.abuseipdb.com/check/50.87.249.228
Infections can be cleansed with MBAM in combination with Adware Cleaner.
Handy batch file to detect:
PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm SHA1"
PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm SHA256"
PowerShell.exe -Command "Get-FileHash -LiteralPath %1 -Algorithm MD5"
Info credits go out to jfkelley.
Analysis Environments
URL: -http://hillsmp.com/a/a.exe
Type: url
MIME: text/plain
SHA256: da29830b3b9c41…f286be088a6b6
Available VMs:
Windows 7 32 bit 3/74
Windows 7 32 bit (HWP Support) 3/73
Windows 7 64 bit 5/75
Linux (Ubuntu 16.04, 64 bit) 0/18
Android Static Analysis
Quick Scan 3/3
The public findings scanned for at https://www.hybrid-analysis.com/sample/da29830b3b9c414263d0a1cf96bf7ef9ffcc13dffb2d5200abef286be088a6b6
At VT only Kaspersky's flags it: https://www.virustotal.com/gui/url/8bcfe7ec16c4ee961d0ffedf100aef3e401365f946bafea2ec7b5aea9f5d8319/detection
Falcon report confirms: https://www.hybrid-analysis.com/sample/da29830b3b9c414263d0a1cf96bf7ef9ffcc13dffb2d5200abef286be088a6b6/5d0e953803883814162af5e9
Suspicious by mutants created (Creates mutants)
Details:
“\Sessions\1\BaseNamedObjects\Local!BrowserEmulation!SharedMemory!Mutex”
“\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex”
“\Sessions\1\BaseNamedObjects\Local\URLBLOCK_FILEMAPSWITCH_MUTEX_3020”
“\Sessions\1\BaseNamedObjects\Local\URLBLOCK_HASHFILESWITCH_MUTEX”
“\Sessions\1\BaseNamedObjects\Local\URLBLOCK_DOWNLOAD_MUTEX”
“\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex”
“\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex”
“\Sessions\1\BaseNamedObjects\IsoScope_bcc_IE_EarlyTabStart_0xf78_Mutex”
“\Sessions\1\BaseNamedObjects\IsoScope_bcc_ConnHashTable<3020>_HashTable_Mutex”
“\Sessions\1\BaseNamedObjects{5312EE61-79E3-4A24-BFE1-132B85B23C3A}”
“\Sessions\1\BaseNamedObjects\IsoScope_bcc_IESQMMUTEX_0_303”
“\Sessions\1\BaseNamedObjects\IsoScope_bcc_IESQMMUTEX_0_331”
“Local\InternetShortcutMutex”
“SmartScreen_ClientId_Mutex”
“Local\VERMGMTBlockListFileMutex”
“{5312EE61-79E3-4A24-BFE1-132B85B23C3A}”
“Local\URLBLOCK_DOWNLOAD_MUTEX”
“IsoScope_bcc_IE_EarlyTabStart_0xf78_Mutex”
“IsoScope_bcc_IESQMMUTEX_0_519”
“IsoScope_bcc_IESQMMUTEX_0_303”
Source: Created Mutant
Relevance: 3/10
Labeled as “GenKryptik.DLIJ”
MITRE ATT&CK™ Techniques Detection:
Initial Access: none
Execution: Service Execution (1)
Persistence: Hooking (1)
Privilege Escalation: Hooking (1)
Defense Evasion: none
Credential Access: Hooking (1)
Discovery: Peripheral Device Discovery (1)
Lateral Movement: none
Collection: none
Exfiltration: none
Command and Control: none
Mine was the anonymous comment: heuristic RAT Trojan.Infect
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
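As an added example (this is not from polonus's post nor from any of the scanners linked above), the three PowerShell calls in the batch file folded into one script that computes MD5, SHA1 and SHA256 in a single pass and compares the result against the MD5 that Dr.Web reported and the SHA256 from the VirusTotal file link in the post. The script name and its -Path parameter are assumptions; the known-bad hashes are the ones quoted in the post.

```powershell
# Added example, not part of the original post.
# Usage from a batch file or cmd:  powershell -File Check-KnownBadHash.ps1 -Path %1
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Indicators taken verbatim from the post (Dr.Web MD5, VirusTotal SHA256 for a.exe).
$KnownBad = @{
    'MD5'    = @('829858ba2b43bbe3dcd1738f96c32110')
    'SHA256' = @('e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7')
}

# Hash the file once per algorithm; Get-FileHash returns upper-case hex, so normalise.
function Get-FileHashReport {
    param([string]$LiteralPath)
    $report = [ordered]@{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h = Get-FileHash -LiteralPath $LiteralPath -Algorithm $alg
        $report[$alg] = $h.Hash.ToLowerInvariant()
    }
    return $report
}

# Compare every computed digest against the published list for that algorithm.
function Test-KnownBadHash {
    param([System.Collections.IDictionary]$Report)
    $hits = @()
    foreach ($alg in $KnownBad.Keys) {
        if ($Report.Contains($alg) -and ($KnownBad[$alg] -contains $Report[$alg])) {
            $hits += "$alg match: $($Report[$alg])"
        }
    }
    return $hits
}

$r = Get-FileHashReport -LiteralPath $Path
$r.GetEnumerator() | ForEach-Object { "{0,-7} {1}" -f $_.Key, $_.Value }

$hits = Test-KnownBadHash -Report $r
if ($hits.Count -gt 0) {
    Write-Warning ("File matches an indicator from the post: " + ($hits -join '; '))
    exit 1   # non-zero errorlevel so a calling batch file can branch on it
}
"No match against the hashes listed in the post."
exit 0
```

Because -LiteralPath is used, file names containing brackets or other wildcard characters are hashed as-is, which is also why the original batch lines use it. The exit code lets the batch wrapper act on the result (for example, quarantine the file or just log it) without parsing the printed output.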