elhacker.net Forum

Computer Security => Malware Analysis and Design => Topic started by: colcrt on 24 July 2016, 22:37 pm



Title: could this be a virus? 4n4ldetector
Posted by: colcrt on 24 July 2016, 22:37 pm
Hi guys,

I decided to try out this tool, but something made me curious. Here is the report. I don't know whether it is a false positive or there really is a virus; I have already run several antivirus products over it and none of them found anything.


Code:
Information:
  Size: 3,89 MB - [It is advisable to cut the file]
  md5 Hash: B6113983ED77D6FE99BDEE461E7BE004
  EntryPoint: 0A4FE0
  SizeOfHeaders: 00000400
  SizeOfImage: 003DF000
  ImageBase: 00400000
  Characteristics: 0102
  Architecture: x86
  File Type: EXE
  Sections Number:7
  Subsystem: Windows GUI
  UAC Execution Level Manifest: asInvoker
  Compiler: Microsoft Visual Studio

Binder/Joiner/Crypter:
  Dropper code detected - 14,67 KB


Windows REG:
  software\microsoft\windows\currentversion\explorer\startmenu\startpanel

Windows REG (UNICODE):
  software\microsoft\windows\currentversion\explorer\accent
  software\microsoft\windows nt\currentversion\winlogon
  software\microsoft\windows\currentversion\explorer\advanced
  software\microsoft\windows\currentversion\explorer\startpage
  software\microsoft\windows\currentversion\policies\system
  software\microsoft\windows\currentversion\oobe
  software\microsoft\windows\currentversion\immersiveshell
  software\microsoft\windows\currentversion\explorer\accentcolorizediconabtest
  software\microsoft\windows\currentversion\parental controls
  software\microsoft\windows\currentversion\explorer\multitaskingview\allupview
  software\classes\local settings\
  software\microsoft\windows\currentversion\traynotify
  software\microsoft\windows\currentversion\explorer\controlpanel\namespace\
  software\microsoft\windows nt\currentversion\windows
  software\microsoft\windows\currentversion\explorer\notificationcustomization
  software\microsoft\windows\currentversion\explorer\advanced\delayedapps
  software\microsoft\windows\currentversion\explorer\logonstats
  software\policies\microsoft\windows\explorer
  software\microsoft\windows nt\currentversion\noimemodeimes
  software\microsoft\windows\currentversion\runonceex
  software\microsoft\windows\currentversion\control panel\cpls
  software\microsoft\windows nt\currentversion\windows,load
  software\microsoft\windows\currentversion\control panel\dont load
  software\microsoft\windows\currentversion\explorer\serialize
  software\microsoft\windows\currentversion\themes
  software\microsoft\windows\currentversion\systemprotecteduserdata
  software\microsoft\windows\currentversion\runonce
  software\microsoft\windows\currentversion\explorer\startupapproved
  software\microsoft\windows\currentversion\explorer
  software\microsoft\windows\currentversion\themes\personalize
  software\microsoft\windows\currentversion\settingsync\syncdata
  software\microsoft\windows\currentversion\settingsync
  software\microsoft\windows\currentversion\policies\explorer
  software\microsoft\windows\currentversion\immersiveshell\edgeui
  software\microsoft\windows\currentversion\search
  software\policies\microsoft\windows\onedrive
  software\microsoft\windows\currentversion\onedriveramps
  software\microsoft\windows\currentversion\oobe\telemetrycorrelation
  software\microsoft\windows\currentversion\explorer\taskband
  software\microsoft\windows\currentversion\pushnotifications\applications
  software\microsoft\windows\currentversion\diagnostics\performance\shell\responsemonitor
  software\microsoft\windows nt\currentversion\winlogon\alternateshells\availableshells
  software\microsoft\tablettip\1.7\
  software\microsoft\windows\currentversion\authentication\logonui\sessiondata
  software\microsoft\windows\currentversion\contentdeliverymanager
  software\microsoft\windows\currentversion\flightedfeatures
  software\microsoft\windows\currentversion\windowsupdate\updatediscoverability
  software\microsoft\windows\currentversion\oobe\stats
  software\microsoft\windows\currentversion\startmenu
  software\microsoft\alluserinstallagent
  software\microsoft\windows nt\currentversion\winlogon\alternateshells
  software\microsoft\windows\currentversion\explorer\fileexts
  software\microsoft\windows\currentversion\fileassociations
  software\microsoft\windows\shell\associations\urlassociations
  software\microsoft\windows\currentversion\useroobe
  software\microsoft\windows\currentversion\cloudexperiencehost
  software\microsoft\windows\currentversion\retaildemo\oobewrite
  software\microsoft\windows\currentversion\explorer\fileexts\%s
  software\microsoft\windows\shell\associations\urlassociations\%s
  software\microsoft\windows nt\currentversion\profilelist
  software\microsoft\windows\currentversion\run
  software\microsoft\windows\currentversion\policies\explorer\run
  software\classes\
  software\microsoft\windows\currentversion\thememanager
  software\microsoft\windows\currentversion\explorer\controlpanel
  software\microsoft\windows\currentversion\explorer\autoplayhandlers
  software\microsoft\windows\currentversion\control panel
  software\microsoft\windows\currentversion\explorer\notificationarea\promotedicon1
  software\microsoft\windows\currentversion\explorer\notificationarea\promotedicon2
  software\microsoft\windows\currentversion\immersiveshell\statestore
  software\microsoft\internet explorer\typedurls
  software\microsoft\windows\currentversion\explorer\typedpaths
  software\microsoft\windows\currentversion\explorer\runmru
  software\microsoft\windows\currentversion\explorer\doc find spec mru
  software\microsoft\windows\currentversion\explorer\comdlg32\opensavepidlmru
  software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedpidlmru
  software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedpidlmrulegacy
  software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder
  software\microsoft\ctf\consentux
  software\classes\clsid\{031e4825-7b94-4dc3-b131-e946b44c8dd5}
  software\microsoft\windows nt\currentversion\server
  software\microsoft\windows nt\currentversion\windows,run
  software\policies\microsoft\windowsstore
  software\microsoft\windows\currentversion\smden
  software\microsoft\windows\currentversion\explorer\tbden
  software\microsoft\windows\tablet pc
  software\microsoft\windows\currentversion\explorer\oemwc
  software\microsoft\windows\currentversion\explorer\wcden
  software\microsoft\windows\currentversion\explorer\applicationdestinations\
  software\clients
  software\microsoft\windows\currentversion\explorer\startpage\newshortcuts
  software\microsoft\windows\currentversion\openwith
  software\microsoft\windows\currentversion\explorer\appkey\%d
  software\microsoft\windows\currentversion\explorer\remote\%d
  software\microsoft\windows\dwm
  software\microsoft\windows\currentversion\explorer\appcontract
  software\microsoft\windows nt\currentversion\time zones
  software\microsoft\windows\currentversion\explorer\startmenu\colors
  software\microsoft\windows\currentversion\settingsync\groups\%s
  software\microsoft\windows\currentversion\appx\appxalluserstore\upgrade\%ls
  software\microsoft\windows\currentversion\updatediscoverability
  software\microsoft\windows\currentversion\appreadiness\%s
  software\microsoft\windows\currentversion\authentication\logonui\accesspage\camera
  software\microsoft\windows\currentversion\explorer\svden
  software\microsoft\provisioning\
  software\microsoft\provisioning\applaunchid
  software\microsoft\windows\currentversion\explorer\shellserviceobjects\{872f8dc8-dde4-43bd-ac7a-e3d9fe86ceac}
  software\microsoft\windows\currentversion\onedriveoptin
  software\microsoft\windows\currentversion\oobe\testhooks
  software\microsoft\windows\currentversion\settingsync\syncdata\bootstrap
  software\microsoft\windows nt\currentversion\usercpl
  software\microsoft\internet explorer\main
  software\microsoft\windows\currentversion\explorer\startpage\creativeplacement\creative%d
  software\microsoft\windows\currentversion\explorer\startpage\creativeplacement
  software\microsoft\windows\currentversion\explorer\controlpanel\namespace\%s
  software\microsoft\windows\currentversion\controls folder (wow64)
  software\microsoft\windows\currentversion\policies\explorer\searchextensions
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - DisableTaskMgr
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:
  .textlp12explorer.exe
  .textlp07explorer.exe
  .textlp06explorer.exe
  .textlp01explorer.exe
  .textlp00explorer.exe
  explorer.exe

File Access (UNICODE):
  rundll32.exe
  %%windir%%\syswow64\rundll32.exe
  %%windir%%\system32\rundll32.exe
  oobe\firstlogonanim.exe
  provtool.exe
  runonce.exe
  b%systemroot%\system32\sndvol.exe
  calc.exe
  taskmgr.exe
  {d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27}\calc.exe
  {1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}\calc.exe
  {f38bf404-1d43-42f2-9305-67de0b28fc23}\explorer.exe
  %systemroot%\system32\rundll32.exe
  install.exe
  %systemroot%\system32\rundll32.exe
  @explorer.exe

Interests Words (UNICODE):
  outlook

Anti-VM/Sandbox/Debug Tricks (UNICODE):
  LabTools - taskmgr

URLs (UNICODE):
  http://schemas.microsoft.com/Search/2013/SettingContent

Payloads:
  Shellcode Byte Patterns


Title: Re: could this be a virus? 4n4ldetector
Posted by: 4n0nym0us on 3 August 2016, 12:47 pm
Hello, good morning!

It is not malware; it is even signed by Microsoft. It may have come in through some Windows update... so much information about the system shows up because it is an "explorer.exe"  :-*
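The reply's reasoning, as an added example that is not part of the thread: a small triage script that parses the 4n4ldetector report layout shown above, buckets the registry strings that would matter if the file were malware (autostart keys, DisableTaskMgr, the LabTools hit), and then lets an out-of-band signature check outweigh them, since a shell binary like explorer.exe legitimately references those keys. The report excerpt is a constructed sample; the `signature_valid`/`signer` inputs are assumed to come from an Authenticode check done separately.

```python
# Constructed excerpt in the 4n4ldetector report layout (hypothetical sample, not the full post).
REPORT = r"""Windows REG (UNICODE):
  software\microsoft\windows\currentversion\explorer\advanced
  software\microsoft\windows\currentversion\run
  software\microsoft\windows\currentversion\runonce
  Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
Anti-VM/Sandbox/Debug Tricks (UNICODE):
  LabTools - taskmgr
"""
# Autostart key suffixes a shell component also reads legitimately, and value names that disable Task Manager.
PERSISTENCE_SUFFIXES = (r"\run", r"\runonce", r"\runonceex", r"\policies\explorer\run", r"\winlogon")
EVASION_VALUES = ("disabletaskmgr",)

def parse_report(text):
    """Group indented report lines under their unindented 'Section:' header."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def split_entry(entry):
    """'Rebuilt string - KEY - VALUE' lines carry a value name; plain lines are only a key."""
    key, _, value = entry.replace("Rebuilt string - ", "", 1).partition(" - ")
    return key.lower(), value.lower()

def triage(sections):
    """Bucket registry strings by what malware would use them for; a hit is a question, not a verdict."""
    found = {"persistence": [], "evasion": [], "anti_analysis": []}
    for entry in sections.get("Windows REG", []) + sections.get("Windows REG (UNICODE)", []):
        key, value = split_entry(entry)
        if key.endswith(PERSISTENCE_SUFFIXES):
            found["persistence"].append(entry)
        if value in EVASION_VALUES:
            found["evasion"].append(entry)
    found["anti_analysis"] = list(sections.get("Anti-VM/Sandbox/Debug Tricks (UNICODE)", []))
    return found

def verdict(found, signature_valid, signer):
    """An out-of-band Authenticode check (assumed input) outweighs string hits from a signed shell binary."""
    hits = sum(len(v) for v in found.values())
    if signature_valid and signer.lower() == "microsoft corporation":
        return f"likely benign: {hits} autostart/evasion strings, but a valid Microsoft signature"
    return f"needs review: {hits} autostart/evasion strings, no trusted signature" if hits else "no indicators found"
```

On the full report from the first post the same buckets fill with the Run/RunOnce/RunOnceEx/Winlogon keys and both DisableTaskMgr strings, which is exactly the profile a Windows shell produces, so the signature check is the step that settles it.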