agenttesla | 46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Sharing

Copy URL

Twitter E-mail

General

Target

foo.zip
Size

148.2MB
Sample

200811-8q4fq2yyya
MD5

875294d0dba88dbc80c33a5cbb110b41
SHA1

3727db2a114f7302be5d5a3ef212bc0922060346
SHA256

46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a
SHA512

4482e49c33c076cbde30a4da9c7283ef9cc67ae3ae75d9217ea402c206f6fc82aa4ffe90b76ab18c79cda6a7c1e302c02abda6736d594df2b2db273d013e07ab

Malware Config

Extracted

Family

cobaltstrike

http://www.google.com:443/__utm.gif

Attributes

access_type
512
beacon_type
2048
host
www.google.com,/__utm.gif
http_header1
AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAoAAAAoSG9zdDogdHJhbnNsYXRlc2VydmljZXVwZGF0ZS5hcHBzcG90LmNvbQAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAACgAAAChIb3N0OiB0cmFuc2xhdGVzZXJ2aWNldXBkYXRlLmFwcHNwb3QuY29tAAAABwAAAAEAAAAEAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+xef42wyX1NAUR5Ukrnj2L8wg2GQ3+zg6SV5+gTlXxdgo8apUHH/mtKv7A+Fa5aReI1QBvVbMdkwq7A1YwJpBtFUBouokiqs8MjBWWrcftqQno/goPu3jDA1eHNyB8Hn+E4URKzRBBwQBduCA6fvUK83z/jAh062sZrZaFGE6dwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.71092736e+08
unknown2
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/___utm.gif
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Extracted

Family

smokeloader

Version

2018

http://segodnya.bit/biologe/

rc4.i32

Extracted

Family

lokibot

http://clogwars.com/~zadmin/lmark/seng/link.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://hawkcarts.info/jeff/five/fre.php

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
foroni

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Campaign

1535648626

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

190.185.219.110:443

73.74.72.141:443

65.116.179.83:443

50.198.141.161:2078

70.183.154.153:995

68.49.120.179:443

70.94.109.57:443

24.45.54.50:2222

190.80.21.204:2222

216.201.159.118:443

74.88.210.56:995

75.189.235.216:443

47.48.236.98:2222

68.59.209.183:995

75.3.101.153:443

108.17.25.169:443

185.219.83.73:443

184.180.157.203:2222

207.178.109.161:443

174.48.72.160:443

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.mwanzompya.com
Port:
587
Username:
[email protected]
Password:
mwanzo#05

Mutex

382536c5-1156-46e8-b78f-7f58423a46e3

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:mwanzo#05 _EmailPort:587 _EmailSSL:false _EmailServer:mail.mwanzompya.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:382536c5-1156-46e8-b78f-7f58423a46e3 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Extracted

Credentials

Protocol: smtp
Host:
mail.mwanzompya.com
Port:
587
Username:
[email protected]
Password:
mwanzo#05

Extracted

Family

remcos

185.244.29.195:1991

Targets

- Target
  
  foo/0044d66e4abf7c4af6b5d207065320f7
- Size
  
  127KB
- MD5
  
  0044d66e4abf7c4af6b5d207065320f7
- SHA1
  
  07e73ac58bee7bdc26d289bb2697d2588a6b7e64
- SHA256
  
  b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480
- SHA512
  
  25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd
Score

1^/10
behavioral1 behavioral2
- Target
  
  foo/034e4c62965f8d5dd5d5a2ce34a53ba9
- Size
  
  416KB
- MD5
  
  034e4c62965f8d5dd5d5a2ce34a53ba9
- SHA1
  
  edc165e7e833a5e5345f675467398fb38cf6c16f
- SHA256
  
  52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f
- SHA512
  
  c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd
Score

4^/10
behavioral3 behavioral4
- Target
  
  foo/035fa2f2fae0a8fad733686a7d9ea772
- Size
  
  291KB
- MD5
  
  035fa2f2fae0a8fad733686a7d9ea772
- SHA1
  
  411ee99b26bb612b1905b0c7254129fb1dd0cb56
- SHA256
  
  f823ee1362132d0c4cb632829abbaae16b7ae8f938e86a10bdab3897e4f5dc8c
- SHA512
  
  9a58f3b940e83e79fd7c7353b8d20947ab45ee48c617217f7c5ac58b1a0d0b5904eda1d49eb118a55f309291055b50b4710a6ab598ae5b29bbb6ff541ab599f1
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral5 behavioral6
- Target
  
  foo/04884a82d01d733f245d921e1f74fb1b
- Size
  
  2.9MB
- MD5
  
  04884a82d01d733f245d921e1f74fb1b
- SHA1
  
  975c743feccce12419d4d72f26c2d44c8591118a
- SHA256
  
  e3d13acdbf704b60569fad130fec670ff20d99183fb4bfb32f339dd3138a5f2f
- SHA512
  
  c7f26c9656a14a2865da01e7903f29b2474e5fb3bb7a054d09fdd7ea476f7c3666bf4b3fc87e676c4829c0f51942273bb8161b448e42246898985874389a072c
Score

8^/10

bootkit persistence
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7 behavioral8
- Target
  
  foo/06ed82e88e1f68cc08602d7cd8ec5f59
- Size
  
  12.2MB
- MD5
  
  06ed82e88e1f68cc08602d7cd8ec5f59
- SHA1
  
  37d4750e5f22cc395dd721dd5df73aeccc095bb5
- SHA256
  
  43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5
- SHA512
  
  63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895
Score

7^/10

discovery
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral9 behavioral10
- Target
  
  foo/07470b6ede84f02ec31ab0a601cdc068
- Size
  
  199KB
- MD5
  
  07470b6ede84f02ec31ab0a601cdc068
- SHA1
  
  2ca5cc5bf36cf0dfc95a128267e5ca1bdead991b
- SHA256
  
  c7307db0fdd462a0415cec9cb707045f575d28ae18f2db8efcedd7a2db3079ac
- SHA512
  
  002bd7b302ce582ae8921f2613ab340a366a5928e32d1bddf6fbfc16f8fbde2ea93668775d418ea1b3375a32eff24d3f8e32a8f17d7549a743b545f873a0dab7
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  foo/078adb95b1a0a6449d8c4ece796deac0
- Size
  
  349KB
- MD5
  
  078adb95b1a0a6449d8c4ece796deac0
- SHA1
  
  412cbff9af426e0af43b9b860150c7c30ebce654
- SHA256
  
  94a65945d7cebe9755b6cb5cffe7139c848bcbbf5988b07a3d195c57f5e44a89
- SHA512
  
  32b58760617c268de6571bae946d3757f021fc975e3546333371d1667e592057a71956578039e75ad953e8a8aff18d1f871e2fe360abe13a9866f1d56f5ea3e0
Score

10^/10

imminent spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Drops desktop.ini file(s)
behavioral13 behavioral14
- Target
  
  foo/09e5c88a0592763e0c4f30fb88d663b4
- Size
  
  713KB
- MD5
  
  09e5c88a0592763e0c4f30fb88d663b4
- SHA1
  
  939a8f3e7477ce8ee6406ac2b8aa58bd8399e1b4
- SHA256
  
  9aac9319312f83811ad3ee68cd0ae467c088fa484ce921271be0382dc0d027fc
- SHA512
  
  aa8aaa125fc6a47db42b882c960dc52e16df2a308675382f761a66060da414c26345fa526c92e322104b563372f7de6c305645d7a626fd5e4b5c100bdaba089b
Score

1^/10
behavioral15 behavioral16
- Target
  
  foo/0becfedf4d0b9ad5251aca33274a4cf4
- Size
  
  443KB
- MD5
  
  0becfedf4d0b9ad5251aca33274a4cf4
- SHA1
  
  5d6faf04a6215b08988f289373f3b239d5878d06
- SHA256
  
  235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242
- SHA512
  
  0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35
Score

10^/10

aspackv2 evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  foo/1a78d313f2891bd468f78694814a28a3
- Size
  
  5.5MB
- MD5
  
  1a78d313f2891bd468f78694814a28a3
- SHA1
  
  7b10daf92b6bb599c68379909fbc951955e9335e
- SHA256
  
  b8953f266d0ec05808dd5ba4799986c61bfc4d6e5308b0da84cbc8afe19de4df
- SHA512
  
  4a9d76516888a4abff4acb29712abdc65674d5a9a3e69b0e30fa0cf815267d7d45f02d4879383232eb44c5503256af3adc4cb3db201e603816ccc983666475cb
Score

5^/10
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  foo/1ffe827beb75335731cb6f052a8ec3a6
- Size
  
  468KB
- MD5
  
  1ffe827beb75335731cb6f052a8ec3a6
- SHA1
  
  381ff47af182f52185fe2ff8d01453c5f611b04a
- SHA256
  
  bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47
- SHA512
  
  fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  foo/255028f2f37838e92f84f27c68aaf4e1
- Size
  
  536KB
- MD5
  
  255028f2f37838e92f84f27c68aaf4e1
- SHA1
  
  64e6d06aba93b91fbda44364278f2a91e91c6cf3
- SHA256
  
  db04d912a4fa503b27bea546ca8160b040e3eaf8eabfa5ee0dc30b64738976e2
- SHA512
  
  be1f9a5005c9c446a100891c9c955336e011ba550ca7c1f5dd4dd9c3f3041ff20fa30445f117331b6d121b0e89361bead40b981c50f01ce185fa3acf2b7d00d8
Score

1^/10
behavioral23 behavioral24
- Target
  
  foo/27601d095e5b3761d9289584415a73cc
- Size
  
  565KB
- MD5
  
  27601d095e5b3761d9289584415a73cc
- SHA1
  
  9570f23b5abe2ef46a23ded17adb2fb6c203a201
- SHA256
  
  749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4
- SHA512
  
  066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7
Score

8^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral25 behavioral26
- Target
  
  foo/27f9116902c35a9b784c703762bbd249
- Size
  
  1.3MB
- MD5
  
  27f9116902c35a9b784c703762bbd249
- SHA1
  
  1f398a7f5bb032a30c2207e5e692524691b8a09e
- SHA256
  
  548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570
- SHA512
  
  c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6
Score

10^/10

betabot backdoor botnet evasion trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  foo/28408caa2961caecd35c9f8f7c1aecc5
- Size
  
  290KB
- MD5
  
  28408caa2961caecd35c9f8f7c1aecc5
- SHA1
  
  2df15d3bc4f7623ca3a18665b3c666ec8b70baa6
- SHA256
  
  fe99d5ab8be0c9830fd97c1ed127b0c236da75b43a42a58fcd46cb8d46dc3c34
- SHA512
  
  a4fdb80d3ac39a2fa46f19c8b5a803ded144e97dd7a3f194177ddaba15b8e0a0486e7b4de2e8c9c957eac4398487fe5872e54ad8e866e68e0beb283c937d0cbd
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Loads dropped DLL
behavioral29 behavioral30
- Target
  
  foo/29682275a385f42634ee312db7f666e4
- Size
  
  8.3MB
- MD5
  
  29682275a385f42634ee312db7f666e4
- SHA1
  
  660661c84c925dd781c327bbdd519b89bcf378c3
- SHA256
  
  9bf25bf1e0f9bfb8381dc1ec57ee256ef77d294259468fc17bbab9fe50b8b4a3
- SHA512
  
  c03ee099bfb533ae5f88a31499e428588de0bbbc2864a057873355d26b89a9a3b8da73a706fc08e8633b09e73018fbf4406fd2c8cc7738b605a0b2eeac23db36
Score

3^/10
behavioral31 behavioral32
- Target
  
  foo/2de7b886ed3bf5455694d76ac69a96a4
- Size
  
  99KB
- MD5
  
  2de7b886ed3bf5455694d76ac69a96a4
- SHA1
  
  8e80636a30b25b9aba51bc048882a43b9914f631
- SHA256
  
  1cc983ae1831efb88cafacc5e7efcdf60ee5d3637a3d8e2336f14fa2bf53e606
- SHA512
  
  abe16eb7e94e947507a3276e3d94be5e4c56055263e5aa4ebb5449dc969401d3659460bc152a67001a01874054a4968fcaa9720f81514ab6560ae18cd637f9ca
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral33 behavioral34
- Target
  
  foo/2e00df497f82c0bf215548969fefc18b
- Size
  
  8.6MB
- MD5
  
  2e00df497f82c0bf215548969fefc18b
- SHA1
  
  6f1f6f9e8f40055644670378da81ea668c8b69f5
- SHA256
  
  3386ab7ec029dca692f7f8e3214fcfa97f88c42cf384807d9a5c56a146e89ed9
- SHA512
  
  0ce197d3f63995265d4c9d8c51ffd2317065c8d653dd8135882ba0fe2201fbb3cfff66b8a88a6f2626a292918cdeccda026b6f9430c6d57196c162688dd03a0b
Score

9^/10

upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Drops file in System32 directory
behavioral35 behavioral36
- Target
  
  foo/2e90a15707ad3eb4cd06bd8a05463922
- Size
  
  403KB
- MD5
  
  2e90a15707ad3eb4cd06bd8a05463922
- SHA1
  
  5190382aaac9a76a31315f3e3b3bc6b12fac2738
- SHA256
  
  b594e7917381e1089e150150bb0db36cef541d0226fec4ff681f3cf32cb8be36
- SHA512
  
  1838ba984c52c21621e68b87fb257590255085177a073b3b0d318802fa24a79317fa96a07d87068ae8b57418adf2fbf93cf9a313e20ba19b6a82420f00427358
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral37 behavioral38
- Target
  
  foo/2f215e008c6a7d8886c578e442b8f1b0
- Size
  
  200KB
- MD5
  
  2f215e008c6a7d8886c578e442b8f1b0
- SHA1
  
  a4409e2c333fa3aaa4e0b718775d325fcf76cb41
- SHA256
  
  6903fcc0ca7851ca2aad10ae4ebc3533eda1f1d85f7f0f6df39082d6c562b867
- SHA512
  
  4cf2365b786d5894d335c2fa421901fd45dcac709974eda1ed2bb2f8d7c443c20b5975af17ee337d81986909c03786800929a36d53ed317a353a2e88bb621a3c
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral39 behavioral40
- Target
  
  foo/30bc06d0add076dd6500fcdfbc12643e
- Size
  
  322KB
- MD5
  
  30bc06d0add076dd6500fcdfbc12643e
- SHA1
  
  def54b6b4ca0d0ea952510cb8c0e3ee2a5f85a3e
- SHA256
  
  5038cf5a6ef817ad95a57c8cc8da89e66e24c83fafef450618b4d3e18ebdd9b4
- SHA512
  
  6576b45177e01f0c8bec1e1728ed69df450b2f6f7c62aeb8ba85df54b48a37e90925eddfbbce4080fd44c08266a5fec92cdfcb6efb7518e1e808b3b488686314
Score

10^/10

imminent spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Drops desktop.ini file(s)
behavioral41 behavioral42
- Target
  
  foo/312e67dc35992949937d1bad6ba529f3
- Size
  
  476KB
- MD5
  
  312e67dc35992949937d1bad6ba529f3
- SHA1
  
  b1b33ac2b7b82240369b43289c9dafe498df63d5
- SHA256
  
  0a58ffc4705b353154ea7347fd495b0e34d25da5f3094f52d43e312ea8163f81
- SHA512
  
  9097b5896ea47777fbe389e0cf75ebbdf943695559db78b2fd06aae400ab8a852d7d216fe7687e78418404d238092eec77b4e9601dd33fe34accab0a2791dbb3
Score

4^/10
behavioral43 behavioral44
- Target
  
  foo/383497fda5ca670a06dc688443c2011b
- Size
  
  623KB
- MD5
  
  383497fda5ca670a06dc688443c2011b
- SHA1
  
  c622ebf694003368c3246e166a3a7bfc6b787652
- SHA256
  
  d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f
- SHA512
  
  5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129
Score

10^/10

matrix discovery persistence ransomware
- Matrix Ransomware
  Targeted ransomware with information collection and encryption functionality.
  ransomware matrix
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral45 behavioral46
- Target
  
  foo/39555eb0403a69906729713ad20888ec
- Size
  
  502KB
- MD5
  
  39555eb0403a69906729713ad20888ec
- SHA1
  
  3496ed1ff1c3ede32a025b33eec820cdf5512ca9
- SHA256
  
  7926fbb4fe0c69379b2c1ac217cfd0a09ff9a73e48c24d3c464785119d8ab349
- SHA512
  
  674c3048cf7798c407138474a40b318f1465d920493d6a057de0cbd6befb66649a0f9e0059b042c1141cad40ae38800c8b98a9ea3140d6ae998b88aa1d2ec9ae
Score

10^/10

hawkeye keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral47 behavioral48
- Target
  
  foo/39e5310f67f0b1bf98604a2e0edb9204
- Size
  
  104KB
- MD5
  
  39e5310f67f0b1bf98604a2e0edb9204
- SHA1
  
  3a2d3638449252c6d890c4061bcd92e733a7cdb3
- SHA256
  
  4f91d0b1c9a27ac005f37227e1ef9f9e796cbbe896be2407d23a89734ddbdf3f
- SHA512
  
  30c373c76c2910d4aa4671c06fde272ca40d012a353f7c6004643c95da5a486c124662bd303b42501ac29b801cdcfc05cf853764477184d247ffbaf4f02838c8
Score

10^/10

evasion persistence trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral49 behavioral50
- Target
  
  foo/3aba72d1f87f4372162972b6a45ed8cd
- Size
  
  364KB
- MD5
  
  3aba72d1f87f4372162972b6a45ed8cd
- SHA1
  
  62eaec946e6c05d6279737e9e5583831beb383e8
- SHA256
  
  31bae2c85740d091f58896a36a461191d666e33f3ad5d8a4e529bc74bf024b6c
- SHA512
  
  d66f28238e74c13057da5f8a6d89807d7d513c542dd65d5005334e360b22d82cc4be7826ce1e3d1372c44c68a4acd8ff662adddb4affffbadfd174ccbd016249
Score

1^/10
behavioral51 behavioral52
- Target
  
  foo/406c9b9529109f835fe7292e6cf3fefe
- Size
  
  468KB
- MD5
  
  406c9b9529109f835fe7292e6cf3fefe
- SHA1
  
  80a616526044d8b3dfe9848b73c8873f474b27ae
- SHA256
  
  eeaed429ed196822dfded9099479bbb7d9cd48cdb96a986627512e607badfa66
- SHA512
  
  ce013422daaea03d9d31c713cc6ce1e0349b862f3d2b52ef9ee151b6e1e20ea0724e71000d6f2d10b953cd3bcc5b5e2dd69cbfe858b451811a2152c623e7a92d
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral53 behavioral54
- Target
  
  foo/457cfd3e7a53e7500f8206b3ea300aca
- Size
  
  193KB
- MD5
  
  457cfd3e7a53e7500f8206b3ea300aca
- SHA1
  
  7426d503db90a0795e279968009ac03853cdfbed
- SHA256
  
  feb51e59044de8b60c0e72553b2cfc7aea655af83068cf934525eec303d65c10
- SHA512
  
  cd1896539b4f1732ee6be803ca5eb012d1ed69d0bb2be71dd09d17fc7d831a2a7bbfb78cee1b1a6545c7bf00c1855dc502ce1ab0ace7432cabc2d2a00db8df43
Score

7^/10

adware discovery persistence stealer
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral55 behavioral56
- Target
  
  foo/4761e4b165f62d326b9032d96329e460
- Size
  
  793KB
- MD5
  
  4761e4b165f62d326b9032d96329e460
- SHA1
  
  59aaeba76ac34841d60aef175309161d2b5e4992
- SHA256
  
  5f6884586533f6065ec2c0557e63e1b5865f0b22c42a386a338cc211ec1a308b
- SHA512
  
  c2ce8e91fcd7697b5f7b6e5a7a62f2552be4388f3fbc1dc0003893edb133731160736852f2fab62c18f06d8f773e7dca96ade6e151b2c0163599d49269e46a9d
Score

8^/10

persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral57 behavioral58
- Target
  
  foo/487f1b1f30212eaa9104c084a667f104
- Size
  
  5.7MB
- MD5
  
  487f1b1f30212eaa9104c084a667f104
- SHA1
  
  e562c8d364fea1f1f4524c30a0606598b8814096
- SHA256
  
  8b72156895f47b7f216b544937a46a3909bc07134ebac1c586de7aac3eab18a5
- SHA512
  
  c6ad92308792d2135ce918fcc1b88a15a3c928c30a99de2366f7477df9196dff9d287e8d84c2176f4b7385adee5b2601402cc2deee84d26060057ea044d59ddd
Score

8^/10

spyware upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
behavioral59 behavioral60
- Target
  
  foo/4a74c9f378007412ec2c8b2eea6da4cf
- Size
  
  512KB
- MD5
  
  4a74c9f378007412ec2c8b2eea6da4cf
- SHA1
  
  7ed849c7e9f2c70af40a6feb46d57bd5f06c3a8d
- SHA256
  
  4ef7144d88b296b15236dd8866cf50d4f20657551da60897ceb2e67ec8bad793
- SHA512
  
  5043709c2e1f1b339df4cd035ad959746ebe6ecbf43ee2ebe9718367581a6c557ccd3a0c3f2615e8fe0ce6ac1efc169348ddafde77f2d82984eb945d09d4f4d2
Score

10^/10

lokibot persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral61 behavioral62
- Target
  
  foo/4b2d7854b47943b118e24c6ec79b974b
- Size
  
  4.2MB
- MD5
  
  4b2d7854b47943b118e24c6ec79b974b
- SHA1
  
  e80270395d82212d41e64f8afe0203b8061bf9fe
- SHA256
  
  ccce7394fc1a6e1730f440e2d20183c830f30bb7cb446a54ca18277974205503
- SHA512
  
  64216c5bbd286496e33adb03e80e1aec67a2c6e2f8f1088804dc95182d42e978aa77f8366c384b4bed5eebdd5e15ad5484bf839b6fb8a35799819c64d05f3162
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral63 behavioral64
- Target
  
  foo/4c49c2496ae538bcec9e1510f3eb8eba
- Size
  
  176KB
- MD5
  
  4c49c2496ae538bcec9e1510f3eb8eba
- SHA1
  
  2d62b087f6a1504b57fe65fef38ee8c831bf7aa5
- SHA256
  
  a149cb7f8d29506837ecad9e9b7e7a1e8fd23ba5716c653b2bd3d9bac9eccd6e
- SHA512
  
  8cfecc9d516603a41c0801f75cec51b318d39b4985745439a433cfc0c1eded9dc8d5c2258ff7de358191211041345eb7c74e969dd69262cf09cb724eb59333b6
Score

1^/10
behavioral65 behavioral66
- Target
  
  foo/4cfe8f3aa1592035b9a2cdb2c4f54c77
- Size
  
  2.0MB
- MD5
  
  4cfe8f3aa1592035b9a2cdb2c4f54c77
- SHA1
  
  ed8024ea02ca996e74c40459ff35c78cefdf111f
- SHA256
  
  0aa9b861be9e293f3d71e39949141e7c87c52e3f4f8b0ea4d26b768b0c188bc2
- SHA512
  
  42cc40eb614b4afbf08ae8646c7511ffcdfbf3c3af924ff20d40b5499acf1f1136e4809aa5428c5b260e4b8676041cdb70ef74904b0c09ab5944db1cf89cff3e
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral67 behavioral68
- Target
  
  foo/4ea45460c3e7c3d8486d3f7bec90c613
- Size
  
  6.0MB
- MD5
  
  4ea45460c3e7c3d8486d3f7bec90c613
- SHA1
  
  303c290738a2d89d4bbd365da80650ef5a55bcab
- SHA256
  
  a0ea757d9a9ec9e09bc806dbb1526fb5b90692ccc1f31aded8e3dbd0abcde5ec
- SHA512
  
  1ad7731246a7dfce4cc656481af68f8f4f37d511b453431f32dfec6078313eb636047031d9341e4e62b969ae95c600877b9c49a28168e3c7e02de4371be88228
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral69 behavioral70
- Target
  
  foo/52d6c59fcfe73048a240c7fdd1f04d7e
- Size
  
  9.7MB
- MD5
  
  52d6c59fcfe73048a240c7fdd1f04d7e
- SHA1
  
  e8af78f67fb5859b54d10e865b7a1070b4d34f46
- SHA256
  
  93b36133201cfe77b1319c72d9b0b4ed471a6337a58f6b30f926f1786159ec82
- SHA512
  
  cfd767ea4063205a57894d9d8f09f205c8e9bc71b8052985076496c136b98f037aa7b274cc225c5ad759ddc530ccb6201cacdfa8c6a015311331f2589b4ff8ca
Score

7^/10
- Loads dropped DLL
behavioral71 behavioral72
- Target
  
  foo/55fc11ec67a00177d047d5abc84231e0
- Size
  
  35KB
- MD5
  
  55fc11ec67a00177d047d5abc84231e0
- SHA1
  
  acbd513fa686cdbc50ae7f69d41fb8384255658a
- SHA256
  
  d65e0dea8a361b12e8d278afbf103d0bda2753fd9c1e14a779bc92fbc4c1e144
- SHA512
  
  206a0f9fe46bd39910f6224f41dab028b74312b1ed9a3052f97f44771a5d43b01e32ba5b3bab40adf7b877a1d48371d140dfa4b3241ab2b54d8bfc3cc74f930e
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral73 behavioral74
- Target
  
  foo/59f0fbc29bace019804b8a181ce75a06
- Size
  
  568KB
- MD5
  
  59f0fbc29bace019804b8a181ce75a06
- SHA1
  
  c3a44b6ea913ce4eb32f04930ea60043d79c3a0a
- SHA256
  
  b2e8676b7a04f3582470aa3de91b39ba731fdf072907d8d843d052d73c87405e
- SHA512
  
  a68ce42173331381d1618929cdb7cff9d3220afd151856c62c6eb015faaba61c1141a7bb2af5d1b58b1732cafa2286acbd2c95115f2a789c7a3454bc96b63ce2
Score

1^/10
behavioral75 behavioral76
- Target
  
  foo/5b1c0df2be80006ec3af6a5eeea17ecb
- Size
  
  777KB
- MD5
  
  5b1c0df2be80006ec3af6a5eeea17ecb
- SHA1
  
  b2353f17d51fc76dec8681df4526406e7c9113a6
- SHA256
  
  6ad2f4284d0c364d7a2664100ec5448607d1e064c3d1a65e4e737769ba3cda25
- SHA512
  
  607334838181a37883132906e562944cd54221f28c2efa279cade7ce8829550d20c11d864797118ff476497144cd84218282bb97cd4b4cf8fa13f753459ad7eb
Score

1^/10
behavioral77 behavioral78
- Target
  
  foo/5bc72a1ae433663758319d97917b77ea
- Size
  
  5.5MB
- MD5
  
  5bc72a1ae433663758319d97917b77ea
- SHA1
  
  889f6f4ec2347ded9924ff9a51c14d0e0347feaa
- SHA256
  
  c84eb9ad415a282bbdb0adced711af66631e29a4e0606a566f1477018f9315f5
- SHA512
  
  8e3000e76531bc8332003016ff926e9330ef28d154f8f04d2f522b6cb822df10323d811fc5116919944e74483fd3bcded30bbcc0b14fd26e5041a68dcdace551
Score

8^/10

bootkit persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral79 behavioral80
- Target
  
  foo/5d33050f0514054c49f2bc2ff9abee2a
- Size
  
  272KB
- MD5
  
  5d33050f0514054c49f2bc2ff9abee2a
- SHA1
  
  2cdf78701185d2d773666af2d8ea4e0b04781bf9
- SHA256
  
  65b2fb3df4cf7da2980a6af696bdee3df2effd65228cc56f51a5d8fb29469e68
- SHA512
  
  e22b419fd86cc4d0af4c48c0a53abf1afda4715dd92acbb3296f4e1f32a588364c1b48c9eb3b2214c1f834d79ca541cdd79a13d8975d91337970d7cf320f61be
Score

7^/10
- Loads dropped DLL
behavioral81 behavioral82
- Target
  
  foo/5d9775622b5e7123d5796d4de5dc2839
- Size
  
  133KB
- MD5
  
  5d9775622b5e7123d5796d4de5dc2839
- SHA1
  
  176ef2d48f75b9be26882040e69fc95fa8b02e5b
- SHA256
  
  a57aefff0656b1266ff25b5e4972e6829ffec6a5855597587e026d28881dc62c
- SHA512
  
  ffd89d99223fabfe4def0b27bab031ea76f50fd3be36b27f3d76754bb333784f91985e1c88a7e1991ee334ab98b42f3b0cb2e38dcb5d6599bf0d98ac8f73089e
Score

8^/10

persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral83 behavioral84
- Target
  
  foo/60121ea2ab380455f7e143cd9438443e
- Size
  
  98KB
- MD5
  
  60121ea2ab380455f7e143cd9438443e
- SHA1
  
  091fd74c5caebd9f53c34781ad6b0241883fe698
- SHA256
  
  b8f7c90cd170ba8c79c472997c17509e2d241a54a9cef7efea4dac23b043afe8
- SHA512
  
  3f42a0756999d6441721f8d4663c8af677c895c4e11ddff25d7a1216b3b4a015b7d3763c0e06f616f73eb5e9df3b42e07baf8d5ec910632f3e275c8d2fd388e6
Score

9^/10

evasion ransomware
- Clears Windows event logs
  evasion ransomware
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral85 behavioral86
- Target
  
  foo/62565a39c4a264e48e0678edad5d60fd
- Size
  
  856KB
- MD5
  
  62565a39c4a264e48e0678edad5d60fd
- SHA1
  
  1dc0f3920082e9f3e789d5d1587d9c7b47d58a5e
- SHA256
  
  d9d3596268e269cb48aee92aaa47a50f785f8568f319aad812af163da28e7a40
- SHA512
  
  9b851c15b072ba5e0b316f2f02ff49fbb483fd5b4545d7c225f27ddfe8ef0fc99747a5b14bbad6b6373c1b562984c22d52d83c65970ce5ffc5209a5dc1e715cc
Score

10^/10

qakbot 1535648626 banker persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral87 behavioral88
- Target
  
  foo/62a3fd9b4932e59a7192813c22617764
- Size
  
  453KB
- MD5
  
  62a3fd9b4932e59a7192813c22617764
- SHA1
  
  202a619fdab056d51bde34db8683839feccf0da5
- SHA256
  
  8b433a97defbbddb0922aa477226ab820f388d9d38ba10d8d8b89917053880be
- SHA512
  
  87846d0a4d55c209dc5dcdec1e9c9dee7beedce840d099df4fa5ced0e814183162d25a3e3ae8b56dc533ac9dedfc612631559da7e5cc19985a6bb3d0ff80ba54
Score

10^/10

imminent persistence spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral89 behavioral90
- Target
  
  foo/63e9ce22dbf66934fd75c77bc84954d0
- Size
  
  563KB
- MD5
  
  63e9ce22dbf66934fd75c77bc84954d0
- SHA1
  
  c48e6b5974e2f10c5c4e0426a898fbcf7a67c8cf
- SHA256
  
  550d461697099ebb3a5ee86336bd3358a05850f2835738d6520a552527b096a6
- SHA512
  
  e14692ed9673f2926ea62b6e9f128953fa79b1ce3df8452656e11e479af7a187784a5aa893719d3e8438e8697b7793292d46a0a9adc6a400e610eb288976036a
Score

8^/10
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
behavioral91 behavioral92
- Target
  
  foo/6497ba06c339ec8ca438ddf0dd2f8fc5
- Size
  
  29KB
- MD5
  
  6497ba06c339ec8ca438ddf0dd2f8fc5
- SHA1
  
  4287ee2103467196df93fad515a844bd2b94df78
- SHA256
  
  dcf7b759aae3ce6597eeca586238419728e432770451522a0f0d1873463aac20
- SHA512
  
  45b97bcc1dbc060cb5d461fd945759c60fa943f18e1b777592183fdc6cb9719578669d5ab914e4e0be1fd3e2356e88bd2e54f71f13b586c9892d034b751c5277
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral93 behavioral94
- Target
  
  foo/698cc868cdae13a5cc744020ec00e331
- Size
  
  2.5MB
- MD5
  
  698cc868cdae13a5cc744020ec00e331
- SHA1
  
  cb498c95868eb907422351cff294476fa474f856
- SHA256
  
  2e0bbdb1882e670a907d79987fb5ea80a050f7a57b17196bdd2ec42e3c4e2b95
- SHA512
  
  e8b7631c4bc2c76a4ed9b706636f6bd25c6556d1bcb1c21e296022d030005cee29f692f5f773fe47511b66e3bf45005f7d0e7b4b3cc19cde38632029759e2b3b
Score

7^/10
- Loads dropped DLL
behavioral95 behavioral96
- Target
  
  foo/6f2c5c31fefa00afa2af1adcbdd93ad5
- Size
  
  6.1MB
- MD5
  
  6f2c5c31fefa00afa2af1adcbdd93ad5
- SHA1
  
  f460f3caff95e713dea4105ab48aa06331ea5d5e
- SHA256
  
  00ba0c7b8b90f5ef0a432c893ef0f90fa91b1e7c4a74d1c49d8fc9a63c6e8a17
- SHA512
  
  fe9564cecf0997cbfefe5818688261f894179101a71315f4351addd35d0e3539e2e67f79fa9e45bc02f57bd8e325cea9763978df52522fc4d7774e70c18daa13
Score

7^/10
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral97 behavioral98
- Target
  
  foo/798f5e61531f527821a490a15ef957ba
- Size
  
  100KB
- MD5
  
  798f5e61531f527821a490a15ef957ba
- SHA1
  
  8b9cf50467ecccda66fe065e52994a0df369b139
- SHA256
  
  1b2d37bb6b98fb77496db754816296b740a2fe7a8e3d0a5263a8002d16a1b5f9
- SHA512
  
  9706113b056b96f4c5f89a3991a2adddbe1d7a6e44d03ce919edf88ead8e500eed4b84d5b2886ec4f733003bd751ba9653ad810bf7b8046aa94711f2552d628e
Score

10^/10

evasion persistence trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral99 behavioral100
- Target
  
  foo/7aec86c6c4cc35139b7874a0117e4451
- Size
  
  707KB
- MD5
  
  7aec86c6c4cc35139b7874a0117e4451
- SHA1
  
  b597ea073119727156f95b5224d6db7ddc370bee
- SHA256
  
  48749cd789a40b8358f06ce41100985b4544162df8ed47bfc17c72242756d50b
- SHA512
  
  7f8f596607a925bb72b91b7a9fc78d9094ec4a5a5dc41c866f9dcf961daee52dc4052d2ace663b021301e1cb715c3ba9f209ddc7e48ef07b46283673b647c561
Score

1^/10
behavioral101 behavioral102
- Target
  
  foo/84bf6e1a8fcd94cf6cba6ac7e2a95b64
- Size
  
  685KB
- MD5
  
  84bf6e1a8fcd94cf6cba6ac7e2a95b64
- SHA1
  
  cc788b747b956cac871f55be59995e4bf57901db
- SHA256
  
  f2e8ae7bffb3210efb4a5baf9ee1875e1143d2d73614adb292b44bb143b3ffd9
- SHA512
  
  058fd21be218125c20aa1a715d9c53151ed68283465a2e2a8acdb534e95818bc8f9b99a74a13c963c2839b3955e38f217d8475fafd91eec0eaebeeba152e6b65
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral103 behavioral104
- Target
  
  foo/907b7d9a23ed7821abb700fcbe1c9bb3
- Size
  
  3.7MB
- MD5
  
  907b7d9a23ed7821abb700fcbe1c9bb3
- SHA1
  
  6caba04b65d28c5a0d0666572c40022fa1f1acca
- SHA256
  
  e37ca180d6f18e361f5cbc3f6c6f0ae4d301018e45891b32cf93da490d62f607
- SHA512
  
  d407ddae4f820e1aff994adf9e88952d5756fd1c0b6eef58e28a72fc7c455af991fb4294931ebb2eaee5133d2e56f72f5013e45a1b5d0fe17416d1b0583346f1
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral105 behavioral106
- Target
  
  foo/928f1db0c63d122f0183686a3bdfccee
- Size
  
  842KB
- MD5
  
  928f1db0c63d122f0183686a3bdfccee
- SHA1
  
  8fb82a9595afb94e6e77a9ac3555e2b1abfdbbb5
- SHA256
  
  78fabf339b726203334bb592812ab42c8652ab37535eeccf2e457df257d7a881
- SHA512
  
  6f500e95cdb91a07fb0af0aff671054f6628752d563c34a0ad691c2727ffd9f7107da71f7c84550a95a2850eae1bb60b5271fbca7d648d88748a28859310ccb5
Score

1^/10
behavioral107 behavioral108
- Target
  
  foo/9401b0788dc22eeb1dace02d23a9596c
- Size
  
  552KB
- MD5
  
  9401b0788dc22eeb1dace02d23a9596c
- SHA1
  
  b5dde6f4feaec905d14dedd1d7957e556797e84c
- SHA256
  
  048d9773dc60db5173e4cc0ccdb9eff1ca61e2a7bd1b7e357388d9cd8e94ada5
- SHA512
  
  5d3796bb2e9c5a1753a7ad9ddff26eed7f1289196c5d40b0be946a52b3818406cf9b7b776f677c5e252b2eb294077034aaaf4cbe05cf64a66eeeb0466965264d
Score

1^/10
behavioral109 behavioral110
- Target
  
  foo/97dd8726304f889ef12ef1beb510be84
- Size
  
  679KB
- MD5
  
  97dd8726304f889ef12ef1beb510be84
- SHA1
  
  2358917da7fcf07e9b165dfb3961b9212e37b671
- SHA256
  
  424ef529e699a29eb1324f71f56a3d0728079926ea793cb8ebbee71ddbfeabf1
- SHA512
  
  d141a224a4c55b4b4c7ef2348b5accd7a3ba9bebb0dd5eaafbc08060746a0a9082c7ab93a022b20ac2fb2255293430da729d995ab5b0106ab064c0c0c5b4eeb4
Score

10^/10

gozi_ifsb banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral111 behavioral112
- Target
  
  foo/9b8c48e6186718b7b290ceed9369a1a4
- Size
  
  826KB
- MD5
  
  9b8c48e6186718b7b290ceed9369a1a4
- SHA1
  
  816a6a15054568dd2f51e25ac73178f9a0182d82
- SHA256
  
  f05ec8838752a3b917acbd2e742e03646f091ef5ce97bf1eef75810cebbfc93b
- SHA512
  
  6ff8ac1f9b6c296679458022b375548e8c322809e4a1887551ca0cb553f0cf864e43361edd6e1a2ee8a9b3b3a5680a95689b2bf91785aea68baaca6be91339b9
Score

8^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral113 behavioral114
- Target
  
  foo/9cde71abfd2a6aeb83cdd233cbc04fcd
- Size
  
  146KB
- MD5
  
  9cde71abfd2a6aeb83cdd233cbc04fcd
- SHA1
  
  a1cb6ad95fe9df8fefe9dd0753b88cfc852368f0
- SHA256
  
  e742096e51fcd3e8c19d43cd26dd25235f04a0af5a64343754e2e46bb90c3816
- SHA512
  
  8a6a152626b9b912089e6c68193788fbc2258f56b359fa20d0b09f4033cdd357d9e661de6c0a8378aeaf2c66f6ccef8f86cc624fcf97d90f004213eb2ebbfe04
Score

6^/10

discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral115 behavioral116
- Target
  
  foo/9d3438ba1dbdbcc2a65451893e38004b
- Size
  
  2.0MB
- MD5
  
  9d3438ba1dbdbcc2a65451893e38004b
- SHA1
  
  d981bd3d2abb18bcd1421c9de38bf1854f4c13b1
- SHA256
  
  8f04cf8f8be775e065bce4ff33ca3afc7711aea57b5fb91c488bc03af1df58da
- SHA512
  
  6818546c2a967a0d63814e77e339656939eaae510591e3888b8abb8626d89132ac51774efe0912c083072b2314040d1d5c2f0ccc463669a7bc34b2d134b714ba
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral117 behavioral118
- Target
  
  foo/9f88187d774cc9eaf89dc65479c4302d
- Size
  
  326KB
- MD5
  
  9f88187d774cc9eaf89dc65479c4302d
- SHA1
  
  4c1e5e0bb72c78c4ce0d37aed939478aaa35a94f
- SHA256
  
  5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9
- SHA512
  
  e03a4000bc7cac0332f2060ad58cadbe65a4283d012606f8395a6e63c42fa5e7b98f8ebf40d438c56332e19e845658d70a7ef99d2343323bd701e56c3b0cd0e7
Score

8^/10
- Executes dropped EXE
- Deletes itself
behavioral119 behavioral120
- Target
  
  foo/a17bdcde184026e23ae6dc8723f73fcf
- Size
  
  784KB
- MD5
  
  a17bdcde184026e23ae6dc8723f73fcf
- SHA1
  
  faea5147df4768b101d0fd214c7fbf7a9cb048a0
- SHA256
  
  a358e56c91218b5f21d54556fb7aef5de158da4764c9cf8e5d71e3e41ff4841f
- SHA512
  
  90d58f8e290bc751fd3f945ad5de218f93d8605578c87972359edcc9e87d84473f2ebd54452c09d2bc9ba4d11f9412742e9f1d3bb9c9cd67a17cd58693624616
Score

9^/10

evasion persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
behavioral121 behavioral122
- Target
  
  foo/a2981192a30538e97b55f363abbce946
- Size
  
  804KB
- MD5
  
  a2981192a30538e97b55f363abbce946
- SHA1
  
  ae16cec3416895c912b03b7f76be2177aede6745
- SHA256
  
  99e7e093c6f7be4cf21b5068a4ae746be2b3a4475ec251288d02a3985de70d48
- SHA512
  
  b03fa2f833951441f5bf56711296b48a6ece3b3964d15893fcff78563e808de88fff9d644c4b73253add71eb729a7e1dc4095abdd33a7a26d60eab904e7661d3
Score

10^/10

xmrig miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral123 behavioral124
- Target
  
  foo/aa3b51bd50bcc98f763cffcf7f907152
- Size
  
  840KB
- MD5
  
  aa3b51bd50bcc98f763cffcf7f907152
- SHA1
  
  17868a0f0c8d52ffb80e120a010fd7737e0ecd4c
- SHA256
  
  dd518cbba0506c2392969aa01ba4b9f5216724d9234055d7f0ac1db93227baf4
- SHA512
  
  aba0fb7359b45e7f206632219873ee6834c01b89a9f6b4001b8299ee5422a02cfc25cf17c40522349e98b5911b09d771ec793a70e29d9770b51cf873c64249cd
Score

10^/10

azorult infostealer persistence trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral125 behavioral126
- Target
  
  foo/acf0b7f4fe980501192187bb9b8e20c4
- Size
  
  872KB
- MD5
  
  acf0b7f4fe980501192187bb9b8e20c4
- SHA1
  
  f627019b79fd174403cb81c9a59b1ed81b658e81
- SHA256
  
  d8f2f635135cc57f0d566646bbe5c6f22be2aa4d9fcab74c272b22f7e4b28f6c
- SHA512
  
  df3afaf21da7bfca412a6bcfea39913904d5a95767220f30e07d23487276fbce7bb489bf12b11f68e2a5651fc3c2b4041d76e201d3416a8bea460418d7a25683
Score

8^/10

evasion persistence trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral127 behavioral128
- Target
  
  foo/aeca5c301d02253e8ffcc240c08f61f7
- Size
  
  105KB
- MD5
  
  aeca5c301d02253e8ffcc240c08f61f7
- SHA1
  
  a7d94fc834a9e73e35ea48d0d1630e2a8cfebf97
- SHA256
  
  ae2b285ce6b791fc7b0b01e923db298cb53b43e646a7f34bf1c8c79c94cfc0d2
- SHA512
  
  f72e6608f437f59ad924ffd5de19785262931b6e4ab2a8a70970c9aa60488ea5df08b284bb3ecbda5ae2c9b8395c2919f34e0cb051b042a41782a7a59d66fcd2
Score

1^/10
behavioral129 behavioral130
- Target
  
  foo/b1071426aa88f31339f1b369cf13cef3
- Size
  
  504KB
- MD5
  
  b1071426aa88f31339f1b369cf13cef3
- SHA1
  
  69ff5bd81f366fece2d36c98cc3bf4a2d41b8f68
- SHA256
  
  08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c
- SHA512
  
  a6e1dd3c13dd952d09ae9cdcf1b94c99ab9b0fe7c58d957eb558353f61084ec6ae9e133f8c449ffc434efaaf3f767e30709547e3efb2106839e2d31574b18ac1
Score

8^/10

persistence ransomware spyware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral131 behavioral132
- Target
  
  foo/b2365260985173cc758575cd8059459f
- Size
  
  645KB
- MD5
  
  b2365260985173cc758575cd8059459f
- SHA1
  
  f6e874021db45fcd4042c621499ab925b4dec1c8
- SHA256
  
  d30b001d1a77d323443e37323aabc9c316dbd3be556cb57854644cd875885ba8
- SHA512
  
  6fec4a3b28f4f1c8fae9e0c2f04d0157f6b4a2db87b98837dc0330820dac97c373c10cd323af421d2e3dc1be93862d645a3620c9e8f86717d65eb695c65cecca
Score

6^/10

evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral133 behavioral134
- Target
  
  foo/b514b59324818c52140b431aeac96bfc
- Size
  
  155KB
- MD5
  
  b514b59324818c52140b431aeac96bfc
- SHA1
  
  83d7256670dccce993acf2df73872abda39bb5be
- SHA256
  
  ae57d0af018f011cd42ed91caba202201069be6fc5de6b8b3ab14162cbcbfbe5
- SHA512
  
  4bfb86bd70c1f1b376255972708efd2dadc252566625d02e84ec5297580edfa50a9e321ae1503bdc6bcbe1beea8b607f445caa4bb1c940363f47512407ca6649
Score

1^/10
behavioral135 behavioral136
- Target
  
  foo/b641961018d09dfbd7fa9c15f09a7723
- Size
  
  8.9MB
- MD5
  
  b641961018d09dfbd7fa9c15f09a7723
- SHA1
  
  69e515dd8840866fbfb1e239daf80f6fcb745f1b
- SHA256
  
  44095d0a22646ef5b369ade7ce87d2f9bd51402de73f977f352de9a3a3eeed6c
- SHA512
  
  e9e43f1d59be84fbc918ea601a7b489286661a81919b760e2a0339fedb93b9d3a33b148cfefdd584c163957107194b764eb2ddbad79ca2af9a5e90db3c1c9beb
Score

7^/10
- Loads dropped DLL
behavioral137 behavioral138
- Target
  
  foo/b693dfe99d2915616044eea2cfe18360
- Size
  
  286KB
- MD5
  
  b693dfe99d2915616044eea2cfe18360
- SHA1
  
  6415634e1fcc51714e871ccb08f26b4806aed3b0
- SHA256
  
  1d4169bb0978e88bdff29844645d54763e62db8af10abc324fb2145f64304024
- SHA512
  
  95081c20adc6363ba3c0f7d6390a98c5f47074a270f112a002f549009d6c50654756b89f59737b7554e3186c17355dcda57424e255aba1392a574a4b27734efb
Score

7^/10
- Loads dropped DLL
behavioral139 behavioral140
- Target
  
  foo/b6e7c9793cf40153bf8865195e06ecbc
- Size
  
  3.3MB
- MD5
  
  b6e7c9793cf40153bf8865195e06ecbc
- SHA1
  
  fef5dbf8ef53dafd676818196815e6b110f2bc03
- SHA256
  
  0e0cb0d76bc848f729878dab7218f4e12c9c0cc7d5c939e5d92995ba422ea7ec
- SHA512
  
  d12eb44304f7054e060a105bff9f3861aa16bb10fd72bbd819a8ffe3d23818ce66f5d790a929d41cee4161bbbe78d0077d167fe792c3e27c018dc88632a5e5ee
Score

10^/10

gozi_ifsb banker bootkit evasion persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral141 behavioral142
- Target
  
  foo/b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a
- Size
  
  99KB
- MD5
  
  b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a
- SHA1
  
  15a0e8dea24b904cd083ed51b28098726ecceed4
- SHA256
  
  0b499361076d8d02fa6b313a08199fd10cd9af1abc7fae0b091039be0194c0f3
- SHA512
  
  674d28fb9900070fd0cc58940fb97fbbeabea2d167ad19e248fe8a980221f6ea79d9f1795c019b844896e8b19ce1d746bda6c34040c1ae535b9e22135692a0d0
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral143 behavioral144
- Target
  
  foo/ba2d460199eb2d9e9d6d0559bb455529
- Size
  
  39KB
- MD5
  
  ba2d460199eb2d9e9d6d0559bb455529
- SHA1
  
  8c50ef4cd9feadf857ad2d501e3d03bd55d5de4d
- SHA256
  
  a3f13a940ae3f6d0a8e94c8ab203005cd737a899962425f1600a4bdf30877375
- SHA512
  
  dd376f8f9f05d509eca465c04c451d83a12043f614d90a04c63b25f202f9e87e3960666e2710e19538c9818a778fd81832b45c1e495c263b6725991413755fcc
Score

1^/10
behavioral145 behavioral146
- Target
  
  foo/bad78e11371381ce9e1d703aac2821e5
- Size
  
  210KB
- MD5
  
  bad78e11371381ce9e1d703aac2821e5
- SHA1
  
  76ad0abaf1c99c741352a16e5b2f71fb38fed0e4
- SHA256
  
  18dfcf81046272e08f6ef3230df83008cb78eb30cda341c59ceb33c5be542d85
- SHA512
  
  8bccc4535dd97b483f10eda69f91a17e794b122215bb2e926a114ec46e8935ab0a1e5e1cb0b6fa3b6bb0a5a6d1b669a87579850197af4a0c33b3bb57a7f00b25
Score

9^/10

ransomware spyware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Drops desktop.ini file(s)
behavioral147 behavioral148
- Target
  
  foo/bc6536b86b04cf5b3bf7cd353d615ab9
- Size
  
  583KB
- MD5
  
  bc6536b86b04cf5b3bf7cd353d615ab9
- SHA1
  
  5e796021e22ed016697d6aefb0b955c57b4b8dc8
- SHA256
  
  1e8dbcedd0e30e32583548508edc4cf2b8f3d0f731a1a65559fe83382298136f
- SHA512
  
  f1f3fd81b2e56daa77cabbed191978b51308d8202e35d34cdc300d9fa429a426f88fad618ae7df9bed0a6f2ce665ad4586a5d5cbc6099e98e4b9bcda1cd160ab
Score

10^/10

xmrig discovery evasion miner persistence upx
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral149 behavioral150
- Target
  
  foo/be85e0b2608a55942aa101c66ce6c32c
- Size
  
  728KB
- MD5
  
  be85e0b2608a55942aa101c66ce6c32c
- SHA1
  
  77e651fa75f8221458777a0d290ccae73682204a
- SHA256
  
  c77d9095b13bfa202cfdfa87475cb1799fcdf8152a3d298300d63ca16abd3757
- SHA512
  
  f0a2f943e251cc96ee7026bdc25cc920afd79d42ab1ec112a641d881602117fa1cfd8b39b18b9e28a9e6b1401fcf133e052be2e63a654eaf34075342a7d5a3bd
Score

1^/10
behavioral151 behavioral152
- Target
  
  foo/c914b169d1388c5e78421045d05946ee
- Size
  
  3.5MB
- MD5
  
  c914b169d1388c5e78421045d05946ee
- SHA1
  
  4f2de494d334710253cf3ad40faf1d07e048d55c
- SHA256
  
  e1ee4f9cb208e3560177f49c3e809a29ff9fa0b0daed5316f17caf22647e4eef
- SHA512
  
  96dc235e2a93f99682f26f95ff0986db2b8a09e5b3470122270de5c3ea77575356178a51c6d7e3515f68fad894ebb63e2b86e3766f6f12ffa3930ca1192205f2
Score

3^/10
behavioral153 behavioral154
- Target
  
  foo/c944eadb6e032fd9e7a0988464a6f1cc
- Size
  
  160KB
- MD5
  
  c944eadb6e032fd9e7a0988464a6f1cc
- SHA1
  
  c21551f6885ac52f80a5e303ef3cb6d40c182d11
- SHA256
  
  2e4a248e3f279a42e2bea37409ab0de8770a3cd4a3b5fcccd701a535c2436d52
- SHA512
  
  475ed1d94361538bdd71d21b4127fc1b7bab5edfc0ad917b7c3bbdfa51a8ed11ff6f0d4df47e3be266f07a4722448d53a926d041a161a5646efec94eecd3bde9
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
behavioral155 behavioral156
- Target
  
  foo/cad3634df5d5058551bed38237ab8e8b
- Size
  
  823KB
- MD5
  
  cad3634df5d5058551bed38237ab8e8b
- SHA1
  
  2f2ac22494e49ce18470677690ee9bdfcd9f0c74
- SHA256
  
  663ef562dbd3a7fc7490fd6ebc11c328450db6f5a9f9e058c4d3ec663b925147
- SHA512
  
  bc1eee26f9375f0138fc571aaf2602d9b4c14e7052867e739fd131450b3453a1a19424031ae6ff80c1cfac4a6e71e9087255e97a3f3d9053f84451b745054ebe
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral157 behavioral158
- Target
  
  foo/cd89b6c808c296cde0bc77ee630dc7df
- Size
  
  284KB
- MD5
  
  cd89b6c808c296cde0bc77ee630dc7df
- SHA1
  
  47a17c5b8263acb882f078b81897f615c25de0ca
- SHA256
  
  246ad930ec77776b847e9470b725029f5dd5e0384b869d6105c3571b8cb8189a
- SHA512
  
  a51620d5170356cabb73cfe2f9f2de54d52467c3a126b2b34eef5d18a84b6cd6e68b2003168c8b077abee1d58d1aa9e5af58ee65eaaee4a75f9414c04bc169fa
Score

8^/10

persistence spyware
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral159 behavioral160
- Target
  
  foo/d81e76123ccb64b73eeac2f31a7434c4
- Size
  
  4.7MB
- MD5
  
  d81e76123ccb64b73eeac2f31a7434c4
- SHA1
  
  6a32284225e897965972ba4915e5c327b900b81a
- SHA256
  
  695ac197f95781e22c61604838e3e339285b08259a971289ce6993d409fcbc4a
- SHA512
  
  37404b0e8fa7825f837ff9d6ab1e487bc1591daf46b57bfe030b7c015937ba80605db96f649ec024761d13eeb2cba86ab50870af9007bc75fe6043fd8b8f6cc0
Score

10^/10

glupteba dropper evasion loader persistence trojan upx
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral161 behavioral162
- Target
  
  foo/d86d2cb12111422ad0b401afa523e308
- Size
  
  894KB
- MD5
  
  d86d2cb12111422ad0b401afa523e308
- SHA1
  
  d019e10b793b78f2da2f006acdb0aeff6b57d927
- SHA256
  
  bfefbd8050f0dfbe1047ddcc07e951967a5b8395190127d97d0c3a4441c919bf
- SHA512
  
  e9bea547df7cd2b5cfab5890245ca2540828eb87aba7052a3d5c0cc11d03552c8d39ba0bfc9994acafc257facf9797f1cbaa149e7628d99124bf2b53b840a78e
Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger Payload
  Detects M00nD3v Logger payload in memory.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral163 behavioral164
- Target
  
  foo/d8e37dd7ca017370a0b54147a27a7498
- Size
  
  8.4MB
- MD5
  
  d8e37dd7ca017370a0b54147a27a7498
- SHA1
  
  c6167da141d215d31aef6ac9e332f58118edb70d
- SHA256
  
  00ef059476bea303a3d8c6621e7286c32a953e4c83c30361938fd338e9665f9b
- SHA512
  
  6a0c989f8ebfe2dc2706a4241db52962dadc6cf94749a9408dd534531582a061be3aa860e65b15e96c172292b607c8606e4e8fde11e05b0840f4eb2e4540b355
Score

9^/10
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
behavioral165 behavioral166
- Target
  
  foo/dea515c25081073ec2cee293b2991ee1
- Size
  
  1.4MB
- MD5
  
  dea515c25081073ec2cee293b2991ee1
- SHA1
  
  811a254ac1f803d5707310f87e454bb7504f0757
- SHA256
  
  9ee19d067ec19b2c6d07726448639c869d61138e2f53c9eed136c3a2622c881b
- SHA512
  
  68886a649fbc0f53a63fd7f437508dd93dd7e8cd6ae67640a07206a4ffdf349c7e662721b42c9cb68a889888d29d6d693f26273ce2db27d36440f4482cb8d530
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral167 behavioral168
- Target
  
  foo/dfcc555a02bccc9c438b08555b5c2ab8
- Size
  
  252KB
- MD5
  
  dfcc555a02bccc9c438b08555b5c2ab8
- SHA1
  
  5f10b75aa47823bc7e81a859fdced21b8556040d
- SHA256
  
  1095b754656cf05da5e65406de095e1b1dd4b28c2c2f8efca5e34283bd17e0b5
- SHA512
  
  fcb9ef49ec2f7eab67394997a92cdb15c11878434c6ed47240fafd71ea4c8993fbd0f986d4086e51473a5168d472e4eaeb993491bd36f0a804008dc5a0eb6b6c
Score

7^/10
- Loads dropped DLL
behavioral169 behavioral170
- Target
  
  foo/e03bd458de4a107688236bdc4ddc3afe
- Size
  
  431KB
- MD5
  
  e03bd458de4a107688236bdc4ddc3afe
- SHA1
  
  55859c4fa195c36a48425bb8aca9ef3609b62e89
- SHA256
  
  344bce1df6486b71b78e85d6dce7ba1929176afda786acac56b6a11b625cd21c
- SHA512
  
  f4585ddb1aff65d34a5a33c95a29c0c816f0ed5009faf7cc7ba26adf9bea3e787c1efa82c9c8423fc2bfdc8d4b9324566f0ab33b4212bb625c36052fb27c5948
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral171 behavioral172
- Target
  
  foo/e16ec7bc29b68f66e90fdbfefe1d3a2d
- Size
  
  674KB
- MD5
  
  e16ec7bc29b68f66e90fdbfefe1d3a2d
- SHA1
  
  156d9d781a1302d8e958486effcec79713c41708
- SHA256
  
  fe9470a406b6dadc18cb3a430671d3ac321e97eb8d1ecf0dc054db440df7187d
- SHA512
  
  c9e7c58170fb110bb9b76ec17a4349f5a73b912cd6c36d85d1aca7f1c94cbf70563900c36c4702f49a3ff4776fd45162e4a0f94ca826b2eff60668bcca9c55ec
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral173 behavioral174
- Target
  
  foo/e61c0e180c2616fa81e6c4d581a9520e
- Size
  
  4.9MB
- MD5
  
  e61c0e180c2616fa81e6c4d581a9520e
- SHA1
  
  d91996fabaa7a1af229ce118551aeef66e389cb7
- SHA256
  
  a2fd87672b5dc07057c47208124b7f02862c4f5512f1b667ea27bc79a8d57ba2
- SHA512
  
  21c84bd84c125be26d7fe053a0b11d2c31f29a38355be85ed17d2303b5700c7b335a7c2a924e6a1c4c3b05ff9fbda88745a20ad3a0449f6c193d718f503e68de
Score

7^/10

spyware
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral175 behavioral176
- Target
  
  foo/e78fad8a5d0ea89127ed36ed20bc9351
- Size
  
  11.1MB
- MD5
  
  e78fad8a5d0ea89127ed36ed20bc9351
- SHA1
  
  816c12862830ec0c0ec065c7d73f2128cb4cc9dd
- SHA256
  
  b25d571c5210bb02ba01a54a75a781094397bda7bc4745b2aa4c4a971233fb56
- SHA512
  
  515e6aac22e11d8fb9663fab08250afe56c94faf93fe8062cea079d8633d1338f4e94735a5a46cf75b16c05570090cb1a47a464aaa64e549432536f4dce03d9f
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral177 behavioral178
- Target
  
  foo/e7ad45164be5c3c7f9936e9b5fb28788
- Size
  
  558KB
- MD5
  
  e7ad45164be5c3c7f9936e9b5fb28788
- SHA1
  
  a2cd13bc8bce9b107ac38662c35d70c4ff1d16b8
- SHA256
  
  8c9c9951c2bf631b818a5e1dcdf700342f1c0c05391ec3c9c4ee15496aa28f4f
- SHA512
  
  1bc0e6e3b9e416cf152d2ddef23d928c90725b589eb30d62c1c6f880af83b3068de1d27050e89f9961d71f664f98a6694fc0cf698d1c861c9a7b131efa419bfa
Score

3^/10
behavioral179 behavioral180
- Target
  
  foo/e95678212c7218c6e7944fca1631c88f
- Size
  
  861KB
- MD5
  
  e95678212c7218c6e7944fca1631c88f
- SHA1
  
  45a011ec5b1eb913a6f9bf4b46389dbeeeb6e1f3
- SHA256
  
  2a5100ba7bfe592e112ab0071d8ea1861b4d365fc4fb98f4e2be0459b990db72
- SHA512
  
  16f286de9ceb5545efc477741ec0e69f4de40e1a864ed00d16854e1c0580655f5d0ea93450602c3a2598e889078ab8a12923244710c67b23e3f3551fd0f76b9e
Score

1^/10
behavioral181 behavioral182
- Target
  
  foo/edf723c8e404cd67041e7dfbbb1a6eee
- Size
  
  75KB
- MD5
  
  edf723c8e404cd67041e7dfbbb1a6eee
- SHA1
  
  96a2fda8f26018724c86b275fe9396e24b26ec9e
- SHA256
  
  bf2534b2f059547967bb453d67909921a41c10cdd19c1ec346a193060b094e2e
- SHA512
  
  04bea993ba6af7e568bdfee4185e8145e4111af6bb92a68de3785658e0f5a65e741b378848eb9e77aa200cd72ab94339fcf852aae41cac45ea64bd430b8f9f50
Score

1^/10
behavioral183 behavioral184
- Target
  
  foo/f2366f48d3534bc8af573f2696dce4f5
- Size
  
  191KB
- MD5
  
  f2366f48d3534bc8af573f2696dce4f5
- SHA1
  
  706750f403d6f12c10489befa6032c1c4eb30a3e
- SHA256
  
  f7fab7d724f492cb7baccb49c5fdef8305bebe9896a6853913b5d3ec225d51b0
- SHA512
  
  9fd4632204c33bbd124bfff5744c8da551a4a8f94c4f714413861e92f6b4d70f4f506d8079540adfd19ded4ace9c9745891617bbfa3d00784cfea24b04913c35
Score

1^/10
behavioral185 behavioral186
- Target
  
  foo/f645a94491240317caccd6f8508fba1f
- Size
  
  1.9MB
- MD5
  
  f645a94491240317caccd6f8508fba1f
- SHA1
  
  59c94235d380d09a479291cd3400694d1c2ec18d
- SHA256
  
  c130982342656ad1b4d588b0e985ec9d6169f279bbb748cd09727a3e96622fd2
- SHA512
  
  8731c4c9cce9922793418ee7ae095893195f0609731aa0312fd38d548a94b2ba0a5bd437a8586c4c05f85cd45cac61caad3f1311b91b9db87baf61a2d4327280
Score

1^/10
behavioral187 behavioral188
- Target
  
  foo/f65e75d9675a50f9b4807e79dcc48d56
- Size
  
  1.8MB
- MD5
  
  f65e75d9675a50f9b4807e79dcc48d56
- SHA1
  
  8ed35b0ce78c565441ee6ac5722347fbeb220305
- SHA256
  
  36a4d9e2eb623e59acbaf14341c3998114fcce9bc37392572213d9d22b2fb450
- SHA512
  
  9da997c23af8b5bb90abfa7eb7e967ef026645604d3652a39a7c2a9ce719e7110956fe7e491c9bf733fd1da14f0cc518681bde409498c12797678e166c72fc5f
Score

1^/10
behavioral189 behavioral190
- Target
  
  foo/f660284cb3574213a512e3f03ca9012b
- Size
  
  995KB
- MD5
  
  f660284cb3574213a512e3f03ca9012b
- SHA1
  
  8051d5262c8c67e8888fc1991fbe667d4b4e311d
- SHA256
  
  f0d6ee327670c99e451f6e54b842a3ced72b1de7e586ba81bdd27dc5366613d0
- SHA512
  
  3b54928c6d1eb9e36db5ec8aeffa06b08d3e5c4167d9a884d2133282e5511edcaa7eed45832ff172bd1e71ddd56150f726382c528960f7db82a6aa87c6e9d890
Score

8^/10

discovery spyware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral191 behavioral192
- Target
  
  foo/f6c1c72f3e45d2f3499b6bd6661b3289
- Size
  
  387KB
- MD5
  
  f6c1c72f3e45d2f3499b6bd6661b3289
- SHA1
  
  aabaf0e9fbda0e00d53ef30ad736b9a3db9973c2
- SHA256
  
  90120bc1c6a88ef6032b2ea5da0b8e9432ce6cfe126e9fef4515f0660a6a88ec
- SHA512
  
  c50e1c73ea369c7dd87a650a635b3e9702a4be13ddba87cf1ba649e9ad8522503d643d256486dbd3973b35beb3e77d97d180c771d099c40f380834647ce9f318
Score

10^/10

azorult infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
behavioral193 behavioral194
- Target
  
  foo/fbab903080d6a4e65a1a2f6bc4d97b7c
- Size
  
  1.6MB
- MD5
  
  fbab903080d6a4e65a1a2f6bc4d97b7c
- SHA1
  
  0a7eee729e7d140ca81b9595578ee305651a6946
- SHA256
  
  cf1b96af0838abbd8b8a292f4aa5e335743eb3d5da862254a86184db37ecf85e
- SHA512
  
  894bc25e7bdab656988a8e6b419eeee4b696e9e644f38142fcb373f557dd7170dc7ce0979ccd3c6b84b0eea32822669c9f244182391d1719c8db22d5c61b1dd7
Score

7^/10
- Loads dropped DLL
- Drops file in System32 directory
behavioral195 behavioral196
- Target
  
  foo/fcdc003a1529fe3660b160fd012173b3
- Size
  
  3.4MB
- MD5
  
  fcdc003a1529fe3660b160fd012173b3
- SHA1
  
  a517d1137be23fc41f03efdb0e9354089bedf6ba
- SHA256
  
  6490b57b8944f8f07e687a4dfa6ab76080de99ffc9d48d4c10f64dd88fa2cb95
- SHA512
  
  a00b22d8a348891a828e4c16e0e56fc66caf29fa1f43ca3cd97ffa76675700446e905750016ea083a67592a7d2aea02c3396306527efb7fa255e08c9748e7d21
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
behavioral197 behavioral198
- Target
  
  foo/fffb61eaaac6e8a40bfaa7a4acb6b9ba
- Size
  
  195KB
- MD5
  
  fffb61eaaac6e8a40bfaa7a4acb6b9ba
- SHA1
  
  84deb15aeea324b2d11922c2fa4aebd039a5f805
- SHA256
  
  8e22a34621adf78355b916d1a96ef4a6de5caa0dcb6e7949fa2df88ddfd999fd
- SHA512
  
  07a9f94e70e461142e3e06921bfca1f9fe8723a68b6ff067651f5685bbf1c823de4beda42dc4c1ef44c969a494682e2c41ba6a1235d0a978ce6d070f4b24bd38
Score

1^/10
behavioral199 behavioral200