Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    foo/0044d66e4abf7c4af6b5d207065320f7

  • Size

    127KB

  • MD5

    0044d66e4abf7c4af6b5d207065320f7

  • SHA1

    07e73ac58bee7bdc26d289bb2697d2588a6b7e64

  • SHA256

    b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480

  • SHA512

    25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd

  Score

  1^/10
  behavioral1behavioral2

• • Target

    foo/034e4c62965f8d5dd5d5a2ce34a53ba9

  • Size

    416KB

  • MD5

    034e4c62965f8d5dd5d5a2ce34a53ba9

  • SHA1

    edc165e7e833a5e5345f675467398fb38cf6c16f

  • SHA256

    52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f

  • SHA512

    c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd

  Score

  4^/10
  behavioral3behavioral4

• • Target

    foo/035fa2f2fae0a8fad733686a7d9ea772

  • Size

    291KB

  • MD5

    035fa2f2fae0a8fad733686a7d9ea772

  • SHA1

    411ee99b26bb612b1905b0c7254129fb1dd0cb56

  • SHA256

    f823ee1362132d0c4cb632829abbaae16b7ae8f938e86a10bdab3897e4f5dc8c

  • SHA512

    9a58f3b940e83e79fd7c7353b8d20947ab45ee48c617217f7c5ac58b1a0d0b5904eda1d49eb118a55f309291055b50b4710a6ab598ae5b29bbb6ff541ab599f1

  Score

  10^/10

  smokeloaderbackdoortrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral5behavioral6

• • Target

    foo/04884a82d01d733f245d921e1f74fb1b

  • Size

    2.9MB

  • MD5

    04884a82d01d733f245d921e1f74fb1b

  • SHA1

    975c743feccce12419d4d72f26c2d44c8591118a

  • SHA256

    e3d13acdbf704b60569fad130fec670ff20d99183fb4bfb32f339dd3138a5f2f

  • SHA512

    c7f26c9656a14a2865da01e7903f29b2474e5fb3bb7a054d09fdd7ea476f7c3666bf4b3fc87e676c4829c0f51942273bb8161b448e42246898985874389a072c

  Score

  8^/10

  bootkitpersistence

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral7behavioral8

• • Target

    foo/06ed82e88e1f68cc08602d7cd8ec5f59

  • Size

    12.2MB

  • MD5

    06ed82e88e1f68cc08602d7cd8ec5f59

  • SHA1

    37d4750e5f22cc395dd721dd5df73aeccc095bb5

  • SHA256

    43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5

  • SHA512

    63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895

  Score

  7^/10

  discovery

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral9behavioral10

• • Target

    foo/07470b6ede84f02ec31ab0a601cdc068

  • Size

    199KB

  • MD5

    07470b6ede84f02ec31ab0a601cdc068

  • SHA1

    2ca5cc5bf36cf0dfc95a128267e5ca1bdead991b

  • SHA256

    c7307db0fdd462a0415cec9cb707045f575d28ae18f2db8efcedd7a2db3079ac

  • SHA512

    002bd7b302ce582ae8921f2613ab340a366a5928e32d1bddf6fbfc16f8fbde2ea93668775d418ea1b3375a32eff24d3f8e32a8f17d7549a743b545f873a0dab7

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral11behavioral12

• • Target

    foo/078adb95b1a0a6449d8c4ece796deac0

  • Size

    349KB

  • MD5

    078adb95b1a0a6449d8c4ece796deac0

  • SHA1

    412cbff9af426e0af43b9b860150c7c30ebce654

  • SHA256

    94a65945d7cebe9755b6cb5cffe7139c848bcbbf5988b07a3d195c57f5e44a89

  • SHA512

    32b58760617c268de6571bae946d3757f021fc975e3546333371d1667e592057a71956578039e75ad953e8a8aff18d1f871e2fe360abe13a9866f1d56f5ea3e0

  Score

  10^/10

  imminentspywaretrojan

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent

  • Drops desktop.ini file(s)

  behavioral13behavioral14

• • Target

    foo/09e5c88a0592763e0c4f30fb88d663b4

  • Size

    713KB

  • MD5

    09e5c88a0592763e0c4f30fb88d663b4

  • SHA1

    939a8f3e7477ce8ee6406ac2b8aa58bd8399e1b4

  • SHA256

    9aac9319312f83811ad3ee68cd0ae467c088fa484ce921271be0382dc0d027fc

  • SHA512

    aa8aaa125fc6a47db42b882c960dc52e16df2a308675382f761a66060da414c26345fa526c92e322104b563372f7de6c305645d7a626fd5e4b5c100bdaba089b

  Score

  1^/10
  behavioral15behavioral16

• • Target

    foo/0becfedf4d0b9ad5251aca33274a4cf4

  • Size

    443KB

  • MD5

    0becfedf4d0b9ad5251aca33274a4cf4

  • SHA1

    5d6faf04a6215b08988f289373f3b239d5878d06

  • SHA256

    235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

  • SHA512

    0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

  Score

  10^/10

  aspackv2evasionpersistencetrojanupx

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Disables Task Manager via registry modification

    evasion

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Drops startup file

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    foo/1a78d313f2891bd468f78694814a28a3

  • Size

    5.5MB

  • MD5

    1a78d313f2891bd468f78694814a28a3

  • SHA1

    7b10daf92b6bb599c68379909fbc951955e9335e

  • SHA256

    b8953f266d0ec05808dd5ba4799986c61bfc4d6e5308b0da84cbc8afe19de4df

  • SHA512

    4a9d76516888a4abff4acb29712abdc65674d5a9a3e69b0e30fa0cf815267d7d45f02d4879383232eb44c5503256af3adc4cb3db201e603816ccc983666475cb

  Score

  5^/10

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral19behavioral20

• • Target

    foo/1ffe827beb75335731cb6f052a8ec3a6

  • Size

    468KB

  • MD5

    1ffe827beb75335731cb6f052a8ec3a6

  • SHA1

    381ff47af182f52185fe2ff8d01453c5f611b04a

  • SHA256

    bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47

  • SHA512

    fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8

  Score

  10^/10

  warzoneratinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT Payload

    rat

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral21behavioral22

• • Target

    foo/255028f2f37838e92f84f27c68aaf4e1

  • Size

    536KB

  • MD5

    255028f2f37838e92f84f27c68aaf4e1

  • SHA1

    64e6d06aba93b91fbda44364278f2a91e91c6cf3

  • SHA256

    db04d912a4fa503b27bea546ca8160b040e3eaf8eabfa5ee0dc30b64738976e2

  • SHA512

    be1f9a5005c9c446a100891c9c955336e011ba550ca7c1f5dd4dd9c3f3041ff20fa30445f117331b6d121b0e89361bead40b981c50f01ce185fa3acf2b7d00d8

  Score

  1^/10
  behavioral23behavioral24

• • Target

    foo/27601d095e5b3761d9289584415a73cc

  • Size

    565KB

  • MD5

    27601d095e5b3761d9289584415a73cc

  • SHA1

    9570f23b5abe2ef46a23ded17adb2fb6c203a201

  • SHA256

    749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

  • SHA512

    066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

  Score

  8^/10

  discovery

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral25behavioral26

• • Target

    foo/27f9116902c35a9b784c703762bbd249

  • Size

    1.3MB

  • MD5

    27f9116902c35a9b784c703762bbd249

  • SHA1

    1f398a7f5bb032a30c2207e5e692524691b8a09e

  • SHA256

    548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570

  • SHA512

    c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6

  Score

  10^/10

  betabotbackdoorbotnetevasiontrojan

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral27behavioral28

• • Target

    foo/28408caa2961caecd35c9f8f7c1aecc5

  • Size

    290KB

  • MD5

    28408caa2961caecd35c9f8f7c1aecc5

  • SHA1

    2df15d3bc4f7623ca3a18665b3c666ec8b70baa6

  • SHA256

    fe99d5ab8be0c9830fd97c1ed127b0c236da75b43a42a58fcd46cb8d46dc3c34

  • SHA512

    a4fdb80d3ac39a2fa46f19c8b5a803ded144e97dd7a3f194177ddaba15b8e0a0486e7b4de2e8c9c957eac4398487fe5872e54ad8e866e68e0beb283c937d0cbd

  Score

  10^/10

  lokibotspywarestealertrojan

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Loads dropped DLL

  behavioral29behavioral30

• • Target

    foo/29682275a385f42634ee312db7f666e4

  • Size

    8.3MB

  • MD5

    29682275a385f42634ee312db7f666e4

  • SHA1

    660661c84c925dd781c327bbdd519b89bcf378c3

  • SHA256

    9bf25bf1e0f9bfb8381dc1ec57ee256ef77d294259468fc17bbab9fe50b8b4a3

  • SHA512

    c03ee099bfb533ae5f88a31499e428588de0bbbc2864a057873355d26b89a9a3b8da73a706fc08e8633b09e73018fbf4406fd2c8cc7738b605a0b2eeac23db36

  Score

  3^/10
  behavioral31behavioral32

• • Target

    foo/2de7b886ed3bf5455694d76ac69a96a4

  • Size

    99KB

  • MD5

    2de7b886ed3bf5455694d76ac69a96a4

  • SHA1

    8e80636a30b25b9aba51bc048882a43b9914f631

  • SHA256

    1cc983ae1831efb88cafacc5e7efcdf60ee5d3637a3d8e2336f14fa2bf53e606

  • SHA512

    abe16eb7e94e947507a3276e3d94be5e4c56055263e5aa4ebb5449dc969401d3659460bc152a67001a01874054a4968fcaa9720f81514ab6560ae18cd637f9ca

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner Payload

    miner

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Deletes itself

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral33behavioral34

• • Target

    foo/2e00df497f82c0bf215548969fefc18b

  • Size

    8.6MB

  • MD5

    2e00df497f82c0bf215548969fefc18b

  • SHA1

    6f1f6f9e8f40055644670378da81ea668c8b69f5

  • SHA256

    3386ab7ec029dca692f7f8e3214fcfa97f88c42cf384807d9a5c56a146e89ed9

  • SHA512

    0ce197d3f63995265d4c9d8c51ffd2317065c8d653dd8135882ba0fe2201fbb3cfff66b8a88a6f2626a292918cdeccda026b6f9430c6d57196c162688dd03a0b

  Score

  9^/10

  upx

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Drops file in System32 directory

  behavioral35behavioral36

• • Target

    foo/2e90a15707ad3eb4cd06bd8a05463922

  • Size

    403KB

  • MD5

    2e90a15707ad3eb4cd06bd8a05463922

  • SHA1

    5190382aaac9a76a31315f3e3b3bc6b12fac2738

  • SHA256

    b594e7917381e1089e150150bb0db36cef541d0226fec4ff681f3cf32cb8be36

  • SHA512

    1838ba984c52c21621e68b87fb257590255085177a073b3b0d318802fa24a79317fa96a07d87068ae8b57418adf2fbf93cf9a313e20ba19b6a82420f00427358

  Score

  6^/10

  persistence

  • Adds Run key to start application

    persistence
  behavioral37behavioral38

• • Target

    foo/2f215e008c6a7d8886c578e442b8f1b0

  • Size

    200KB

  • MD5

    2f215e008c6a7d8886c578e442b8f1b0

  • SHA1

    a4409e2c333fa3aaa4e0b718775d325fcf76cb41

  • SHA256

    6903fcc0ca7851ca2aad10ae4ebc3533eda1f1d85f7f0f6df39082d6c562b867

  • SHA512

    4cf2365b786d5894d335c2fa421901fd45dcac709974eda1ed2bb2f8d7c443c20b5975af17ee337d81986909c03786800929a36d53ed317a353a2e88bb621a3c

  Score

  10^/10

  cobaltstrikebackdoortrojan

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  behavioral39behavioral40

• • Target

    foo/30bc06d0add076dd6500fcdfbc12643e

  • Size

    322KB

  • MD5

    30bc06d0add076dd6500fcdfbc12643e

  • SHA1

    def54b6b4ca0d0ea952510cb8c0e3ee2a5f85a3e

  • SHA256

    5038cf5a6ef817ad95a57c8cc8da89e66e24c83fafef450618b4d3e18ebdd9b4

  • SHA512

    6576b45177e01f0c8bec1e1728ed69df450b2f6f7c62aeb8ba85df54b48a37e90925eddfbbce4080fd44c08266a5fec92cdfcb6efb7518e1e808b3b488686314

  Score

  10^/10

  imminentspywaretrojan

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent

  • Drops desktop.ini file(s)

  behavioral41behavioral42

• • Target

    foo/312e67dc35992949937d1bad6ba529f3

  • Size

    476KB

  • MD5

    312e67dc35992949937d1bad6ba529f3

  • SHA1

    b1b33ac2b7b82240369b43289c9dafe498df63d5

  • SHA256

    0a58ffc4705b353154ea7347fd495b0e34d25da5f3094f52d43e312ea8163f81

  • SHA512

    9097b5896ea47777fbe389e0cf75ebbdf943695559db78b2fd06aae400ab8a852d7d216fe7687e78418404d238092eec77b4e9601dd33fe34accab0a2791dbb3

  Score

  4^/10
  behavioral43behavioral44

• • Target

    foo/383497fda5ca670a06dc688443c2011b

  • Size

    623KB

  • MD5

    383497fda5ca670a06dc688443c2011b

  • SHA1

    c622ebf694003368c3246e166a3a7bfc6b787652

  • SHA256

    d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

  • SHA512

    5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

  Score

  10^/10

  matrixdiscoverypersistenceransomware

  • Matrix Ransomware

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral45behavioral46

• • Target

    foo/39555eb0403a69906729713ad20888ec

  • Size

    502KB

  • MD5

    39555eb0403a69906729713ad20888ec

  • SHA1

    3496ed1ff1c3ede32a025b33eec820cdf5512ca9

  • SHA256

    7926fbb4fe0c69379b2c1ac217cfd0a09ff9a73e48c24d3c464785119d8ab349

  • SHA512

    674c3048cf7798c407138474a40b318f1465d920493d6a057de0cbd6befb66649a0f9e0059b042c1141cad40ae38800c8b98a9ea3140d6ae998b88aa1d2ec9ae

  Score

  10^/10

  hawkeyekeyloggerpersistencespywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral47behavioral48

• • Target

    foo/39e5310f67f0b1bf98604a2e0edb9204

  • Size

    104KB

  • MD5

    39e5310f67f0b1bf98604a2e0edb9204

  • SHA1

    3a2d3638449252c6d890c4061bcd92e733a7cdb3

  • SHA256

    4f91d0b1c9a27ac005f37227e1ef9f9e796cbbe896be2407d23a89734ddbdf3f

  • SHA512

    30c373c76c2910d4aa4671c06fde272ca40d012a353f7c6004643c95da5a486c124662bd303b42501ac29b801cdcfc05cf853764477184d247ffbaf4f02838c8

  Score

  10^/10

  evasionpersistencetrojan

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Disables Task Manager via registry modification

    evasion

  • Modifies Windows Firewall

    evasion

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan
  behavioral49behavioral50

• • Target

    foo/3aba72d1f87f4372162972b6a45ed8cd

  • Size

    364KB

  • MD5

    3aba72d1f87f4372162972b6a45ed8cd

  • SHA1

    62eaec946e6c05d6279737e9e5583831beb383e8

  • SHA256

    31bae2c85740d091f58896a36a461191d666e33f3ad5d8a4e529bc74bf024b6c

  • SHA512

    d66f28238e74c13057da5f8a6d89807d7d513c542dd65d5005334e360b22d82cc4be7826ce1e3d1372c44c68a4acd8ff662adddb4affffbadfd174ccbd016249

  Score

  1^/10
  behavioral51behavioral52

• • Target

    foo/406c9b9529109f835fe7292e6cf3fefe

  • Size

    468KB

  • MD5

    406c9b9529109f835fe7292e6cf3fefe

  • SHA1

    80a616526044d8b3dfe9848b73c8873f474b27ae

  • SHA256

    eeaed429ed196822dfded9099479bbb7d9cd48cdb96a986627512e607badfa66

  • SHA512

    ce013422daaea03d9d31c713cc6ce1e0349b862f3d2b52ef9ee151b6e1e20ea0724e71000d6f2d10b953cd3bcc5b5e2dd69cbfe858b451811a2152c623e7a92d

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spyware

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spyware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral53behavioral54

• • Target

    foo/457cfd3e7a53e7500f8206b3ea300aca

  • Size

    193KB

  • MD5

    457cfd3e7a53e7500f8206b3ea300aca

  • SHA1

    7426d503db90a0795e279968009ac03853cdfbed

  • SHA256

    feb51e59044de8b60c0e72553b2cfc7aea655af83068cf934525eec303d65c10

  • SHA512

    cd1896539b4f1732ee6be803ca5eb012d1ed69d0bb2be71dd09d17fc7d831a2a7bbfb78cee1b1a6545c7bf00c1855dc502ce1ab0ace7432cabc2d2a00db8df43

  Score

  7^/10

  adwarediscoverypersistencestealer

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  behavioral55behavioral56

• • Target

    foo/4761e4b165f62d326b9032d96329e460

  • Size

    793KB

  • MD5

    4761e4b165f62d326b9032d96329e460

  • SHA1

    59aaeba76ac34841d60aef175309161d2b5e4992

  • SHA256

    5f6884586533f6065ec2c0557e63e1b5865f0b22c42a386a338cc211ec1a308b

  • SHA512

    c2ce8e91fcd7697b5f7b6e5a7a62f2552be4388f3fbc1dc0003893edb133731160736852f2fab62c18f06d8f773e7dca96ade6e151b2c0163599d49269e46a9d

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral57behavioral58

• • Target

    foo/487f1b1f30212eaa9104c084a667f104

  • Size

    5.7MB

  • MD5

    487f1b1f30212eaa9104c084a667f104

  • SHA1

    e562c8d364fea1f1f4524c30a0606598b8814096

  • SHA256

    8b72156895f47b7f216b544937a46a3909bc07134ebac1c586de7aac3eab18a5

  • SHA512

    c6ad92308792d2135ce918fcc1b88a15a3c928c30a99de2366f7477df9196dff9d287e8d84c2176f4b7385adee5b2601402cc2deee84d26060057ea044d59ddd

  Score

  8^/10

  spywareupx

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  behavioral59behavioral60

• • Target

    foo/4a74c9f378007412ec2c8b2eea6da4cf

  • Size

    512KB

  • MD5

    4a74c9f378007412ec2c8b2eea6da4cf

  • SHA1

    7ed849c7e9f2c70af40a6feb46d57bd5f06c3a8d

  • SHA256

    4ef7144d88b296b15236dd8866cf50d4f20657551da60897ceb2e67ec8bad793

  • SHA512

    5043709c2e1f1b339df4cd035ad959746ebe6ecbf43ee2ebe9718367581a6c557ccd3a0c3f2615e8fe0ce6ac1efc169348ddafde77f2d82984eb945d09d4f4d2

  Score

  10^/10

  lokibotpersistencespywarestealertrojan

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral61behavioral62

• • Target

    foo/4b2d7854b47943b118e24c6ec79b974b

  • Size

    4.2MB

  • MD5

    4b2d7854b47943b118e24c6ec79b974b

  • SHA1

    e80270395d82212d41e64f8afe0203b8061bf9fe

  • SHA256

    ccce7394fc1a6e1730f440e2d20183c830f30bb7cb446a54ca18277974205503

  • SHA512

    64216c5bbd286496e33adb03e80e1aec67a2c6e2f8f1088804dc95182d42e978aa77f8366c384b4bed5eebdd5e15ad5484bf839b6fb8a35799819c64d05f3162

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral63behavioral64

• • Target

    foo/4c49c2496ae538bcec9e1510f3eb8eba

  • Size

    176KB

  • MD5

    4c49c2496ae538bcec9e1510f3eb8eba

  • SHA1

    2d62b087f6a1504b57fe65fef38ee8c831bf7aa5

  • SHA256

    a149cb7f8d29506837ecad9e9b7e7a1e8fd23ba5716c653b2bd3d9bac9eccd6e

  • SHA512

    8cfecc9d516603a41c0801f75cec51b318d39b4985745439a433cfc0c1eded9dc8d5c2258ff7de358191211041345eb7c74e969dd69262cf09cb724eb59333b6

  Score

  1^/10
  behavioral65behavioral66

• • Target

    foo/4cfe8f3aa1592035b9a2cdb2c4f54c77

  • Size

    2.0MB

  • MD5

    4cfe8f3aa1592035b9a2cdb2c4f54c77

  • SHA1

    ed8024ea02ca996e74c40459ff35c78cefdf111f

  • SHA256

    0aa9b861be9e293f3d71e39949141e7c87c52e3f4f8b0ea4d26b768b0c188bc2

  • SHA512

    42cc40eb614b4afbf08ae8646c7511ffcdfbf3c3af924ff20d40b5499acf1f1136e4809aa5428c5b260e4b8676041cdb70ef74904b0c09ab5944db1cf89cff3e

  Score

  9^/10

  evasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral67behavioral68

• • Target

    foo/4ea45460c3e7c3d8486d3f7bec90c613

  • Size

    6.0MB

  • MD5

    4ea45460c3e7c3d8486d3f7bec90c613

  • SHA1

    303c290738a2d89d4bbd365da80650ef5a55bcab

  • SHA256

    a0ea757d9a9ec9e09bc806dbb1526fb5b90692ccc1f31aded8e3dbd0abcde5ec

  • SHA512

    1ad7731246a7dfce4cc656481af68f8f4f37d511b453431f32dfec6078313eb636047031d9341e4e62b969ae95c600877b9c49a28168e3c7e02de4371be88228

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral69behavioral70

• • Target

    foo/52d6c59fcfe73048a240c7fdd1f04d7e

  • Size

    9.7MB

  • MD5

    52d6c59fcfe73048a240c7fdd1f04d7e

  • SHA1

    e8af78f67fb5859b54d10e865b7a1070b4d34f46

  • SHA256

    93b36133201cfe77b1319c72d9b0b4ed471a6337a58f6b30f926f1786159ec82

  • SHA512

    cfd767ea4063205a57894d9d8f09f205c8e9bc71b8052985076496c136b98f037aa7b274cc225c5ad759ddc530ccb6201cacdfa8c6a015311331f2589b4ff8ca

  Score

  7^/10

  • Loads dropped DLL

  behavioral71behavioral72

• • Target

    foo/55fc11ec67a00177d047d5abc84231e0

  • Size

    35KB

  • MD5

    55fc11ec67a00177d047d5abc84231e0

  • SHA1

    acbd513fa686cdbc50ae7f69d41fb8384255658a

  • SHA256

    d65e0dea8a361b12e8d278afbf103d0bda2753fd9c1e14a779bc92fbc4c1e144

  • SHA512

    206a0f9fe46bd39910f6224f41dab028b74312b1ed9a3052f97f44771a5d43b01e32ba5b3bab40adf7b877a1d48371d140dfa4b3241ab2b54d8bfc3cc74f930e

  Score

  10^/10

  njratevasionpersistencetrojan

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral73behavioral74

• • Target

    foo/59f0fbc29bace019804b8a181ce75a06

  • Size

    568KB

  • MD5

    59f0fbc29bace019804b8a181ce75a06

  • SHA1

    c3a44b6ea913ce4eb32f04930ea60043d79c3a0a

  • SHA256

    b2e8676b7a04f3582470aa3de91b39ba731fdf072907d8d843d052d73c87405e

  • SHA512

    a68ce42173331381d1618929cdb7cff9d3220afd151856c62c6eb015faaba61c1141a7bb2af5d1b58b1732cafa2286acbd2c95115f2a789c7a3454bc96b63ce2

  Score

  1^/10
  behavioral75behavioral76

• • Target

    foo/5b1c0df2be80006ec3af6a5eeea17ecb

  • Size

    777KB

  • MD5

    5b1c0df2be80006ec3af6a5eeea17ecb

  • SHA1

    b2353f17d51fc76dec8681df4526406e7c9113a6

  • SHA256

    6ad2f4284d0c364d7a2664100ec5448607d1e064c3d1a65e4e737769ba3cda25

  • SHA512

    607334838181a37883132906e562944cd54221f28c2efa279cade7ce8829550d20c11d864797118ff476497144cd84218282bb97cd4b4cf8fa13f753459ad7eb

  Score

  1^/10
  behavioral77behavioral78

• • Target

    foo/5bc72a1ae433663758319d97917b77ea

  • Size

    5.5MB

  • MD5

    5bc72a1ae433663758319d97917b77ea

  • SHA1

    889f6f4ec2347ded9924ff9a51c14d0e0347feaa

  • SHA256

    c84eb9ad415a282bbdb0adced711af66631e29a4e0606a566f1477018f9315f5

  • SHA512

    8e3000e76531bc8332003016ff926e9330ef28d154f8f04d2f522b6cb822df10323d811fc5116919944e74483fd3bcded30bbcc0b14fd26e5041a68dcdace551

  Score

  8^/10

  bootkitpersistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral79behavioral80

• • Target

    foo/5d33050f0514054c49f2bc2ff9abee2a

  • Size

    272KB

  • MD5

    5d33050f0514054c49f2bc2ff9abee2a

  • SHA1

    2cdf78701185d2d773666af2d8ea4e0b04781bf9

  • SHA256

    65b2fb3df4cf7da2980a6af696bdee3df2effd65228cc56f51a5d8fb29469e68

  • SHA512

    e22b419fd86cc4d0af4c48c0a53abf1afda4715dd92acbb3296f4e1f32a588364c1b48c9eb3b2214c1f834d79ca541cdd79a13d8975d91337970d7cf320f61be

  Score

  7^/10

  • Loads dropped DLL

  behavioral81behavioral82

• • Target

    foo/5d9775622b5e7123d5796d4de5dc2839

  • Size

    133KB

  • MD5

    5d9775622b5e7123d5796d4de5dc2839

  • SHA1

    176ef2d48f75b9be26882040e69fc95fa8b02e5b

  • SHA256

    a57aefff0656b1266ff25b5e4972e6829ffec6a5855597587e026d28881dc62c

  • SHA512

    ffd89d99223fabfe4def0b27bab031ea76f50fd3be36b27f3d76754bb333784f91985e1c88a7e1991ee334ab98b42f3b0cb2e38dcb5d6599bf0d98ac8f73089e

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral83behavioral84

• • Target

    foo/60121ea2ab380455f7e143cd9438443e

  • Size

    98KB

  • MD5

    60121ea2ab380455f7e143cd9438443e

  • SHA1

    091fd74c5caebd9f53c34781ad6b0241883fe698

  • SHA256

    b8f7c90cd170ba8c79c472997c17509e2d241a54a9cef7efea4dac23b043afe8

  • SHA512

    3f42a0756999d6441721f8d4663c8af677c895c4e11ddff25d7a1216b3b4a015b7d3763c0e06f616f73eb5e9df3b42e07baf8d5ec910632f3e275c8d2fd388e6

  Score

  9^/10

  evasionransomware

  • Clears Windows event logs

    evasionransomware

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry

    ransomware
  behavioral85behavioral86

• • Target

    foo/62565a39c4a264e48e0678edad5d60fd

  • Size

    856KB

  • MD5

    62565a39c4a264e48e0678edad5d60fd

  • SHA1

    1dc0f3920082e9f3e789d5d1587d9c7b47d58a5e

  • SHA256

    d9d3596268e269cb48aee92aaa47a50f785f8568f319aad812af163da28e7a40

  • SHA512

    9b851c15b072ba5e0b316f2f02ff49fbb483fd5b4545d7c225f27ddfe8ef0fc99747a5b14bbad6b6373c1b562984c22d52d83c65970ce5ffc5209a5dc1e715cc

  Score

  10^/10

  qakbot1535648626bankerpersistencestealertrojan

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral87behavioral88

• • Target

    foo/62a3fd9b4932e59a7192813c22617764

  • Size

    453KB

  • MD5

    62a3fd9b4932e59a7192813c22617764

  • SHA1

    202a619fdab056d51bde34db8683839feccf0da5

  • SHA256

    8b433a97defbbddb0922aa477226ab820f388d9d38ba10d8d8b89917053880be

  • SHA512

    87846d0a4d55c209dc5dcdec1e9c9dee7beedce840d099df4fa5ced0e814183162d25a3e3ae8b56dc533ac9dedfc612631559da7e5cc19985a6bb3d0ff80ba54

  Score

  10^/10

  imminentpersistencespywaretrojan

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral89behavioral90

• • Target

    foo/63e9ce22dbf66934fd75c77bc84954d0

  • Size

    563KB

  • MD5

    63e9ce22dbf66934fd75c77bc84954d0

  • SHA1

    c48e6b5974e2f10c5c4e0426a898fbcf7a67c8cf

  • SHA256

    550d461697099ebb3a5ee86336bd3358a05850f2835738d6520a552527b096a6

  • SHA512

    e14692ed9673f2926ea62b6e9f128953fa79b1ce3df8452656e11e479af7a187784a5aa893719d3e8438e8697b7793292d46a0a9adc6a400e610eb288976036a

  Score

  8^/10

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

  behavioral91behavioral92

• • Target

    foo/6497ba06c339ec8ca438ddf0dd2f8fc5

  • Size

    29KB

  • MD5

    6497ba06c339ec8ca438ddf0dd2f8fc5

  • SHA1

    4287ee2103467196df93fad515a844bd2b94df78

  • SHA256

    dcf7b759aae3ce6597eeca586238419728e432770451522a0f0d1873463aac20

  • SHA512

    45b97bcc1dbc060cb5d461fd945759c60fa943f18e1b777592183fdc6cb9719578669d5ab914e4e0be1fd3e2356e88bd2e54f71f13b586c9892d034b751c5277

  Score

  10^/10

  limeratrat

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat

  • Executes dropped EXE

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  behavioral93behavioral94

• • Target

    foo/698cc868cdae13a5cc744020ec00e331

  • Size

    2.5MB

  • MD5

    698cc868cdae13a5cc744020ec00e331

  • SHA1

    cb498c95868eb907422351cff294476fa474f856

  • SHA256

    2e0bbdb1882e670a907d79987fb5ea80a050f7a57b17196bdd2ec42e3c4e2b95

  • SHA512

    e8b7631c4bc2c76a4ed9b706636f6bd25c6556d1bcb1c21e296022d030005cee29f692f5f773fe47511b66e3bf45005f7d0e7b4b3cc19cde38632029759e2b3b

  Score

  7^/10

  • Loads dropped DLL

  behavioral95behavioral96

• • Target

    foo/6f2c5c31fefa00afa2af1adcbdd93ad5

  • Size

    6.1MB

  • MD5

    6f2c5c31fefa00afa2af1adcbdd93ad5

  • SHA1

    f460f3caff95e713dea4105ab48aa06331ea5d5e

  • SHA256

    00ba0c7b8b90f5ef0a432c893ef0f90fa91b1e7c4a74d1c49d8fc9a63c6e8a17

  • SHA512

    fe9564cecf0997cbfefe5818688261f894179101a71315f4351addd35d0e3539e2e67f79fa9e45bc02f57bd8e325cea9763978df52522fc4d7774e70c18daa13

  Score

  7^/10

  • Loads dropped DLL

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral97behavioral98

• • Target

    foo/798f5e61531f527821a490a15ef957ba

  • Size

    100KB

  • MD5

    798f5e61531f527821a490a15ef957ba

  • SHA1

    8b9cf50467ecccda66fe065e52994a0df369b139

  • SHA256

    1b2d37bb6b98fb77496db754816296b740a2fe7a8e3d0a5263a8002d16a1b5f9

  • SHA512

    9706113b056b96f4c5f89a3991a2adddbe1d7a6e44d03ce919edf88ead8e500eed4b84d5b2886ec4f733003bd751ba9653ad810bf7b8046aa94711f2552d628e

  Score

  10^/10

  evasionpersistencetrojanupx

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence
  behavioral99behavioral100

• • Target

    foo/7aec86c6c4cc35139b7874a0117e4451

  • Size

    707KB

  • MD5

    7aec86c6c4cc35139b7874a0117e4451

  • SHA1

    b597ea073119727156f95b5224d6db7ddc370bee

  • SHA256

    48749cd789a40b8358f06ce41100985b4544162df8ed47bfc17c72242756d50b

  • SHA512

    7f8f596607a925bb72b91b7a9fc78d9094ec4a5a5dc41c866f9dcf961daee52dc4052d2ace663b021301e1cb715c3ba9f209ddc7e48ef07b46283673b647c561

  Score

  1^/10
  behavioral101behavioral102

• • Target

    foo/84bf6e1a8fcd94cf6cba6ac7e2a95b64

  • Size

    685KB

  • MD5

    84bf6e1a8fcd94cf6cba6ac7e2a95b64

  • SHA1

    cc788b747b956cac871f55be59995e4bf57901db

  • SHA256

    f2e8ae7bffb3210efb4a5baf9ee1875e1143d2d73614adb292b44bb143b3ffd9

  • SHA512

    058fd21be218125c20aa1a715d9c53151ed68283465a2e2a8acdb534e95818bc8f9b99a74a13c963c2839b3955e38f217d8475fafd91eec0eaebeeba152e6b65

  Score

  8^/10

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  behavioral103behavioral104

• • Target

    foo/907b7d9a23ed7821abb700fcbe1c9bb3

  • Size

    3.7MB

  • MD5

    907b7d9a23ed7821abb700fcbe1c9bb3

  • SHA1

    6caba04b65d28c5a0d0666572c40022fa1f1acca

  • SHA256

    e37ca180d6f18e361f5cbc3f6c6f0ae4d301018e45891b32cf93da490d62f607

  • SHA512

    d407ddae4f820e1aff994adf9e88952d5756fd1c0b6eef58e28a72fc7c455af991fb4294931ebb2eaee5133d2e56f72f5013e45a1b5d0fe17416d1b0583346f1

  Score

  8^/10

  upx

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral105behavioral106

• • Target

    foo/928f1db0c63d122f0183686a3bdfccee

  • Size

    842KB

  • MD5

    928f1db0c63d122f0183686a3bdfccee

  • SHA1

    8fb82a9595afb94e6e77a9ac3555e2b1abfdbbb5

  • SHA256

    78fabf339b726203334bb592812ab42c8652ab37535eeccf2e457df257d7a881

  • SHA512

    6f500e95cdb91a07fb0af0aff671054f6628752d563c34a0ad691c2727ffd9f7107da71f7c84550a95a2850eae1bb60b5271fbca7d648d88748a28859310ccb5

  Score

  1^/10
  behavioral107behavioral108

• • Target

    foo/9401b0788dc22eeb1dace02d23a9596c

  • Size

    552KB

  • MD5

    9401b0788dc22eeb1dace02d23a9596c

  • SHA1

    b5dde6f4feaec905d14dedd1d7957e556797e84c

  • SHA256

    048d9773dc60db5173e4cc0ccdb9eff1ca61e2a7bd1b7e357388d9cd8e94ada5

  • SHA512

    5d3796bb2e9c5a1753a7ad9ddff26eed7f1289196c5d40b0be946a52b3818406cf9b7b776f677c5e252b2eb294077034aaaf4cbe05cf64a66eeeb0466965264d

  Score

  1^/10
  behavioral109behavioral110

• • Target

    foo/97dd8726304f889ef12ef1beb510be84

  • Size

    679KB

  • MD5

    97dd8726304f889ef12ef1beb510be84

  • SHA1

    2358917da7fcf07e9b165dfb3961b9212e37b671

  • SHA256

    424ef529e699a29eb1324f71f56a3d0728079926ea793cb8ebbee71ddbfeabf1

  • SHA512

    d141a224a4c55b4b4c7ef2348b5accd7a3ba9bebb0dd5eaafbc08060746a0a9082c7ab93a022b20ac2fb2255293430da729d995ab5b0106ab064c0c0c5b4eeb4

  Score

  10^/10

  gozi_ifsbbankertrojan

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  behavioral111behavioral112

• • Target

    foo/9b8c48e6186718b7b290ceed9369a1a4

  • Size

    826KB

  • MD5

    9b8c48e6186718b7b290ceed9369a1a4

  • SHA1

    816a6a15054568dd2f51e25ac73178f9a0182d82

  • SHA256

    f05ec8838752a3b917acbd2e742e03646f091ef5ce97bf1eef75810cebbfc93b

  • SHA512

    6ff8ac1f9b6c296679458022b375548e8c322809e4a1887551ca0cb553f0cf864e43361edd6e1a2ee8a9b3b3a5680a95689b2bf91785aea68baaca6be91339b9

  Score

  8^/10

  discovery

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral113behavioral114

• • Target

    foo/9cde71abfd2a6aeb83cdd233cbc04fcd

  • Size

    146KB

  • MD5

    9cde71abfd2a6aeb83cdd233cbc04fcd

  • SHA1

    a1cb6ad95fe9df8fefe9dd0753b88cfc852368f0

  • SHA256

    e742096e51fcd3e8c19d43cd26dd25235f04a0af5a64343754e2e46bb90c3816

  • SHA512

    8a6a152626b9b912089e6c68193788fbc2258f56b359fa20d0b09f4033cdd357d9e661de6c0a8378aeaf2c66f6ccef8f86cc624fcf97d90f004213eb2ebbfe04

  Score

  6^/10

  discovery

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral115behavioral116

• • Target

    foo/9d3438ba1dbdbcc2a65451893e38004b

  • Size

    2.0MB

  • MD5

    9d3438ba1dbdbcc2a65451893e38004b

  • SHA1

    d981bd3d2abb18bcd1421c9de38bf1854f4c13b1

  • SHA256

    8f04cf8f8be775e065bce4ff33ca3afc7711aea57b5fb91c488bc03af1df58da

  • SHA512

    6818546c2a967a0d63814e77e339656939eaae510591e3888b8abb8626d89132ac51774efe0912c083072b2314040d1d5c2f0ccc463669a7bc34b2d134b714ba

  Score

  8^/10

  upx

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral117behavioral118

• • Target

    foo/9f88187d774cc9eaf89dc65479c4302d

  • Size

    326KB

  • MD5

    9f88187d774cc9eaf89dc65479c4302d

  • SHA1

    4c1e5e0bb72c78c4ce0d37aed939478aaa35a94f

  • SHA256

    5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9

  • SHA512

    e03a4000bc7cac0332f2060ad58cadbe65a4283d012606f8395a6e63c42fa5e7b98f8ebf40d438c56332e19e845658d70a7ef99d2343323bd701e56c3b0cd0e7

  Score

  8^/10

  • Executes dropped EXE

  • Deletes itself

  behavioral119behavioral120

• • Target

    foo/a17bdcde184026e23ae6dc8723f73fcf

  • Size

    784KB

  • MD5

    a17bdcde184026e23ae6dc8723f73fcf

  • SHA1

    faea5147df4768b101d0fd214c7fbf7a9cb048a0

  • SHA256

    a358e56c91218b5f21d54556fb7aef5de158da4764c9cf8e5d71e3e41ff4841f

  • SHA512

    90d58f8e290bc751fd3f945ad5de218f93d8605578c87972359edcc9e87d84473f2ebd54452c09d2bc9ba4d11f9412742e9f1d3bb9c9cd67a17cd58693624616

  Score

  9^/10

  evasionpersistence

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence
  behavioral121behavioral122

• • Target

    foo/a2981192a30538e97b55f363abbce946

  • Size

    804KB

  • MD5

    a2981192a30538e97b55f363abbce946

  • SHA1

    ae16cec3416895c912b03b7f76be2177aede6745

  • SHA256

    99e7e093c6f7be4cf21b5068a4ae746be2b3a4475ec251288d02a3985de70d48

  • SHA512

    b03fa2f833951441f5bf56711296b48a6ece3b3964d15893fcff78563e808de88fff9d644c4b73253add71eb729a7e1dc4095abdd33a7a26d60eab904e7661d3

  Score

  10^/10

  xmrigminer

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops file in System32 directory

  behavioral123behavioral124

• • Target

    foo/aa3b51bd50bcc98f763cffcf7f907152

  • Size

    840KB

  • MD5

    aa3b51bd50bcc98f763cffcf7f907152

  • SHA1

    17868a0f0c8d52ffb80e120a010fd7737e0ecd4c

  • SHA256

    dd518cbba0506c2392969aa01ba4b9f5216724d9234055d7f0ac1db93227baf4

  • SHA512

    aba0fb7359b45e7f206632219873ee6834c01b89a9f6b4001b8299ee5422a02cfc25cf17c40522349e98b5911b09d771ec793a70e29d9770b51cf873c64249cd

  Score

  10^/10

  azorultinfostealerpersistencetrojan

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral125behavioral126

• • Target

    foo/acf0b7f4fe980501192187bb9b8e20c4

  • Size

    872KB

  • MD5

    acf0b7f4fe980501192187bb9b8e20c4

  • SHA1

    f627019b79fd174403cb81c9a59b1ed81b658e81

  • SHA256

    d8f2f635135cc57f0d566646bbe5c6f22be2aa4d9fcab74c272b22f7e4b28f6c

  • SHA512

    df3afaf21da7bfca412a6bcfea39913904d5a95767220f30e07d23487276fbce7bb489bf12b11f68e2a5651fc3c2b4041d76e201d3416a8bea460418d7a25683

  Score

  8^/10

  evasionpersistencetrojan

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral127behavioral128

• • Target

    foo/aeca5c301d02253e8ffcc240c08f61f7

  • Size

    105KB

  • MD5

    aeca5c301d02253e8ffcc240c08f61f7

  • SHA1

    a7d94fc834a9e73e35ea48d0d1630e2a8cfebf97

  • SHA256

    ae2b285ce6b791fc7b0b01e923db298cb53b43e646a7f34bf1c8c79c94cfc0d2

  • SHA512

    f72e6608f437f59ad924ffd5de19785262931b6e4ab2a8a70970c9aa60488ea5df08b284bb3ecbda5ae2c9b8395c2919f34e0cb051b042a41782a7a59d66fcd2

  Score

  1^/10
  behavioral129behavioral130

• • Target

    foo/b1071426aa88f31339f1b369cf13cef3

  • Size

    504KB

  • MD5

    b1071426aa88f31339f1b369cf13cef3

  • SHA1

    69ff5bd81f366fece2d36c98cc3bf4a2d41b8f68

  • SHA256

    08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c

  • SHA512

    a6e1dd3c13dd952d09ae9cdcf1b94c99ab9b0fe7c58d957eb558353f61084ec6ae9e133f8c449ffc434efaaf3f767e30709547e3efb2106839e2d31574b18ac1

  Score

  8^/10

  persistenceransomwarespyware

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral131behavioral132

• • Target

    foo/b2365260985173cc758575cd8059459f

  • Size

    645KB

  • MD5

    b2365260985173cc758575cd8059459f

  • SHA1

    f6e874021db45fcd4042c621499ab925b4dec1c8

  • SHA256

    d30b001d1a77d323443e37323aabc9c316dbd3be556cb57854644cd875885ba8

  • SHA512

    6fec4a3b28f4f1c8fae9e0c2f04d0157f6b4a2db87b98837dc0330820dac97c373c10cd323af421d2e3dc1be93862d645a3620c9e8f86717d65eb695c65cecca

  Score

  6^/10

  evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan
  behavioral133behavioral134

• • Target

    foo/b514b59324818c52140b431aeac96bfc

  • Size

    155KB

  • MD5

    b514b59324818c52140b431aeac96bfc

  • SHA1

    83d7256670dccce993acf2df73872abda39bb5be

  • SHA256

    ae57d0af018f011cd42ed91caba202201069be6fc5de6b8b3ab14162cbcbfbe5

  • SHA512

    4bfb86bd70c1f1b376255972708efd2dadc252566625d02e84ec5297580edfa50a9e321ae1503bdc6bcbe1beea8b607f445caa4bb1c940363f47512407ca6649

  Score

  1^/10
  behavioral135behavioral136

• • Target

    foo/b641961018d09dfbd7fa9c15f09a7723

  • Size

    8.9MB

  • MD5

    b641961018d09dfbd7fa9c15f09a7723

  • SHA1

    69e515dd8840866fbfb1e239daf80f6fcb745f1b

  • SHA256

    44095d0a22646ef5b369ade7ce87d2f9bd51402de73f977f352de9a3a3eeed6c

  • SHA512

    e9e43f1d59be84fbc918ea601a7b489286661a81919b760e2a0339fedb93b9d3a33b148cfefdd584c163957107194b764eb2ddbad79ca2af9a5e90db3c1c9beb

  Score

  7^/10

  • Loads dropped DLL

  behavioral137behavioral138

• • Target

    foo/b693dfe99d2915616044eea2cfe18360

  • Size

    286KB

  • MD5

    b693dfe99d2915616044eea2cfe18360

  • SHA1

    6415634e1fcc51714e871ccb08f26b4806aed3b0

  • SHA256

    1d4169bb0978e88bdff29844645d54763e62db8af10abc324fb2145f64304024

  • SHA512

    95081c20adc6363ba3c0f7d6390a98c5f47074a270f112a002f549009d6c50654756b89f59737b7554e3186c17355dcda57424e255aba1392a574a4b27734efb

  Score

  7^/10

  • Loads dropped DLL

  behavioral139behavioral140

• • Target

    foo/b6e7c9793cf40153bf8865195e06ecbc

  • Size

    3.3MB

  • MD5

    b6e7c9793cf40153bf8865195e06ecbc

  • SHA1

    fef5dbf8ef53dafd676818196815e6b110f2bc03

  • SHA256

    0e0cb0d76bc848f729878dab7218f4e12c9c0cc7d5c939e5d92995ba422ea7ec

  • SHA512

    d12eb44304f7054e060a105bff9f3861aa16bb10fd72bbd819a8ffe3d23818ce66f5d790a929d41cee4161bbbe78d0077d167fe792c3e27c018dc88632a5e5ee

  Score

  10^/10

  gozi_ifsbbankerbootkitevasionpersistencetrojan

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral141behavioral142

• • Target

    foo/b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

  • Size

    99KB

  • MD5

    b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

  • SHA1

    15a0e8dea24b904cd083ed51b28098726ecceed4

  • SHA256

    0b499361076d8d02fa6b313a08199fd10cd9af1abc7fae0b091039be0194c0f3

  • SHA512

    674d28fb9900070fd0cc58940fb97fbbeabea2d167ad19e248fe8a980221f6ea79d9f1795c019b844896e8b19ce1d746bda6c34040c1ae535b9e22135692a0d0

  Score

  10^/10

  warzoneratinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT Payload

    rat

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral143behavioral144

• • Target

    foo/ba2d460199eb2d9e9d6d0559bb455529

  • Size

    39KB

  • MD5

    ba2d460199eb2d9e9d6d0559bb455529

  • SHA1

    8c50ef4cd9feadf857ad2d501e3d03bd55d5de4d

  • SHA256

    a3f13a940ae3f6d0a8e94c8ab203005cd737a899962425f1600a4bdf30877375

  • SHA512

    dd376f8f9f05d509eca465c04c451d83a12043f614d90a04c63b25f202f9e87e3960666e2710e19538c9818a778fd81832b45c1e495c263b6725991413755fcc

  Score

  1^/10
  behavioral145behavioral146

• • Target

    foo/bad78e11371381ce9e1d703aac2821e5

  • Size

    210KB

  • MD5

    bad78e11371381ce9e1d703aac2821e5

  • SHA1

    76ad0abaf1c99c741352a16e5b2f71fb38fed0e4

  • SHA256

    18dfcf81046272e08f6ef3230df83008cb78eb30cda341c59ceb33c5be542d85

  • SHA512

    8bccc4535dd97b483f10eda69f91a17e794b122215bb2e926a114ec46e8935ab0a1e5e1cb0b6fa3b6bb0a5a6d1b669a87579850197af4a0c33b3bb57a7f00b25

  Score

  9^/10

  ransomwarespyware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Drops desktop.ini file(s)

  behavioral147behavioral148

• • Target

    foo/bc6536b86b04cf5b3bf7cd353d615ab9

  • Size

    583KB

  • MD5

    bc6536b86b04cf5b3bf7cd353d615ab9

  • SHA1

    5e796021e22ed016697d6aefb0b955c57b4b8dc8

  • SHA256

    1e8dbcedd0e30e32583548508edc4cf2b8f3d0f731a1a65559fe83382298136f

  • SHA512

    f1f3fd81b2e56daa77cabbed191978b51308d8202e35d34cdc300d9fa429a426f88fad618ae7df9bed0a6f2ce665ad4586a5d5cbc6099e98e4b9bcda1cd160ab

  Score

  10^/10

  xmrigdiscoveryevasionminerpersistenceupx

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets file execution options in registry

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  behavioral149behavioral150

• • Target

    foo/be85e0b2608a55942aa101c66ce6c32c

  • Size

    728KB

  • MD5

    be85e0b2608a55942aa101c66ce6c32c

  • SHA1

    77e651fa75f8221458777a0d290ccae73682204a

  • SHA256

    c77d9095b13bfa202cfdfa87475cb1799fcdf8152a3d298300d63ca16abd3757

  • SHA512

    f0a2f943e251cc96ee7026bdc25cc920afd79d42ab1ec112a641d881602117fa1cfd8b39b18b9e28a9e6b1401fcf133e052be2e63a654eaf34075342a7d5a3bd

  Score

  1^/10
  behavioral151behavioral152

• • Target

    foo/c914b169d1388c5e78421045d05946ee

  • Size

    3.5MB

  • MD5

    c914b169d1388c5e78421045d05946ee

  • SHA1

    4f2de494d334710253cf3ad40faf1d07e048d55c

  • SHA256

    e1ee4f9cb208e3560177f49c3e809a29ff9fa0b0daed5316f17caf22647e4eef

  • SHA512

    96dc235e2a93f99682f26f95ff0986db2b8a09e5b3470122270de5c3ea77575356178a51c6d7e3515f68fad894ebb63e2b86e3766f6f12ffa3930ca1192205f2

  Score

  3^/10
  behavioral153behavioral154

• • Target

    foo/c944eadb6e032fd9e7a0988464a6f1cc

  • Size

    160KB

  • MD5

    c944eadb6e032fd9e7a0988464a6f1cc

  • SHA1

    c21551f6885ac52f80a5e303ef3cb6d40c182d11

  • SHA256

    2e4a248e3f279a42e2bea37409ab0de8770a3cd4a3b5fcccd701a535c2436d52

  • SHA512

    475ed1d94361538bdd71d21b4127fc1b7bab5edfc0ad917b7c3bbdfa51a8ed11ff6f0d4df47e3be266f07a4722448d53a926d041a161a5646efec94eecd3bde9

  Score

  8^/10

  upx

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  behavioral155behavioral156

• • Target

    foo/cad3634df5d5058551bed38237ab8e8b

  • Size

    823KB

  • MD5

    cad3634df5d5058551bed38237ab8e8b

  • SHA1

    2f2ac22494e49ce18470677690ee9bdfcd9f0c74

  • SHA256

    663ef562dbd3a7fc7490fd6ebc11c328450db6f5a9f9e058c4d3ec663b925147

  • SHA512

    bc1eee26f9375f0138fc571aaf2602d9b4c14e7052867e739fd131450b3453a1a19424031ae6ff80c1cfac4a6e71e9087255e97a3f3d9053f84451b745054ebe

  Score

  6^/10

  • Legitimate hosting services abused for malware hosting/C2

  behavioral157behavioral158

• • Target

    foo/cd89b6c808c296cde0bc77ee630dc7df

  • Size

    284KB

  • MD5

    cd89b6c808c296cde0bc77ee630dc7df

  • SHA1

    47a17c5b8263acb882f078b81897f615c25de0ca

  • SHA256

    246ad930ec77776b847e9470b725029f5dd5e0384b869d6105c3571b8cb8189a

  • SHA512

    a51620d5170356cabb73cfe2f9f2de54d52467c3a126b2b34eef5d18a84b6cd6e68b2003168c8b077abee1d58d1aa9e5af58ee65eaaee4a75f9414c04bc169fa

  Score

  8^/10

  persistencespyware

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spyware

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spyware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral159behavioral160

• • Target

    foo/d81e76123ccb64b73eeac2f31a7434c4

  • Size

    4.7MB

  • MD5

    d81e76123ccb64b73eeac2f31a7434c4

  • SHA1

    6a32284225e897965972ba4915e5c327b900b81a

  • SHA256

    695ac197f95781e22c61604838e3e339285b08259a971289ce6993d409fcbc4a

  • SHA512

    37404b0e8fa7825f837ff9d6ab1e487bc1591daf46b57bfe030b7c015937ba80605db96f649ec024761d13eeb2cba86ab50870af9007bc75fe6043fd8b8f6cc0

  Score

  10^/10

  gluptebadropperevasionloaderpersistencetrojanupx

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence
  behavioral161behavioral162

• • Target

    foo/d86d2cb12111422ad0b401afa523e308

  • Size

    894KB

  • MD5

    d86d2cb12111422ad0b401afa523e308

  • SHA1

    d019e10b793b78f2da2f006acdb0aeff6b57d927

  • SHA256

    bfefbd8050f0dfbe1047ddcc07e951967a5b8395190127d97d0c3a4441c919bf

  • SHA512

    e9bea547df7cd2b5cfab5890245ca2540828eb87aba7052a3d5c0cc11d03552c8d39ba0bfc9994acafc257facf9797f1cbaa149e7628d99124bf2b53b840a78e

  Score

  10^/10

  hawkeye_rebornm00nd3v_loggerkeyloggerspywarestealertrojan

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger

  • M00nD3v Logger Payload

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Drops startup file

  • Uses the VBS compiler for execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral163behavioral164

• • Target

    foo/d8e37dd7ca017370a0b54147a27a7498

  • Size

    8.4MB

  • MD5

    d8e37dd7ca017370a0b54147a27a7498

  • SHA1

    c6167da141d215d31aef6ac9e332f58118edb70d

  • SHA256

    00ef059476bea303a3d8c6621e7286c32a953e4c83c30361938fd338e9665f9b

  • SHA512

    6a0c989f8ebfe2dc2706a4241db52962dadc6cf94749a9408dd534531582a061be3aa860e65b15e96c172292b607c8606e4e8fde11e05b0840f4eb2e4540b355

  Score

  9^/10

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Loads dropped DLL

  behavioral165behavioral166

• • Target

    foo/dea515c25081073ec2cee293b2991ee1

  • Size

    1.4MB

  • MD5

    dea515c25081073ec2cee293b2991ee1

  • SHA1

    811a254ac1f803d5707310f87e454bb7504f0757

  • SHA256

    9ee19d067ec19b2c6d07726448639c869d61138e2f53c9eed136c3a2622c881b

  • SHA512

    68886a649fbc0f53a63fd7f437508dd93dd7e8cd6ae67640a07206a4ffdf349c7e662721b42c9cb68a889888d29d6d693f26273ce2db27d36440f4482cb8d530

  Score

  10^/10

  remcospersistencerat

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral167behavioral168

• • Target

    foo/dfcc555a02bccc9c438b08555b5c2ab8

  • Size

    252KB

  • MD5

    dfcc555a02bccc9c438b08555b5c2ab8

  • SHA1

    5f10b75aa47823bc7e81a859fdced21b8556040d

  • SHA256

    1095b754656cf05da5e65406de095e1b1dd4b28c2c2f8efca5e34283bd17e0b5

  • SHA512

    fcb9ef49ec2f7eab67394997a92cdb15c11878434c6ed47240fafd71ea4c8993fbd0f986d4086e51473a5168d472e4eaeb993491bd36f0a804008dc5a0eb6b6c

  Score

  7^/10

  • Loads dropped DLL

  behavioral169behavioral170

• • Target

    foo/e03bd458de4a107688236bdc4ddc3afe

  • Size

    431KB

  • MD5

    e03bd458de4a107688236bdc4ddc3afe

  • SHA1

    55859c4fa195c36a48425bb8aca9ef3609b62e89

  • SHA256

    344bce1df6486b71b78e85d6dce7ba1929176afda786acac56b6a11b625cd21c

  • SHA512

    f4585ddb1aff65d34a5a33c95a29c0c816f0ed5009faf7cc7ba26adf9bea3e787c1efa82c9c8423fc2bfdc8d4b9324566f0ab33b4212bb625c36052fb27c5948

  Score

  8^/10

  upx

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Suspicious use of SetThreadContext

  behavioral171behavioral172

• • Target

    foo/e16ec7bc29b68f66e90fdbfefe1d3a2d

  • Size

    674KB

  • MD5

    e16ec7bc29b68f66e90fdbfefe1d3a2d

  • SHA1

    156d9d781a1302d8e958486effcec79713c41708

  • SHA256

    fe9470a406b6dadc18cb3a430671d3ac321e97eb8d1ecf0dc054db440df7187d

  • SHA512

    c9e7c58170fb110bb9b76ec17a4349f5a73b912cd6c36d85d1aca7f1c94cbf70563900c36c4702f49a3ff4776fd45162e4a0f94ca826b2eff60668bcca9c55ec

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral173behavioral174

• • Target

    foo/e61c0e180c2616fa81e6c4d581a9520e

  • Size

    4.9MB

  • MD5

    e61c0e180c2616fa81e6c4d581a9520e

  • SHA1

    d91996fabaa7a1af229ce118551aeef66e389cb7

  • SHA256

    a2fd87672b5dc07057c47208124b7f02862c4f5512f1b667ea27bc79a8d57ba2

  • SHA512

    21c84bd84c125be26d7fe053a0b11d2c31f29a38355be85ed17d2303b5700c7b335a7c2a924e6a1c4c3b05ff9fbda88745a20ad3a0449f6c193d718f503e68de

  Score

  7^/10

  spyware

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spyware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware
  behavioral175behavioral176

• • Target

    foo/e78fad8a5d0ea89127ed36ed20bc9351

  • Size

    11.1MB

  • MD5

    e78fad8a5d0ea89127ed36ed20bc9351

  • SHA1

    816c12862830ec0c0ec065c7d73f2128cb4cc9dd

  • SHA256

    b25d571c5210bb02ba01a54a75a781094397bda7bc4745b2aa4c4a971233fb56

  • SHA512

    515e6aac22e11d8fb9663fab08250afe56c94faf93fe8062cea079d8633d1338f4e94735a5a46cf75b16c05570090cb1a47a464aaa64e549432536f4dce03d9f

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral177behavioral178

• • Target

    foo/e7ad45164be5c3c7f9936e9b5fb28788

  • Size

    558KB

  • MD5

    e7ad45164be5c3c7f9936e9b5fb28788

  • SHA1

    a2cd13bc8bce9b107ac38662c35d70c4ff1d16b8

  • SHA256

    8c9c9951c2bf631b818a5e1dcdf700342f1c0c05391ec3c9c4ee15496aa28f4f

  • SHA512

    1bc0e6e3b9e416cf152d2ddef23d928c90725b589eb30d62c1c6f880af83b3068de1d27050e89f9961d71f664f98a6694fc0cf698d1c861c9a7b131efa419bfa

  Score

  3^/10
  behavioral179behavioral180

• • Target

    foo/e95678212c7218c6e7944fca1631c88f

  • Size

    861KB

  • MD5

    e95678212c7218c6e7944fca1631c88f

  • SHA1

    45a011ec5b1eb913a6f9bf4b46389dbeeeb6e1f3

  • SHA256

    2a5100ba7bfe592e112ab0071d8ea1861b4d365fc4fb98f4e2be0459b990db72

  • SHA512

    16f286de9ceb5545efc477741ec0e69f4de40e1a864ed00d16854e1c0580655f5d0ea93450602c3a2598e889078ab8a12923244710c67b23e3f3551fd0f76b9e

  Score

  1^/10
  behavioral181behavioral182

• • Target

    foo/edf723c8e404cd67041e7dfbbb1a6eee

  • Size

    75KB

  • MD5

    edf723c8e404cd67041e7dfbbb1a6eee

  • SHA1

    96a2fda8f26018724c86b275fe9396e24b26ec9e

  • SHA256

    bf2534b2f059547967bb453d67909921a41c10cdd19c1ec346a193060b094e2e

  • SHA512

    04bea993ba6af7e568bdfee4185e8145e4111af6bb92a68de3785658e0f5a65e741b378848eb9e77aa200cd72ab94339fcf852aae41cac45ea64bd430b8f9f50

  Score

  1^/10
  behavioral183behavioral184

• • Target

    foo/f2366f48d3534bc8af573f2696dce4f5

  • Size

    191KB

  • MD5

    f2366f48d3534bc8af573f2696dce4f5

  • SHA1

    706750f403d6f12c10489befa6032c1c4eb30a3e

  • SHA256

    f7fab7d724f492cb7baccb49c5fdef8305bebe9896a6853913b5d3ec225d51b0

  • SHA512

    9fd4632204c33bbd124bfff5744c8da551a4a8f94c4f714413861e92f6b4d70f4f506d8079540adfd19ded4ace9c9745891617bbfa3d00784cfea24b04913c35

  Score

  1^/10
  behavioral185behavioral186

• • Target

    foo/f645a94491240317caccd6f8508fba1f

  • Size

    1.9MB

  • MD5

    f645a94491240317caccd6f8508fba1f

  • SHA1

    59c94235d380d09a479291cd3400694d1c2ec18d

  • SHA256

    c130982342656ad1b4d588b0e985ec9d6169f279bbb748cd09727a3e96622fd2

  • SHA512

    8731c4c9cce9922793418ee7ae095893195f0609731aa0312fd38d548a94b2ba0a5bd437a8586c4c05f85cd45cac61caad3f1311b91b9db87baf61a2d4327280

  Score

  1^/10
  behavioral187behavioral188

• • Target

    foo/f65e75d9675a50f9b4807e79dcc48d56

  • Size

    1.8MB

  • MD5

    f65e75d9675a50f9b4807e79dcc48d56

  • SHA1

    8ed35b0ce78c565441ee6ac5722347fbeb220305

  • SHA256

    36a4d9e2eb623e59acbaf14341c3998114fcce9bc37392572213d9d22b2fb450

  • SHA512

    9da997c23af8b5bb90abfa7eb7e967ef026645604d3652a39a7c2a9ce719e7110956fe7e491c9bf733fd1da14f0cc518681bde409498c12797678e166c72fc5f

  Score

  1^/10
  behavioral189behavioral190

• • Target

    foo/f660284cb3574213a512e3f03ca9012b

  • Size

    995KB

  • MD5

    f660284cb3574213a512e3f03ca9012b

  • SHA1

    8051d5262c8c67e8888fc1991fbe667d4b4e311d

  • SHA256

    f0d6ee327670c99e451f6e54b842a3ced72b1de7e586ba81bdd27dc5366613d0

  • SHA512

    3b54928c6d1eb9e36db5ec8aeffa06b08d3e5c4167d9a884d2133282e5511edcaa7eed45832ff172bd1e71ddd56150f726382c528960f7db82a6aa87c6e9d890

  Score

  8^/10

  discoveryspyware

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spyware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral191behavioral192

• • Target

    foo/f6c1c72f3e45d2f3499b6bd6661b3289

  • Size

    387KB

  • MD5

    f6c1c72f3e45d2f3499b6bd6661b3289

  • SHA1

    aabaf0e9fbda0e00d53ef30ad736b9a3db9973c2

  • SHA256

    90120bc1c6a88ef6032b2ea5da0b8e9432ce6cfe126e9fef4515f0660a6a88ec

  • SHA512

    c50e1c73ea369c7dd87a650a635b3e9702a4be13ddba87cf1ba649e9ad8522503d643d256486dbd3973b35beb3e77d97d180c771d099c40f380834647ce9f318

  Score

  10^/10

  azorultinfostealertrojan

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  behavioral193behavioral194

• • Target

    foo/fbab903080d6a4e65a1a2f6bc4d97b7c

  • Size

    1.6MB

  • MD5

    fbab903080d6a4e65a1a2f6bc4d97b7c

  • SHA1

    0a7eee729e7d140ca81b9595578ee305651a6946

  • SHA256

    cf1b96af0838abbd8b8a292f4aa5e335743eb3d5da862254a86184db37ecf85e

  • SHA512

    894bc25e7bdab656988a8e6b419eeee4b696e9e644f38142fcb373f557dd7170dc7ce0979ccd3c6b84b0eea32822669c9f244182391d1719c8db22d5c61b1dd7

  Score

  7^/10

  • Loads dropped DLL

  • Drops file in System32 directory

  behavioral195behavioral196

• • Target

    foo/fcdc003a1529fe3660b160fd012173b3

  • Size

    3.4MB

  • MD5

    fcdc003a1529fe3660b160fd012173b3

  • SHA1

    a517d1137be23fc41f03efdb0e9354089bedf6ba

  • SHA256

    6490b57b8944f8f07e687a4dfa6ab76080de99ffc9d48d4c10f64dd88fa2cb95

  • SHA512

    a00b22d8a348891a828e4c16e0e56fc66caf29fa1f43ca3cd97ffa76675700446e905750016ea083a67592a7d2aea02c3396306527efb7fa255e08c9748e7d21

  Score

  8^/10

  upx

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  behavioral197behavioral198

• • Target

    foo/fffb61eaaac6e8a40bfaa7a4acb6b9ba

  • Size

    195KB

  • MD5

    fffb61eaaac6e8a40bfaa7a4acb6b9ba

  • SHA1

    84deb15aeea324b2d11922c2fa4aebd039a5f805

  • SHA256

    8e22a34621adf78355b916d1a96ef4a6de5caa0dcb6e7949fa2df88ddfd999fd

  • SHA512

    07a9f94e70e461142e3e06921bfca1f9fe8723a68b6ff067651f5685bbf1c823de4beda42dc4c1ef44c969a494682e2c41ba6a1235d0a978ce6d070f4b24bd38

  Score

  1^/10
  behavioral199behavioral200