Overview

overview

10

Static

static

10

foo/0044d6...f7.exe

windows7_x64

1

foo/0044d6...f7.exe

windows10_x64

1

foo/034e4c...a9.exe

windows7_x64

4

foo/034e4c...a9.exe

windows10_x64

4

foo/035fa2...72.exe

windows7_x64

10

foo/035fa2...72.exe

windows10_x64

10

foo/04884a...1b.exe

windows7_x64

8

foo/04884a...1b.exe

windows10_x64

8

foo/06ed82...59.exe

windows7_x64

7

foo/06ed82...59.exe

windows10_x64

7

foo/07470b...68.exe

windows7_x64

8

foo/07470b...68.exe

windows10_x64

8

foo/078adb...c0.exe

windows7_x64

10

foo/078adb...c0.exe

windows10_x64

10

foo/09e5c8...b4.exe

windows7_x64

1

foo/09e5c8...b4.exe

windows10_x64

1

foo/0becfe...f4.exe

windows7_x64

10

foo/0becfe...f4.exe

windows10_x64

10

foo/1a78d3...a3.exe

windows7_x64

5

foo/1a78d3...a3.exe

windows10_x64

5

foo/1ffe82...a6.exe

windows7_x64

10

foo/1ffe82...a6.exe

windows10_x64

10

foo/255028...e1.dll

windows7_x64

1

foo/255028...e1.dll

windows10_x64

1

foo/27601d...cc.exe

windows7_x64

8

foo/27601d...cc.exe

windows10_x64

8

foo/27f911...49.exe

windows7_x64

10

foo/27f911...49.exe

windows10_x64

10

foo/28408c...c5.exe

windows7_x64

10

foo/28408c...c5.exe

windows10_x64

10

foo/296822...e4.dll

windows7_x64

3

foo/296822...e4.dll

windows10_x64

3

foo/2de7b8...a4.exe

windows7_x64

10

foo/2de7b8...a4.exe

windows10_x64

10

foo/2e00df...8b.exe

windows7_x64

9

foo/2e00df...8b.exe

windows10_x64

9

foo/2e90a1...22.exe

windows7_x64

6

foo/2e90a1...22.exe

windows10_x64

6

foo/2f215e...b0.dll

windows7_x64

10

foo/2f215e...b0.dll

windows10_x64

10

foo/30bc06...3e.exe

windows7_x64

10

foo/30bc06...3e.exe

windows10_x64

10

foo/312e67...f3.exe

windows7_x64

4

foo/312e67...f3.exe

windows10_x64

4

foo/383497...1b.exe

windows7_x64

10

foo/383497...1b.exe

windows10_x64

10

foo/39555e...ec.exe

windows7_x64

10

foo/39555e...ec.exe

windows10_x64

10

foo/39e531...04.exe

windows7_x64

10

foo/39e531...04.exe

windows10_x64

10

foo/3aba72...cd.exe

windows7_x64

1

foo/3aba72...cd.exe

windows10_x64

1

foo/406c9b...fe.exe

windows7_x64

10

foo/406c9b...fe.exe

windows10_x64

10

foo/457cfd...ca.exe

windows7_x64

7

foo/457cfd...ca.exe

windows10_x64

7

foo/4761e4...60.exe

windows7_x64

8

foo/4761e4...60.exe

windows10_x64

8

foo/487f1b...04.exe

windows7_x64

8

foo/487f1b...04.exe

windows10_x64

7

foo/4a74c9...cf.exe

windows7_x64

10

foo/4a74c9...cf.exe

windows10_x64

10

foo/4b2d78...4b.exe

windows7_x64

8

foo/4b2d78...4b.exe

windows10_x64

8

foo/4c49c2...ba.exe

windows7_x64

1

foo/4c49c2...ba.exe

windows10_x64

1

foo/4cfe8f...77.exe

windows7_x64

9

foo/4cfe8f...77.exe

windows10_x64

9

foo/4ea454...13.exe

windows7_x64

8

foo/4ea454...13.exe

windows10_x64

8

foo/52d6c5...7e.exe

windows7_x64

7

foo/52d6c5...7e.exe

windows10_x64

7

foo/55fc11...e0.exe

windows7_x64

foo/55fc11...e0.exe

windows10_x64

10

foo/59f0fb...06.exe

windows7_x64

1

foo/59f0fb...06.exe

windows10_x64

1

foo/5b1c0d...cb.exe

windows7_x64

1

foo/5b1c0d...cb.exe

windows10_x64

1

foo/5bc72a...ea.exe

windows7_x64

8

foo/5bc72a...ea.exe

windows10_x64

8

foo/5d3305...2a.exe

windows7_x64

7

foo/5d3305...2a.exe

windows10_x64

7

foo/5d9775...39.exe

windows7_x64

8

foo/5d9775...39.exe

windows10_x64

8

foo/60121e...3e.exe

windows7_x64

9

foo/60121e...3e.exe

windows10_x64

9

foo/62565a...fd.exe

windows7_x64

10

foo/62565a...fd.exe

windows10_x64

10

foo/62a3fd...64.exe

windows7_x64

8

foo/62a3fd...64.exe

windows10_x64

10

foo/63e9ce...d0.exe

windows7_x64

8

foo/63e9ce...d0.exe

windows10_x64

8

foo/6497ba...c5.exe

windows7_x64

10

foo/6497ba...c5.exe

windows10_x64

10

foo/698cc8...31.exe

windows7_x64

7

foo/698cc8...31.exe

windows10_x64

7

foo/6f2c5c...d5.exe

windows7_x64

7

foo/6f2c5c...d5.exe

windows10_x64

7

foo/798f5e...ba.exe

windows7_x64

10

foo/798f5e...ba.exe

windows10_x64

10

foo/7aec86...51.exe

windows7_x64

1

foo/7aec86...51.exe

windows10_x64

1

foo/84bf6e...64.exe

windows7_x64

8

foo/84bf6e...64.exe

windows10_x64

8

foo/907b7d...b3.exe

windows7_x64

8

foo/907b7d...b3.exe

windows10_x64

8

foo/928f1d...ee.exe

windows7_x64

1

foo/928f1d...ee.exe

windows10_x64

1

foo/9401b0...6c.exe

windows7_x64

1

foo/9401b0...6c.exe

windows10_x64

1

foo/97dd87...84.exe

windows7_x64

10

foo/97dd87...84.exe

windows10_x64

10

foo/9b8c48...a4.exe

windows7_x64

8

foo/9b8c48...a4.exe

windows10_x64

8

foo/9cde71...cd.exe

windows7_x64

6

foo/9cde71...cd.exe

windows10_x64

6

foo/9d3438...4b.exe

windows7_x64

8

foo/9d3438...4b.exe

windows10_x64

1

foo/9f8818...2d.exe

windows7_x64

8

foo/9f8818...2d.exe

windows10_x64

3

foo/a17bdc...cf.exe

windows7_x64

9

foo/a17bdc...cf.exe

windows10_x64

9

foo/a29811...46.exe

windows7_x64

10

foo/a29811...46.exe

windows10_x64

10

foo/aa3b51...52.exe

windows7_x64

10

foo/aa3b51...52.exe

windows10_x64

10

foo/acf0b7...c4.exe

windows7_x64

8

foo/acf0b7...c4.exe

windows10_x64

8

foo/aeca5c...f7.exe

windows7_x64

1

foo/aeca5c...f7.exe

windows10_x64

1

foo/b10714...f3.exe

windows7_x64

8

foo/b10714...f3.exe

windows10_x64

8

foo/b23652...9f.exe

windows7_x64

6

foo/b23652...9f.exe

windows10_x64

6

foo/b514b5...fc.exe

windows7_x64

1

foo/b514b5...fc.exe

windows10_x64

1

foo/b64196...23.exe

windows7_x64

7

foo/b64196...23.exe

windows10_x64

7

foo/b693df...60.exe

windows7_x64

7

foo/b693df...60.exe

windows10_x64

7

foo/b6e7c9...bc.exe

windows7_x64

10

foo/b6e7c9...bc.exe

windows10_x64

10

foo/b7d5f0...4a.exe

windows7_x64

10

foo/b7d5f0...4a.exe

windows10_x64

10

foo/ba2d46...29.exe

windows7_x64

1

foo/ba2d46...29.exe

windows10_x64

1

foo/bad78e...e5.exe

windows7_x64

9

foo/bad78e...e5.exe

windows10_x64

9

foo/bc6536...b9.exe

windows7_x64

10

foo/bc6536...b9.exe

windows10_x64

10

foo/be85e0...2c.exe

windows7_x64

1

foo/be85e0...2c.exe

windows10_x64

1

foo/c914b1...ee.exe

windows7_x64

3

foo/c914b1...ee.exe

windows10_x64

3

foo/c944ea...cc.exe

windows7_x64

8

foo/c944ea...cc.exe

windows10_x64

8

foo/cad363...8b.exe

windows7_x64

6

foo/cad363...8b.exe

windows10_x64

6

foo/cd89b6...df.exe

windows7_x64

8

foo/cd89b6...df.exe

windows10_x64

8

foo/d81e76...c4.exe

windows7_x64

10

foo/d81e76...c4.exe

windows10_x64

10

foo/d86d2c...08.exe

windows7_x64

10

foo/d86d2c...08.exe

windows10_x64

10

foo/d8e37d...98.exe

windows7_x64

9

foo/d8e37d...98.exe

windows10_x64

9

foo/dea515...e1.exe

windows7_x64

10

foo/dea515...e1.exe

windows10_x64

6

foo/dfcc55...b8.exe

windows7_x64

7

foo/dfcc55...b8.exe

windows10_x64

7

foo/e03bd4...fe.exe

windows7_x64

8

foo/e03bd4...fe.exe

windows10_x64

8

foo/e16ec7...2d.exe

windows7_x64

8

foo/e16ec7...2d.exe

windows10_x64

8

foo/e61c0e...0e.exe

windows7_x64

7

foo/e61c0e...0e.exe

windows10_x64

7

foo/e78fad...51.exe

windows7_x64

8

foo/e78fad...51.exe

windows10_x64

8

foo/e7ad45...88.exe

windows7_x64

3

foo/e7ad45...88.exe

windows10_x64

3

foo/e95678...8f.exe

windows7_x64

1

foo/e95678...8f.exe

windows10_x64

1

foo/edf723...ee.dll

windows7_x64

1

foo/edf723...ee.dll

windows10_x64

1

foo/f2366f...f5.exe

windows7_x64

1

foo/f2366f...f5.exe

windows10_x64

1

foo/f645a9...1f.exe

windows7_x64

1

foo/f645a9...1f.exe

windows10_x64

1

foo/f65e75...56.exe

windows7_x64

1

foo/f65e75...56.exe

windows10_x64

1

foo/f66028...2b.exe

windows7_x64

8

foo/f66028...2b.exe

windows10_x64

8

foo/f6c1c7...89.exe

windows7_x64

10

foo/f6c1c7...89.exe

windows10_x64

10

foo/fbab90...7c.exe

windows7_x64

7

foo/fbab90...7c.exe

windows10_x64

7

foo/fcdc00...b3.exe

windows7_x64

8

foo/fcdc00...b3.exe

windows10_x64

8

foo/fffb61...ba.exe

windows7_x64

1

foo/fffb61...ba.exe

windows10_x64

1

General

  • Target

    foo.zip

  • Size

    148.2MB

  • Sample

    200811-8q4fq2yyya

  • MD5

    875294d0dba88dbc80c33a5cbb110b41

  • SHA1

    3727db2a114f7302be5d5a3ef212bc0922060346

  • SHA256

    46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

  • SHA512

    4482e49c33c076cbde30a4da9c7283ef9cc67ae3ae75d9217ea402c206f6fc82aa4ffe90b76ab18c79cda6a7c1e302c02abda6736d594df2b2db273d013e07ab

Malware Config

Extracted

Family

cobaltstrike

C2

http://www.google.com:443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.google.com,/__utm.gif

  • http_header1

    AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAoAAAAoSG9zdDogdHJhbnNsYXRlc2VydmljZXVwZGF0ZS5hcHBzcG90LmNvbQAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAACgAAAChIb3N0OiB0cmFuc2xhdGVzZXJ2aWNldXBkYXRlLmFwcHNwb3QuY29tAAAABwAAAAEAAAAEAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+xef42wyX1NAUR5Ukrnj2L8wg2GQ3+zg6SV5+gTlXxdgo8apUHH/mtKv7A+Fa5aReI1QBvVbMdkwq7A1YwJpBtFUBouokiqs8MjBWWrcftqQno/goPu3jDA1eHNyB8Hn+E4URKzRBBwQBduCA6fvUK83z/jAh062sZrZaFGE6dwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    6.71092736e+08

  • unknown2

    AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /___utm.gif

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Extracted

Family

smokeloader

Version

2018

C2

http://segodnya.bit/biologe/

rc4.i32
rc4.i32

Extracted

Family

lokibot

C2

http://clogwars.com/~zadmin/lmark/seng/link.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://hawkcarts.info/jeff/five/fre.php

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    foroni

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Campaign

1535648626

Credentials

  • Protocol:
    ftp
  • Host:
    37.60.244.211
  • Port:
    21
  • Username:
    backup_manager@garciasdrywall.com
  • Password:
    4AsEzIaMwi2d

  • Protocol:
    ftp
  • Host:
    198.38.77.162
  • Port:
    21
  • Username:
    backup_manager@worldexpresscargo.com
  • Password:
    kJm6DKVPfyiv

  • Protocol:
    ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    logger@ostergift.com
  • Password:
    346HZGCMlwecz9S

  • Protocol:
    ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    logger@grupocrepusculo.net
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:
    ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    logger@trussedup.com
  • Password:
    RoP4Af0RKAAQ74V
C2

190.185.219.110:443

73.74.72.141:443

65.116.179.83:443

50.198.141.161:2078

70.183.154.153:995

68.49.120.179:443

70.94.109.57:443

24.45.54.50:2222

190.80.21.204:2222

216.201.159.118:443

74.88.210.56:995

75.189.235.216:443

47.48.236.98:2222

68.59.209.183:995

75.3.101.153:443

108.17.25.169:443

185.219.83.73:443

184.180.157.203:2222

207.178.109.161:443

174.48.72.160:443

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mwanzompya.com
  • Port:
    587
  • Username:
    info@mwanzompya.com
  • Password:
    mwanzo#05
Mutex

382536c5-1156-46e8-b78f-7f58423a46e3

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:mwanzo#05 _EmailPort:587 _EmailSSL:false _EmailServer:mail.mwanzompya.com _EmailUsername:info@mwanzompya.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:382536c5-1156-46e8-b78f-7f58423a46e3 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mwanzompya.com
  • Port:
    587
  • Username:
    info@mwanzompya.com
  • Password:
    mwanzo#05

Extracted

Family

remcos

C2

185.244.29.195:1991

Targets

    • Target

      foo/0044d66e4abf7c4af6b5d207065320f7

    • Size

      127KB

    • MD5

      0044d66e4abf7c4af6b5d207065320f7

    • SHA1

      07e73ac58bee7bdc26d289bb2697d2588a6b7e64

    • SHA256

      b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480

    • SHA512

      25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd

    Score
    1/10
    • Target

      foo/034e4c62965f8d5dd5d5a2ce34a53ba9

    • Size

      416KB

    • MD5

      034e4c62965f8d5dd5d5a2ce34a53ba9

    • SHA1

      edc165e7e833a5e5345f675467398fb38cf6c16f

    • SHA256

      52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f

    • SHA512

      c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd

    Score
    4/10
    • Target

      foo/035fa2f2fae0a8fad733686a7d9ea772

    • Size

      291KB

    • MD5

      035fa2f2fae0a8fad733686a7d9ea772

    • SHA1

      411ee99b26bb612b1905b0c7254129fb1dd0cb56

    • SHA256

      f823ee1362132d0c4cb632829abbaae16b7ae8f938e86a10bdab3897e4f5dc8c

    • SHA512

      9a58f3b940e83e79fd7c7353b8d20947ab45ee48c617217f7c5ac58b1a0d0b5904eda1d49eb118a55f309291055b50b4710a6ab598ae5b29bbb6ff541ab599f1

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      foo/04884a82d01d733f245d921e1f74fb1b

    • Size

      2.9MB

    • MD5

      04884a82d01d733f245d921e1f74fb1b

    • SHA1

      975c743feccce12419d4d72f26c2d44c8591118a

    • SHA256

      e3d13acdbf704b60569fad130fec670ff20d99183fb4bfb32f339dd3138a5f2f

    • SHA512

      c7f26c9656a14a2865da01e7903f29b2474e5fb3bb7a054d09fdd7ea476f7c3666bf4b3fc87e676c4829c0f51942273bb8161b448e42246898985874389a072c

    Score
    8/10
    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      foo/06ed82e88e1f68cc08602d7cd8ec5f59

    • Size

      12.2MB

    • MD5

      06ed82e88e1f68cc08602d7cd8ec5f59

    • SHA1

      37d4750e5f22cc395dd721dd5df73aeccc095bb5

    • SHA256

      43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5

    • SHA512

      63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895

    Score
    7/10
    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/07470b6ede84f02ec31ab0a601cdc068

    • Size

      199KB

    • MD5

      07470b6ede84f02ec31ab0a601cdc068

    • SHA1

      2ca5cc5bf36cf0dfc95a128267e5ca1bdead991b

    • SHA256

      c7307db0fdd462a0415cec9cb707045f575d28ae18f2db8efcedd7a2db3079ac

    • SHA512

      002bd7b302ce582ae8921f2613ab340a366a5928e32d1bddf6fbfc16f8fbde2ea93668775d418ea1b3375a32eff24d3f8e32a8f17d7549a743b545f873a0dab7

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/078adb95b1a0a6449d8c4ece796deac0

    • Size

      349KB

    • MD5

      078adb95b1a0a6449d8c4ece796deac0

    • SHA1

      412cbff9af426e0af43b9b860150c7c30ebce654

    • SHA256

      94a65945d7cebe9755b6cb5cffe7139c848bcbbf5988b07a3d195c57f5e44a89

    • SHA512

      32b58760617c268de6571bae946d3757f021fc975e3546333371d1667e592057a71956578039e75ad953e8a8aff18d1f871e2fe360abe13a9866f1d56f5ea3e0

    Score
    10/10
    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Drops desktop.ini file(s)

    • Target

      foo/09e5c88a0592763e0c4f30fb88d663b4

    • Size

      713KB

    • MD5

      09e5c88a0592763e0c4f30fb88d663b4

    • SHA1

      939a8f3e7477ce8ee6406ac2b8aa58bd8399e1b4

    • SHA256

      9aac9319312f83811ad3ee68cd0ae467c088fa484ce921271be0382dc0d027fc

    • SHA512

      aa8aaa125fc6a47db42b882c960dc52e16df2a308675382f761a66060da414c26345fa526c92e322104b563372f7de6c305645d7a626fd5e4b5c100bdaba089b

    Score
    1/10
    • Target

      foo/0becfedf4d0b9ad5251aca33274a4cf4

    • Size

      443KB

    • MD5

      0becfedf4d0b9ad5251aca33274a4cf4

    • SHA1

      5d6faf04a6215b08988f289373f3b239d5878d06

    • SHA256

      235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

    • SHA512

      0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      foo/1a78d313f2891bd468f78694814a28a3

    • Size

      5.5MB

    • MD5

      1a78d313f2891bd468f78694814a28a3

    • SHA1

      7b10daf92b6bb599c68379909fbc951955e9335e

    • SHA256

      b8953f266d0ec05808dd5ba4799986c61bfc4d6e5308b0da84cbc8afe19de4df

    • SHA512

      4a9d76516888a4abff4acb29712abdc65674d5a9a3e69b0e30fa0cf815267d7d45f02d4879383232eb44c5503256af3adc4cb3db201e603816ccc983666475cb

    Score
    5/10
    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/1ffe827beb75335731cb6f052a8ec3a6

    • Size

      468KB

    • MD5

      1ffe827beb75335731cb6f052a8ec3a6

    • SHA1

      381ff47af182f52185fe2ff8d01453c5f611b04a

    • SHA256

      bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47

    • SHA512

      fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/255028f2f37838e92f84f27c68aaf4e1

    • Size

      536KB

    • MD5

      255028f2f37838e92f84f27c68aaf4e1

    • SHA1

      64e6d06aba93b91fbda44364278f2a91e91c6cf3

    • SHA256

      db04d912a4fa503b27bea546ca8160b040e3eaf8eabfa5ee0dc30b64738976e2

    • SHA512

      be1f9a5005c9c446a100891c9c955336e011ba550ca7c1f5dd4dd9c3f3041ff20fa30445f117331b6d121b0e89361bead40b981c50f01ce185fa3acf2b7d00d8

    Score
    1/10
    • Target

      foo/27601d095e5b3761d9289584415a73cc

    • Size

      565KB

    • MD5

      27601d095e5b3761d9289584415a73cc

    • SHA1

      9570f23b5abe2ef46a23ded17adb2fb6c203a201

    • SHA256

      749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

    • SHA512

      066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/27f9116902c35a9b784c703762bbd249

    • Size

      1.3MB

    • MD5

      27f9116902c35a9b784c703762bbd249

    • SHA1

      1f398a7f5bb032a30c2207e5e692524691b8a09e

    • SHA256

      548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570

    • SHA512

      c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      foo/28408caa2961caecd35c9f8f7c1aecc5

    • Size

      290KB

    • MD5

      28408caa2961caecd35c9f8f7c1aecc5

    • SHA1

      2df15d3bc4f7623ca3a18665b3c666ec8b70baa6

    • SHA256

      fe99d5ab8be0c9830fd97c1ed127b0c236da75b43a42a58fcd46cb8d46dc3c34

    • SHA512

      a4fdb80d3ac39a2fa46f19c8b5a803ded144e97dd7a3f194177ddaba15b8e0a0486e7b4de2e8c9c957eac4398487fe5872e54ad8e866e68e0beb283c937d0cbd

    • Target

      foo/29682275a385f42634ee312db7f666e4

    • Size

      8.3MB

    • MD5

      29682275a385f42634ee312db7f666e4

    • SHA1

      660661c84c925dd781c327bbdd519b89bcf378c3

    • SHA256

      9bf25bf1e0f9bfb8381dc1ec57ee256ef77d294259468fc17bbab9fe50b8b4a3

    • SHA512

      c03ee099bfb533ae5f88a31499e428588de0bbbc2864a057873355d26b89a9a3b8da73a706fc08e8633b09e73018fbf4406fd2c8cc7738b605a0b2eeac23db36

    Score
    3/10
    • Target

      foo/2de7b886ed3bf5455694d76ac69a96a4

    • Size

      99KB

    • MD5

      2de7b886ed3bf5455694d76ac69a96a4

    • SHA1

      8e80636a30b25b9aba51bc048882a43b9914f631

    • SHA256

      1cc983ae1831efb88cafacc5e7efcdf60ee5d3637a3d8e2336f14fa2bf53e606

    • SHA512

      abe16eb7e94e947507a3276e3d94be5e4c56055263e5aa4ebb5449dc969401d3659460bc152a67001a01874054a4968fcaa9720f81514ab6560ae18cd637f9ca

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      foo/2e00df497f82c0bf215548969fefc18b

    • Size

      8.6MB

    • MD5

      2e00df497f82c0bf215548969fefc18b

    • SHA1

      6f1f6f9e8f40055644670378da81ea668c8b69f5

    • SHA256

      3386ab7ec029dca692f7f8e3214fcfa97f88c42cf384807d9a5c56a146e89ed9

    • SHA512

      0ce197d3f63995265d4c9d8c51ffd2317065c8d653dd8135882ba0fe2201fbb3cfff66b8a88a6f2626a292918cdeccda026b6f9430c6d57196c162688dd03a0b

    Score
    9/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/2e90a15707ad3eb4cd06bd8a05463922

    • Size

      403KB

    • MD5

      2e90a15707ad3eb4cd06bd8a05463922

    • SHA1

      5190382aaac9a76a31315f3e3b3bc6b12fac2738

    • SHA256

      b594e7917381e1089e150150bb0db36cef541d0226fec4ff681f3cf32cb8be36

    • SHA512

      1838ba984c52c21621e68b87fb257590255085177a073b3b0d318802fa24a79317fa96a07d87068ae8b57418adf2fbf93cf9a313e20ba19b6a82420f00427358

    Score
    6/10
    • Target

      foo/2f215e008c6a7d8886c578e442b8f1b0

    • Size

      200KB

    • MD5

      2f215e008c6a7d8886c578e442b8f1b0

    • SHA1

      a4409e2c333fa3aaa4e0b718775d325fcf76cb41

    • SHA256

      6903fcc0ca7851ca2aad10ae4ebc3533eda1f1d85f7f0f6df39082d6c562b867

    • SHA512

      4cf2365b786d5894d335c2fa421901fd45dcac709974eda1ed2bb2f8d7c443c20b5975af17ee337d81986909c03786800929a36d53ed317a353a2e88bb621a3c

    • Target

      foo/30bc06d0add076dd6500fcdfbc12643e

    • Size

      322KB

    • MD5

      30bc06d0add076dd6500fcdfbc12643e

    • SHA1

      def54b6b4ca0d0ea952510cb8c0e3ee2a5f85a3e

    • SHA256

      5038cf5a6ef817ad95a57c8cc8da89e66e24c83fafef450618b4d3e18ebdd9b4

    • SHA512

      6576b45177e01f0c8bec1e1728ed69df450b2f6f7c62aeb8ba85df54b48a37e90925eddfbbce4080fd44c08266a5fec92cdfcb6efb7518e1e808b3b488686314

    Score
    10/10
    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Drops desktop.ini file(s)

    • Target

      foo/312e67dc35992949937d1bad6ba529f3

    • Size

      476KB

    • MD5

      312e67dc35992949937d1bad6ba529f3

    • SHA1

      b1b33ac2b7b82240369b43289c9dafe498df63d5

    • SHA256

      0a58ffc4705b353154ea7347fd495b0e34d25da5f3094f52d43e312ea8163f81

    • SHA512

      9097b5896ea47777fbe389e0cf75ebbdf943695559db78b2fd06aae400ab8a852d7d216fe7687e78418404d238092eec77b4e9601dd33fe34accab0a2791dbb3

    Score
    4/10
    • Target

      foo/383497fda5ca670a06dc688443c2011b

    • Size

      623KB

    • MD5

      383497fda5ca670a06dc688443c2011b

    • SHA1

      c622ebf694003368c3246e166a3a7bfc6b787652

    • SHA256

      d84d8ebcdfb0abcd821c24197517a5e329a1a6ae8e534509db78899b147cd60f

    • SHA512

      5f1f854690f9743a09fcdd0b6be43fd09af3eb5bc0f1ee4c20659458e34f46c33eec8eb651e569315902d99a12a217e5dea750411effca79485fa343c24d0129

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/39555eb0403a69906729713ad20888ec

    • Size

      502KB

    • MD5

      39555eb0403a69906729713ad20888ec

    • SHA1

      3496ed1ff1c3ede32a025b33eec820cdf5512ca9

    • SHA256

      7926fbb4fe0c69379b2c1ac217cfd0a09ff9a73e48c24d3c464785119d8ab349

    • SHA512

      674c3048cf7798c407138474a40b318f1465d920493d6a057de0cbd6befb66649a0f9e0059b042c1141cad40ae38800c8b98a9ea3140d6ae998b88aa1d2ec9ae

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/39e5310f67f0b1bf98604a2e0edb9204

    • Size

      104KB

    • MD5

      39e5310f67f0b1bf98604a2e0edb9204

    • SHA1

      3a2d3638449252c6d890c4061bcd92e733a7cdb3

    • SHA256

      4f91d0b1c9a27ac005f37227e1ef9f9e796cbbe896be2407d23a89734ddbdf3f

    • SHA512

      30c373c76c2910d4aa4671c06fde272ca40d012a353f7c6004643c95da5a486c124662bd303b42501ac29b801cdcfc05cf853764477184d247ffbaf4f02838c8

    • Target

      foo/3aba72d1f87f4372162972b6a45ed8cd

    • Size

      364KB

    • MD5

      3aba72d1f87f4372162972b6a45ed8cd

    • SHA1

      62eaec946e6c05d6279737e9e5583831beb383e8

    • SHA256

      31bae2c85740d091f58896a36a461191d666e33f3ad5d8a4e529bc74bf024b6c

    • SHA512

      d66f28238e74c13057da5f8a6d89807d7d513c542dd65d5005334e360b22d82cc4be7826ce1e3d1372c44c68a4acd8ff662adddb4affffbadfd174ccbd016249

    Score
    1/10
    • Target

      foo/406c9b9529109f835fe7292e6cf3fefe

    • Size

      468KB

    • MD5

      406c9b9529109f835fe7292e6cf3fefe

    • SHA1

      80a616526044d8b3dfe9848b73c8873f474b27ae

    • SHA256

      eeaed429ed196822dfded9099479bbb7d9cd48cdb96a986627512e607badfa66

    • SHA512

      ce013422daaea03d9d31c713cc6ce1e0349b862f3d2b52ef9ee151b6e1e20ea0724e71000d6f2d10b953cd3bcc5b5e2dd69cbfe858b451811a2152c623e7a92d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/457cfd3e7a53e7500f8206b3ea300aca

    • Size

      193KB

    • MD5

      457cfd3e7a53e7500f8206b3ea300aca

    • SHA1

      7426d503db90a0795e279968009ac03853cdfbed

    • SHA256

      feb51e59044de8b60c0e72553b2cfc7aea655af83068cf934525eec303d65c10

    • SHA512

      cd1896539b4f1732ee6be803ca5eb012d1ed69d0bb2be71dd09d17fc7d831a2a7bbfb78cee1b1a6545c7bf00c1855dc502ce1ab0ace7432cabc2d2a00db8df43

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Target

      foo/4761e4b165f62d326b9032d96329e460

    • Size

      793KB

    • MD5

      4761e4b165f62d326b9032d96329e460

    • SHA1

      59aaeba76ac34841d60aef175309161d2b5e4992

    • SHA256

      5f6884586533f6065ec2c0557e63e1b5865f0b22c42a386a338cc211ec1a308b

    • SHA512

      c2ce8e91fcd7697b5f7b6e5a7a62f2552be4388f3fbc1dc0003893edb133731160736852f2fab62c18f06d8f773e7dca96ade6e151b2c0163599d49269e46a9d

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/487f1b1f30212eaa9104c084a667f104

    • Size

      5.7MB

    • MD5

      487f1b1f30212eaa9104c084a667f104

    • SHA1

      e562c8d364fea1f1f4524c30a0606598b8814096

    • SHA256

      8b72156895f47b7f216b544937a46a3909bc07134ebac1c586de7aac3eab18a5

    • SHA512

      c6ad92308792d2135ce918fcc1b88a15a3c928c30a99de2366f7477df9196dff9d287e8d84c2176f4b7385adee5b2601402cc2deee84d26060057ea044d59ddd

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      foo/4a74c9f378007412ec2c8b2eea6da4cf

    • Size

      512KB

    • MD5

      4a74c9f378007412ec2c8b2eea6da4cf

    • SHA1

      7ed849c7e9f2c70af40a6feb46d57bd5f06c3a8d

    • SHA256

      4ef7144d88b296b15236dd8866cf50d4f20657551da60897ceb2e67ec8bad793

    • SHA512

      5043709c2e1f1b339df4cd035ad959746ebe6ecbf43ee2ebe9718367581a6c557ccd3a0c3f2615e8fe0ce6ac1efc169348ddafde77f2d82984eb945d09d4f4d2

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      foo/4b2d7854b47943b118e24c6ec79b974b

    • Size

      4.2MB

    • MD5

      4b2d7854b47943b118e24c6ec79b974b

    • SHA1

      e80270395d82212d41e64f8afe0203b8061bf9fe

    • SHA256

      ccce7394fc1a6e1730f440e2d20183c830f30bb7cb446a54ca18277974205503

    • SHA512

      64216c5bbd286496e33adb03e80e1aec67a2c6e2f8f1088804dc95182d42e978aa77f8366c384b4bed5eebdd5e15ad5484bf839b6fb8a35799819c64d05f3162

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/4c49c2496ae538bcec9e1510f3eb8eba

    • Size

      176KB

    • MD5

      4c49c2496ae538bcec9e1510f3eb8eba

    • SHA1

      2d62b087f6a1504b57fe65fef38ee8c831bf7aa5

    • SHA256

      a149cb7f8d29506837ecad9e9b7e7a1e8fd23ba5716c653b2bd3d9bac9eccd6e

    • SHA512

      8cfecc9d516603a41c0801f75cec51b318d39b4985745439a433cfc0c1eded9dc8d5c2258ff7de358191211041345eb7c74e969dd69262cf09cb724eb59333b6

    Score
    1/10
    • Target

      foo/4cfe8f3aa1592035b9a2cdb2c4f54c77

    • Size

      2.0MB

    • MD5

      4cfe8f3aa1592035b9a2cdb2c4f54c77

    • SHA1

      ed8024ea02ca996e74c40459ff35c78cefdf111f

    • SHA256

      0aa9b861be9e293f3d71e39949141e7c87c52e3f4f8b0ea4d26b768b0c188bc2

    • SHA512

      42cc40eb614b4afbf08ae8646c7511ffcdfbf3c3af924ff20d40b5499acf1f1136e4809aa5428c5b260e4b8676041cdb70ef74904b0c09ab5944db1cf89cff3e

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/4ea45460c3e7c3d8486d3f7bec90c613

    • Size

      6.0MB

    • MD5

      4ea45460c3e7c3d8486d3f7bec90c613

    • SHA1

      303c290738a2d89d4bbd365da80650ef5a55bcab

    • SHA256

      a0ea757d9a9ec9e09bc806dbb1526fb5b90692ccc1f31aded8e3dbd0abcde5ec

    • SHA512

      1ad7731246a7dfce4cc656481af68f8f4f37d511b453431f32dfec6078313eb636047031d9341e4e62b969ae95c600877b9c49a28168e3c7e02de4371be88228

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/52d6c59fcfe73048a240c7fdd1f04d7e

    • Size

      9.7MB

    • MD5

      52d6c59fcfe73048a240c7fdd1f04d7e

    • SHA1

      e8af78f67fb5859b54d10e865b7a1070b4d34f46

    • SHA256

      93b36133201cfe77b1319c72d9b0b4ed471a6337a58f6b30f926f1786159ec82

    • SHA512

      cfd767ea4063205a57894d9d8f09f205c8e9bc71b8052985076496c136b98f037aa7b274cc225c5ad759ddc530ccb6201cacdfa8c6a015311331f2589b4ff8ca

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/55fc11ec67a00177d047d5abc84231e0

    • Size

      35KB

    • MD5

      55fc11ec67a00177d047d5abc84231e0

    • SHA1

      acbd513fa686cdbc50ae7f69d41fb8384255658a

    • SHA256

      d65e0dea8a361b12e8d278afbf103d0bda2753fd9c1e14a779bc92fbc4c1e144

    • SHA512

      206a0f9fe46bd39910f6224f41dab028b74312b1ed9a3052f97f44771a5d43b01e32ba5b3bab40adf7b877a1d48371d140dfa4b3241ab2b54d8bfc3cc74f930e

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/59f0fbc29bace019804b8a181ce75a06

    • Size

      568KB

    • MD5

      59f0fbc29bace019804b8a181ce75a06

    • SHA1

      c3a44b6ea913ce4eb32f04930ea60043d79c3a0a

    • SHA256

      b2e8676b7a04f3582470aa3de91b39ba731fdf072907d8d843d052d73c87405e

    • SHA512

      a68ce42173331381d1618929cdb7cff9d3220afd151856c62c6eb015faaba61c1141a7bb2af5d1b58b1732cafa2286acbd2c95115f2a789c7a3454bc96b63ce2

    Score
    1/10
    • Target

      foo/5b1c0df2be80006ec3af6a5eeea17ecb

    • Size

      777KB

    • MD5

      5b1c0df2be80006ec3af6a5eeea17ecb

    • SHA1

      b2353f17d51fc76dec8681df4526406e7c9113a6

    • SHA256

      6ad2f4284d0c364d7a2664100ec5448607d1e064c3d1a65e4e737769ba3cda25

    • SHA512

      607334838181a37883132906e562944cd54221f28c2efa279cade7ce8829550d20c11d864797118ff476497144cd84218282bb97cd4b4cf8fa13f753459ad7eb

    Score
    1/10
    • Target

      foo/5bc72a1ae433663758319d97917b77ea

    • Size

      5.5MB

    • MD5

      5bc72a1ae433663758319d97917b77ea

    • SHA1

      889f6f4ec2347ded9924ff9a51c14d0e0347feaa

    • SHA256

      c84eb9ad415a282bbdb0adced711af66631e29a4e0606a566f1477018f9315f5

    • SHA512

      8e3000e76531bc8332003016ff926e9330ef28d154f8f04d2f522b6cb822df10323d811fc5116919944e74483fd3bcded30bbcc0b14fd26e5041a68dcdace551

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      foo/5d33050f0514054c49f2bc2ff9abee2a

    • Size

      272KB

    • MD5

      5d33050f0514054c49f2bc2ff9abee2a

    • SHA1

      2cdf78701185d2d773666af2d8ea4e0b04781bf9

    • SHA256

      65b2fb3df4cf7da2980a6af696bdee3df2effd65228cc56f51a5d8fb29469e68

    • SHA512

      e22b419fd86cc4d0af4c48c0a53abf1afda4715dd92acbb3296f4e1f32a588364c1b48c9eb3b2214c1f834d79ca541cdd79a13d8975d91337970d7cf320f61be

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/5d9775622b5e7123d5796d4de5dc2839

    • Size

      133KB

    • MD5

      5d9775622b5e7123d5796d4de5dc2839

    • SHA1

      176ef2d48f75b9be26882040e69fc95fa8b02e5b

    • SHA256

      a57aefff0656b1266ff25b5e4972e6829ffec6a5855597587e026d28881dc62c

    • SHA512

      ffd89d99223fabfe4def0b27bab031ea76f50fd3be36b27f3d76754bb333784f91985e1c88a7e1991ee334ab98b42f3b0cb2e38dcb5d6599bf0d98ac8f73089e

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/60121ea2ab380455f7e143cd9438443e

    • Size

      98KB

    • MD5

      60121ea2ab380455f7e143cd9438443e

    • SHA1

      091fd74c5caebd9f53c34781ad6b0241883fe698

    • SHA256

      b8f7c90cd170ba8c79c472997c17509e2d241a54a9cef7efea4dac23b043afe8

    • SHA512

      3f42a0756999d6441721f8d4663c8af677c895c4e11ddff25d7a1216b3b4a015b7d3763c0e06f616f73eb5e9df3b42e07baf8d5ec910632f3e275c8d2fd388e6

    Score
    9/10
    • Clears Windows event logs

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      foo/62565a39c4a264e48e0678edad5d60fd

    • Size

      856KB

    • MD5

      62565a39c4a264e48e0678edad5d60fd

    • SHA1

      1dc0f3920082e9f3e789d5d1587d9c7b47d58a5e

    • SHA256

      d9d3596268e269cb48aee92aaa47a50f785f8568f319aad812af163da28e7a40

    • SHA512

      9b851c15b072ba5e0b316f2f02ff49fbb483fd5b4545d7c225f27ddfe8ef0fc99747a5b14bbad6b6373c1b562984c22d52d83c65970ce5ffc5209a5dc1e715cc

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/62a3fd9b4932e59a7192813c22617764

    • Size

      453KB

    • MD5

      62a3fd9b4932e59a7192813c22617764

    • SHA1

      202a619fdab056d51bde34db8683839feccf0da5

    • SHA256

      8b433a97defbbddb0922aa477226ab820f388d9d38ba10d8d8b89917053880be

    • SHA512

      87846d0a4d55c209dc5dcdec1e9c9dee7beedce840d099df4fa5ced0e814183162d25a3e3ae8b56dc533ac9dedfc612631559da7e5cc19985a6bb3d0ff80ba54

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      foo/63e9ce22dbf66934fd75c77bc84954d0

    • Size

      563KB

    • MD5

      63e9ce22dbf66934fd75c77bc84954d0

    • SHA1

      c48e6b5974e2f10c5c4e0426a898fbcf7a67c8cf

    • SHA256

      550d461697099ebb3a5ee86336bd3358a05850f2835738d6520a552527b096a6

    • SHA512

      e14692ed9673f2926ea62b6e9f128953fa79b1ce3df8452656e11e479af7a187784a5aa893719d3e8438e8697b7793292d46a0a9adc6a400e610eb288976036a

    Score
    8/10
    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Target

      foo/6497ba06c339ec8ca438ddf0dd2f8fc5

    • Size

      29KB

    • MD5

      6497ba06c339ec8ca438ddf0dd2f8fc5

    • SHA1

      4287ee2103467196df93fad515a844bd2b94df78

    • SHA256

      dcf7b759aae3ce6597eeca586238419728e432770451522a0f0d1873463aac20

    • SHA512

      45b97bcc1dbc060cb5d461fd945759c60fa943f18e1b777592183fdc6cb9719578669d5ab914e4e0be1fd3e2356e88bd2e54f71f13b586c9892d034b751c5277

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/698cc868cdae13a5cc744020ec00e331

    • Size

      2.5MB

    • MD5

      698cc868cdae13a5cc744020ec00e331

    • SHA1

      cb498c95868eb907422351cff294476fa474f856

    • SHA256

      2e0bbdb1882e670a907d79987fb5ea80a050f7a57b17196bdd2ec42e3c4e2b95

    • SHA512

      e8b7631c4bc2c76a4ed9b706636f6bd25c6556d1bcb1c21e296022d030005cee29f692f5f773fe47511b66e3bf45005f7d0e7b4b3cc19cde38632029759e2b3b

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/6f2c5c31fefa00afa2af1adcbdd93ad5

    • Size

      6.1MB

    • MD5

      6f2c5c31fefa00afa2af1adcbdd93ad5

    • SHA1

      f460f3caff95e713dea4105ab48aa06331ea5d5e

    • SHA256

      00ba0c7b8b90f5ef0a432c893ef0f90fa91b1e7c4a74d1c49d8fc9a63c6e8a17

    • SHA512

      fe9564cecf0997cbfefe5818688261f894179101a71315f4351addd35d0e3539e2e67f79fa9e45bc02f57bd8e325cea9763978df52522fc4d7774e70c18daa13

    Score
    7/10
    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/798f5e61531f527821a490a15ef957ba

    • Size

      100KB

    • MD5

      798f5e61531f527821a490a15ef957ba

    • SHA1

      8b9cf50467ecccda66fe065e52994a0df369b139

    • SHA256

      1b2d37bb6b98fb77496db754816296b740a2fe7a8e3d0a5263a8002d16a1b5f9

    • SHA512

      9706113b056b96f4c5f89a3991a2adddbe1d7a6e44d03ce919edf88ead8e500eed4b84d5b2886ec4f733003bd751ba9653ad810bf7b8046aa94711f2552d628e

    • Modifies Windows Defender Real-time Protection settings

    • Windows security bypass

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Target

      foo/7aec86c6c4cc35139b7874a0117e4451

    • Size

      707KB

    • MD5

      7aec86c6c4cc35139b7874a0117e4451

    • SHA1

      b597ea073119727156f95b5224d6db7ddc370bee

    • SHA256

      48749cd789a40b8358f06ce41100985b4544162df8ed47bfc17c72242756d50b

    • SHA512

      7f8f596607a925bb72b91b7a9fc78d9094ec4a5a5dc41c866f9dcf961daee52dc4052d2ace663b021301e1cb715c3ba9f209ddc7e48ef07b46283673b647c561

    Score
    1/10
    • Target

      foo/84bf6e1a8fcd94cf6cba6ac7e2a95b64

    • Size

      685KB

    • MD5

      84bf6e1a8fcd94cf6cba6ac7e2a95b64

    • SHA1

      cc788b747b956cac871f55be59995e4bf57901db

    • SHA256

      f2e8ae7bffb3210efb4a5baf9ee1875e1143d2d73614adb292b44bb143b3ffd9

    • SHA512

      058fd21be218125c20aa1a715d9c53151ed68283465a2e2a8acdb534e95818bc8f9b99a74a13c963c2839b3955e38f217d8475fafd91eec0eaebeeba152e6b65

    Score
    8/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      foo/907b7d9a23ed7821abb700fcbe1c9bb3

    • Size

      3.7MB

    • MD5

      907b7d9a23ed7821abb700fcbe1c9bb3

    • SHA1

      6caba04b65d28c5a0d0666572c40022fa1f1acca

    • SHA256

      e37ca180d6f18e361f5cbc3f6c6f0ae4d301018e45891b32cf93da490d62f607

    • SHA512

      d407ddae4f820e1aff994adf9e88952d5756fd1c0b6eef58e28a72fc7c455af991fb4294931ebb2eaee5133d2e56f72f5013e45a1b5d0fe17416d1b0583346f1

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/928f1db0c63d122f0183686a3bdfccee

    • Size

      842KB

    • MD5

      928f1db0c63d122f0183686a3bdfccee

    • SHA1

      8fb82a9595afb94e6e77a9ac3555e2b1abfdbbb5

    • SHA256

      78fabf339b726203334bb592812ab42c8652ab37535eeccf2e457df257d7a881

    • SHA512

      6f500e95cdb91a07fb0af0aff671054f6628752d563c34a0ad691c2727ffd9f7107da71f7c84550a95a2850eae1bb60b5271fbca7d648d88748a28859310ccb5

    Score
    1/10
    • Target

      foo/9401b0788dc22eeb1dace02d23a9596c

    • Size

      552KB

    • MD5

      9401b0788dc22eeb1dace02d23a9596c

    • SHA1

      b5dde6f4feaec905d14dedd1d7957e556797e84c

    • SHA256

      048d9773dc60db5173e4cc0ccdb9eff1ca61e2a7bd1b7e357388d9cd8e94ada5

    • SHA512

      5d3796bb2e9c5a1753a7ad9ddff26eed7f1289196c5d40b0be946a52b3818406cf9b7b776f677c5e252b2eb294077034aaaf4cbe05cf64a66eeeb0466965264d

    Score
    1/10
    • Target

      foo/97dd8726304f889ef12ef1beb510be84

    • Size

      679KB

    • MD5

      97dd8726304f889ef12ef1beb510be84

    • SHA1

      2358917da7fcf07e9b165dfb3961b9212e37b671

    • SHA256

      424ef529e699a29eb1324f71f56a3d0728079926ea793cb8ebbee71ddbfeabf1

    • SHA512

      d141a224a4c55b4b4c7ef2348b5accd7a3ba9bebb0dd5eaafbc08060746a0a9082c7ab93a022b20ac2fb2255293430da729d995ab5b0106ab064c0c0c5b4eeb4

    Score
    10/10
    • Target

      foo/9b8c48e6186718b7b290ceed9369a1a4

    • Size

      826KB

    • MD5

      9b8c48e6186718b7b290ceed9369a1a4

    • SHA1

      816a6a15054568dd2f51e25ac73178f9a0182d82

    • SHA256

      f05ec8838752a3b917acbd2e742e03646f091ef5ce97bf1eef75810cebbfc93b

    • SHA512

      6ff8ac1f9b6c296679458022b375548e8c322809e4a1887551ca0cb553f0cf864e43361edd6e1a2ee8a9b3b3a5680a95689b2bf91785aea68baaca6be91339b9

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/9cde71abfd2a6aeb83cdd233cbc04fcd

    • Size

      146KB

    • MD5

      9cde71abfd2a6aeb83cdd233cbc04fcd

    • SHA1

      a1cb6ad95fe9df8fefe9dd0753b88cfc852368f0

    • SHA256

      e742096e51fcd3e8c19d43cd26dd25235f04a0af5a64343754e2e46bb90c3816

    • SHA512

      8a6a152626b9b912089e6c68193788fbc2258f56b359fa20d0b09f4033cdd357d9e661de6c0a8378aeaf2c66f6ccef8f86cc624fcf97d90f004213eb2ebbfe04

    Score
    6/10
    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/9d3438ba1dbdbcc2a65451893e38004b

    • Size

      2.0MB

    • MD5

      9d3438ba1dbdbcc2a65451893e38004b

    • SHA1

      d981bd3d2abb18bcd1421c9de38bf1854f4c13b1

    • SHA256

      8f04cf8f8be775e065bce4ff33ca3afc7711aea57b5fb91c488bc03af1df58da

    • SHA512

      6818546c2a967a0d63814e77e339656939eaae510591e3888b8abb8626d89132ac51774efe0912c083072b2314040d1d5c2f0ccc463669a7bc34b2d134b714ba

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/9f88187d774cc9eaf89dc65479c4302d

    • Size

      326KB

    • MD5

      9f88187d774cc9eaf89dc65479c4302d

    • SHA1

      4c1e5e0bb72c78c4ce0d37aed939478aaa35a94f

    • SHA256

      5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9

    • SHA512

      e03a4000bc7cac0332f2060ad58cadbe65a4283d012606f8395a6e63c42fa5e7b98f8ebf40d438c56332e19e845658d70a7ef99d2343323bd701e56c3b0cd0e7

    Score
    8/10
    • Executes dropped EXE

    • Deletes itself

    • Target

      foo/a17bdcde184026e23ae6dc8723f73fcf

    • Size

      784KB

    • MD5

      a17bdcde184026e23ae6dc8723f73fcf

    • SHA1

      faea5147df4768b101d0fd214c7fbf7a9cb048a0

    • SHA256

      a358e56c91218b5f21d54556fb7aef5de158da4764c9cf8e5d71e3e41ff4841f

    • SHA512

      90d58f8e290bc751fd3f945ad5de218f93d8605578c87972359edcc9e87d84473f2ebd54452c09d2bc9ba4d11f9412742e9f1d3bb9c9cd67a17cd58693624616

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Adds Run key to start application

    • Target

      foo/a2981192a30538e97b55f363abbce946

    • Size

      804KB

    • MD5

      a2981192a30538e97b55f363abbce946

    • SHA1

      ae16cec3416895c912b03b7f76be2177aede6745

    • SHA256

      99e7e093c6f7be4cf21b5068a4ae746be2b3a4475ec251288d02a3985de70d48

    • SHA512

      b03fa2f833951441f5bf56711296b48a6ece3b3964d15893fcff78563e808de88fff9d644c4b73253add71eb729a7e1dc4095abdd33a7a26d60eab904e7661d3

    Score
    10/10
    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/aa3b51bd50bcc98f763cffcf7f907152

    • Size

      840KB

    • MD5

      aa3b51bd50bcc98f763cffcf7f907152

    • SHA1

      17868a0f0c8d52ffb80e120a010fd7737e0ecd4c

    • SHA256

      dd518cbba0506c2392969aa01ba4b9f5216724d9234055d7f0ac1db93227baf4

    • SHA512

      aba0fb7359b45e7f206632219873ee6834c01b89a9f6b4001b8299ee5422a02cfc25cf17c40522349e98b5911b09d771ec793a70e29d9770b51cf873c64249cd

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/acf0b7f4fe980501192187bb9b8e20c4

    • Size

      872KB

    • MD5

      acf0b7f4fe980501192187bb9b8e20c4

    • SHA1

      f627019b79fd174403cb81c9a59b1ed81b658e81

    • SHA256

      d8f2f635135cc57f0d566646bbe5c6f22be2aa4d9fcab74c272b22f7e4b28f6c

    • SHA512

      df3afaf21da7bfca412a6bcfea39913904d5a95767220f30e07d23487276fbce7bb489bf12b11f68e2a5651fc3c2b4041d76e201d3416a8bea460418d7a25683

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/aeca5c301d02253e8ffcc240c08f61f7

    • Size

      105KB

    • MD5

      aeca5c301d02253e8ffcc240c08f61f7

    • SHA1

      a7d94fc834a9e73e35ea48d0d1630e2a8cfebf97

    • SHA256

      ae2b285ce6b791fc7b0b01e923db298cb53b43e646a7f34bf1c8c79c94cfc0d2

    • SHA512

      f72e6608f437f59ad924ffd5de19785262931b6e4ab2a8a70970c9aa60488ea5df08b284bb3ecbda5ae2c9b8395c2919f34e0cb051b042a41782a7a59d66fcd2

    Score
    1/10
    • Target

      foo/b1071426aa88f31339f1b369cf13cef3

    • Size

      504KB

    • MD5

      b1071426aa88f31339f1b369cf13cef3

    • SHA1

      69ff5bd81f366fece2d36c98cc3bf4a2d41b8f68

    • SHA256

      08dca503de70aabb60f5edb4ca366523a86084cf4546ad25e338c2ced99f2f6c

    • SHA512

      a6e1dd3c13dd952d09ae9cdcf1b94c99ab9b0fe7c58d957eb558353f61084ec6ae9e133f8c449ffc434efaaf3f767e30709547e3efb2106839e2d31574b18ac1

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      foo/b2365260985173cc758575cd8059459f

    • Size

      645KB

    • MD5

      b2365260985173cc758575cd8059459f

    • SHA1

      f6e874021db45fcd4042c621499ab925b4dec1c8

    • SHA256

      d30b001d1a77d323443e37323aabc9c316dbd3be556cb57854644cd875885ba8

    • SHA512

      6fec4a3b28f4f1c8fae9e0c2f04d0157f6b4a2db87b98837dc0330820dac97c373c10cd323af421d2e3dc1be93862d645a3620c9e8f86717d65eb695c65cecca

    Score
    6/10
    • Target

      foo/b514b59324818c52140b431aeac96bfc

    • Size

      155KB

    • MD5

      b514b59324818c52140b431aeac96bfc

    • SHA1

      83d7256670dccce993acf2df73872abda39bb5be

    • SHA256

      ae57d0af018f011cd42ed91caba202201069be6fc5de6b8b3ab14162cbcbfbe5

    • SHA512

      4bfb86bd70c1f1b376255972708efd2dadc252566625d02e84ec5297580edfa50a9e321ae1503bdc6bcbe1beea8b607f445caa4bb1c940363f47512407ca6649

    Score
    1/10
    • Target

      foo/b641961018d09dfbd7fa9c15f09a7723

    • Size

      8.9MB

    • MD5

      b641961018d09dfbd7fa9c15f09a7723

    • SHA1

      69e515dd8840866fbfb1e239daf80f6fcb745f1b

    • SHA256

      44095d0a22646ef5b369ade7ce87d2f9bd51402de73f977f352de9a3a3eeed6c

    • SHA512

      e9e43f1d59be84fbc918ea601a7b489286661a81919b760e2a0339fedb93b9d3a33b148cfefdd584c163957107194b764eb2ddbad79ca2af9a5e90db3c1c9beb

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/b693dfe99d2915616044eea2cfe18360

    • Size

      286KB

    • MD5

      b693dfe99d2915616044eea2cfe18360

    • SHA1

      6415634e1fcc51714e871ccb08f26b4806aed3b0

    • SHA256

      1d4169bb0978e88bdff29844645d54763e62db8af10abc324fb2145f64304024

    • SHA512

      95081c20adc6363ba3c0f7d6390a98c5f47074a270f112a002f549009d6c50654756b89f59737b7554e3186c17355dcda57424e255aba1392a574a4b27734efb

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/b6e7c9793cf40153bf8865195e06ecbc

    • Size

      3.3MB

    • MD5

      b6e7c9793cf40153bf8865195e06ecbc

    • SHA1

      fef5dbf8ef53dafd676818196815e6b110f2bc03

    • SHA256

      0e0cb0d76bc848f729878dab7218f4e12c9c0cc7d5c939e5d92995ba422ea7ec

    • SHA512

      d12eb44304f7054e060a105bff9f3861aa16bb10fd72bbd819a8ffe3d23818ce66f5d790a929d41cee4161bbbe78d0077d167fe792c3e27c018dc88632a5e5ee

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

    • Size

      99KB

    • MD5

      b7d5f0b9bf2e6e13c5b3ca1c2a0a8b4a

    • SHA1

      15a0e8dea24b904cd083ed51b28098726ecceed4

    • SHA256

      0b499361076d8d02fa6b313a08199fd10cd9af1abc7fae0b091039be0194c0f3

    • SHA512

      674d28fb9900070fd0cc58940fb97fbbeabea2d167ad19e248fe8a980221f6ea79d9f1795c019b844896e8b19ce1d746bda6c34040c1ae535b9e22135692a0d0

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      foo/ba2d460199eb2d9e9d6d0559bb455529

    • Size

      39KB

    • MD5

      ba2d460199eb2d9e9d6d0559bb455529

    • SHA1

      8c50ef4cd9feadf857ad2d501e3d03bd55d5de4d

    • SHA256

      a3f13a940ae3f6d0a8e94c8ab203005cd737a899962425f1600a4bdf30877375

    • SHA512

      dd376f8f9f05d509eca465c04c451d83a12043f614d90a04c63b25f202f9e87e3960666e2710e19538c9818a778fd81832b45c1e495c263b6725991413755fcc

    Score
    1/10
    • Target

      foo/bad78e11371381ce9e1d703aac2821e5

    • Size

      210KB

    • MD5

      bad78e11371381ce9e1d703aac2821e5

    • SHA1

      76ad0abaf1c99c741352a16e5b2f71fb38fed0e4

    • SHA256

      18dfcf81046272e08f6ef3230df83008cb78eb30cda341c59ceb33c5be542d85

    • SHA512

      8bccc4535dd97b483f10eda69f91a17e794b122215bb2e926a114ec46e8935ab0a1e5e1cb0b6fa3b6bb0a5a6d1b669a87579850197af4a0c33b3bb57a7f00b25

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      foo/bc6536b86b04cf5b3bf7cd353d615ab9

    • Size

      583KB

    • MD5

      bc6536b86b04cf5b3bf7cd353d615ab9

    • SHA1

      5e796021e22ed016697d6aefb0b955c57b4b8dc8

    • SHA256

      1e8dbcedd0e30e32583548508edc4cf2b8f3d0f731a1a65559fe83382298136f

    • SHA512

      f1f3fd81b2e56daa77cabbed191978b51308d8202e35d34cdc300d9fa429a426f88fad618ae7df9bed0a6f2ce665ad4586a5d5cbc6099e98e4b9bcda1cd160ab

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies WinLogon

    • Drops file in System32 directory

    • Target

      foo/be85e0b2608a55942aa101c66ce6c32c

    • Size

      728KB

    • MD5

      be85e0b2608a55942aa101c66ce6c32c

    • SHA1

      77e651fa75f8221458777a0d290ccae73682204a

    • SHA256

      c77d9095b13bfa202cfdfa87475cb1799fcdf8152a3d298300d63ca16abd3757

    • SHA512

      f0a2f943e251cc96ee7026bdc25cc920afd79d42ab1ec112a641d881602117fa1cfd8b39b18b9e28a9e6b1401fcf133e052be2e63a654eaf34075342a7d5a3bd

    Score
    1/10
    • Target

      foo/c914b169d1388c5e78421045d05946ee

    • Size

      3.5MB

    • MD5

      c914b169d1388c5e78421045d05946ee

    • SHA1

      4f2de494d334710253cf3ad40faf1d07e048d55c

    • SHA256

      e1ee4f9cb208e3560177f49c3e809a29ff9fa0b0daed5316f17caf22647e4eef

    • SHA512

      96dc235e2a93f99682f26f95ff0986db2b8a09e5b3470122270de5c3ea77575356178a51c6d7e3515f68fad894ebb63e2b86e3766f6f12ffa3930ca1192205f2

    Score
    3/10
    • Target

      foo/c944eadb6e032fd9e7a0988464a6f1cc

    • Size

      160KB

    • MD5

      c944eadb6e032fd9e7a0988464a6f1cc

    • SHA1

      c21551f6885ac52f80a5e303ef3cb6d40c182d11

    • SHA256

      2e4a248e3f279a42e2bea37409ab0de8770a3cd4a3b5fcccd701a535c2436d52

    • SHA512

      475ed1d94361538bdd71d21b4127fc1b7bab5edfc0ad917b7c3bbdfa51a8ed11ff6f0d4df47e3be266f07a4722448d53a926d041a161a5646efec94eecd3bde9

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      foo/cad3634df5d5058551bed38237ab8e8b

    • Size

      823KB

    • MD5

      cad3634df5d5058551bed38237ab8e8b

    • SHA1

      2f2ac22494e49ce18470677690ee9bdfcd9f0c74

    • SHA256

      663ef562dbd3a7fc7490fd6ebc11c328450db6f5a9f9e058c4d3ec663b925147

    • SHA512

      bc1eee26f9375f0138fc571aaf2602d9b4c14e7052867e739fd131450b3453a1a19424031ae6ff80c1cfac4a6e71e9087255e97a3f3d9053f84451b745054ebe

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      foo/cd89b6c808c296cde0bc77ee630dc7df

    • Size

      284KB

    • MD5

      cd89b6c808c296cde0bc77ee630dc7df

    • SHA1

      47a17c5b8263acb882f078b81897f615c25de0ca

    • SHA256

      246ad930ec77776b847e9470b725029f5dd5e0384b869d6105c3571b8cb8189a

    • SHA512

      a51620d5170356cabb73cfe2f9f2de54d52467c3a126b2b34eef5d18a84b6cd6e68b2003168c8b077abee1d58d1aa9e5af58ee65eaaee4a75f9414c04bc169fa

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/d81e76123ccb64b73eeac2f31a7434c4

    • Size

      4.7MB

    • MD5

      d81e76123ccb64b73eeac2f31a7434c4

    • SHA1

      6a32284225e897965972ba4915e5c327b900b81a

    • SHA256

      695ac197f95781e22c61604838e3e339285b08259a971289ce6993d409fcbc4a

    • SHA512

      37404b0e8fa7825f837ff9d6ab1e487bc1591daf46b57bfe030b7c015937ba80605db96f649ec024761d13eeb2cba86ab50870af9007bc75fe6043fd8b8f6cc0

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Target

      foo/d86d2cb12111422ad0b401afa523e308

    • Size

      894KB

    • MD5

      d86d2cb12111422ad0b401afa523e308

    • SHA1

      d019e10b793b78f2da2f006acdb0aeff6b57d927

    • SHA256

      bfefbd8050f0dfbe1047ddcc07e951967a5b8395190127d97d0c3a4441c919bf

    • SHA512

      e9bea547df7cd2b5cfab5890245ca2540828eb87aba7052a3d5c0cc11d03552c8d39ba0bfc9994acafc257facf9797f1cbaa149e7628d99124bf2b53b840a78e

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/d8e37dd7ca017370a0b54147a27a7498

    • Size

      8.4MB

    • MD5

      d8e37dd7ca017370a0b54147a27a7498

    • SHA1

      c6167da141d215d31aef6ac9e332f58118edb70d

    • SHA256

      00ef059476bea303a3d8c6621e7286c32a953e4c83c30361938fd338e9665f9b

    • SHA512

      6a0c989f8ebfe2dc2706a4241db52962dadc6cf94749a9408dd534531582a061be3aa860e65b15e96c172292b607c8606e4e8fde11e05b0840f4eb2e4540b355

    Score
    9/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Target

      foo/dea515c25081073ec2cee293b2991ee1

    • Size

      1.4MB

    • MD5

      dea515c25081073ec2cee293b2991ee1

    • SHA1

      811a254ac1f803d5707310f87e454bb7504f0757

    • SHA256

      9ee19d067ec19b2c6d07726448639c869d61138e2f53c9eed136c3a2622c881b

    • SHA512

      68886a649fbc0f53a63fd7f437508dd93dd7e8cd6ae67640a07206a4ffdf349c7e662721b42c9cb68a889888d29d6d693f26273ce2db27d36440f4482cb8d530

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      foo/dfcc555a02bccc9c438b08555b5c2ab8

    • Size

      252KB

    • MD5

      dfcc555a02bccc9c438b08555b5c2ab8

    • SHA1

      5f10b75aa47823bc7e81a859fdced21b8556040d

    • SHA256

      1095b754656cf05da5e65406de095e1b1dd4b28c2c2f8efca5e34283bd17e0b5

    • SHA512

      fcb9ef49ec2f7eab67394997a92cdb15c11878434c6ed47240fafd71ea4c8993fbd0f986d4086e51473a5168d472e4eaeb993491bd36f0a804008dc5a0eb6b6c

    Score
    7/10
    • Loads dropped DLL

    • Target

      foo/e03bd458de4a107688236bdc4ddc3afe

    • Size

      431KB

    • MD5

      e03bd458de4a107688236bdc4ddc3afe

    • SHA1

      55859c4fa195c36a48425bb8aca9ef3609b62e89

    • SHA256

      344bce1df6486b71b78e85d6dce7ba1929176afda786acac56b6a11b625cd21c

    • SHA512

      f4585ddb1aff65d34a5a33c95a29c0c816f0ed5009faf7cc7ba26adf9bea3e787c1efa82c9c8423fc2bfdc8d4b9324566f0ab33b4212bb625c36052fb27c5948

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      foo/e16ec7bc29b68f66e90fdbfefe1d3a2d

    • Size

      674KB

    • MD5

      e16ec7bc29b68f66e90fdbfefe1d3a2d

    • SHA1

      156d9d781a1302d8e958486effcec79713c41708

    • SHA256

      fe9470a406b6dadc18cb3a430671d3ac321e97eb8d1ecf0dc054db440df7187d

    • SHA512

      c9e7c58170fb110bb9b76ec17a4349f5a73b912cd6c36d85d1aca7f1c94cbf70563900c36c4702f49a3ff4776fd45162e4a0f94ca826b2eff60668bcca9c55ec

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/e61c0e180c2616fa81e6c4d581a9520e

    • Size

      4.9MB

    • MD5

      e61c0e180c2616fa81e6c4d581a9520e

    • SHA1

      d91996fabaa7a1af229ce118551aeef66e389cb7

    • SHA256

      a2fd87672b5dc07057c47208124b7f02862c4f5512f1b667ea27bc79a8d57ba2

    • SHA512

      21c84bd84c125be26d7fe053a0b11d2c31f29a38355be85ed17d2303b5700c7b335a7c2a924e6a1c4c3b05ff9fbda88745a20ad3a0449f6c193d718f503e68de

    Score
    7/10
    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target

      foo/e78fad8a5d0ea89127ed36ed20bc9351

    • Size

      11.1MB

    • MD5

      e78fad8a5d0ea89127ed36ed20bc9351

    • SHA1

      816c12862830ec0c0ec065c7d73f2128cb4cc9dd

    • SHA256

      b25d571c5210bb02ba01a54a75a781094397bda7bc4745b2aa4c4a971233fb56

    • SHA512

      515e6aac22e11d8fb9663fab08250afe56c94faf93fe8062cea079d8633d1338f4e94735a5a46cf75b16c05570090cb1a47a464aaa64e549432536f4dce03d9f

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      foo/e7ad45164be5c3c7f9936e9b5fb28788

    • Size

      558KB

    • MD5

      e7ad45164be5c3c7f9936e9b5fb28788

    • SHA1

      a2cd13bc8bce9b107ac38662c35d70c4ff1d16b8

    • SHA256

      8c9c9951c2bf631b818a5e1dcdf700342f1c0c05391ec3c9c4ee15496aa28f4f

    • SHA512

      1bc0e6e3b9e416cf152d2ddef23d928c90725b589eb30d62c1c6f880af83b3068de1d27050e89f9961d71f664f98a6694fc0cf698d1c861c9a7b131efa419bfa

    Score
    3/10
    • Target

      foo/e95678212c7218c6e7944fca1631c88f

    • Size

      861KB

    • MD5

      e95678212c7218c6e7944fca1631c88f

    • SHA1

      45a011ec5b1eb913a6f9bf4b46389dbeeeb6e1f3

    • SHA256

      2a5100ba7bfe592e112ab0071d8ea1861b4d365fc4fb98f4e2be0459b990db72

    • SHA512

      16f286de9ceb5545efc477741ec0e69f4de40e1a864ed00d16854e1c0580655f5d0ea93450602c3a2598e889078ab8a12923244710c67b23e3f3551fd0f76b9e

    Score
    1/10
    • Target

      foo/edf723c8e404cd67041e7dfbbb1a6eee

    • Size

      75KB

    • MD5

      edf723c8e404cd67041e7dfbbb1a6eee

    • SHA1

      96a2fda8f26018724c86b275fe9396e24b26ec9e

    • SHA256

      bf2534b2f059547967bb453d67909921a41c10cdd19c1ec346a193060b094e2e

    • SHA512

      04bea993ba6af7e568bdfee4185e8145e4111af6bb92a68de3785658e0f5a65e741b378848eb9e77aa200cd72ab94339fcf852aae41cac45ea64bd430b8f9f50

    Score
    1/10
    • Target

      foo/f2366f48d3534bc8af573f2696dce4f5

    • Size

      191KB

    • MD5

      f2366f48d3534bc8af573f2696dce4f5

    • SHA1

      706750f403d6f12c10489befa6032c1c4eb30a3e

    • SHA256

      f7fab7d724f492cb7baccb49c5fdef8305bebe9896a6853913b5d3ec225d51b0

    • SHA512

      9fd4632204c33bbd124bfff5744c8da551a4a8f94c4f714413861e92f6b4d70f4f506d8079540adfd19ded4ace9c9745891617bbfa3d00784cfea24b04913c35

    Score
    1/10
    • Target

      foo/f645a94491240317caccd6f8508fba1f

    • Size

      1.9MB

    • MD5

      f645a94491240317caccd6f8508fba1f

    • SHA1

      59c94235d380d09a479291cd3400694d1c2ec18d

    • SHA256

      c130982342656ad1b4d588b0e985ec9d6169f279bbb748cd09727a3e96622fd2

    • SHA512

      8731c4c9cce9922793418ee7ae095893195f0609731aa0312fd38d548a94b2ba0a5bd437a8586c4c05f85cd45cac61caad3f1311b91b9db87baf61a2d4327280

    Score
    1/10
    • Target

      foo/f65e75d9675a50f9b4807e79dcc48d56

    • Size

      1.8MB

    • MD5

      f65e75d9675a50f9b4807e79dcc48d56

    • SHA1

      8ed35b0ce78c565441ee6ac5722347fbeb220305

    • SHA256

      36a4d9e2eb623e59acbaf14341c3998114fcce9bc37392572213d9d22b2fb450

    • SHA512

      9da997c23af8b5bb90abfa7eb7e967ef026645604d3652a39a7c2a9ce719e7110956fe7e491c9bf733fd1da14f0cc518681bde409498c12797678e166c72fc5f

    Score
    1/10
    • Target

      foo/f660284cb3574213a512e3f03ca9012b

    • Size

      995KB

    • MD5

      f660284cb3574213a512e3f03ca9012b

    • SHA1

      8051d5262c8c67e8888fc1991fbe667d4b4e311d

    • SHA256

      f0d6ee327670c99e451f6e54b842a3ced72b1de7e586ba81bdd27dc5366613d0

    • SHA512

      3b54928c6d1eb9e36db5ec8aeffa06b08d3e5c4167d9a884d2133282e5511edcaa7eed45832ff172bd1e71ddd56150f726382c528960f7db82a6aa87c6e9d890

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      foo/f6c1c72f3e45d2f3499b6bd6661b3289

    • Size

      387KB

    • MD5

      f6c1c72f3e45d2f3499b6bd6661b3289

    • SHA1

      aabaf0e9fbda0e00d53ef30ad736b9a3db9973c2

    • SHA256

      90120bc1c6a88ef6032b2ea5da0b8e9432ce6cfe126e9fef4515f0660a6a88ec

    • SHA512

      c50e1c73ea369c7dd87a650a635b3e9702a4be13ddba87cf1ba649e9ad8522503d643d256486dbd3973b35beb3e77d97d180c771d099c40f380834647ce9f318

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Target

      foo/fbab903080d6a4e65a1a2f6bc4d97b7c

    • Size

      1.6MB

    • MD5

      fbab903080d6a4e65a1a2f6bc4d97b7c

    • SHA1

      0a7eee729e7d140ca81b9595578ee305651a6946

    • SHA256

      cf1b96af0838abbd8b8a292f4aa5e335743eb3d5da862254a86184db37ecf85e

    • SHA512

      894bc25e7bdab656988a8e6b419eeee4b696e9e644f38142fcb373f557dd7170dc7ce0979ccd3c6b84b0eea32822669c9f244182391d1719c8db22d5c61b1dd7

    Score
    7/10
    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      foo/fcdc003a1529fe3660b160fd012173b3

    • Size

      3.4MB

    • MD5

      fcdc003a1529fe3660b160fd012173b3

    • SHA1

      a517d1137be23fc41f03efdb0e9354089bedf6ba

    • SHA256

      6490b57b8944f8f07e687a4dfa6ab76080de99ffc9d48d4c10f64dd88fa2cb95

    • SHA512

      a00b22d8a348891a828e4c16e0e56fc66caf29fa1f43ca3cd97ffa76675700446e905750016ea083a67592a7d2aea02c3396306527efb7fa255e08c9748e7d21

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      foo/fffb61eaaac6e8a40bfaa7a4acb6b9ba

    • Size

      195KB

    • MD5

      fffb61eaaac6e8a40bfaa7a4acb6b9ba

    • SHA1

      84deb15aeea324b2d11922c2fa4aebd039a5f805

    • SHA256

      8e22a34621adf78355b916d1a96ef4a6de5caa0dcb6e7949fa2df88ddfd999fd

    • SHA512

      07a9f94e70e461142e3e06921bfca1f9fe8723a68b6ff067651f5685bbf1c823de4beda42dc4c1ef44c969a494682e2c41ba6a1235d0a978ce6d070f4b24bd38

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

4
T1053

Scripting

2
T1064

Command-Line Interface

1
T1059

Persistence

Bootkit

3
T1067

Winlogon Helper DLL

2
T1004

Modify Existing Service

9
T1031

Registry Run Keys / Startup Folder

26
T1060

New Service

2
T1050

Scheduled Task

4
T1053

Hidden Files and Directories

3
T1158

Browser Extensions

1
T1176

Account Manipulation

1
T1098

Privilege Escalation

Bypass User Account Control

2
T1088

New Service

2
T1050

Scheduled Task

4
T1053

Defense Evasion

Modify Registry

57
T1112

Bypass User Account Control

2
T1088

Disabling Security Tools

12
T1089

File Permissions Modification

2
T1222

Hidden Files and Directories

3
T1158

Scripting

2
T1064

Virtualization/Sandbox Evasion

6
T1497

Indicator Removal on Host

1
T1070

Install Root Certificate

4
T1130

File Deletion

2
T1107

Impair Defenses

1
T1562

Credential Access

Credentials in Files

15
T1081

Discovery

Query Registry

37
T1012

Peripheral Device Discovery

11
T1120

System Information Discovery

71
T1082

Virtualization/Sandbox Evasion

6
T1497

Process Discovery

1
T1057

Remote System Discovery

3
T1018

Collection

Data from Local System

15
T1005

Command and Control

Web Service

3
T1102

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks

static1

upxaspackv201535648626pyinstallerratvmprotectcobaltstrikeqakbotlimeratgozi_ifsbwarzonerat
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
4/10

behavioral4

Score
4/10

behavioral5

smokeloaderbackdoortrojan
Score
10/10

behavioral6

smokeloaderbackdoortrojan
Score
10/10

behavioral7

bootkitpersistence
Score
8/10

behavioral8

bootkitpersistence
Score
8/10

behavioral9

discovery
Score
7/10

behavioral10

discovery
Score
7/10

behavioral11

Score
8/10

behavioral12

Score
8/10

behavioral13

imminentspywaretrojan
Score
10/10

behavioral14

imminentspywaretrojan
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

aspackv2evasionpersistencetrojanupx
Score
10/10

behavioral18

aspackv2evasionpersistencetrojanupx
Score
10/10

behavioral19

Score
5/10

behavioral20

Score
5/10

behavioral21

warzoneratinfostealerpersistencerat
Score
10/10

behavioral22

warzoneratinfostealerpersistencerat
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
8/10

behavioral26

discovery
Score
8/10

behavioral27

betabotbackdoorbotnetevasiontrojan
Score
10/10

behavioral28

betabotbackdoorbotnetevasiontrojan
Score
10/10

behavioral29

lokibotspywarestealertrojan
Score
10/10

behavioral30

lokibotspywarestealertrojan
Score
10/10

behavioral31

Score
3/10

behavioral32

Score
3/10

behavioral33

tofseexmrigevasionminerpersistencetrojan
Score
10/10

behavioral34

tofseexmrigevasionminerpersistencetrojan
Score
10/10

behavioral35

upx
Score
9/10

behavioral36

upx
Score
9/10

behavioral37

persistence
Score
6/10

behavioral38

persistence
Score
6/10

behavioral39

cobaltstrikebackdoortrojan
Score
10/10

behavioral40

cobaltstrikebackdoortrojan
Score
10/10

behavioral41

imminentspywaretrojan
Score
10/10

behavioral42

imminentspywaretrojan
Score
10/10

behavioral43

Score
4/10

behavioral44

Score
4/10

behavioral45

matrixdiscoverypersistenceransomware
Score
10/10

behavioral46

matrixdiscoverypersistenceransomware
Score
10/10

behavioral47

hawkeyekeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral48

hawkeyekeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral49

evasionpersistencetrojan
Score
10/10

behavioral50

evasionpersistencetrojan
Score
10/10

behavioral51

Score
1/10

behavioral52

Score
1/10

behavioral53

agentteslakeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral54

agentteslakeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral55

adwarediscoverypersistencestealer
Score
7/10

behavioral56

adwarediscoverypersistencestealer
Score
7/10

behavioral57

persistence
Score
8/10

behavioral58

persistence
Score
8/10

behavioral59

spywareupx
Score
8/10

behavioral60

spyware
Score
7/10

behavioral61

lokibotpersistencespywarestealertrojan
Score
10/10

behavioral62

lokibotpersistencespywarestealertrojan
Score
10/10

behavioral63

Score
8/10

behavioral64

Score
8/10

behavioral65

Score
1/10

behavioral66

Score
1/10

behavioral67

evasion
Score
9/10

behavioral68

evasion
Score
9/10

behavioral69

Score
8/10

behavioral70

Score
8/10

behavioral71

Score
7/10

behavioral72

Score
7/10

behavioral73

Score
1/10

behavioral74

njratevasionpersistencetrojan
Score
10/10

behavioral75

Score
1/10

behavioral76

Score
1/10

behavioral77

Score
1/10

behavioral78

Score
1/10

behavioral79

bootkitpersistence
Score
8/10

behavioral80

bootkitpersistence
Score
8/10

behavioral81

Score
7/10

behavioral82

Score
7/10

behavioral83

persistence
Score
8/10

behavioral84

persistence
Score
8/10

behavioral85

evasionransomware
Score
9/10

behavioral86

evasionransomware
Score
9/10

behavioral87

qakbot1535648626bankerpersistencestealertrojan
Score
10/10

behavioral88

qakbot1535648626bankerpersistencestealertrojan
Score
10/10

behavioral89

Score
8/10

behavioral90

imminentpersistencespywaretrojan
Score
10/10

behavioral91

Score
8/10

behavioral92

Score
8/10

behavioral93

limeratrat
Score
10/10

behavioral94

limeratrat
Score
10/10

behavioral95

Score
7/10

behavioral96

Score
7/10

behavioral97

Score
7/10

behavioral98

Score
7/10

behavioral99

evasionpersistencetrojanupx
Score
10/10

behavioral100

evasionpersistencetrojanupx
Score
10/10

behavioral101

Score
1/10

behavioral102

Score
1/10

behavioral103

Score
8/10

behavioral104

Score
8/10

behavioral105

upx
Score
8/10

behavioral106

upx
Score
8/10

behavioral107

Score
1/10

behavioral108

Score
1/10

behavioral109

Score
1/10

behavioral110

Score
1/10

behavioral111

gozi_ifsbbankertrojan
Score
10/10

behavioral112

gozi_ifsbbankertrojan
Score
10/10

behavioral113

discovery
Score
8/10

behavioral114

discovery
Score
8/10

behavioral115

discovery
Score
6/10

behavioral116

discovery
Score
6/10

behavioral117

upx
Score
8/10

behavioral118

Score
1/10

behavioral119

Score
8/10

behavioral120

Score
3/10

behavioral121

evasionpersistence
Score
9/10

behavioral122

evasionpersistence
Score
9/10

behavioral123

xmrigminer
Score
10/10

behavioral124

xmrigminer
Score
10/10

behavioral125

azorultinfostealerpersistencetrojan
Score
10/10

behavioral126

azorultinfostealerpersistencetrojan
Score
10/10

behavioral127

evasionpersistencetrojan
Score
8/10

behavioral128

evasionpersistencetrojan
Score
8/10

behavioral129

Score
1/10

behavioral130

Score
1/10

behavioral131

persistenceransomwarespyware
Score
8/10