Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    1.bin

  • Size

    12.5MB

  • MD5

    af8e86c5d4198549f6375df9378f983c

  • SHA1

    7ab5ed449b891bd4899fba62d027a2cc26a05e6f

  • SHA256

    7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

  • SHA512

    137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

  Score

  10^/10

  smokeloaderbackdoortrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral1

• • Target

    VPN/VyprVPN.exe

  • Size

    1.6MB

  • MD5

    f1d5f022e71b8bc9e3241fbb72e87be2

  • SHA1

    1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

  • SHA256

    08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

  • SHA512

    f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

  Score

  10^/10

  agenttesladanabotdharmaformbookgozi_rm3guloadernanocoreqakbot86920224spx1291590734339agilenetbankerbotnetcoreentitycryptonedownloaderevasionguloaderkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • CoreEntity .NET Packer

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

  • AgentTesla Payload

  • CryptOne packer

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Formbook Payload

    rat

  • Guloader Payload

    guloader

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral2

• • Target

    VPN/xNet.dll

  • Size

    99KB

  • MD5

    bf1f76644bddd20339548ebacf7a48eb

  • SHA1

    38114702114105eb3df3f74bf4c68ef7db436f47

  • SHA256

    5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2

  • SHA512

    76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5

  Score

  10^/10

  azorultplugxbootkitdiscoveryevasioninfostealermacropersistencespywarestealertrojanupxxlm

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • Nirsoft

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Suspicious Office macro

    Office document equipped with 4.0 macros.

    macroxlm

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral3

• • Target

    2019-09-02_22-41-10.bin

  • Size

    251KB

  • MD5

    924aa6c26f6f43e0893a40728eac3b32

  • SHA1

    baa9b4c895b09d315ed747b3bd087f4583aa84fc

  • SHA256

    30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

  • SHA512

    3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

  Score

  8^/10

  discoverypersistencespywarestealer

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral4

• • Target

    31.bin

  • Size

    12.5MB

  • MD5

    af8e86c5d4198549f6375df9378f983c

  • SHA1

    7ab5ed449b891bd4899fba62d027a2cc26a05e6f

  • SHA256

    7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

  • SHA512

    137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

  Score

  3^/10
  behavioral5

• • Target

    3DMark 11 Advanced Edition.bin

  • Size

    11.6MB

  • MD5

    236d7524027dbce337c671906c9fe10b

  • SHA1

    7d345aa201b50273176ae0ec7324739d882da32e

  • SHA256

    400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

  • SHA512

    e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

  Score

  10^/10

  azorultponydiscoveryevasioninfostealerpersistenceratspywarestealertrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral6

• • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.bin

  • Size

    430KB

  • MD5

    a3cab1a43ff58b41f61f8ea32319386b

  • SHA1

    94689e1a9e1503f1082b23e6d5984d4587f3b9ec

  • SHA256

    005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

  • SHA512

    8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

  Score

  10^/10

  dcratinfostealerrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Executes dropped EXE

  behavioral7

• • Target

    CVE-2018-15982_PoC.swf

  • Size

    12KB

  • MD5

    82fe94beb621a4368e76aa4a51998c00

  • SHA1

    b7c79b8f05c3d998e21d01b07b9ba157160581a9

  • SHA256

    c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

  • SHA512

    055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

  Score

  10^/10

  smokeloaderbackdoorpersistencetrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Executes dropped EXE

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral8

• • Target

    WSHSetup[1].bin

  • Size

    898KB

  • MD5

    cb2b4cd74c7b57a12bd822a168e4e608

  • SHA1

    f2182062719f0537071545b77ca75f39c2922bf5

  • SHA256

    5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

  • SHA512

    7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

  Score

  10^/10

  asyncratazorultmodiloaderoskiraccoonc6f4c67877b4427c759f396ca4c1dff4761d3cc9discoveryevasioninfostealerpersistenceratspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon

  • Async RAT payload

    rat

  • ModiLoader First Stage

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  behavioral9

• • Target

    DiskInternals_Uneraser_v5_keygen.bin

  • Size

    12.9MB

  • MD5

    17c4b227deaa34d22dd0addfb0034e04

  • SHA1

    0cf926384df162bc88ae7c97d1b1b9523ac6b88c

  • SHA256

    a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

  • SHA512

    691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

  Score

  10^/10

  azorultrmsxmrigaspackv2discoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

    miner

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • XMRig Miner Payload

    miner

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Registers new Print Monitor

    persistence

  • Sets DLL path for service in the registry

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence
  behavioral10

• • Target

    ForceOp 2.8.7 - By RaiSence.bin

  • Size

    1.0MB

  • MD5

    0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

  • SHA1

    6bf1215ac7b1fde54442a9d075c84544b6e80d50

  • SHA256

    26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

  • SHA512

    54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

  Score

  8^/10

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Checks for any installed AV software in registry

  • Drops file in System32 directory

  behavioral11

• • Target

    HYDRA.bin

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

  Score

  10^/10

  azorultbootkitevasioninfostealermacropersistencespywarestealertrojanupxxlm

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Nirsoft

  • Executes dropped EXE

  • Suspicious Office macro

    Office document equipped with 4.0 macros.

    macroxlm

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral12

• • Target

    Keygen.bin

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

  Score

  10^/10

  azorultbootkitevasioninfostealermacropersistencespywarestealertrojanupxxlm

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Nirsoft

  • Executes dropped EXE

  • Suspicious Office macro

    Office document equipped with 4.0 macros.

    macroxlm

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral13

• • Target

    LtHv0O2KZDK4M637.bin

  • Size

    10.6MB

  • MD5

    5e25abc3a3ad181d2213e47fa36c4a37

  • SHA1

    ba365097003860c8fb9d332f377e2f8103d220e0

  • SHA256

    3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

  • SHA512

    676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

  Score

  10^/10

  persistencespywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral14

• • Target

    OnlineInstaller.bin

  • Size

    3.6MB

  • MD5

    4b042bfd9c11ab6a3fb78fa5c34f55d0

  • SHA1

    b0f506640c205d3fbcfe90bde81e49934b870eab

  • SHA256

    59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

  • SHA512

    dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

  Score

  4^/10
  behavioral15

• • Target

    Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin

  • Size

    9.5MB

  • MD5

    edcc1a529ea8d2c51592d412d23c057e

  • SHA1

    1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

  • SHA256

    970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

  • SHA512

    c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

  Score

  7^/10

  bootkitpersistencespywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral16

• • Target

    Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin

  • Size

    10.5MB

  • MD5

    8103aad9a6f5ee1fb4f764fc5782822a

  • SHA1

    4fb4f963243d7cb65394e59de787aebe020b654c

  • SHA256

    4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

  • SHA512

    e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

  Score

  3^/10
  behavioral17

• • Target

    VyprVPN.exe

  • Size

    1.6MB

  • MD5

    f1d5f022e71b8bc9e3241fbb72e87be2

  • SHA1

    1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

  • SHA256

    08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

  • SHA512

    f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

  Score

  10^/10

  phorphiexevasionloaderpersistencetrojanupxworm

  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex

  • Windows security bypass

    evasiontrojan

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence
  behavioral18

• • Target

    WSHSetup[1].bin

  • Size

    898KB

  • MD5

    cb2b4cd74c7b57a12bd822a168e4e608

  • SHA1

    f2182062719f0537071545b77ca75f39c2922bf5

  • SHA256

    5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

  • SHA512

    7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral19

• • Target

    api

  • Size

    22.9MB

  • MD5

    3561a1c35184a0b60b89f4b560a9660d

  • SHA1

    e39442388db90a088a8eb8ce46d4f61182334a1b

  • SHA256

    3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1

  • SHA512

    7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75

  Score

  10^/10

  azorultredlinermsxmrigaspackv2discoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

    miner

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • XMRig Miner Payload

    miner

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  behavioral20

• • Target

    efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

  • Size

    920KB

  • MD5

    4339e3b6d6cf2603cc780e8e032e82f6

  • SHA1

    195c244a037815ec13d469e3b28e62a0e10bed56

  • SHA256

    efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

  • SHA512

    a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

  Score

  1^/10
  behavioral21

• • Target

    good.bin

  • Size

    143KB

  • MD5

    b034e2a7cd76b757b7c62ce514b378b4

  • SHA1

    27d15f36cb5e3338a19a7f6441ece58439f830f2

  • SHA256

    90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

  • SHA512

    1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

  Score

  1^/10
  behavioral22

• • Target

    infected dot net installer.bin

  • Size

    1.7MB

  • MD5

    6eb2b081d12ad12c2ce50da34438651d

  • SHA1

    2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

  • SHA256

    1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

  • SHA512

    881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

  Score

  10^/10

  agenttesladanabotdharmaformbookgozi_rm3qakbot86920224spx1291590734339agilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • CoreEntity .NET Packer

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

  • AgentTesla Payload

  • CryptOne packer

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker

  • Formbook Payload

    rat

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral23

• • Target

    update.bin

  • Size

    12.0MB

  • MD5

    c5c8d4f5d9f26bac32d43854af721fb3

  • SHA1

    e4119a28baa102a28ff9b681f6bbb0275c9627c7

  • SHA256

    3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

  • SHA512

    09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

  Score

  10^/10

  persistencespywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral24

• • Target

    vir1.xls

  • Size

    303KB

  • MD5

    f5ec41ec42ebdec9404692dde8fb9d15

  • SHA1

    39f10e1ea5153fa70be025a2d392dcf62966412e

  • SHA256

    7a5d5f4ceb3c815d6fb882777d0859b9757e27edd5a95eb1c2b88dc438d09c92

  • SHA512

    359fddc66f069137e030d2a039ddcfc76ab0e22769ff58f3a0571bae81fb94f87aed23c995eeab545c578e065339f3c1ea2b0623d33835f44054672f717f9952

  Score

  1^/10
  behavioral25

• • Target

    xNet.dll

  • Size

    99KB

  • MD5

    bf1f76644bddd20339548ebacf7a48eb

  • SHA1

    38114702114105eb3df3f74bf4c68ef7db436f47

  • SHA256

    5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2

  • SHA512

    76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5

  Score

  3^/10
  behavioral26