Downloads.rar

Target

Downloads.rar

Size

139MB

Sample

201118-htd4fq29va

Score

10 ^/10

MD5

24cd2246d5a28f79a7e95a74c7d282c6

SHA1

6d4953d61b602667475e28d4f8eb2aae166cfcd4

SHA256

390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

SHA512

95983ce807050d66d89630c0ff40545891c1ba2a317e94fca6a2b263057bbc1dfceea7ec4a7764dcaae83921eb5607c28be42e416f736b9bcec27ef89e00a8fe

Extracted

Family	formbook
C2	http://www.worstig.com/w9z/ http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/ http://www.worstig.com/w9z/ http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/
Decoy	crazzysex.com hanferd.com gteesrd.com bayfrontbabyplace.com jicuiquan.net relationshiplink.net ohchacyberphoto.com kauegimenes.com powerful-seldom.com ketotoken.com make-money-online-success.com redgoldcollection.com hannan-football.com hamptondc.com vllii.com aa8520.com platform35markethall.com larozeimmo.com oligopoly.net llhak.info fisioservice.com tesla-magnumopus.com cocodrilodigital.com pinegrovesg.com traveladventureswithme.com hebitaixin.com golphysi.com gayjeans.com quickhire.expert randomviews1.com eatatnobu.com topmabati.com mediaupside.com spillerakademi.com thebowtie.store sensomaticloadcell.com turismodemadrid.net yuhe89.com wernerkrug.com cdpogo.net dannynhois.com realestatestructureddata.com matewhereareyou.net laimeibei.ltd sw328.com lmwworks.net xtremefish.com tonerias.com dsooneclinicianexpert.com 281clara.com smmcommunity.net dreamneeds.info twocraft.com yasasiite.salon advk8qi.top drabist.com europartnersplus.com saltbgone.com teslaoceanic.info bestmedicationstore.com buynewcartab.live prospect.money viebrocks.com transportationhappy.com crazzysex.com hanferd.com gteesrd.com bayfrontbabyplace.com jicuiquan.net relationshiplink.net ohchacyberphoto.com kauegimenes.com powerful-seldom.com ketotoken.com make-money-online-success.com redgoldcollection.com hannan-football.com hamptondc.com vllii.com aa8520.com platform35markethall.com larozeimmo.com oligopoly.net llhak.info fisioservice.com tesla-magnumopus.com cocodrilodigital.com pinegrovesg.com traveladventureswithme.com hebitaixin.com golphysi.com gayjeans.com quickhire.expert randomviews1.com eatatnobu.com topmabati.com mediaupside.com spillerakademi.com thebowtie.store sensomaticloadcell.com turismodemadrid.net yuhe89.com wernerkrug.com cdpogo.net dannynhois.com realestatestructureddata.com matewhereareyou.net laimeibei.ltd sw328.com lmwworks.net xtremefish.com tonerias.com dsooneclinicianexpert.com 281clara.com smmcommunity.net dreamneeds.info twocraft.com yasasiite.salon advk8qi.top drabist.com europartnersplus.com saltbgone.com teslaoceanic.info bestmedicationstore.com buynewcartab.live prospect.money viebrocks.com transportationhappy.com

Extracted

Family	gozi_rm3
Botnet	86920224
C2	https://sibelikinciel.xyz https://sibelikinciel.xyz
Attributes	build 300869 exe_type loader server_id 12 url_path index.htm
rsa_pubkey.base64
serpent.plain

Extracted

Family	danabot
C2	92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247 92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247
rsa_pubkey.plain

Extracted

Family	qakbot
Botnet	spx129
Campaign	1590734339
C2	94.10.81.239:443 94.52.160.116:443 67.0.74.119:443 175.137.136.79:443 73.232.165.200:995 79.119.67.149:443 62.38.111.70:2222 108.58.9.238:993 216.110.249.252:2222 67.209.195.198:3389 84.247.55.190:443 96.37.137.42:443 94.176.220.76:2222 173.245.152.231:443 96.227.122.123:443 188.192.75.8:995 24.229.245.124:995 71.163.225.75:443 75.71.77.59:443 104.36.135.227:443 173.173.77.164:443 207.255.161.8:2222 68.39.177.147:995 178.193.33.121:2222 72.209.191.27:443 67.165.206.193:995 64.19.74.29:995 117.199.195.112:443 75.87.161.32:995 188.173.214.88:443 173.22.120.11:2222 96.41.93.96:443 86.125.210.26:443 24.10.42.174:443 47.201.1.210:443 69.92.54.95:995 24.202.42.48:2222 47.205.231.60:443 66.26.160.37:443 65.131.44.40:995 24.110.96.149:443 108.58.9.238:443 77.159.149.74:443 74.56.167.31:443 75.137.239.211:443 47.153.115.154:995 173.172.205.216:443 184.98.104.7:995 24.46.40.189:2222 98.115.138.61:443 35.142.12.163:2222 189.231.198.212:443 47.146.169.85:443 173.21.10.71:2222 24.42.14.241:443 188.27.6.170:443 89.137.77.237:443 5.13.99.38:995 93.113.90.128:443 72.179.242.236:0 73.210.114.187:443 80.240.26.178:443 85.186.141.62:995 81.103.144.77:443 98.4.227.199:443 24.122.228.88:443 150.143.128.70:2222 47.153.115.154:443 65.116.179.83:443 50.29.181.193:995 189.140.112.184:443 142.129.227.86:443 74.134.46.7:443 220.135.31.140:2222 172.78.87.180:443 24.201.79.208:2078 97.127.144.203:2222 100.4.173.223:443 59.124.10.133:443 89.43.108.19:443 216.163.4.91:443 67.83.54.76:2222 72.204.242.138:443 24.43.22.220:995 67.250.184.157:443 78.97.145.242:443 203.198.96.239:443 104.174.71.153:2222 24.28.183.107:995 197.160.20.211:443 79.117.161.67:21 82.76.239.193:443 69.246.151.5:443 78.96.192.26:443 216.201.162.158:995 108.21.107.203:443 107.2.148.99:443 189.236.218.181:443 75.110.250.89:443 211.24.72.253:443 207.255.161.8:443 162.154.223.73:443 50.104.186.71:443 100.38.123.22:443 96.18.240.158:443 108.183.200.239:443 173.187.170.190:443 100.40.48.96:443 71.80.66.107:443 67.197.97.144:443 69.28.222.54:443 47.136.224.60:443 47.202.98.230:443 184.180.157.203:2222 104.221.4.11:2222 70.173.46.139:443 213.67.45.195:2222 71.31.160.43:22 189.159.113.190:995 98.148.177.77:443 98.116.62.242:443 68.4.137.211:443 108.227.161.27:995 173.187.103.35:443 117.216.185.86:443 75.132.35.60:443 98.219.77.197:443 24.43.22.220:443 207.255.161.8:2087 72.190.101.70:443 189.160.217.221:443 207.255.161.8:32102 24.226.137.154:443 66.222.88.126:995 108.58.9.238:995 1.40.42.4:443 47.152.210.233:443 72.45.14.185:443 82.127.193.151:2222 101.108.113.6:443 98.13.0.128:443 175.111.128.234:995 175.111.128.234:443 216.137.140.236:2222 24.191.214.43:2083 72.177.157.217:443 72.29.181.77:2078 203.106.195.139:443 98.114.185.3:443 94.10.81.239:443 94.52.160.116:443 67.0.74.119:443 175.137.136.79:443 73.232.165.200:995 79.119.67.149:443 62.38.111.70:2222 108.58.9.238:993 216.110.249.252:2222 67.209.195.198:3389 84.247.55.190:443 96.37.137.42:443 94.176.220.76:2222 173.245.152.231:443 96.227.122.123:443 188.192.75.8:995 24.229.245.124:995 71.163.225.75:443 75.71.77.59:443 104.36.135.227:443 173.173.77.164:443 207.255.161.8:2222 68.39.177.147:995 178.193.33.121:2222 72.209.191.27:443 67.165.206.193:995 64.19.74.29:995 117.199.195.112:443 75.87.161.32:995 188.173.214.88:443 173.22.120.11:2222 96.41.93.96:443 86.125.210.26:443 24.10.42.174:443 47.201.1.210:443 69.92.54.95:995 24.202.42.48:2222 47.205.231.60:443 66.26.160.37:443 65.131.44.40:995 24.110.96.149:443 108.58.9.238:443 77.159.149.74:443 74.56.167.31:443 75.137.239.211:443 47.153.115.154:995 173.172.205.216:443 184.98.104.7:995 24.46.40.189:2222 98.115.138.61:443 35.142.12.163:2222 189.231.198.212:443 47.146.169.85:443 173.21.10.71:2222 24.42.14.241:443 188.27.6.170:443 89.137.77.237:443 5.13.99.38:995 93.113.90.128:443 72.179.242.236:0 73.210.114.187:443 80.240.26.178:443 85.186.141.62:995 81.103.144.77:443 98.4.227.199:443 24.122.228.88:443 150.143.128.70:2222 47.153.115.154:443 65.116.179.83:443 50.29.181.193:995 189.140.112.184:443 142.129.227.86:443 74.134.46.7:443 220.135.31.140:2222 172.78.87.180:443 24.201.79.208:2078 97.127.144.203:2222 100.4.173.223:443 59.124.10.133:443 89.43.108.19:443 216.163.4.91:443 67.83.54.76:2222 72.204.242.138:443 24.43.22.220:995 67.250.184.157:443 78.97.145.242:443 203.198.96.239:443 104.174.71.153:2222 24.28.183.107:995 197.160.20.211:443 79.117.161.67:21 82.76.239.193:443 69.246.151.5:443 78.96.192.26:443 216.201.162.158:995 108.21.107.203:443 107.2.148.99:443 189.236.218.181:443 75.110.250.89:443 211.24.72.253:443 207.255.161.8:443 162.154.223.73:443 50.104.186.71:443 100.38.123.22:443 96.18.240.158:443 108.183.200.239:443 173.187.170.190:443 100.40.48.96:443 71.80.66.107:443 67.197.97.144:443 69.28.222.54:443 47.136.224.60:443 47.202.98.230:443 184.180.157.203:2222 104.221.4.11:2222 70.173.46.139:443 213.67.45.195:2222 71.31.160.43:22 189.159.113.190:995 98.148.177.77:443 98.116.62.242:443 68.4.137.211:443 108.227.161.27:995 173.187.103.35:443 117.216.185.86:443 75.132.35.60:443 98.219.77.197:443 24.43.22.220:443 207.255.161.8:2087 72.190.101.70:443 189.160.217.221:443 207.255.161.8:32102 24.226.137.154:443 66.222.88.126:995 108.58.9.238:995 1.40.42.4:443 47.152.210.233:443 72.45.14.185:443 82.127.193.151:2222 101.108.113.6:443 98.13.0.128:443 175.111.128.234:995 175.111.128.234:443 216.137.140.236:2222 24.191.214.43:2083 72.177.157.217:443 72.29.181.77:2078 203.106.195.139:443 98.114.185.3:443

Extracted

Path	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note	YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails	Bit_decrypt@protonmail.com

Extracted

Family	smokeloader
Version	2019
C2	http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ http://10022020newfolder1002002131-service1002.space/ http://10022020newfolder1002002231-service1002.space/ http://10022020newfolder3100231-service1002.space/ http://10022020newfolder1002002431-service1002.space/ http://10022020newfolder1002002531-service1002.space/ http://10022020newfolder33417-01242510022020.space/ http://10022020test125831-service1002012510022020.space/ http://10022020test136831-service1002012510022020.space/ http://10022020test147831-service1002012510022020.space/ http://10022020test146831-service1002012510022020.space/ http://10022020test134831-service1002012510022020.space/ http://10022020est213531-service100201242510022020.ru/ http://10022020yes1t3481-service1002012510022020.ru/ http://10022020test13561-service1002012510022020.su/ http://10022020test14781-service1002012510022020.info/ http://10022020test13461-service1002012510022020.net/ http://10022020test15671-service1002012510022020.tech/ http://10022020test12671-service1002012510022020.online/ http://10022020utest1341-service1002012510022020.ru/ http://10022020uest71-service100201dom2510022020.ru/ http://10022020test61-service1002012510022020.website/ http://10022020test51-service1002012510022020.xyz/ http://10022020test41-service100201pro2510022020.ru/ http://10022020yest31-service100201rus2510022020.ru/ http://10022020rest21-service1002012510022020.eu/ http://10022020test11-service1002012510022020.press/ http://10022020newfolder4561-service1002012510022020.ru/ http://10022020rustest213-service1002012510022020.ru/ http://10022020test281-service1002012510022020.ru/ http://10022020test261-service1002012510022020.space/ http://10022020yomtest251-service1002012510022020.ru/ http://10022020yirtest231-service1002012510022020.ru/ http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ http://10022020newfolder1002002131-service1002.space/ http://10022020newfolder1002002231-service1002.space/ http://10022020newfolder3100231-service1002.space/ http://10022020newfolder1002002431-service1002.space/ http://10022020newfolder1002002531-service1002.space/ http://10022020newfolder33417-01242510022020.space/ http://10022020test125831-service1002012510022020.space/ http://10022020test136831-service1002012510022020.space/ http://10022020test147831-service1002012510022020.space/ http://10022020test146831-service1002012510022020.space/ http://10022020test134831-service1002012510022020.space/ http://10022020est213531-service100201242510022020.ru/ http://10022020yes1t3481-service1002012510022020.ru/ http://10022020test13561-service1002012510022020.su/ http://10022020test14781-service1002012510022020.info/ http://10022020test13461-service1002012510022020.net/ http://10022020test15671-service1002012510022020.tech/ http://10022020test12671-service1002012510022020.online/ http://10022020utest1341-service1002012510022020.ru/ http://10022020uest71-service100201dom2510022020.ru/ http://10022020test61-service1002012510022020.website/ http://10022020test51-service1002012510022020.xyz/ http://10022020test41-service100201pro2510022020.ru/ http://10022020yest31-service100201rus2510022020.ru/ http://10022020rest21-service1002012510022020.eu/ http://10022020test11-service1002012510022020.press/ http://10022020newfolder4561-service1002012510022020.ru/ http://10022020rustest213-service1002012510022020.ru/ http://10022020test281-service1002012510022020.ru/ http://10022020test261-service1002012510022020.space/ http://10022020yomtest251-service1002012510022020.ru/ http://10022020yirtest231-service1002012510022020.ru/
rc4.i32
rc4.i32

Extracted

Family	azorult
C2	http://kvaka.li/1210776429.php http://195.245.112.115/index.php http://kvaka.li/1210776429.php http://195.245.112.115/index.php

Extracted

Family	smokeloader
Version	2020
C2	http://naritouzina.net/ http://nukaraguasleep.net/ http://notfortuaj.net/ http://natuturalistic.net/ http://zaniolofusa.net/ http://vintrsi.com/upload/ http://woatdert.com/upload/ http://waruse.com/upload/ http://naritouzina.net/ http://nukaraguasleep.net/ http://notfortuaj.net/ http://natuturalistic.net/ http://zaniolofusa.net/ http://vintrsi.com/upload/ http://woatdert.com/upload/ http://waruse.com/upload/
rc4.i32
rc4.i32

Extracted

Path	C:\_readme.txt
Ransom Note	ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
Emails	blower@india.com blower@firemail.cc
URLs	https://we.tl/t-T9WE5uiVT6

Extracted

Family	smokeloader
Version	2017
C2	http://92.53.105.14/ http://92.53.105.14/

Extracted

Language	ps1
Source
URLs	http://zxvbcrt.ug/zxcvb.exe http://zxvbcrt.ug/zxcvb.exe ps1.dropper http://zxvbcrt.ug/zxcvb.exe exe.dropper http://zxvbcrt.ug/zxcvb.exe

Extracted

Language	ps1
Source
URLs	http://bit.do/fqhHT http://bit.do/fqhHT ps1.dropper http://bit.do/fqhHT exe.dropper http://bit.do/fqhHT

Extracted

Language	ps1
Source
URLs	http://bit.do/fqhJv http://bit.do/fqhJv ps1.dropper http://bit.do/fqhJv exe.dropper http://bit.do/fqhJv

Extracted

Language	ps1
Source
URLs	http://pdshcjvnv.ug/zxcvb.exe http://pdshcjvnv.ug/zxcvb.exe ps1.dropper http://pdshcjvnv.ug/zxcvb.exe exe.dropper http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language	ps1
Source
URLs	http://bit.do/fqhJD http://bit.do/fqhJD ps1.dropper http://bit.do/fqhJD exe.dropper http://bit.do/fqhJD

Extracted

Language	ps1
Source
URLs	http://rbcxvnb.ug/zxcvb.exe http://rbcxvnb.ug/zxcvb.exe ps1.dropper http://rbcxvnb.ug/zxcvb.exe exe.dropper http://rbcxvnb.ug/zxcvb.exe

Extracted

Family	raccoon
Botnet	5e4db353b88c002ba6466c06437973619aad03b3
Attributes	url4cnc https://telete.in/brikitiki
rc4.plain
rc4.plain

Extracted

Family	asyncrat
Version	0.5.7B
C2	agentttt.ac.ug:6970 agentpurple.ac.ug:6970 agentttt.ac.ug:6970 agentpurple.ac.ug:6970
Attributes	aes_key 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr anti_detection false autorun false bdos false delay Default host agentttt.ac.ug,agentpurple.ac.ug hwid 3 install_file install_folder %AppData% mutex AsyncMutex_6SI8OkPnk pastebin_config null port 6970 version 0.5.7B
aes.plain

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Extracted

Family	remcos
C2	taenaia.ac.ug:6969 agentpapple.ac.ug:6969 taenaia.ac.ug:6969 agentpapple.ac.ug:6969

Extracted

Credentials

Protocol: ftp

Host: 45.141.184.35

Port: 21

Username: alex

Password: easypassword

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.91

Port: 21

Username: alex

Password: easypassword

Target

1.bin/1.exe

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score

10 ^/10

SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Tags

agenttesla danabot dharma formbook gozi_rm3 qakbot 86920224 spx129 1590734339 agilenet banker botnet coreentity cryptone evasion keylogger packer persistence ransomware rat rezer0 spyware stealer trojan

Signatures

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla
CoreEntity .NET Packer

Description

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

Tags

coreentity
Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot
Danabot x86 payload

Description

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

Tags

botnet
Dharma

Description

Dharma is a ransomware that uses security software installation to hide malicious activities.

Tags

ransomware dharma
Formbook

Description

Formbook is a data stealing malware which is capable of stealing data.

Tags

trojan spyware stealer formbook
Gozi RM3

Description

A heavily modified version of Gozi using RM3 loader.

Tags

banker trojan gozi_rm3
Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
AgentTesla Payload
CryptOne packer

Description

Detects CryptOne packer defined in NCC blogpost.

Tags

cryptone packer
Formbook Payload

Tags

rat
Looks for VirtualBox Guest Additions in registry

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
rezer0

Description

Detects ReZer0, a packer with multiple versions used in various campaigns.

Tags

rezer0
Executes dropped EXE
Looks for VMWare Tools registry key

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Checks BIOS information in registry

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator

Description

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Tags

agilenet
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Drops desktop.ini file(s)
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1

Target

2019-09-02_22-41-10.exe

MD5

924aa6c26f6f43e0893a40728eac3b32

Filesize

251KB

Score

10 ^/10

SHA1

baa9b4c895b09d315ed747b3bd087f4583aa84fc

SHA256

30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

SHA512

3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

Tags

smokeloader backdoor trojan

Signatures

SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Loads dropped DLL
Suspicious use of SetThreadContext

Related Tasks

behavioral2

Target

31.exe

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score

10 ^/10

SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Signatures

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla
CoreEntity .NET Packer

Description

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

Tags

coreentity
Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot
Danabot x86 payload

Description

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

Tags

botnet
Dharma

Description

Dharma is a ransomware that uses security software installation to hide malicious activities.

Tags

ransomware dharma
Formbook

Description

Formbook is a data stealing malware which is capable of stealing data.

Tags

trojan spyware stealer formbook
Gozi RM3

Description

A heavily modified version of Gozi using RM3 loader.

Tags

banker trojan gozi_rm3
Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
AgentTesla Payload
CryptOne packer

Description

Detects CryptOne packer defined in NCC blogpost.

Tags

cryptone packer
Formbook Payload

Tags

rat
Looks for VirtualBox Guest Additions in registry

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
rezer0

Description

Detects ReZer0, a packer with multiple versions used in various campaigns.

Tags

rezer0
Executes dropped EXE
Looks for VMWare Tools registry key

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Checks BIOS information in registry

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator

Description

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Tags

agilenet
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Drops desktop.ini file(s)
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral3

Target

3DMark 11 Advanced Edition.exe

MD5

236d7524027dbce337c671906c9fe10b

Filesize

11MB

Score

10 ^/10

SHA1

7d345aa201b50273176ae0ec7324739d882da32e

SHA256

400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

SHA512

e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Tags

agenttesla azorult plugx redline smokeloader tofsee xmrig backdoor bootkit discovery evasion infostealer keylogger macro miner persistence spyware stealer trojan upx vmprotect

Signatures

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla
Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
PlugX

Description

PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

Tags

trojan plugx
RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline
SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Tofsee

Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

Tags

trojan tofsee
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
xmrig

Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Tags

miner xmrig
AgentTesla Payload

Tags

keylogger stealer
XMRig Miner Payload

Tags

miner
Creates new service(s)

Tags

persistence

TTPs

New Service
Executes dropped EXE
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Sets service image path in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Suspicious Office macro

Description

Office document equipped with 4.0 macros.

Tags

macro
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
VMProtect packed file

Description

Detects executables packed with VMProtect commercial packer.

Tags

vmprotect
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Drops startup file
Loads dropped DLL
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses 2FA software files, possible credential harvesting

Tags

spyware stealer

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit
Drops file in System32 directory
Modifies service

Tags

persistence

TTPs

Modify Registry Modify Existing Service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral4

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

MD5

ead18f3a909685922d7213714ea9a183

Filesize

669KB

Score

10 ^/10

SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Tags

discovery persistence ransomware upx

Signatures

Executes dropped EXE
Modifies Installed Components in the registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Drops desktop.ini file(s)
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral5

Target

Archive.zip__ccacaxs2tbz2t6ob3e.exe

MD5

a3cab1a43ff58b41f61f8ea32319386b

Filesize

430KB

Score

8 ^/10

SHA1

94689e1a9e1503f1082b23e6d5984d4587f3b9ec

SHA256

005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

SHA512

8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

Tags

discovery persistence spyware

Signatures

Creates new service(s)

Tags

persistence

TTPs

New Service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory

Related Tasks

behavioral6

Target

CVE-2018-15982_PoC.swf

MD5

82fe94beb621a4368e76aa4a51998c00

Filesize

12KB

Score

3 ^/10

SHA1

b7c79b8f05c3d998e21d01b07b9ba157160581a9

SHA256

c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

SHA512

055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

Related Tasks

behavioral7

Target

CVWSHSetup[1].bin/WSHSetup[1].exe

MD5

cb2b4cd74c7b57a12bd822a168e4e608

Filesize

898KB

Score

4 ^/10

SHA1

f2182062719f0537071545b77ca75f39c2922bf5

SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Related Tasks

behavioral8

Target

DiskInternals_Uneraser_v5_keygen.exe

MD5

17c4b227deaa34d22dd0addfb0034e04

Filesize

12MB

Score

10 ^/10

SHA1

0cf926384df162bc88ae7c97d1b1b9523ac6b88c

SHA256

a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

SHA512

691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

Tags

azorult pony discovery evasion infostealer persistence rat spyware stealer trojan upx

Signatures

Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Pony,Fareit

Description

Pony is a Remote Access Trojan application that steals information.

Tags

rat spyware stealer pony
Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Blocklisted process makes network request
Executes dropped EXE
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Checks BIOS information in registry

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Identifies Wine through registry keys

Description

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Loads dropped DLL
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral9

Target

ForceOp 2.8.7 - By RaiSence.exe

MD5

0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

Filesize

1MB

Score

10 ^/10

SHA1

6bf1215ac7b1fde54442a9d075c84544b6e80d50

SHA256

26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

SHA512

54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess
Executes dropped EXE

Related Tasks

behavioral10

Target

HYDRA.exe

MD5

c52bc39684c52886712971a92f339b23

Filesize

2MB

Score

10 ^/10

SHA1

c5cb39850affb7ed322bfb0a4900e17c54f95a11

SHA256

f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

SHA512

2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

Tags

smokeloader backdoor persistence trojan

Signatures

SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Drops startup file
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery

Related Tasks

behavioral11

Target

Keygen.exe

MD5

dbde61502c5c0e17ebc6919f361c32b9

Filesize

849KB

Score

10 ^/10

SHA1

189749cf0b66a9f560b68861f98c22cdbcafc566

SHA256

88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

SHA512

d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Tags

asyncrat azorult modiloader oski raccoon 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer rat spyware stealer trojan

Signatures

AsyncRat

Description

AsyncRAT is designed to remotely monitor and control other computers.

Tags

rat asyncrat
Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Contains code to disable Windows Defender

Description

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
ModiLoader, DBatLoader

Description

ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Tags

trojan modiloader
Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify Registry Modify Existing Service Disabling Security Tools
Oski

Description

Oski is an infostealer targeting browser data, crypto wallets.

Tags

infostealer oski
Raccoon

Description

Simple but powerful infostealer which was very active in 2019.

Tags

stealer raccoon
Async RAT payload

Tags

rat
ModiLoader First Stage
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral12

Target

Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe

MD5

48c356e14b98fb905a36164e28277ae5

Filesize

13MB

Score

10 ^/10

SHA1

d7630bd683af02de03aebc8314862c512acd5656

SHA256

b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

SHA512

278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

Tags

pony discovery persistence rat spyware stealer upx vmprotect

Signatures

Pony,Fareit

Description

Pony is a Remote Access Trojan application that steals information.

Tags

rat spyware stealer pony
Nirsoft
Executes dropped EXE
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
VMProtect packed file

Description

Detects executables packed with VMProtect commercial packer.

Tags

vmprotect
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext

Related Tasks

behavioral13

Target

LtHv0O2KZDK4M637.exe

MD5

5e25abc3a3ad181d2213e47fa36c4a37

Filesize

10MB

Score

10 ^/10

SHA1

ba365097003860c8fb9d332f377e2f8103d220e0

SHA256

3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

SHA512

676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

Tags

azorult rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware trojan upx

Signatures

Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify Registry Modify Existing Service Disabling Security Tools
Modifies visiblity of hidden/system files in Explorer

Tags

evasion

TTPs

Hidden Files and Directories Modify Registry
RMS

Description

Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

Tags

trojan rat rms
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
xmrig

Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Tags

miner xmrig
ACProtect 1.3x - 1.4x DLL software

Description

Detects file using ACProtect software.
Detected Stratum cryptominer command

Description

Looks to be attempting to contact Stratum mining pool.

Tags

miner
Grants admin privileges

Description

Uses net.exe to modify the user's privileges.

TTPs

Account Manipulation
XMRig Miner Payload

Tags

miner
ASPack v2.12-2.42

Description

Detects executables packed with ASPack v2.12-2.42

Tags

aspackv2
Blocks application from running via registry modification

Description

Adds application to list of disallowed applications.

Tags

evasion
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Registers new Print Monitor

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Sets DLL path for service in the registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Sets file to hidden

Description

Modifies file attributes to stop it showing in Explorer etc.

Tags

evasion

TTPs

Hidden Files and Directories
Stops running service(s)

Tags

evasion

TTPs

Modify Existing Service Service Stop
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Loads dropped DLL
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Modifies WinLogon

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry

Related Tasks

behavioral14

Target

Magic_File_v3_keygen_by_KeygenNinja.exe

MD5

80e5a163c5396401b58a3b24f2e00d38

Filesize

8MB

Score

10 ^/10

SHA1

589accaeeca95b8d69fa7bc14f402925dd338a6a

SHA256

72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1

SHA512

cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6

Tags

pony bootkit discovery evasion persistence rat rezer0 spyware stealer trojan upx

Signatures

Pony,Fareit

Description

Pony is a Remote Access Trojan application that steals information.

Tags

rat spyware stealer pony
Nirsoft
rezer0

Description

Detects ReZer0, a packer with multiple versions used in various campaigns.

Tags

rezer0
Blocklisted process makes network request
Executes dropped EXE
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral15

Target

OnlineInstaller.exe

MD5

4b042bfd9c11ab6a3fb78fa5c34f55d0

Filesize

3MB

Score

8 ^/10

SHA1

b0f506640c205d3fbcfe90bde81e49934b870eab

SHA256

59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

SHA512

dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

Signatures

Drops file in Drivers directory
Executes dropped EXE
Checks for any installed AV software in registry

TTPs

Security Software Discovery
Drops file in System32 directory

Related Tasks

behavioral16

Target

Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

MD5

edcc1a529ea8d2c51592d412d23c057e

Filesize

9MB

Score

10 ^/10

SHA1

1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

SHA256

970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

SHA512

c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

Tags

azorult smokeloader tofsee xmrig backdoor bootkit discovery evasion infostealer macro miner persistence spyware stealer trojan upx

Signatures

Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Deletes Windows Defender Definitions

Description

Uses mpcmdrun utility to delete all AV definitions.

Tags

evasion

TTPs

Disabling Security Tools Command-Line Interface
SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Tofsee

Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

Tags

trojan tofsee
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
xmrig

Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Tags

miner xmrig
XMRig Miner Payload

Tags

miner
Creates new service(s)

Tags

persistence

TTPs

New Service
Disables Task Manager via registry modification

Tags

evasion
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Sets service image path in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Suspicious Office macro

Description

Office document equipped with 4.0 macros.

Tags

macro
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Drops startup file
Loads dropped DLL
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses 2FA software files, possible credential harvesting

Tags

spyware stealer

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit
Drops file in System32 directory
Modifies service

Tags

persistence

TTPs

Modify Registry Modify Existing Service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral17

Target

SecurityTaskManager_Setup.exe

MD5

444439bc44c476297d7f631a152ce638

Filesize

2MB

Score

8 ^/10

SHA1

820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e

SHA256

bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3

SHA512

160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00

Tags

discovery evasion spyware trojan

Signatures

Executes dropped EXE
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery

Related Tasks

behavioral18

Target

Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

MD5

8103aad9a6f5ee1fb4f764fc5782822a

Filesize

10MB

Score

10 ^/10

SHA1

4fb4f963243d7cb65394e59de787aebe020b654c

SHA256

4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

SHA512

e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

Tags

azorult plugx pony raccoon redline smokeloader tofsee vidar xmrig backdoor bootkit discovery evasion infostealer macro miner persistence ransomware rat spyware stealer trojan upx vmprotect xlm

Signatures

Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Deletes Windows Defender Definitions

Description

Uses mpcmdrun utility to delete all AV definitions.

Tags

evasion

TTPs

Command-Line Interface
PlugX

Description

PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

Tags

trojan plugx
Pony,Fareit

Description

Pony is a Remote Access Trojan application that steals information.

Tags

rat spyware stealer pony
Raccoon

Description

Simple but powerful infostealer which was very active in 2019.

Tags

stealer raccoon
RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline
RedLine Payload
SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee

Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

Tags

trojan tofsee
Vidar

Description

Vidar is an infostealer based on Arkei stealer.

Tags

stealer vidar
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
xmrig

Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Tags

miner xmrig
Nirsoft
XMRig Miner Payload

Tags

miner
Blocklisted process makes network request
Creates new service(s)

Tags

persistence

TTPs

New Service
Disables Task Manager via registry modification

Tags

evasion
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Sets service image path in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Suspicious Office macro

Description

Office document equipped with 4.0 macros.

Tags

macro xlm
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
VMProtect packed file

Description

Detects executables packed with VMProtect commercial packer.

Tags

vmprotect
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Drops startup file
Loads dropped DLL
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses 2FA software files, possible credential harvesting

Tags

spyware stealer

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral19

Target

VyprVPN.exe

MD5

f1d5f022e71b8bc9e3241fbb72e87be2

Filesize

1MB

Score

10 ^/10

SHA1

1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

SHA256

08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

SHA512

f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

Tags

persistence spyware

Signatures

Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Executes dropped EXE
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral20

Target

WSHSetup[1].exe

MD5

cb2b4cd74c7b57a12bd822a168e4e608

Filesize

898KB

Score

4 ^/10

SHA1

f2182062719f0537071545b77ca75f39c2922bf5

SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Related Tasks

behavioral21

Target

___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe

MD5

54bef758433c98353b61bf1e2aecefb2

Filesize

545KB

Score

10 ^/10

SHA1

06feb43c6d58eab893396f63aa2e1d0e4542f7d1

SHA256

291f381da3286ea93c38bb325e19f35744349c3543708135d8be731f4bafb6e2

SHA512

3bfb51f9bee7033ebde0f418b88327b7c7a322b3e0572d92ad4cdf37c9fbed22d518c9ce2d8d5638381542bef83077d8054184b9f613b815df6906a99fd4526f

Tags

vidar discovery spyware stealer

Signatures

Vidar

Description

Vidar is an infostealer based on Arkei stealer.

Tags

stealer vidar
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses 2FA software files, possible credential harvesting

Tags

spyware stealer

TTPs

Data from Local System Credentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral22

Target

___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

MD5

8399865e44e7d6a193f8c8acf547eb31

Filesize

228KB

Score

10 ^/10

SHA1

17e3bee5debada69dadec0b748256925a1a8b1ac

SHA256

aaf7bb9ad358726ca367f1827686dc15fea925f26ab1e201a2768c67472e8890

SHA512

bf9ceb3a36ca874dceb9ccfec8e7635f5f11f83f04226ceb4e2b4b2548dbcecf2618fe5063bec068b1571867984d0beece6b5f9be0747a13ddb53f9a09aa4d61

Tags

makop persistence ransomware spyware

Signatures

Makop

Description

Ransomware family discovered by @VK_Intel in early 2020.

Tags

ransomware makop
Suspicious use of NtCreateUserProcessOtherParentProcess
Deletes shadow copies

Description

Ransomware often targets backup files to inhibit system recovery.

Tags

ransomware

TTPs

File Deletion Inhibit System Recovery
Deletes backup catalog

Description

Uses wbadmin.exe to inhibit system recovery.

Tags

ransomware

TTPs

Command-Line Interface File Deletion Inhibit System Recovery
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service

Related Tasks

behavioral23

Target

amtemu.v0.9.2.win-painter_edited.exe

MD5

88124e4aba906259af28a466774431ea

Filesize

3MB

Score

10 ^/10

SHA1

fbc1c27e0d7177238ec99481ffa7d839d1f51594

SHA256

1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd

SHA512

cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d

Tags

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

Signatures

AsyncRat

Description

AsyncRAT is designed to remotely monitor and control other computers.

Tags

rat asyncrat
Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
BetaBot

Description

Beta Bot is a Trojan that infects computers and disables Antivirus.

Tags

trojan backdoor botnet betabot
Contains code to disable Windows Defender

Description

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
ModiLoader, DBatLoader

Description

ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Tags

trojan modiloader
Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify Registry Modify Existing Service Disabling Security Tools
Modifies firewall policy service

Tags

evasion

TTPs

Modify Registry Modify Existing Service
Modifies security service

Tags

evasion

TTPs

Modify Registry Modify Existing Service
Oski

Description

Oski is an infostealer targeting browser data, crypto wallets.

Tags

infostealer oski
Raccoon

Description

Simple but powerful infostealer which was very active in 2019.

Tags

stealer raccoon
Remcos

Description

Remcos is a closed-source remote control and surveillance software.

Tags

rat remcos
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Async RAT payload

Tags

rat
ModiLoader First Stage
Blocklisted process makes network request
Disables taskbar notifications via registry modification

Tags

evasion
Disables use of System Restore points

Tags

evasion

TTPs

Inhibit System Recovery
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Sets service image path in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks BIOS information in registry

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks for any installed AV software in registry

TTPs

Security Software Discovery
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Drops desktop.ini file(s)
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral24

Target

api.exe

MD5

3561a1c35184a0b60b89f4b560a9660d

Filesize

22MB

Score

1 ^/10

SHA1

e39442388db90a088a8eb8ce46d4f61182334a1b

SHA256

3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1

SHA512

7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75

Related Tasks

behavioral25

Target

default.exe

MD5

f42abb7569dbc2ff5faa7e078cb71476

Filesize

211KB

Score

10 ^/10

SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Tags

buran persistence ransomware

Signatures

Buran

Description

Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

Tags

ransomware buran
Deletes shadow copies

Description

Ransomware often targets backup files to inhibit system recovery.

Tags

ransomware

TTPs

File Deletion Inhibit System Recovery
Executes dropped EXE
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Deletes itself
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral26

Target

efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

MD5

4339e3b6d6cf2603cc780e8e032e82f6

Filesize

920KB

Score

3 ^/10

SHA1

195c244a037815ec13d469e3b28e62a0e10bed56

SHA256

efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

SHA512

a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

Related Tasks

behavioral27

Target

good.exe

MD5

b034e2a7cd76b757b7c62ce514b378b4

Filesize

143KB

Score

10 ^/10

SHA1

27d15f36cb5e3338a19a7f6441ece58439f830f2

SHA256

90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

SHA512

1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

Tags

phorphiex evasion loader persistence trojan upx worm

Signatures

Phorphiex Worm

Description

Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

Tags

worm trojan loader phorphiex
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Executes dropped EXE
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral28

Target

infected dot net installer.exe

MD5

6eb2b081d12ad12c2ce50da34438651d

Filesize

1MB

Score

8 ^/10

SHA1

2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

SHA256

1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

SHA512

881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

Tags

persistence

Signatures

Executes dropped EXE
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral29

Target

oof.exe

MD5

0760d43d4adebe20fa0b5e5a7bca1714

Filesize

662KB

Score

1 ^/10

SHA1

a0a9dae5e9be39bca31021dd9cf565fcdefb8474

SHA256

8f9067f2bd4a374539a40fddb8915600c9fd6ba3e5db20cbddcb3c5f22d9da44

SHA512

7e60c2726711bb8e822375f93cfb9ced7d172f3f0ae07041cbeea8c4cdb45488d1de90ee77dfef52aa86722a5dcbe521d1affeace3aec8811e851f693d74ef77

Related Tasks

behavioral30

Target

ou55sg33s_1.exe

MD5

347d7700eb4a4537df6bb7492ca21702

Filesize

609KB

Score

10 ^/10

SHA1

983189dab4b523e19f8efd35eee4d7d43d84aca2

SHA256

a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8

SHA512

5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9

Tags

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

Signatures

AsyncRat

Description

AsyncRAT is designed to remotely monitor and control other computers.

Tags

rat asyncrat
Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
BetaBot

Description

Beta Bot is a Trojan that infects computers and disables Antivirus.

Tags

trojan backdoor botnet betabot
Contains code to disable Windows Defender

Description

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
ModiLoader, DBatLoader

Description

ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Tags

trojan modiloader
Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify Registry Modify Existing Service Disabling Security Tools
Modifies firewall policy service

Tags

evasion

TTPs

Modify Registry Modify Existing Service
Modifies security service

Tags

evasion

TTPs

Modify Registry Modify Existing Service
Oski

Description

Oski is an infostealer targeting browser data, crypto wallets.

Tags

infostealer oski
Raccoon

Description

Simple but powerful infostealer which was very active in 2019.

Tags

stealer raccoon
Remcos

Description

Remcos is a closed-source remote control and surveillance software.

Tags

rat remcos
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Async RAT payload

Tags

rat
ModiLoader First Stage
Disables taskbar notifications via registry modification

Tags

evasion
Disables use of System Restore points

Tags

evasion

TTPs

Inhibit System Recovery
Executes dropped EXE
Sets file execution options in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Sets service image path in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks BIOS information in registry

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks for any installed AV software in registry

TTPs

Security Software Discovery
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Drops desktop.ini file(s)
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral31

Target

update.exe

MD5

c5c8d4f5d9f26bac32d43854af721fb3

Filesize

11MB

Score

10 ^/10

SHA1

e4119a28baa102a28ff9b681f6bbb0275c9627c7

SHA256

3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

SHA512

09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

Tags

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware trojan upx

Signatures

Azorult

Description

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Tags

trojan infostealer azorult
Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify Registry Modify Existing Service Disabling Security Tools
Modifies visiblity of hidden/system files in Explorer

Tags

evasion

TTPs

Hidden Files and Directories Modify Registry
RMS

Description

Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

Tags

trojan rat rms
RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline
RedLine Payload
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
xmrig

Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Tags

miner xmrig
ACProtect 1.3x - 1.4x DLL software

Description

Detects file using ACProtect software.
Detected Stratum cryptominer command

Description

Looks to be attempting to contact Stratum mining pool.

Tags

miner
Grants admin privileges

Description

Uses net.exe to modify the user's privileges.

TTPs

Account Manipulation
XMRig Miner Payload

Tags

miner
ASPack v2.12-2.42

Description

Detects executables packed with ASPack v2.12-2.42

Tags

aspackv2
Blocks application from running via registry modification

Description

Adds application to list of disallowed applications.

Tags

evasion
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Sets DLL path for service in the registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Sets file to hidden

Description

Modifies file attributes to stop it showing in Explorer etc.

Tags

evasion

TTPs

Hidden Files and Directories
Stops running service(s)

Tags

evasion

TTPs

Modify Existing Service Service Stop
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Loads dropped DLL
Modifies file permissions

Tags

discovery

TTPs

File Permissions Modification
Reads data files stored by FTP clients

Description

Tries to access configuration files associated with programs like FileZilla.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of local email clients

Description

Email clients store some user data on disk where infostealers will often target it.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Legitimate hosting services abused for malware hosting/C2

TTPs

Web Service
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Modifies WinLogon

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Drops file in System32 directory

Related Tasks

behavioral32

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Bypass User Account Control

static1

upx

8^/10

behavioral2

smokeloader backdoor trojan

10^/10

behavioral4

agenttesla azorult plugx redline smokeloader tofsee xmrig backdoor bootkit discovery evasion infostealer keylogger macro miner persistence spyware stealer trojan upx vmprotect

10^/10

behavioral5

discovery persistence ransomware upx

10^/10

behavioral6

discovery persistence spyware

8^/10

behavioral7

3^/10

behavioral8

4^/10

behavioral9

azorult pony discovery evasion infostealer persistence rat spyware stealer trojan upx

10^/10

behavioral10

10^/10

behavioral11

smokeloader backdoor persistence trojan

10^/10

behavioral12

asyncrat azorult modiloader oski raccoon 5e4db353b88c002ba6466c06437973619aad03b3 discovery evasion infostealer rat spyware stealer trojan

10^/10

behavioral13

pony discovery persistence rat spyware stealer upx vmprotect

10^/10

behavioral14

azorult rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware trojan upx

10^/10

behavioral15

pony bootkit discovery evasion persistence rat rezer0 spyware stealer trojan upx

10^/10

behavioral16

8^/10

behavioral17

azorult smokeloader tofsee xmrig backdoor bootkit discovery evasion infostealer macro miner persistence spyware stealer trojan upx

10^/10

behavioral18

discovery evasion spyware trojan

8^/10

behavioral19

azorult plugx pony raccoon redline smokeloader tofsee vidar xmrig backdoor bootkit discovery evasion infostealer macro miner persistence ransomware rat spyware stealer trojan upx vmprotect xlm

10^/10

behavioral20

persistence spyware

10^/10

behavioral21

4^/10

behavioral22

vidar discovery spyware stealer

10^/10

behavioral23

makop persistence ransomware spyware

10^/10

behavioral24

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

10^/10

behavioral25

1^/10

behavioral26

buran persistence ransomware

10^/10

behavioral27

3^/10

behavioral28

phorphiex evasion loader persistence trojan upx worm

10^/10

behavioral29

persistence

8^/10

behavioral30

1^/10

behavioral31

asyncrat azorult betabot modiloader oski raccoon remcos 5e4db353b88c002ba6466c06437973619aad03b3 backdoor botnet discovery evasion infostealer persistence rat spyware stealer trojan

10^/10

behavioral32

azorult redline rms xmrig aspackv2 discovery evasion infostealer miner persistence rat spyware trojan upx

10^/10

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Tags

Signatures

AgentTesla

Description

Tags

CoreEntity .NET Packer

Description

Tags

Danabot

Description

Tags

Danabot x86 payload

Description

Tags

Dharma

Description

Tags

Formbook

Description

Tags

Gozi RM3

Description

Tags

Qakbot/Qbot

Description

Tags

AgentTesla Payload

CryptOne packer

Description

Tags

Formbook Payload

Tags

Looks for VirtualBox Guest Additions in registry

Tags

TTPs

rezer0

Description

Tags

Executes dropped EXE

Looks for VMWare Tools registry key

Tags

TTPs

Checks BIOS information in registry

Description

TTPs

Drops startup file

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Description

Tags

Adds Run key to start application

Tags

TTPs

Drops desktop.ini file(s)

Maps connected drives based on registry

Description

TTPs

Drops file in System32 directory