Overview

Static analysis score: 10/10
Behavioral tasks: 25, all on windows10_x64. Per-task score bars, in the order the report lists them: 8, 10, 10, 10, 10, 8, 3, 4, 10, 10, 10, 10, 9, 10, 8, 10, 10, 10, 3, 1, 3, 10, 8, 10, 1 (out of 10). Per-target scores, where captured, are repeated in the Targets section below.
General

Target: Downloads.rar
Size: 123MB
Sample: 201118-kq8b48qtnx
MD5: 1d12c2567abd6b5970caecc54226d137
SHA1: d6cb162d353f9fdb601836226005967eaedd9a47
SHA256: 1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97
SHA512: f0f1e7cee1d5f1e47fcbfb46723e3b7c327b407c2a956fe8a710efe8119b3396c230e1b0a18f6f91ee196784576a5a0c1e22548d4f4c78163dfff1a804ea02e8
Tasks

Static task: static1
Behavioral tasks (resource win10v20201028 for every task):
- behavioral1: 1.bin/1.bin.exe
- behavioral2: 2019-09-02_22-41-10.exe
- behavioral3: 31.exe
- behavioral4: 3DMark 11 Advanced Edition.exe
- behavioral5: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral6: CVE-2018-15982_PoC.swf
- behavioral7: CVWSHSetup[1].bin/WSHSetup[1].exe
- behavioral8: DiskInternals_Uneraser_v5_keygen.exe
- behavioral9: ForceOp 2.8.7 - By RaiSence.exe
- behavioral10: HYDRA.exe
- behavioral11: Keygen.exe
- behavioral12: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral13: LtHv0O2KZDK4M637.exe
- behavioral14: OnlineInstaller.exe
- behavioral15: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- behavioral16: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
- behavioral17: VyprVPN.exe
- behavioral18: WSHSetup[1].exe
- behavioral19: api.exe
- behavioral20: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- behavioral21: good.exe
- behavioral22: infected dot net installer.exe
- behavioral23: update.exe
- behavioral24: vir1.xls
- behavioral25: xNet.dll
Malware Config

Extracted: formbook
Version: 4.0
C2: http://www.worstig.com/w9z/
Decoy domains (Formbook contacts these alongside the real C2 to mask it; they are not necessarily malicious, so do not blocklist them wholesale): crazzysex.com hanferd.com gteesrd.com bayfrontbabyplace.com jicuiquan.net relationshiplink.net ohchacyberphoto.com kauegimenes.com powerful-seldom.com ketotoken.com make-money-online-success.com redgoldcollection.com hannan-football.com hamptondc.com vllii.com aa8520.com platform35markethall.com larozeimmo.com oligopoly.net llhak.info fisioservice.com tesla-magnumopus.com cocodrilodigital.com pinegrovesg.com traveladventureswithme.com hebitaixin.com golphysi.com gayjeans.com quickhire.expert randomviews1.com eatatnobu.com topmabati.com mediaupside.com spillerakademi.com thebowtie.store sensomaticloadcell.com turismodemadrid.net yuhe89.com wernerkrug.com cdpogo.net dannynhois.com realestatestructureddata.com matewhereareyou.net laimeibei.ltd sw328.com lmwworks.net xtremefish.com tonerias.com dsooneclinicianexpert.com 281clara.com smmcommunity.net dreamneeds.info twocraft.com yasasiite.salon advk8qi.top drabist.com europartnersplus.com saltbgone.com teslaoceanic.info bestmedicationstore.com buynewcartab.live prospect.money viebrocks.com transportationhappy.com

Extracted: gozi_rm3
Attributes: exe_type loader

Extracted: gozi_rm3
Botnet: 86920224
C2: https://sibelikinciel.xyz
Attributes: build 300869; exe_type loader; server_id 12; url_path index.htm
rsa_pubkey.plain, serpent.plain: not captured on this page

Extracted: formbook
Version: 4.1
C2: http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/
Decoy domains (same caveat as above): mytakeawaybox.com goutaihuo.com kuzey.site uppertenpiercings.amsterdam honeygrandpa.com jenniferabramslaw.com ncarian.com heavilymeditatedhouston.com gsbjyzx.com akisanblog.com taoyuanreed.com jasperrvservices.com yabbanet.com myhealthfuldiet.com flipdigitalcoins.com toes.photos shoottillyoumiss.com maserental.com smarteacher.net hamdimagdeco.com wuxifanggang.com alamediationtraining.com vfoe.team kms-sp.com gfidevfight.net anomadbackpacker.com 21oms.us australianseniorpreneur.com valuereceipt.com superbetbahis.com rsrgoup.com hoidonghuongkimson.com parmedpharma.com discoveryoverload.com livetv247.win jepekha.com 6o5ttvst.biz netcorrespondents.com cscycorp.com emonkeygraphics.com tillyaeva-lola.news dgx9.com jiucai5.com justwoodsouthern.com dentalexpertstraining.com amazoncarpet.com xsxnet.net androidaso.com jinhucai.com wellnessitaly.store clashrayalefreebies.com wxvbill.com quantun.network allnaturalcbdshampton.com mobo.technology livinglifeawakened.com canliarkadas.net littlealohadaycare.com wendyoei.com kaz.site puremind.info queenscrossingneurosurgery.com theworldexams.com taptrips.com

Extracted: danabot
C2: 92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247
rsa_pubkey.plain: not captured on this page

Extracted: qakbot
Version: 324.141
Botnet: spx129
Campaign: 1590734339 (Unix timestamp, 2020-05-29 UTC)
C2 (host:port; note the non-standard ports and the malformed entry 72.179.242.236:0): 94.10.81.239:443 94.52.160.116:443 67.0.74.119:443 175.137.136.79:443 73.232.165.200:995 79.119.67.149:443 62.38.111.70:2222 108.58.9.238:993 216.110.249.252:2222 67.209.195.198:3389 84.247.55.190:443 96.37.137.42:443 94.176.220.76:2222 173.245.152.231:443 96.227.122.123:443 188.192.75.8:995 24.229.245.124:995 71.163.225.75:443 75.71.77.59:443 104.36.135.227:443 173.173.77.164:443 207.255.161.8:2222 68.39.177.147:995 178.193.33.121:2222 72.209.191.27:443 67.165.206.193:995 64.19.74.29:995 117.199.195.112:443 75.87.161.32:995 188.173.214.88:443 173.22.120.11:2222 96.41.93.96:443 86.125.210.26:443 24.10.42.174:443 47.201.1.210:443 69.92.54.95:995 24.202.42.48:2222 47.205.231.60:443 66.26.160.37:443 65.131.44.40:995 24.110.96.149:443 108.58.9.238:443 77.159.149.74:443 74.56.167.31:443 75.137.239.211:443 47.153.115.154:995 173.172.205.216:443 184.98.104.7:995 24.46.40.189:2222 98.115.138.61:443 35.142.12.163:2222 189.231.198.212:443 47.146.169.85:443 173.21.10.71:2222 24.42.14.241:443 188.27.6.170:443 89.137.77.237:443 5.13.99.38:995 93.113.90.128:443 72.179.242.236:0 73.210.114.187:443 80.240.26.178:443 85.186.141.62:995 81.103.144.77:443 98.4.227.199:443 24.122.228.88:443 150.143.128.70:2222 47.153.115.154:443 65.116.179.83:443 50.29.181.193:995 189.140.112.184:443 142.129.227.86:443 74.134.46.7:443 220.135.31.140:2222 172.78.87.180:443 24.201.79.208:2078 97.127.144.203:2222 100.4.173.223:443 59.124.10.133:443 89.43.108.19:443 216.163.4.91:443 67.83.54.76:2222 72.204.242.138:443 24.43.22.220:995 67.250.184.157:443 78.97.145.242:443 203.198.96.239:443 104.174.71.153:2222 24.28.183.107:995 197.160.20.211:443 79.117.161.67:21 82.76.239.193:443 69.246.151.5:443 78.96.192.26:443 216.201.162.158:995 108.21.107.203:443 107.2.148.99:443 189.236.218.181:443 75.110.250.89:443 211.24.72.253:443 207.255.161.8:443 162.154.223.73:443 50.104.186.71:443 100.38.123.22:443 96.18.240.158:443 108.183.200.239:443 173.187.170.190:443 100.40.48.96:443 71.80.66.107:443 67.197.97.144:443 69.28.222.54:443 47.136.224.60:443 47.202.98.230:443 184.180.157.203:2222 104.221.4.11:2222 70.173.46.139:443 213.67.45.195:2222 71.31.160.43:22 189.159.113.190:995 98.148.177.77:443 98.116.62.242:443 68.4.137.211:443 108.227.161.27:995 173.187.103.35:443 117.216.185.86:443 75.132.35.60:443 98.219.77.197:443 24.43.22.220:443 207.255.161.8:2087 72.190.101.70:443 189.160.217.221:443 207.255.161.8:32102 24.226.137.154:443 66.222.88.126:995 108.58.9.238:995 1.40.42.4:443 47.152.210.233:443 72.45.14.185:443 82.127.193.151:2222 101.108.113.6:443 98.13.0.128:443 175.111.128.234:995 175.111.128.234:443 216.137.140.236:2222 24.191.214.43:2083 72.177.157.217:443 72.29.181.77:2078 203.106.195.139:443 98.114.185.3:443

Extracted: ransom note
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom note text:
YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails: Bit_decrypt@protonmail.com

Extracted: smokeloader
Version: 2019
C2: http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ http://10022020newfolder1002002131-service1002.space/ http://10022020newfolder1002002231-service1002.space/ http://10022020newfolder3100231-service1002.space/ http://10022020newfolder1002002431-service1002.space/ http://10022020newfolder1002002531-service1002.space/ http://10022020newfolder33417-01242510022020.space/ http://10022020test125831-service1002012510022020.space/ http://10022020test136831-service1002012510022020.space/ http://10022020test147831-service1002012510022020.space/ http://10022020test146831-service1002012510022020.space/ http://10022020test134831-service1002012510022020.space/ http://10022020est213531-service100201242510022020.ru/ http://10022020yes1t3481-service1002012510022020.ru/ http://10022020test13561-service1002012510022020.su/ http://10022020test14781-service1002012510022020.info/ http://10022020test13461-service1002012510022020.net/ http://10022020test15671-service1002012510022020.tech/ http://10022020test12671-service1002012510022020.online/ http://10022020utest1341-service1002012510022020.ru/ http://10022020uest71-service100201dom2510022020.ru/ http://10022020test61-service1002012510022020.website/ http://10022020test51-service1002012510022020.xyz/ http://10022020test41-service100201pro2510022020.ru/ http://10022020yest31-service100201rus2510022020.ru/ http://10022020rest21-service1002012510022020.eu/ http://10022020test11-service1002012510022020.press/ http://10022020newfolder4561-service1002012510022020.ru/ http://10022020rustest213-service1002012510022020.ru/ http://10022020test281-service1002012510022020.ru/ http://10022020test261-service1002012510022020.space/ http://10022020yomtest251-service1002012510022020.ru/ http://10022020yirtest231-service1002012510022020.ru/
rc4.i32 (four entries): not captured on this page

Extracted: azorult
C2: http://kvaka.li/1210776429.php http://195.245.112.115/index.php

Extracted: smokeloader
Version: 2020
C2: http://naritouzina.net/ http://nukaraguasleep.net/ http://notfortuaj.net/ http://natuturalistic.net/ http://zaniolofusa.net/
rc4.i32 (two entries): not captured on this page

Extracted: redline
Botnet: NEW_YEAR_BTC
C2: 86.105.252.12:35200

Extracted: smokeloader
Version: 2017
C2: http://92.53.105.14/

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://rbcxvnb.ug/zxcvb.exe; exe.dropper http://rbcxvnb.ug/zxcvb.exe

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://bit.do/fqhJv; exe.dropper http://bit.do/fqhJv

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://zxvbcrt.ug/zxcvb.exe; exe.dropper http://zxvbcrt.ug/zxcvb.exe

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://pdshcjvnv.ug/zxcvb.exe; exe.dropper http://pdshcjvnv.ug/zxcvb.exe

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://bit.do/fqhHT; exe.dropper http://bit.do/fqhHT

Extracted: PowerShell dropper (language ps1; source script not captured on this page)
URLs: ps1.dropper http://bit.do/fqhJD; exe.dropper http://bit.do/fqhJD

Extracted: raccoon
Botnet: 5e4db353b88c002ba6466c06437973619aad03b3
Attributes: url4cnc https://telete.in/brikitiki
rc4.plain (two entries): not captured on this page

Extracted: asyncrat
Version: 0.5.7B
C2: agentttt.ac.ug:6970 agentpurple.ac.ug:6970
Attributes: aes_key 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr; anti_detection false; autorun false; bdos false; delay Default; host agentttt.ac.ug,agentpurple.ac.ug; hwid 3; install_file (empty); install_folder %AppData%; mutex AsyncMutex_6SI8OkPnk; pastebin_config null; port 6970; version 0.5.7B
aes.plain: not captured on this page

Extracted: remcos
C2: taenaia.ac.ug:6969 agentpapple.ac.ug:6969

Extracted credentials (taken from sample configuration):
- Protocol: ftp; Host: 109.248.203.81; Port: 21; Username: alex; Password: easypassword
- Protocol: ftp; Host: 45.141.184.35; Port: 21; Username: alex; Password: easypassword
- Protocol: ftp; Host: 109.248.203.91; Port: 21; Username: alex; Password: easypassword
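The C2 cells above mix three forms (full URLs, bare IPs, and host:port pairs), and the qakbot list includes non-standard ports (21, 22, 2222, 3389, 32102) plus one entry with port 0, so a blocklist cannot simply assume "IP on 443". The following Python is an added example, not part of the sandbox report or its export format: it normalizes such cells into typed indicators, drops the port-0 entry, and routes hosts on legitimate services the report tags as abused (bit.do, telete.in; an assumed list) into a review set instead of a domain blocklist. SAMPLE_CONFIGS is a constructed subset of the values listed above, not a complete indicator set.

```python
"""Normalize sandbox 'Malware Config' C2 cells into typed, deduplicated indicators.

Added example, not the sandbox's own export. SAMPLE_CONFIGS is a constructed
subset of the C2 values in this report; IPv6 literals are not handled (none appear).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hosts the report tags as legitimate services abused for delivery/C2 (assumed list):
# block these by full URL after review, never by domain.
ABUSED_SERVICES = {"bit.do", "telete.in"}


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str            # "ipv4", "domain" or "url"
    value: str
    port: Optional[int]  # only for host:port entries
    abused_service: bool


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _host_indicator(family: str, host: str, port: Optional[int]) -> Indicator:
    kind = "ipv4" if _is_ipv4(host) else "domain"
    return Indicator(family, kind, host, port, host in ABUSED_SERVICES)


def parse_c2_field(family: str, raw: str) -> List[Indicator]:
    """Split a space-separated C2 cell (URLs, host:port pairs, bare hosts) into indicators."""
    out: List[Indicator] = []
    for tok in raw.split():
        if "://" in tok:                      # URL: keep it, plus its host for DNS/IP blocking
            host = (urlsplit(tok).hostname or "").lower()
            out.append(Indicator(family, "url", tok, None, host in ABUSED_SERVICES))
            out.append(_host_indicator(family, host, None))
            continue
        host, sep, port_s = tok.rpartition(":")
        if sep and port_s.isdigit():
            port = int(port_s)
            if not 1 <= port <= 65535:        # e.g. the qakbot entry 72.179.242.236:0:
                continue                      # port 0 is not a reachable endpoint, drop it
            out.append(_host_indicator(family, host, port))
        else:
            out.append(_host_indicator(family, tok, None))
    return out


def build_blocklists(configs: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Dedupe indicators across families; abused-service hits land in 'review' instead."""
    lists: Dict[str, Set[str]] = {"ipv4": set(), "domain": set(), "url": set(), "review": set()}
    for family, raw in configs:
        for ind in parse_c2_field(family, raw):
            lists["review" if ind.abused_service else ind.kind].add(ind.value)
    return lists


# Constructed subset of the C2 values listed in this report's Malware Config section.
SAMPLE_CONFIGS: List[Tuple[str, str]] = [
    ("formbook", "http://www.worstig.com/w9z/"),
    ("gozi_rm3", "https://sibelikinciel.xyz"),
    ("danabot", "92.204.160.54 2.56.213.179"),
    ("qakbot", "94.10.81.239:443 72.179.242.236:0 108.58.9.238:443 108.58.9.238:995"),
    ("redline", "86.105.252.12:35200"),
    ("asyncrat", "agentttt.ac.ug:6970 agentpurple.ac.ug:6970"),
    ("ps1.dropper", "http://bit.do/fqhJv http://rbcxvnb.ug/zxcvb.exe"),
    ("raccoon", "https://telete.in/brikitiki"),
]

if __name__ == "__main__":
    for kind, values in build_blocklists(SAMPLE_CONFIGS).items():
        print(kind, sorted(values))
```

The per-indicator `port` is kept on the parsed records (the same qakbot IP appears on 443, 993 and 995) so that a firewall rule can be written per port, while the deduplicated sets collapse to one entry per host for DNS and IP blocklists.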
Targets

Target: 1.bin/1.bin
Size: 12MB
MD5: af8e86c5d4198549f6375df9378f983c
SHA1: 7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256: 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
SHA512: 137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET packer: a .NET packer, CoreEntity, that embeds its payload as a Bitmap object and decrypts it at run time.
- Danabot x86 payload: the Danabot x86 payload was detected mapped into memory while its loader executed.
- Dharma: Dharma is a ransomware family that uses security software installation to hide its malicious activity.
- AgentTesla payload
- Formbook payload
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read to detect sandbox environments.
- Checks QEMU agent file: checks for the QEMU guest agent, possibly to detect virtualization.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects the Agile.Net commercial obfuscator, which can rename entities and obfuscate control flow.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry: disk information is often read to detect sandbox environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: 2019-09-02_22-41-10.exe
Size: 251KB
MD5: 924aa6c26f6f43e0893a40728eac3b32
SHA1: baa9b4c895b09d315ed747b3bd087f4583aa84fc
SHA256: 30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
SHA512: 3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
Score: 10/10
Signatures:
- Loads dropped DLL
- Suspicious use of SetThreadContext

Target: 31.exe
Size: 12MB
MD5: af8e86c5d4198549f6375df9378f983c
SHA1: 7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256: 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
SHA512: 137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Note: byte-identical to 1.bin/1.bin (all four hashes match); the archive carries the same file under two names, so the signatures below are a second run of the same sample.
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET packer: a .NET packer, CoreEntity, that embeds its payload as a Bitmap object and decrypts it at run time.
- Danabot x86 payload: the Danabot x86 payload was detected mapped into memory while its loader executed.
- Dharma: Dharma is a ransomware family that uses security software installation to hide its malicious activity.
- AgentTesla payload
- Formbook payload
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read to detect sandbox environments.
- Checks QEMU agent file: checks for the QEMU guest agent, possibly to detect virtualization.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects the Agile.Net commercial obfuscator, which can rename entities and obfuscate control flow.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry: disk information is often read to detect sandbox environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: 3DMark 11 Advanced Edition.exe
Size: 11MB
MD5: 236d7524027dbce337c671906c9fe10b
SHA1: 7d345aa201b50273176ae0ec7324739d882da32e
SHA256: 400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
SHA512: e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- RedLine: RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- Nirsoft
- XMRig miner payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence below the operating system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: Archive.zip__ccacaxs2tbz2t6ob3e.exe
Size: 430KB
MD5: a3cab1a43ff58b41f61f8ea32319386b
SHA1: 94689e1a9e1503f1082b23e6d5984d4587f3b9ec
SHA256: 005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
SHA512: 8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
Score: 8/10
Signatures:
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory

Target: CVE-2018-15982_PoC.swf
Size: 12KB
MD5: 82fe94beb621a4368e76aa4a51998c00
SHA1: b7c79b8f05c3d998e21d01b07b9ba157160581a9
SHA256: c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb
SHA512: 055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27
Score: 3/10
Note: a low score for a standalone .swf only says that nothing notable happened when the file was opened in this environment. CVE-2018-15982 is an Adobe Flash Player vulnerability, so the proof of concept needs a vulnerable Flash Player host to do anything; the score is not evidence that the file is harmless.

Target: CVWSHSetup[1].bin/WSHSetup[1].exe
Size: 898KB
MD5: cb2b4cd74c7b57a12bd822a168e4e608
SHA1: f2182062719f0537071545b77ca75f39c2922bf5
SHA256: 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
SHA512: 7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
Score: 4/10

Target: DiskInternals_Uneraser_v5_keygen.exe
Size: 12MB
MD5: 17c4b227deaa34d22dd0addfb0034e04
SHA1: 0cf926384df162bc88ae7c97d1b1b9523ac6b88c
SHA256: a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e
SHA512: 691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read to detect sandbox environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Identifies Wine through registry keys: Wine is a compatibility layer that runs Windows applications and can serve as a sandbox environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: ForceOp 2.8.7 - By RaiSence.exe
Size: 1MB
MD5: 0a88ebdd3ae5ab0b006d4eaa2f5bc4b2
SHA1: 6bf1215ac7b1fde54442a9d075c84544b6e80d50
SHA256: 26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680
SHA512: 54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37
Score: 10/10
Signatures:
- DcRat: DarkCrystal (DC) RAT is a .NET RAT active since June 2019 that can load additional plugins.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE

Target: HYDRA.exe
Size: 2MB
MD5: c52bc39684c52886712971a92f339b23
SHA1: c5cb39850affb7ed322bfb0a4900e17c54f95a11
SHA256: f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
SHA512: 2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read to detect sandbox environments.

Target: Keygen.exe
Size: 849KB
MD5: dbde61502c5c0e17ebc6919f361c32b9
SHA1: 189749cf0b66a9f560b68861f98c22cdbcafc566
SHA256: 88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
SHA512: d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- Contains code to disable Windows Defender: a .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that abuses cloud services to download other malware families.
- Async RAT payload
- ModiLoader first stage
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Size: 13MB
MD5: 48c356e14b98fb905a36164e28277ae5
SHA1: d7630bd683af02de03aebc8314862c512acd5656
SHA256: b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
SHA512: 278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b
Signatures:
- Nirsoft
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: LtHv0O2KZDK4M637.exe
Size: 10MB
MD5: 5e25abc3a3ad181d2213e47fa36c4a37
SHA1: ba365097003860c8fb9d332f377e2f8103d220e0
SHA256: 3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
SHA512: 676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- Modifies visibility of hidden/system files in Explorer
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with ACProtect.
- Grants admin privileges: uses net.exe to modify the user's privileges.
- XMRig miner payload
- Blocks application from running via registry modification: adds an application to the list of disallowed applications.
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Registers new Print Monitor
- Sets DLL path for service in the registry
- Stops running service(s)
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon

Target: OnlineInstaller.exe
Size: 3MB
MD5: 4b042bfd9c11ab6a3fb78fa5c34f55d0
SHA1: b0f506640c205d3fbcfe90bde81e49934b870eab
SHA256: 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
SHA512: dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3
Score: 8/10
Signatures:
- Drops file in Drivers directory
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in System32 directory

Target: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Size: 9MB
MD5: edcc1a529ea8d2c51592d412d23c057e
SHA1: 1d62d278fe69be7e3dde9ae96cc7e6a0fa960331
SHA256: 970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d
SHA512: c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Size: 10MB
MD5: 8103aad9a6f5ee1fb4f764fc5782822a
SHA1: 4fb4f963243d7cb65394e59de787aebe020b654c
SHA256: 4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40
SHA512: e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- RedLine: RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- Nirsoft
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: VyprVPN.exe
Size: 1MB
MD5: f1d5f022e71b8bc9e3241fbb72e87be2
SHA1: 1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
SHA256: 08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
SHA512: f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: WSHSetup[1].exe
Size: 898KB
MD5: cb2b4cd74c7b57a12bd822a168e4e608
SHA1: f2182062719f0537071545b77ca75f39c2922bf5
SHA256: 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
SHA512: 7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
Score: 3/10
Note: byte-identical to CVWSHSetup[1].bin/WSHSetup[1].exe (all four hashes match), which scored 4/10 in its own run. The same sample scoring differently across two runs is a reminder that a behavioural score is a summary of what was observed in that run, not a deterministic verdict.

Target: api.exe
Size: 22MB
MD5: 3561a1c35184a0b60b89f4b560a9660d
SHA1: e39442388db90a088a8eb8ce46d4f61182334a1b
SHA256: 3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1
SHA512: 7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75
Score: 1/10

Target: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Size: 920KB
MD5: 4339e3b6d6cf2603cc780e8e032e82f6
SHA1: 195c244a037815ec13d469e3b28e62a0e10bed56
SHA256: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
SHA512: a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87
Score: 3/10

Target: good.exe
Size: 143KB
MD5: b034e2a7cd76b757b7c62ce514b378b4
SHA1: 27d15f36cb5e3338a19a7f6441ece58439f830f2
SHA256: 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
SHA512: 1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
Signatures:
- Executes dropped EXE
- Adds Run key to start application

Target: infected dot net installer.ex
Size: 1MB
MD5: 6eb2b081d12ad12c2ce50da34438651d
SHA1: 2092c0733ec3a3c514568b6009ee53b9d2ad8dc4
SHA256: 1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104
SHA512: 881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b
Score: 8/10
Signatures:
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application

Target: update.exe
Size: 11MB
MD5: c5c8d4f5d9f26bac32d43854af721fb3
SHA1: e4119a28baa102a28ff9b681f6bbb0275c9627c7
SHA256: 3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
SHA512: 09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
Signatures:
- Azorult: an information stealer first seen in 2016, targeting browsing history and passwords.
- Modifies visibility of hidden/system files in Explorer
- RedLine: RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- ACProtect 1.3x - 1.4x DLL software: detects a file protected with ACProtect.
- Grants admin privileges: uses net.exe to modify the user's privileges.
- XMRig miner payload
- Blocks application from running via registry modification: adds an application to the list of disallowed applications.
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Sets DLL path for service in the registry
- Stops running service(s)
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
- Drops file in System32 directory

Target: vir1.xls
Size: 303KB
MD5: f5ec41ec42ebdec9404692dde8fb9d15
SHA1: 39f10e1ea5153fa70be025a2d392dcf62966412e
SHA256: 7a5d5f4ceb3c815d6fb882777d0859b9757e27edd5a95eb1c2b88dc438d09c92
SHA512: 359fddc66f069137e030d2a039ddcfc76ab0e22769ff58f3a0571bae81fb94f87aed23c995eeab545c578e065339f3c1ea2b0623d33835f44054672f717f9952
Score: 1/10
Note: 1/10 for a spreadsheet records no observed behaviour in this run, not a clean file; a macro or script payload that never executes (macros not enabled, no suitable host application) leaves no behavioural trace, so static inspection of the document is still warranted.

Target: xNet.dll
Size: 99KB
MD5: bf1f76644bddd20339548ebacf7a48eb
SHA1: 38114702114105eb3df3f74bf4c68ef7db436f47
SHA256: 5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2
SHA512: 76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5
Score: 1/10
Note: a DLL submitted on its own only exercises whatever the sandbox's loader happens to call, so a 1/10 here is absence of observed behaviour rather than a verdict; the DLL's role is better judged from the process that loads it.
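Several targets above share the same persistence signatures: "Adds Run key to start application", "Modifies WinLogon", "Registers new Print Monitor", "Sets DLL path for service in the registry", "Sets service image path in registry" and "Drops startup file" (the Dharma ransom note lands as Info.hta in the Startup folder). The Python below is an added example, not part of this report or of the sandbox: it hunts those artifacts in the text of a `reg export` dump and a Startup-folder listing, the way an incident responder would triage a host that ran one of these samples. The baseline values (default Winlogon Shell/Userinit, stock print-monitor DLLs, trusted install roots) are assumptions for a default Windows 10 install; SAMPLE_EXPORT and SAMPLE_STARTUP are constructed, and every path, value name and file name in them is illustrative.

```python
"""Hunt persistence artifacts named by this report's signatures in a `reg export` text dump.
Added example, not Triage output: decode the UTF-16 export first, then pass its text plus a
Startup-folder listing. SAMPLE_EXPORT/SAMPLE_STARTUP are constructed; all names/paths are illustrative."""
import re
from typing import Dict, List, Tuple

# Assumed baseline for a default Windows 10 install; extend for your own estate.
DEFAULT_WINLOGON = {"shell": "explorer.exe", "userinit": "c:\\windows\\system32\\userinit.exe,"}
DEFAULT_MONITOR_DLLS = {"localspl.dll", "usbmon.dll", "tcpmon.dll", "wsdmon.dll", "fxsmon.dll", "lprmon.dll"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
STARTUP_EXTS = (".hta", ".vbs", ".js", ".jse", ".wsf", ".exe", ".bat", ".cmd", ".ps1")
_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^(?:"([^"]+)"|(@))=(?:"(.*)"|(.+))$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key_path: {value_name: value}} for REG_SZ and REG_EXPAND_SZ (hex(2), UTF-16LE) values."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\") and not line.startswith("["):  # hex value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if (m := _KEY.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VAL.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            if m.group(3) is not None:  # quoted REG_SZ: unescape \" and \\
                keys[current][name] = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
            elif m.group(4).startswith("hex(2):"):
                data = bytes(int(b, 16) for b in m.group(4).split(":", 1)[1].split(",") if b)
                keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
    return keys  # dword/binary values carry no launch path and are skipped


def _untrusted(path: str) -> bool:
    """True when a launch path (possibly quoted, with arguments) resolves outside Windows/Program Files."""
    p = path.lower().lstrip('"').replace("%systemroot%", "c:\\windows").replace("\\systemroot\\", "c:\\windows\\")
    if p.startswith("system32\\"):  # driver-style relative ImagePath
        p = "c:\\windows\\" + p
    return not p.startswith(TRUSTED_ROOTS)


def hunt_persistence(keys: Dict[str, Dict[str, str]], startup_files: List[str]) -> List[Tuple[str, str, str]]:
    """Return (category, location, value) for every suspicious artifact."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            hits += [("run_key", f"{key}\\{n}", v) for n, v in values.items() if _untrusted(v)]
        elif k.endswith("\\windows nt\\currentversion\\winlogon"):
            for n, v in values.items():
                expected = DEFAULT_WINLOGON.get(n.lower())
                if expected is not None and v.lower() != expected:
                    hits.append(("winlogon", f"{key}\\{n}", v))
        elif "\\control\\print\\monitors\\" in k:  # by DLL name: a path check alone passes a drop into System32
            drv = values.get("Driver", "")
            if drv and drv.lower().rsplit("\\", 1)[-1] not in DEFAULT_MONITOR_DLLS:
                hits.append(("print_monitor", key, drv))
        elif "\\currentcontrolset\\services\\" in k:
            for n in ("ImagePath", "ServiceDll"):
                if n in values and _untrusted(values[n]):
                    hits.append(("service", f"{key}\\{n}", values[n]))
    for f in startup_files:
        if STARTUP_DIR in f.lower() and f.lower().endswith(STARTUP_EXTS):
            hits.append(("startup_folder", f, ""))
    return hits


SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SysHelper"="C:\\Users\\Admin\\AppData\\Roaming\\syshelper.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\wlogon.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard Monitor]
"Driver"="C:\\Windows\\System32\\prnmon32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,\
  73,00,74,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSvcHost]
"ImagePath"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" -k"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetHelper\Parameters]
"ServiceDll"="C:\\Users\\Admin\\AppData\\Roaming\\nethelper.dll"
'''
SAMPLE_STARTUP = [  # constructed listing; Info.hta mirrors the ransom-note path in this report
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]


def run_sample() -> List[Tuple[str, str, str]]:
    return hunt_persistence(parse_reg_export(SAMPLE_EXPORT), SAMPLE_STARTUP)
```

The print-monitor check compares the DLL name against the stock set rather than its path, because the same samples also "drop file in System32 directory" and a path rule would wave a monitor DLL planted there straight through; the Run, Winlogon and service checks are path-based, so pair them with hash or signature checks on anything that does land under Windows or Program Files. REG_EXPAND_SZ values (the normal type for a service ImagePath) are exported as `hex(2):` UTF-16LE byte lists that may span several lines; the parser reassembles and decodes them so that `%SystemRoot%` launch paths are not misread as suspicious.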
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (the per-technique cells of the matrix were not captured on this page).