Downloads.rar

General
Target

Downloads.rar

Size

123MB

Sample

201118-kq8b48qtnx

Score
10 /10
MD5

1d12c2567abd6b5970caecc54226d137

SHA1

d6cb162d353f9fdb601836226005967eaedd9a47

SHA256

1bf6d14c4b5f59aa30882f4aa25e9e9d703dac905a785fe020ff667600e5fc97

SHA512

f0f1e7cee1d5f1e47fcbfb46723e3b7c327b407c2a956fe8a710efe8119b3396c230e1b0a18f6f91ee196784576a5a0c1e22548d4f4c78163dfff1a804ea02e8

Malware Config

Extracted

Family formbook
Version 4.0
C2

http://www.worstig.com/w9z/
Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family gozi_rm3
Attributes
exe_type
loader

Extracted

Family gozi_rm3
Botnet 86920224
C2

https://sibelikinciel.xyz
Attributes
build
300869
exe_type
loader
server_id
12
url_path
index.htm
rsa_pubkey.plain
serpent.plain

Extracted

Family formbook
Version 4.1
C2

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/
Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

wuxifanggang.com

alamediationtraining.com

vfoe.team

kms-sp.com

gfidevfight.net

anomadbackpacker.com

21oms.us

australianseniorpreneur.com

valuereceipt.com

superbetbahis.com

rsrgoup.com

hoidonghuongkimson.com

parmedpharma.com

discoveryoverload.com

livetv247.win

jepekha.com

6o5ttvst.biz

netcorrespondents.com

cscycorp.com

emonkeygraphics.com

tillyaeva-lola.news

dgx9.com

jiucai5.com

justwoodsouthern.com

dentalexpertstraining.com

amazoncarpet.com

xsxnet.net

androidaso.com

jinhucai.com

wellnessitaly.store

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247
rsa_pubkey.plain

Extracted

Family qakbot
Version 324.141
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Extracted

Path C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

Bit_decrypt@protonmail.com

Extracted

Family smokeloader
Version 2019
C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

http://10022020test61-service1002012510022020.website/

http://10022020test51-service1002012510022020.xyz/

http://10022020test41-service100201pro2510022020.ru/

http://10022020yest31-service100201rus2510022020.ru/

http://10022020rest21-service1002012510022020.eu/

http://10022020test11-service1002012510022020.press/

http://10022020newfolder4561-service1002012510022020.ru/

http://10022020rustest213-service1002012510022020.ru/

http://10022020test281-service1002012510022020.ru/

http://10022020test261-service1002012510022020.space/

http://10022020yomtest251-service1002012510022020.ru/

http://10022020yirtest231-service1002012510022020.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family azorult
C2

http://kvaka.li/1210776429.php

http://195.245.112.115/index.php

Extracted

Family smokeloader
Version 2020
C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/
rc4.i32
rc4.i32

Extracted

Family redline
Botnet NEW_YEAR_BTC
C2

86.105.252.12:35200

Extracted

Family smokeloader
Version 2017
C2

http://92.53.105.14/

Extracted

Language ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

 exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv

 exe.dropper

http://bit.do/fqhJv

Extracted

Language ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

 exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

 exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT

 exe.dropper

http://bit.do/fqhHT

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD

 exe.dropper

http://bit.do/fqhJD

Extracted

Family raccoon
Botnet 5e4db353b88c002ba6466c06437973619aad03b3
Attributes
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain

Extracted

Family asyncrat
Version 0.5.7B
C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970
Attributes
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B
aes.plain

Extracted

Family remcos
C2

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Extracted

Credentials

Protocol: ftp

Host: 45.141.184.35

Port: 21

Username: alex

Password: easypassword

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.91

Port: 21

Username: alex

Password: easypassword
Targets
Target

1.bin/1.bin

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score
10 /10
SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    Tags

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot x86 payload

    Description

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    Tags

  • Dharma

    Description

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    Tags

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Gozi RM3

    Description

    A heavily modified version of Gozi using RM3 loader.

    Tags

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • AgentTesla Payload

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Formbook Payload

    Tags

  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery

  • Checks QEMU agent file

    Description

    Checks presence of QEMU agent, possibly to detect virtualization.

    TTPs

    Query Registry System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1
Target

2019-09-02_22-41-10.exe

MD5

924aa6c26f6f43e0893a40728eac3b32

Filesize

251KB

Score
10 /10
SHA1

baa9b4c895b09d315ed747b3bd087f4583aa84fc

SHA256

30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

SHA512

3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

behavioral2
Target

31.exe

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score
10 /10
SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    Tags

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot x86 payload

    Description

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    Tags

  • Dharma

    Description

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    Tags

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Gozi RM3

    Description

    A heavily modified version of Gozi using RM3 loader.

    Tags

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • AgentTesla Payload

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Formbook Payload

    Tags

  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery

  • Checks QEMU agent file

    Description

    Checks presence of QEMU agent, possibly to detect virtualization.

    TTPs

    Query Registry System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral3
Target

3DMark 11 Advanced Edition.exe

MD5

236d7524027dbce337c671906c9fe10b

Filesize

11MB

Score
10 /10
SHA1

7d345aa201b50273176ae0ec7324739d882da32e

SHA256

400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

SHA512

e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • PlugX

    Description

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • Nirsoft

  • XMRig Miner Payload

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Suspicious Office macro

    Description

    Office document equipped with 4.0 macros.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral4
Target

Archive.zip__ccacaxs2tbz2t6ob3e.exe

MD5

a3cab1a43ff58b41f61f8ea32319386b

Filesize

430KB

Score
8 /10
SHA1

94689e1a9e1503f1082b23e6d5984d4587f3b9ec

SHA256

005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

SHA512

8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

Tags

Signatures

  • Creates new service(s)

    Tags

    TTPs

    New Service

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

Related Tasks

behavioral5
Target

CVE-2018-15982_PoC.swf

MD5

82fe94beb621a4368e76aa4a51998c00

Filesize

12KB

Score
3 /10
SHA1

b7c79b8f05c3d998e21d01b07b9ba157160581a9

SHA256

c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

SHA512

055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

Related Tasks

behavioral6
Target

CVWSHSetup[1].bin/WSHSetup[1].exe

MD5

cb2b4cd74c7b57a12bd822a168e4e608

Filesize

898KB

Score
4 /10
SHA1

f2182062719f0537071545b77ca75f39c2922bf5

SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Related Tasks

behavioral7
Target

DiskInternals_Uneraser_v5_keygen.exe

MD5

17c4b227deaa34d22dd0addfb0034e04

Filesize

12MB

Score
10 /10
SHA1

0cf926384df162bc88ae7c97d1b1b9523ac6b88c

SHA256

a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

SHA512

691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery

  • Identifies Wine through registry keys

    Description

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral8
Target

ForceOp 2.8.7 - By RaiSence.exe

MD5

0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

Filesize

1MB

Score
10 /10
SHA1

6bf1215ac7b1fde54442a9d075c84544b6e80d50

SHA256

26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

SHA512

54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

Tags

Signatures

  • DcRat

    Description

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Executes dropped EXE

Related Tasks

behavioral9
Target

HYDRA.exe

MD5

c52bc39684c52886712971a92f339b23

Filesize

2MB

Score
10 /10
SHA1

c5cb39850affb7ed322bfb0a4900e17c54f95a11

SHA256

f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

SHA512

2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Executes dropped EXE

  • Drops startup file

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

Related Tasks

behavioral10
Target

Keygen.exe

MD5

dbde61502c5c0e17ebc6919f361c32b9

Filesize

849KB

Score
10 /10
SHA1

189749cf0b66a9f560b68861f98c22cdbcafc566

SHA256

88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

SHA512

d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

Tags

Signatures

  • AsyncRat

    Description

    AsyncRAT is designed to remotely monitor and control other computers.

    Tags

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Contains code to disable Windows Defender

    Description

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ModiLoader, DBatLoader

    Description

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools

  • Oski

    Description

    Oski is an infostealer targeting browser data, crypto wallets.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • Remcos

    Description

    Remcos is a closed-source remote control and surveillance software.

    Tags

  • Async RAT payload

    Tags

  • ModiLoader First Stage

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Windows security modification

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Drops desktop.ini file(s)

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral11
Target

Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe

MD5

48c356e14b98fb905a36164e28277ae5

Filesize

13MB

Score
9 /10
SHA1

d7630bd683af02de03aebc8314862c512acd5656

SHA256

b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

SHA512

278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

Tags

Signatures

  • Nirsoft

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral12
Target

LtHv0O2KZDK4M637.exe

MD5

5e25abc3a3ad181d2213e47fa36c4a37

Filesize

10MB

Score
10 /10
SHA1

ba365097003860c8fb9d332f377e2f8103d220e0

SHA256

3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

SHA512

676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools

  • Modifies visiblity of hidden/system files in Explorer

    Tags

    TTPs

    Hidden Files and Directories Modify Registry

  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    Tags

  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control Disabling Security Tools Modify Registry

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Description

    Looks to be attempting to contact Stratum mining pool.

    Tags

  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation

  • XMRig Miner Payload

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocks application from running via registry modification

    Description

    Adds application to list of disallowed applications.

    Tags

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Registers new Print Monitor

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    Tags

    TTPs

    Hidden Files and Directories

  • Stops running service(s)

    Tags

    TTPs

    Modify Existing Service Service Stop

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    Tags

    TTPs

    Winlogon Helper DLL Modify Registry

Related Tasks

behavioral13
Target

OnlineInstaller.exe

MD5

4b042bfd9c11ab6a3fb78fa5c34f55d0

Filesize

3MB

Score
8 /10
SHA1

b0f506640c205d3fbcfe90bde81e49934b870eab

SHA256

59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

SHA512

dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

Signatures

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery

  • Drops file in System32 directory

Related Tasks

behavioral14
Target

Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

MD5

edcc1a529ea8d2c51592d412d23c057e

Filesize

9MB

Score
10 /10
SHA1

1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

SHA256

970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

SHA512

c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Nirsoft

  • Executes dropped EXE

  • Suspicious Office macro

    Description

    Office document equipped with 4.0 macros.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral15
Target

Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

MD5

8103aad9a6f5ee1fb4f764fc5782822a

Filesize

10MB

Score
10 /10
SHA1

4fb4f963243d7cb65394e59de787aebe020b654c

SHA256

4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

SHA512

e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • PlugX

    Description

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Nirsoft

  • Creates new service(s)

    Tags

    TTPs

    New Service

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Suspicious Office macro

    Description

    Office document equipped with 4.0 macros.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral16
Target

VyprVPN.exe

MD5

f1d5f022e71b8bc9e3241fbb72e87be2

Filesize

1MB

Score
10 /10
SHA1

1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

SHA256

08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

SHA512

f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

Tags

Signatures

  • Modifies WinLogon for persistence

    Tags

    TTPs

    Winlogon Helper DLL Modify Registry

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral17
Target

WSHSetup[1].exe

MD5

cb2b4cd74c7b57a12bd822a168e4e608

Filesize

898KB

Score
3 /10
SHA1

f2182062719f0537071545b77ca75f39c2922bf5

SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Related Tasks

behavioral18
Target

api.exe

MD5

3561a1c35184a0b60b89f4b560a9660d

Filesize

22MB

Score
1 /10
SHA1

e39442388db90a088a8eb8ce46d4f61182334a1b

SHA256

3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1

SHA512

7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75

Related Tasks

behavioral19
Target

efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

MD5

4339e3b6d6cf2603cc780e8e032e82f6

Filesize

920KB

Score
3 /10
SHA1

195c244a037815ec13d469e3b28e62a0e10bed56

SHA256

efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

SHA512

a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

Related Tasks

behavioral20
Target

good.exe

MD5

b034e2a7cd76b757b7c62ce514b378b4

Filesize

143KB

Score
10 /10
SHA1

27d15f36cb5e3338a19a7f6441ece58439f830f2

SHA256

90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

SHA512

1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

Tags

Signatures

  • Phorphiex Worm

    Description

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Windows security modification

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral21
Target

infected dot net installer.exe

MD5

6eb2b081d12ad12c2ce50da34438651d

Filesize

1MB

Score
8 /10
SHA1

2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

SHA256

1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

SHA512

881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

Tags

Signatures

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery

  • Loads dropped DLL

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral22
Target

update.exe

MD5

c5c8d4f5d9f26bac32d43854af721fb3

Filesize

11MB

Score
10 /10
SHA1

e4119a28baa102a28ff9b681f6bbb0275c9627c7

SHA256

3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402

SHA512

09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools

  • Modifies visiblity of hidden/system files in Explorer

    Tags

    TTPs

    Hidden Files and Directories Modify Registry

  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects file using ACProtect software.

  • Detected Stratum cryptominer command

    Description

    Looks to be attempting to contact Stratum mining pool.

    Tags

  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation

  • XMRig Miner Payload

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocks application from running via registry modification

    Description

    Adds application to list of disallowed applications.

    Tags

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    Tags

    TTPs

    Hidden Files and Directories

  • Stops running service(s)

    Tags

    TTPs

    Modify Existing Service Service Stop

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    Tags

    TTPs

    Winlogon Helper DLL Modify Registry

  • Drops file in System32 directory

Related Tasks

behavioral23
Target

vir1.xls

MD5

f5ec41ec42ebdec9404692dde8fb9d15

Filesize

303KB

Score
1 /10
SHA1

39f10e1ea5153fa70be025a2d392dcf62966412e

SHA256

7a5d5f4ceb3c815d6fb882777d0859b9757e27edd5a95eb1c2b88dc438d09c92

SHA512

359fddc66f069137e030d2a039ddcfc76ab0e22769ff58f3a0571bae81fb94f87aed23c995eeab545c578e065339f3c1ea2b0623d33835f44054672f717f9952

Related Tasks

behavioral24
Target

xNet.dll

MD5

bf1f76644bddd20339548ebacf7a48eb

Filesize

99KB

Score
1 /10
SHA1

38114702114105eb3df3f74bf4c68ef7db436f47

SHA256

5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2

SHA512

76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5

Related Tasks

behavioral25
Tasks

static1

8/10

behavioral1

10/10

behavioral2

10/10

behavioral3

10/10

behavioral4

10/10

behavioral5

8/10

behavioral6

3/10

behavioral7

4/10

behavioral8

10/10

behavioral9

10/10

behavioral10

10/10

behavioral11

10/10

behavioral12

9/10

behavioral13

10/10

behavioral14

8/10

behavioral15

10/10

behavioral16

10/10

behavioral17

10/10

behavioral18

3/10

behavioral19

1/10

behavioral20

3/10

behavioral21

10/10

behavioral22

8/10

behavioral23

10/10

behavioral24

1/10

behavioral25

1/10