Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8Resubmissions
03-07-2024 16:04
240703-thygmaycpc 1001-07-2024 18:12
240701-ws6xvswbkj 1001-07-2024 18:03
240701-wm5sls1gka 1001-07-2024 18:03
240701-wm39sa1gjf 1001-07-2024 18:03
240701-wm2e7avhkj 1001-07-2024 18:03
240701-wmzxcs1fre 1001-07-2024 18:02
240701-wmzats1frc 1001-07-2024 18:02
240701-wmvbwa1fqh 1022-11-2023 17:02
231122-vkac9adg64 10General
-
Target
Downloads.rar
-
Size
154.7MB
-
Sample
201119-s41ec6lt86
-
MD5
f82e19eade5962a21f69504a854de42e
-
SHA1
2af264fdf337f13723e4f2d5ca4904e083db56ae
-
SHA256
1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f
-
SHA512
a7b0a23e8765d4f98edc6e912a75116584217ede98dd7fd81523b6d19cef4192135745efe52219bf198cab2b3a5f798b26331422c0a5da45f0b163a155e8092a
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v20201028
Behavioral task
behavioral6
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral19
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral28
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
watermark
305419896
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
azorult
http://195.245.112.115/index.php
http://kvaka.li/1210776429.php
Extracted
formbook
4.0
w9z
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
Extracted
gozi_rm3
-
exe_type
loader
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
formbook
4.1
i0qi
http://www.joomlas123.com/i0qi/
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
Extracted
formbook
4.1
app
http://www.norjax.com/app/
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
qakbot
324.141
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
173.173.77.164:443
207.255.161.8:2222
68.39.177.147:995
178.193.33.121:2222
72.209.191.27:443
67.165.206.193:995
64.19.74.29:995
117.199.195.112:443
75.87.161.32:995
188.173.214.88:443
173.22.120.11:2222
96.41.93.96:443
86.125.210.26:443
24.10.42.174:443
47.201.1.210:443
69.92.54.95:995
24.202.42.48:2222
47.205.231.60:443
66.26.160.37:443
65.131.44.40:995
24.110.96.149:443
108.58.9.238:443
77.159.149.74:443
74.56.167.31:443
75.137.239.211:443
47.153.115.154:995
173.172.205.216:443
184.98.104.7:995
24.46.40.189:2222
98.115.138.61:443
35.142.12.163:2222
189.231.198.212:443
47.146.169.85:443
173.21.10.71:2222
24.42.14.241:443
188.27.6.170:443
89.137.77.237:443
5.13.99.38:995
93.113.90.128:443
72.179.242.236:0
73.210.114.187:443
80.240.26.178:443
85.186.141.62:995
81.103.144.77:443
98.4.227.199:443
24.122.228.88:443
150.143.128.70:2222
47.153.115.154:443
65.116.179.83:443
50.29.181.193:995
189.140.112.184:443
142.129.227.86:443
74.134.46.7:443
220.135.31.140:2222
172.78.87.180:443
24.201.79.208:2078
97.127.144.203:2222
100.4.173.223:443
59.124.10.133:443
89.43.108.19:443
216.163.4.91:443
67.83.54.76:2222
72.204.242.138:443
24.43.22.220:995
67.250.184.157:443
78.97.145.242:443
203.198.96.239:443
104.174.71.153:2222
24.28.183.107:995
197.160.20.211:443
79.117.161.67:21
82.76.239.193:443
69.246.151.5:443
78.96.192.26:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
162.154.223.73:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
108.183.200.239:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
71.31.160.43:22
189.159.113.190:995
98.148.177.77:443
98.116.62.242:443
68.4.137.211:443
108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
75.132.35.60:443
98.219.77.197:443
24.43.22.220:443
207.255.161.8:2087
72.190.101.70:443
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
98.13.0.128:443
175.111.128.234:995
175.111.128.234:443
216.137.140.236:2222
24.191.214.43:2083
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
Protocol: smtp- Host:
mail.pro-powersourcing.com - Port:
587 - Username:
[email protected] - Password:
china1977
Extracted
smokeloader
2020
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
Extracted
warzonerat
sandyclark255.hopto.org:5200
Extracted
asyncrat
0.5.6A
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
adweqsds56332
-
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
-
anti_detection
true
-
autorun
true
-
bdos
false
- delay
-
host
sandyclark255.hopto.org
- hwid
- install_file
-
install_folder
%AppData%
-
mutex
adweqsds56332
-
pastebin_config
null
-
port
6606,8808,7707
-
version
0.5.6A
Extracted
smokeloader
2017
http://92.53.105.14/
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
http://bit.do/fqhHT
http://bit.do/fqhHT
Extracted
http://bit.do/fqhJv
http://bit.do/fqhJv
Extracted
http://pdshcjvnv.ug/zxcvb.exe
http://pdshcjvnv.ug/zxcvb.exe
Extracted
http://bit.do/fqhJD
http://bit.do/fqhJD
Extracted
http://rbcxvnb.ug/zxcvb.exe
http://rbcxvnb.ug/zxcvb.exe
Extracted
raccoon
5e4db353b88c002ba6466c06437973619aad03b3
-
url4cnc
https://telete.in/brikitiki
Extracted
asyncrat
0.5.7B
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
AsyncMutex_6SI8OkPnk
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Extracted
remcos
2.7.2 Light
xxxxxxxxxxx
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
cvxdsaxzcas-FPRVUD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Targets
-
-
Target
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
-
Size
144KB
-
MD5
9e9bb42a965b89a9dce86c8b36b24799
-
SHA1
e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
-
SHA256
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
-
SHA512
e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
Score10/10-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
-
Size
355KB
-
MD5
b403152a9d1a6e02be9952ff3ea10214
-
SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
-
SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
-
SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1.bin/1.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
AgentTesla Payload
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2019-09-02_22-41-10.exe
-
Size
251KB
-
MD5
924aa6c26f6f43e0893a40728eac3b32
-
SHA1
baa9b4c895b09d315ed747b3bd087f4583aa84fc
-
SHA256
30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
-
SHA512
3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
Score10/10-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
-
Size
183KB
-
MD5
6d2864f9d3349fc4292884e7baab4bcc
-
SHA1
b4e7df23ccd50f4d136f66e62d56815eab09e720
-
SHA256
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
-
SHA512
dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0
-
Suspicious use of SetThreadContext
-
-
-
Target
2c01b007729230c415420ad641ad92eb
-
Size
1.3MB
-
MD5
daef338f9c47d5394b7e1e60ce38d02d
-
SHA1
c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
-
SHA256
5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
-
SHA512
d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
31.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
AgentTesla Payload
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
3DMark 11 Advanced Edition.exe
-
Size
11.6MB
-
MD5
236d7524027dbce337c671906c9fe10b
-
SHA1
7d345aa201b50273176ae0ec7324739d882da32e
-
SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
-
SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
XMRig Miner Payload
-
Creates new service(s)
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
JavaScript code in executable
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Modifies service
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
42f972925508a82236e8533567487761
-
Size
3.7MB
-
MD5
9d2a888ca79e1ff3820882ea1d88d574
-
SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66
-
SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
-
SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Warzone RAT Payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
42f972925508a82236e8533567487761(1)
-
Size
3.7MB
-
MD5
9d2a888ca79e1ff3820882ea1d88d574
-
SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66
-
SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
-
SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Warzone RAT Payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
Score10/10-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Modifies file permissions
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
Score10/10-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
-
-
Target
6a9e7107c97762eb1196a64baeadb291
-
Size
209KB
-
MD5
417457ac3e000697959127259c73ee46
-
SHA1
e060125845cc1c4098f87632f453969ad9ec01ab
-
SHA256
d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d
-
SHA512
7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31
Score8/10-
Blocklisted process makes network request
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
-
Size
21KB
-
MD5
6fe3fb85216045fdf8186429c27458a7
-
SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710
-
SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
-
SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
-
RevengeRat Executable
-
Executes dropped EXE
-
Drops startup file
-
Uses the VBS compiler for execution
-
Drops file in System32 directory
-
-
-
Target
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
-
Size
17KB
-
MD5
aa0a434f00c138ef445bf89493a6d731
-
SHA1
2e798c079b179b736247cf20d1346657db9632c7
-
SHA256
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
-
SHA512
e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952
Score10/10-
RevengeRat Executable
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
-
Size
260KB
-
MD5
9e9719483cc24dc0ab94b31f76981f42
-
SHA1
dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b
-
SHA256
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
-
SHA512
83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of SetThreadContext
-
-
-
Target
Archive.zip__ccacaxs2tbz2t6ob3e.exe
-
Size
430KB
-
MD5
a3cab1a43ff58b41f61f8ea32319386b
-
SHA1
94689e1a9e1503f1082b23e6d5984d4587f3b9ec
-
SHA256
005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
-
SHA512
8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
Score8/10-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
CVE-2018-15982_PoC.swf
-
Size
12KB
-
MD5
82fe94beb621a4368e76aa4a51998c00
-
SHA1
b7c79b8f05c3d998e21d01b07b9ba157160581a9
-
SHA256
c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb
-
SHA512
055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27
Score3/10 -
-
-
Target
CVWSHSetup[1].bin/WSHSetup[1].exe
-
Size
898KB
-
MD5
cb2b4cd74c7b57a12bd822a168e4e608
-
SHA1
f2182062719f0537071545b77ca75f39c2922bf5
-
SHA256
5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
-
SHA512
7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
Score3/10 -
-
-
Target
DiskInternals_Uneraser_v5_keygen.exe
-
Size
12.9MB
-
MD5
17c4b227deaa34d22dd0addfb0034e04
-
SHA1
0cf926384df162bc88ae7c97d1b1b9523ac6b88c
-
SHA256
a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e
-
SHA512
691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Socelars Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
ForceOp 2.8.7 - By RaiSence.exe
-
Size
1.0MB
-
MD5
0a88ebdd3ae5ab0b006d4eaa2f5bc4b2
-
SHA1
6bf1215ac7b1fde54442a9d075c84544b6e80d50
-
SHA256
26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680
-
SHA512
54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
-
-
Target
HYDRA.exe
-
Size
2.6MB
-
MD5
c52bc39684c52886712971a92f339b23
-
SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11
-
SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
-
SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Executes dropped EXE
-
Drops startup file
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
KLwC6vii.exe
-
Size
17KB
-
MD5
1ded740b925aa0c370e4e5bd02c0741f
-
SHA1
64731e77b65da3eb192783c074afdcb6a0a245a8
-
SHA256
a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db
-
SHA512
fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e
Score1/10 -
-
-
Target
Keygen.exe
-
Size
849KB
-
MD5
dbde61502c5c0e17ebc6919f361c32b9
-
SHA1
189749cf0b66a9f560b68861f98c22cdbcafc566
-
SHA256
88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
-
SHA512
d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Raccoon Stealer Payload
-
Async RAT payload
-
ModiLoader First Stage
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
-
Size
13.4MB
-
MD5
48c356e14b98fb905a36164e28277ae5
-
SHA1
d7630bd683af02de03aebc8314862c512acd5656
-
SHA256
b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
-
SHA512
278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b
-
Nirsoft
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
LtHv0O2KZDK4M637.exe
-
Size
10.6MB
-
MD5
5e25abc3a3ad181d2213e47fa36c4a37
-
SHA1
ba365097003860c8fb9d332f377e2f8103d220e0
-
SHA256
3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
-
SHA512
676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Registers new Print Monitor
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
-
-
Target
Magic_File_v3_keygen_by_KeygenNinja.exe
-
Size
8.6MB
-
MD5
80e5a163c5396401b58a3b24f2e00d38
-
SHA1
589accaeeca95b8d69fa7bc14f402925dd338a6a
-
SHA256
72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1
-
SHA512
cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6
-
Nirsoft
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
OnlineInstaller.exe
-
Size
3.6MB
-
MD5
4b042bfd9c11ab6a3fb78fa5c34f55d0
-
SHA1
b0f506640c205d3fbcfe90bde81e49934b870eab
-
SHA256
59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
-
SHA512
dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3
Score8/10-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks for any installed AV software in registry
-
Drops file in System32 directory
-
-
-
Target
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
-
Size
9.5MB
-
MD5
edcc1a529ea8d2c51592d412d23c057e
-
SHA1
1d62d278fe69be7e3dde9ae96cc7e6a0fa960331
-
SHA256
970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d
-
SHA512
c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
XMRig Miner Payload
-
Creates new service(s)
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
JavaScript code in executable
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Modifies service
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
-
Size
372KB
-
MD5
2c959a0f9af72398f115f839397c3396
-
SHA1
80b078a6b74a17e6147321f3b3104bf91b4262f2
-
SHA256
cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206
-
SHA512
511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c
-
IcedID First Stage Loader
-
-
-
Target
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
-
Size
486KB
-
MD5
cde56cf0169830ee0059ee385c0c5eaf
-
SHA1
08aacb48ffcdc6b49af18d01155982984de230f7
-
SHA256
cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e
-
SHA512
234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd
Score1/10 -
-
-
Target
SecurityTaskManager_Setup.exe
-
Size
2.9MB
-
MD5
444439bc44c476297d7f631a152ce638
-
SHA1
820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e
-
SHA256
bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3
-
SHA512
160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Bootkit
1Hidden Files and Directories
3Modify Existing Service
4New Service
1Registry Run Keys / Startup Folder
5Scheduled Task
1Winlogon Helper DLL
2Defense Evasion
Bypass User Account Control
1Disabling Security Tools
4File and Directory Permissions Modification
1Hidden Files and Directories
3Impair Defenses
1Install Root Certificate
1Modify Registry
18Scripting
1Virtualization/Sandbox Evasion
4Web Service
1