Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark
305419896

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://etasuklavish.today/

http://mragyzmachnobesdi.today/

http://kimchinikuzims.today/

http://slacvostinrius.today/

http://straponuliusyn.today/

http://grammmdinss.today/

http://viprasputinsd.chimkent.su/

http://lupadypa.dagestan.su/

http://stoknolimchin.exnet.su/

http://musaroprovadnikov.live/

http://teemforyourexprensiti.life/

http://stolkgolmishutich.termez.su/

http://roompampamgandish.wtf/

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain
rsa_pubkey.plain

Extracted

Family

smokeloader

Version

2019

C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

formbook

Version

4.0

Campaign

w9z

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Attributes
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
build
300869
exe_type
loader
server_id
12
url_path
index.htm
rsa_pubkey.plain
serpent.plain

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

C2

http://www.joomlas123.com/i0qi/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

Campaign

app

C2

http://www.norjax.com/app/

Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

asyncrat

Version

0.5.6A

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Attributes
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds56332
pastebin_config
null
port
6606,8808,7707
version
0.5.6A
aes.plain

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhHT

exe.dropper

http://bit.do/fqhHT

Extracted

Language ps1
Source
URLs
ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJv

exe.dropper

http://bit.do/fqhJv

Extracted

Language ps1
Source
URLs
ps1.dropper

http://pdshcjvnv.ug/zxcvb.exe

exe.dropper

http://pdshcjvnv.ug/zxcvb.exe

Extracted

Language ps1
Source
URLs
ps1.dropper

http://bit.do/fqhJD

exe.dropper

http://bit.do/fqhJD

Extracted

Language ps1
Source
URLs
ps1.dropper

http://rbcxvnb.ug/zxcvb.exe

exe.dropper

http://rbcxvnb.ug/zxcvb.exe

Extracted

Family

raccoon

Botnet

5e4db353b88c002ba6466c06437973619aad03b3

Attributes
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Attributes
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B
aes.plain

Extracted

Family

remcos

Version

2.7.2 Light

Botnet

xxxxxxxxxxx

C2

taenaia.ac.ug:6969

agentpapple.ac.ug:6969

Attributes
audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
cvxdsaxzcas-FPRVUD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Targets

    • Target

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

    • Size

      144KB

    • MD5

      9e9bb42a965b89a9dce86c8b36b24799

    • SHA1

      e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

    • SHA256

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

    • SHA512

      e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

    • Size

      355KB

    • MD5

      b403152a9d1a6e02be9952ff3ea10214

    • SHA1

      74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

    • SHA256

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

    • SHA512

      0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      0di3x.exe

    • Size

      111KB

    • MD5

      bd97f762750d0e38e38d5e8f7363f66a

    • SHA1

      9ae3d7053246289ff908758f9d60d79586f7fc9f

    • SHA256

      d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

    • SHA512

      d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      2019-09-02_22-41-10.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      2c01b007729230c415420ad641ad92eb.exe

    • Size

      1MB

    • MD5

      daef338f9c47d5394b7e1e60ce38d02d

    • SHA1

      c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

    • SHA256

      5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

    • SHA512

      d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

    • Target

      31.exe

    • Size

      12MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • AgentTesla Payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      3DMark 11 Advanced Edition.exe

    • Size

      11MB

    • MD5

      236d7524027dbce337c671906c9fe10b

    • SHA1

      7d345aa201b50273176ae0ec7324739d882da32e

    • SHA256

      400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

    • SHA512

      e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • AgentTesla Payload

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Modifies service

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      42f972925508a82236e8533567487761.exe

    • Size

      3MB

    • MD5

      9d2a888ca79e1ff3820882ea1d88d574

    • SHA1

      112c38d80bf2c0d48256249bbabe906b834b1f66

    • SHA256

      8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

    • SHA512

      17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Warzone RAT Payload

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    • Size

      669KB

    • MD5

      ead18f3a909685922d7213714ea9a183

    • SHA1

      1270bd7fd62acc00447b30f066bb23f4745869bf

    • SHA256

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    • SHA512

      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Score
    1/10
    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

    • Size

      21KB

    • MD5

      6fe3fb85216045fdf8186429c27458a7

    • SHA1

      ef2c68d0b3edf3def5d90f1525fe87c2142e5710

    • SHA256

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

    • SHA512

      d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • RevengeRat Executable

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

    • Size

      17KB

    • MD5

      aa0a434f00c138ef445bf89493a6d731

    • SHA1

      2e798c079b179b736247cf20d1346657db9632c7

    • SHA256

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

    • SHA512

      e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe

    • Size

      260KB

    • MD5

      9e9719483cc24dc0ab94b31f76981f42

    • SHA1

      dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b

    • SHA256

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

    • SHA512

      83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

    Score
    1/10
    • Target

      Archive.zip__ccacaxs2tbz2t6ob3e.exe

    • Size

      430KB

    • MD5

      a3cab1a43ff58b41f61f8ea32319386b

    • SHA1

      94689e1a9e1503f1082b23e6d5984d4587f3b9ec

    • SHA256

      005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

    • SHA512

      8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      CVE-2018-15982_PoC.swf

    • Size

      12KB

    • MD5

      82fe94beb621a4368e76aa4a51998c00

    • SHA1

      b7c79b8f05c3d998e21d01b07b9ba157160581a9

    • SHA256

      c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

    • SHA512

      055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

    Score
    3/10
    • Target

      DiskInternals_Uneraser_v5_keygen.exe

    • Size

      12MB

    • MD5

      17c4b227deaa34d22dd0addfb0034e04

    • SHA1

      0cf926384df162bc88ae7c97d1b1b9523ac6b88c

    • SHA256

      a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

    • SHA512

      691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ForceOp 2.8.7 - By RaiSence.exe

    • Size

      1MB

    • MD5

      0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

    • SHA1

      6bf1215ac7b1fde54442a9d075c84544b6e80d50

    • SHA256

      26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

    • SHA512

      54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

    Score
    10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Target

      HYDRA.exe

    • Size

      2MB

    • MD5

      c52bc39684c52886712971a92f339b23

    • SHA1

      c5cb39850affb7ed322bfb0a4900e17c54f95a11

    • SHA256

      f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

    • SHA512

      2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      KLwC6vii.exe

    • Size

      17KB

    • MD5

      1ded740b925aa0c370e4e5bd02c0741f

    • SHA1

      64731e77b65da3eb192783c074afdcb6a0a245a8

    • SHA256

      a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db

    • SHA512

      fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e

    Score
    1/10
    • Target

      Keygen.exe

    • Size

      849KB

    • MD5

      dbde61502c5c0e17ebc6919f361c32b9

    • SHA1

      189749cf0b66a9f560b68861f98c22cdbcafc566

    • SHA256

      88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

    • SHA512

      d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies Windows Defender Real-time Protection settings

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • Raccoon Stealer Payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Async RAT payload

    • ModiLoader First Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Lonelyscreen.1.2.9.keygen.by.Paradox.exe

    • Size

      13MB

    • MD5

      48c356e14b98fb905a36164e28277ae5

    • SHA1

      d7630bd683af02de03aebc8314862c512acd5656

    • SHA256

      b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

    • SHA512

      278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      LtHv0O2KZDK4M637.exe

    • Size

      10MB

    • MD5

      5e25abc3a3ad181d2213e47fa36c4a37

    • SHA1

      ba365097003860c8fb9d332f377e2f8103d220e0

    • SHA256

      3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

    • SHA512

      676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visiblity of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • XMRig Miner Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Registers new Print Monitor

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      Magic_File_v3_keygen_by_KeygenNinja.exe

    • Size

      8MB

    • MD5

      80e5a163c5396401b58a3b24f2e00d38

    • SHA1

      589accaeeca95b8d69fa7bc14f402925dd338a6a

    • SHA256

      72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1

    • SHA512

      cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6

    • Nirsoft

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      OnlineInstaller.exe

    • Size

      3MB

    • MD5

      4b042bfd9c11ab6a3fb78fa5c34f55d0

    • SHA1

      b0f506640c205d3fbcfe90bde81e49934b870eab

    • SHA256

      59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    • SHA512

      dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

    Score
    8/10
    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks for any installed AV software in registry

    • Drops file in System32 directory

    • Target

      Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

    • Size

      9MB

    • MD5

      edcc1a529ea8d2c51592d412d23c057e

    • SHA1

      1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

    • SHA256

      970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

    • SHA512

      c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

    Score
    1/10
    • Target

      SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985

    • Size

      372KB

    • MD5

      2c959a0f9af72398f115f839397c3396

    • SHA1

      80b078a6b74a17e6147321f3b3104bf91b4262f2

    • SHA256

      cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206

    • SHA512

      511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • IcedID First Stage Loader

    • Target

      SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869

    • Size

      486KB

    • MD5

      cde56cf0169830ee0059ee385c0c5eaf

    • SHA1

      08aacb48ffcdc6b49af18d01155982984de230f7

    • SHA256

      cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e

    • SHA512

      234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd

    Score
    1/10
    • Target

      SecurityTaskManager_Setup.exe

    • Size

      2MB

    • MD5

      444439bc44c476297d7f631a152ce638

    • SHA1

      820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e

    • SHA256

      bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3

    • SHA512

      160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Target

      Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

    • Size

      10MB

    • MD5

      8103aad9a6f5ee1fb4f764fc5782822a

    • SHA1

      4fb4f963243d7cb65394e59de787aebe020b654c

    • SHA256

      4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

    • SHA512

      e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • AgentTesla Payload

    • XMRig Miner Payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Modifies service

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      VyprVPN.exe

    • Size

      1MB

    • MD5

      f1d5f022e71b8bc9e3241fbb72e87be2

    • SHA1

      1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

    • SHA256

      08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

    • SHA512

      f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      WSHSetup[1].exe

    • Size

      898KB

    • MD5

      cb2b4cd74c7b57a12bd822a168e4e608

    • SHA1

      f2182062719f0537071545b77ca75f39c2922bf5

    • SHA256

      5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

    • SHA512

      7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      Yard.dll

    • Size

      400KB

    • MD5

      3cf481ccbb1019894fcbacb554f3bda1

    • SHA1

      63c11153ab0afb36703723c5121cd0e9b48ac6e8

    • SHA256

      c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675

    • SHA512

      628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0

    Score
    1/10

Tasks