Description
Zloader is a malware strain that was initially discovered back in August 2015.
Filename | Downloads.rar |
Size | 143MB |
ID | 201120-knjmpd4xpe |
MD5 | c572596b2caadbc11672ff12af226635 |
SHA1 | 57a176459d3f24cf94810efbb6511abca2e7dce2 |
SHA256 | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337 |
SHA512 | d112c32cab043308c8707350679af122a3af504386e3f7ee846c72edbc2e2fd2e825023d5bc0e793853a065df159dfd35c8e32e5370b03cdfa59ab7aa05cd5c6 |
Family | zloader |
Botnet | main |
Campaign | 26.02.2020 |
C2 |
https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php |
rc4.plain | |
Family | revengerat |
Botnet | XDSDDD |
C2 |
84.91.119.105:333 |
Family | revengerat |
Botnet | Victime |
C2 |
cocohack.dtdns.net:84 |
Family | zloader |
Botnet | 25/03 |
C2 |
https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php |
rc4.plain | |
Family | revengerat |
Botnet | samay |
C2 |
shnf-47787.portmap.io:47787 |
Family | zloader |
Botnet | 09/04 |
C2 |
https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php |
rc4.plain | |
Family | zloader |
Botnet | 07/04 |
C2 |
https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php |
rc4.plain | |
Family | revengerat |
Botnet | INSERT-COIN |
C2 |
3.tcp.ngrok.io:24041 |
Family | revengerat |
Botnet | YT |
C2 |
yukselofficial.duckdns.org:5552 |
Family | revengerat |
Botnet | system |
C2 |
yj233.e1.luyouxia.net:20645 |
Family | azorult |
C2 |
http://195.245.112.115/index.php http://kvaka.li/1210776429.php |
Family | smokeloader |
Version | 2020 |
C2 |
http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/ http://naritouzina.net/ http://nukaraguasleep.net/ http://notfortuaj.net/ http://natuturalistic.net/ http://zaniolofusa.net/ http://vintrsi.com/upload/ http://woatdert.com/upload/ http://waruse.com/upload/ |
rc4.i32 | |
rc4.i32 | |
Family | zloader |
Botnet | r1 |
Campaign | r1 |
C2 |
https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php |
rc4.plain | |
rsa_pubkey.plain | |
Family | smokeloader |
Version | 2019 |
C2 |
http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ http://10022020newfolder1002002131-service1002.space/ http://10022020newfolder1002002231-service1002.space/ http://10022020newfolder3100231-service1002.space/ http://10022020newfolder1002002431-service1002.space/ http://10022020newfolder1002002531-service1002.space/ http://10022020newfolder33417-01242510022020.space/ http://10022020test125831-service1002012510022020.space/ http://10022020test136831-service1002012510022020.space/ http://10022020test147831-service1002012510022020.space/ http://10022020test146831-service1002012510022020.space/ http://10022020test134831-service1002012510022020.space/ http://10022020est213531-service100201242510022020.ru/ http://10022020yes1t3481-service1002012510022020.ru/ http://10022020test13561-service1002012510022020.su/ http://10022020test14781-service1002012510022020.info/ http://10022020test13461-service1002012510022020.net/ http://10022020test15671-service1002012510022020.tech/ http://10022020test12671-service1002012510022020.online/ http://10022020utest1341-service1002012510022020.ru/ http://10022020uest71-service100201dom2510022020.ru/ http://10022020test61-service1002012510022020.website/ http://10022020test51-service1002012510022020.xyz/ http://10022020test41-service100201pro2510022020.ru/ http://10022020yest31-service100201rus2510022020.ru/ http://10022020rest21-service1002012510022020.eu/ http://10022020test11-service1002012510022020.press/ http://10022020newfolder4561-service1002012510022020.ru/ http://10022020rustest213-service1002012510022020.ru/ http://10022020test281-service1002012510022020.ru/ http://10022020test261-service1002012510022020.space/ http://10022020yomtest251-service1002012510022020.ru/ 
http://10022020yirtest231-service1002012510022020.ru/ |
rc4.i32 | |
rc4.i32 | |
Family | formbook |
C2 |
http://www.worstig.com/w9z/ http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/ |
Decoy |
crazzysex.com hanferd.com gteesrd.com bayfrontbabyplace.com jicuiquan.net relationshiplink.net ohchacyberphoto.com kauegimenes.com powerful-seldom.com ketotoken.com make-money-online-success.com redgoldcollection.com hannan-football.com hamptondc.com vllii.com aa8520.com platform35markethall.com larozeimmo.com oligopoly.net llhak.info fisioservice.com tesla-magnumopus.com cocodrilodigital.com pinegrovesg.com traveladventureswithme.com hebitaixin.com golphysi.com gayjeans.com quickhire.expert randomviews1.com eatatnobu.com topmabati.com mediaupside.com spillerakademi.com thebowtie.store sensomaticloadcell.com turismodemadrid.net yuhe89.com wernerkrug.com cdpogo.net dannynhois.com realestatestructureddata.com matewhereareyou.net laimeibei.ltd sw328.com lmwworks.net xtremefish.com tonerias.com dsooneclinicianexpert.com 281clara.com |
Family | gozi_rm3 |
Botnet | 86920224 |
C2 |
https://sibelikinciel.xyz |
Attributes |
build | 300869 |
exe_type | loader |
server_id | 12 |
url_path | index.htm |
rsa_pubkey.base64 | |
serpent.plain | |
Family | danabot |
C2 |
92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247 |
rsa_pubkey.plain | |
Family | qakbot |
Botnet | spx129 |
Campaign | 1590734339 |
C2 |
94.10.81.239:443 94.52.160.116:443 67.0.74.119:443 175.137.136.79:443 73.232.165.200:995 79.119.67.149:443 62.38.111.70:2222 108.58.9.238:993 216.110.249.252:2222 67.209.195.198:3389 84.247.55.190:443 96.37.137.42:443 94.176.220.76:2222 173.245.152.231:443 96.227.122.123:443 188.192.75.8:995 24.229.245.124:995 71.163.225.75:443 75.71.77.59:443 104.36.135.227:443 173.173.77.164:443 207.255.161.8:2222 68.39.177.147:995 178.193.33.121:2222 72.209.191.27:443 67.165.206.193:995 64.19.74.29:995 117.199.195.112:443 75.87.161.32:995 188.173.214.88:443 173.22.120.11:2222 96.41.93.96:443 86.125.210.26:443 24.10.42.174:443 47.201.1.210:443 69.92.54.95:995 24.202.42.48:2222 47.205.231.60:443 66.26.160.37:443 65.131.44.40:995 24.110.96.149:443 108.58.9.238:443 77.159.149.74:443 74.56.167.31:443 75.137.239.211:443 47.153.115.154:995 173.172.205.216:443 184.98.104.7:995 24.46.40.189:2222 98.115.138.61:443 |
Family | asyncrat |
Version | 0.5.6A |
C2 |
sandyclark255.hopto.org:6606 sandyclark255.hopto.org:8808 sandyclark255.hopto.org:7707 |
Attributes |
aes_key | DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo |
anti_detection | true |
autorun | true |
bdos | false |
delay | |
host | sandyclark255.hopto.org |
hwid | |
install_file | |
install_folder | %AppData% |
mutex | adweqsds56332 |
pastebin_config | null |
port | 6606,8808,7707 |
version | 0.5.6A |
aes.plain | |
Family | smokeloader |
Version | 2017 |
C2 |
http://92.53.105.14/ |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://bit.do/fqhHT |
exe.dropper | http://bit.do/fqhHT |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://zxvbcrt.ug/zxcvb.exe |
exe.dropper | http://zxvbcrt.ug/zxcvb.exe |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://bit.do/fqhJv |
exe.dropper | http://bit.do/fqhJv |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://pdshcjvnv.ug/zxcvb.exe |
exe.dropper | http://pdshcjvnv.ug/zxcvb.exe |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://bit.do/fqhJD |
exe.dropper | http://bit.do/fqhJD |
Language | ps1 |
Source | |
URLs |
ps1.dropper | http://rbcxvnb.ug/zxcvb.exe |
exe.dropper | http://rbcxvnb.ug/zxcvb.exe |
Family | raccoon |
Botnet | 5e4db353b88c002ba6466c06437973619aad03b3 |
Attributes |
url4cnc | https://telete.in/brikitiki |
rc4.plain | |
rc4.plain | |
Family | asyncrat |
Version | 0.5.7B |
C2 |
agentttt.ac.ug:6970 agentpurple.ac.ug:6970 |
Attributes |
aes_key | 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr |
anti_detection | false |
autorun | false |
bdos | false |
delay | Default |
host | agentttt.ac.ug,agentpurple.ac.ug |
hwid | 3 |
install_file | |
install_folder | %AppData% |
mutex | AsyncMutex_6SI8OkPnk |
pastebin_config | null |
port | 6970 |
version | 0.5.7B |
aes.plain | |
Family | remcos |
C2 |
taenaia.ac.ug:6969 agentpapple.ac.ug:6969 |
Protocol | ftp |
Host | 109.248.203.81 |
Port | 21 |
Username | alex |
Password | easypassword |
Filename | 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe |
MD5 | 9e9bb42a965b89a9dce86c8b36b24799 |
Size | 144KB |
SHA1 | e2d1161ac7fa3420648ba59f7a5315ed0acb04c2 |
SHA256 | 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d |
SHA512 | e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8 |
Zloader is a malware strain that was initially discovered back in August 2015.
Filename | 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe |
MD5 | b403152a9d1a6e02be9952ff3ea10214 |
Size | 355KB |
SHA1 | 74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5 |
SHA256 | 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51 |
SHA512 | 0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8 |
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Oski is an infostealer targeting browser data, crypto wallets.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Filename | 0di3x.exe |
MD5 | bd97f762750d0e38e38d5e8f7363f66a |
Size | 111KB |
SHA1 | 9ae3d7053246289ff908758f9d60d79586f7fc9f |
SHA256 | d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158 |
SHA512 | d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39 |
Modular backdoor trojan in use since 2014.
Zloader is a malware strain that was initially discovered back in August 2015.
Filename | 2019-09-02_22-41-10.exe |
MD5 | 924aa6c26f6f43e0893a40728eac3b32 |
Size | 251KB |
SHA1 | baa9b4c895b09d315ed747b3bd087f4583aa84fc |
SHA256 | 30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95 |
SHA512 | 3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a |
Modular backdoor trojan in use since 2014.
Filename | 2c01b007729230c415420ad641ad92eb.exe |
MD5 | daef338f9c47d5394b7e1e60ce38d02d |
Size | 1MB |
SHA1 | c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e |
SHA256 | 5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58 |
SHA512 | d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4 |
NanoCore is a remote access tool (RAT) with a variety of capabilities.
Filename | 31.exe |
MD5 | af8e86c5d4198549f6375df9378f983c |
Size | 12MB |
SHA1 | 7ab5ed449b891bd4899fba62d027a2cc26a05e6f |
SHA256 | 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267 |
SHA512 | 137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1 |
Agent Tesla is a remote access tool (RAT) written in visual basic.
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Danabot is a modular banking Trojan that has been linked with other malware.
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Dharma is a ransomware that uses security software installation to hide malicious activities.
Formbook is a data stealing malware which is capable of stealing data.
A heavily modified version of Gozi using RM3 loader.
Qbot or Qakbot is a sophisticated worm with banking capabilities.
Detects CryptOne packer defined in NCC blogpost.
Detects ReZer0, a packer with multiple versions used in various campaigns.
BIOS information is often read in order to detect sandboxing environments.
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Disk information is often read in order to detect sandboxing environments.
Filename | 3DMark 11 Advanced Edition.exe |
MD5 | 236d7524027dbce337c671906c9fe10b |
Size | 11MB |
SHA1 | 7d345aa201b50273176ae0ec7324739d882da32e |
SHA256 | 400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c |
SHA512 | e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a |
Agent Tesla is a remote access tool (RAT) written in visual basic.
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Modular backdoor trojan in use since 2014.
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Office document equipped with 4.0 macros.
Detects executables packed with UPX/modified UPX open source packer.
Detects executables packed with VMProtect commercial packer.
Looks up country code configured in the registry, likely geofence.
Email clients store some user data on disk where infostealers will often target it.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Attempts to read the root path of hard drives other than the default C: drive.
Uses a legitimate IP lookup service to find the infected system's external IP.
Bootkits write to the MBR to gain persistence at a level below the operating system.
Filename | 42f972925508a82236e8533567487761.exe |
MD5 | 9d2a888ca79e1ff3820882ea1d88d574 |
Size | 3MB |
SHA1 | 112c38d80bf2c0d48256249bbabe906b834b1f66 |
SHA256 | 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138 |
SHA512 | 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840 |
AsyncRAT is designed to remotely monitor and control other computers.
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Widely used RAT written in .NET.
Looks up country code configured in the registry, likely geofence.
Filename | 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe |
MD5 | ead18f3a909685922d7213714ea9a183 |
Size | 669KB |
SHA1 | 1270bd7fd62acc00447b30f066bb23f4745869bf |
SHA256 | 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18 |
SHA512 | 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91 |
Filename | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe |
MD5 | 8152a3d0d76f7e968597f4f834fdfa9d |
Size | 80KB |
SHA1 | c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e |
SHA256 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b |
SHA512 | eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4 |
Ransomware which encrypts files using AES, first seen in November 2019.
Ransomware generally changes the extension on encrypted files.
Infostealers often target stored browser data, which can include saved credentials etc.
Filename | 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe |
MD5 | 6fe3fb85216045fdf8186429c27458a7 |
Size | 21KB |
SHA1 | ef2c68d0b3edf3def5d90f1525fe87c2142e5710 |
SHA256 | 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550 |
SHA512 | d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c |
Remote-access trojan with a wide range of capabilities.
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Filename | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe |
MD5 | aa0a434f00c138ef445bf89493a6d731 |
Size | 17KB |
SHA1 | 2e798c079b179b736247cf20d1346657db9632c7 |
SHA256 | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654 |
SHA512 | e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952 |
Remote-access trojan with a wide range of capabilities.
Filename | 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe |
MD5 | 9e9719483cc24dc0ab94b31f76981f42 |
Size | 260KB |
SHA1 | dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b |
SHA256 | 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9 |
SHA512 | 83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309 |
Filename | Archive.zip__ccacaxs2tbz2t6ob3e.exe |
MD5 | a3cab1a43ff58b41f61f8ea32319386b |
Size | 430KB |
SHA1 | 94689e1a9e1503f1082b23e6d5984d4587f3b9ec |
SHA256 | 005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6 |
SHA512 | 8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d |
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
Filename | CVE-2018-15982_PoC.swf |
MD5 | 82fe94beb621a4368e76aa4a51998c00 |
Size | 12KB |
SHA1 | b7c79b8f05c3d998e21d01b07b9ba157160581a9 |
SHA256 | c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb |
SHA512 | 055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27 |
Filename | DiskInternals_Uneraser_v5_keygen.exe |
MD5 | 17c4b227deaa34d22dd0addfb0034e04 |
Size | 12MB |
SHA1 | 0cf926384df162bc88ae7c97d1b1b9523ac6b88c |
SHA256 | a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e |
SHA512 | 691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c |
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Detects executables packed with UPX/modified UPX open source packer.
BIOS information is often read in order to detect sandboxing environments.
Looks up country code configured in the registry, likely geofence.
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
Filename | ForceOp 2.8.7 - By RaiSence.exe |
MD5 | 0a88ebdd3ae5ab0b006d4eaa2f5bc4b2 |
Size | 1MB |
SHA1 | 6bf1215ac7b1fde54442a9d075c84544b6e80d50 |
SHA256 | 26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680 |
SHA512 | 54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37 |
Filename | HYDRA.exe |
MD5 | c52bc39684c52886712971a92f339b23 |
Size | 2MB |
SHA1 | c5cb39850affb7ed322bfb0a4900e17c54f95a11 |
SHA256 | f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d |
SHA512 | 2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b |
Modular backdoor trojan in use since 2014.
Disk information is often read in order to detect sandboxing environments.
Filename | KLwC6vii.exe |
MD5 | 1ded740b925aa0c370e4e5bd02c0741f |
Size | 17KB |
SHA1 | 64731e77b65da3eb192783c074afdcb6a0a245a8 |
SHA256 | a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db |
SHA512 | fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e |
Filename | Keygen.exe |
MD5 | dbde61502c5c0e17ebc6919f361c32b9 |
Size | 849KB |
SHA1 | 189749cf0b66a9f560b68861f98c22cdbcafc566 |
SHA256 | 88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b |
SHA512 | d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb |
AsyncRAT is designed to remotely monitor and control other computers.
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Oski is an infostealer targeting browser data, crypto wallets.
Simple but powerful infostealer which was very active in 2019.
Remcos is a closed-source remote control and surveillance software.
Email clients store some user data on disk where infostealers will often target it.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Filename | Lonelyscreen.1.2.9.keygen.by.Paradox.exe |
MD5 | 48c356e14b98fb905a36164e28277ae5 |
Size | 13MB |
SHA1 | d7630bd683af02de03aebc8314862c512acd5656 |
SHA256 | b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c |
SHA512 | 278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b |
Detects executables packed with UPX/modified UPX open source packer.
Detects executables packed with VMProtect commercial packer.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
Filename | LtHv0O2KZDK4M637.exe |
MD5 | 5e25abc3a3ad181d2213e47fa36c4a37 |
Size | 10MB |
SHA1 | ba365097003860c8fb9d332f377e2f8103d220e0 |
SHA256 | 3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9 |
SHA512 | 676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681 |
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Detects file using ACProtect software.
Looks to be attempting to contact Stratum mining pool.
Uses net.exe to modify the user's privileges.
Detects executables packed with ASPack v2.12-2.42
Adds application to list of disallowed applications.
Modifies file attributes to stop it showing in Explorer etc.
Detects executables packed with UPX/modified UPX open source packer.
Tries to access configuration files associated with programs like FileZilla.
Email clients store some user data on disk where infostealers will often target it.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Uses a legitimate IP lookup service to find the infected system's external IP.
Filename | Magic_File_v3_keygen_by_KeygenNinja.exe |
MD5 | 80e5a163c5396401b58a3b24f2e00d38 |
Size | 8MB |
SHA1 | 589accaeeca95b8d69fa7bc14f402925dd338a6a |
SHA256 | 72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1 |
SHA512 | cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6 |
Detects ReZer0, a packer with multiple versions used in various campaigns.
Detects executables packed with UPX/modified UPX open source packer.
Looks up country code configured in the registry, likely geofence.
Infostealers often target stored browser data, which can include saved credentials etc.
Uses a legitimate IP lookup service to find the infected system's external IP.
Bootkits write to the MBR to gain persistence at a level below the operating system.
Filename | OnlineInstaller.exe |
MD5 | 4b042bfd9c11ab6a3fb78fa5c34f55d0 |
Size | 3MB |
SHA1 | b0f506640c205d3fbcfe90bde81e49934b870eab |
SHA256 | 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834 |
SHA512 | dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3 |
Filename | Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe |
MD5 | edcc1a529ea8d2c51592d412d23c057e |
Size | 9MB |
SHA1 | 1d62d278fe69be7e3dde9ae96cc7e6a0fa960331 |
SHA256 | 970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d |
SHA512 | c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab |
Filename | SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985 |
MD5 | 2c959a0f9af72398f115f839397c3396 |
Size | 372KB |
SHA1 | 80b078a6b74a17e6147321f3b3104bf91b4262f2 |
SHA256 | cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206 |
SHA512 | 511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c |
IcedID is a banking trojan capable of stealing credentials.
Filename | SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869 |
MD5 | cde56cf0169830ee0059ee385c0c5eaf |
Size | 486KB |
SHA1 | 08aacb48ffcdc6b49af18d01155982984de230f7 |
SHA256 | cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e |
SHA512 | 234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd |
Filename | SecurityTaskManager_Setup.exe |
MD5 | 444439bc44c476297d7f631a152ce638 |
Size | 2MB |
SHA1 | 820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e |
SHA256 | bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3 |
SHA512 | 160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00 |
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Filename | Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe |
MD5 | 8103aad9a6f5ee1fb4f764fc5782822a |
Size | 10MB |
SHA1 | 4fb4f963243d7cb65394e59de787aebe020b654c |
SHA256 | 4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40 |
SHA512 | e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8 |
Agent Tesla is a remote access tool (RAT) written in visual basic.
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
Pony is a Remote Access Trojan application that steals information.
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Modular backdoor trojan in use since 2014.
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Office document equipped with 4.0 macros.
Detects executables packed with UPX/modified UPX open source packer.
Detects executables packed with VMProtect commercial packer.
Looks up country code configured in the registry, likely geofence.
Tries to access configuration files associated with programs like FileZilla.
Email clients store some user data on disk where infostealers will often target it.
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Attempts to read the root path of hard drives other than the default C: drive.
Uses a legitimate IP lookup service to find the infected system's external IP.
Bootkits write to the MBR to gain persistence at a level below the operating system.
Filename | VyprVPN.exe |
MD5 | f1d5f022e71b8bc9e3241fbb72e87be2 |
Size | 1MB |
SHA1 | 1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c |
SHA256 | 08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d |
SHA512 | f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f |
Looks up country code configured in the registry, likely geofence.
Infostealers often target stored browser data, which can include saved credentials etc.
Filename | WSHSetup[1].exe |
MD5 | cb2b4cd74c7b57a12bd822a168e4e608 |
Size | 898KB |
SHA1 | f2182062719f0537071545b77ca75f39c2922bf5 |
SHA256 | 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed |
SHA512 | 7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348 |
Enables rebooting of the machine without requiring login credentials.
Filename | Yard.dll |
MD5 | 3cf481ccbb1019894fcbacb554f3bda1 |
Size | 400KB |
SHA1 | 63c11153ab0afb36703723c5121cd0e9b48ac6e8 |
SHA256 | c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675 |
SHA512 | 628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0 |