Downloads.rar

General
Target

Downloads.rar

Size

154MB

Sample

210119-s26yznnqsn

Score

10/10

MD5

f82e19eade5962a21f69504a854de42e

SHA1

2af264fdf337f13723e4f2d5ca4904e083db56ae

SHA256

1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

SHA512

a7b0a23e8765d4f98edc6e912a75116584217ede98dd7fd81523b6d19cef4192135745efe52219bf198cab2b3a5f798b26331422c0a5da45f0b163a155e8092a

Malware Config

Extracted

Family zloader
Botnet main
Campaign 26.02.2020
C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family zloader
Botnet 07/04
C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family revengerat
Botnet XDSDDD
C2

84.91.119.105:333

Extracted

Family revengerat
Botnet Victime
C2

cocohack.dtdns.net:84

Extracted

Family zloader
Botnet 25/03
C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family revengerat
Botnet samay
C2

shnf-47787.portmap.io:47787

Extracted

Family zloader
Botnet 09/04
C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family revengerat
Botnet INSERT-COIN
C2

3.tcp.ngrok.io:24041

Extracted

Family revengerat
Botnet system
C2

yj233.e1.luyouxia.net:20645

Extracted

Family revengerat
Botnet YT
C2

yukselofficial.duckdns.org:5552

Extracted

Family smokeloader
Version 2020
C2

http://etasuklavish.today/

http://mragyzmachnobesdi.today/

http://kimchinikuzims.today/

http://slacvostinrius.today/

http://straponuliusyn.today/

http://grammmdinss.today/

http://viprasputinsd.chimkent.su/

http://lupadypa.dagestan.su/

http://stoknolimchin.exnet.su/

http://musaroprovadnikov.live/

http://teemforyourexprensiti.life/

http://stolkgolmishutich.termez.su/

http://roompampamgandish.wtf/

rc4.i32
rc4.i32

Extracted

Family formbook
C2

http://www.worstig.com/w9z/

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family qakbot
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family zloader
Botnet googleaktualizacija
Campaign googleaktualizacija1
C2

https://iqowijsdakm.ru/gate.php

https://wiewjdmkfjn.ru/gate.php

https://dksaoidiakjd.su/gate.php

https://iweuiqjdakjd.su/gate.php

https://yuidskadjna.su/gate.php

https://olksmadnbdj.su/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain
rsa_pubkey.plain

Extracted

Family smokeloader
Version 2019
C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/

rc4.i32
rc4.i32

Extracted

Family asyncrat
Version 0.5.6A
C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Attributes

aes_key: DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
anti_detection: true
autorun: true
bdos: false
delay:
host: sandyclark255.hopto.org
hwid:
install_file:
install_folder: %AppData%
mutex: adweqsds56332
pastebin_config: null
port: 6606,8808,7707
version: 0.5.6A

aes.plain

Extracted

Family zloader
Botnet CanadaLoads
Campaign Nerino
C2

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php

rc4.plain
rsa_pubkey.plain
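The config blocks above only become useful once they are turned into indicators a sensor can act on. The script below is an added example, not code from this report or from the sandbox that produced it. It parses an excerpt of the blocks in the report's own layout (SAMPLE is constructed from entries listed above) into normalized records, builds a blocklist that deliberately leaves out the Formbook Decoy entries (those are unrelated legitimate domains the stealer contacts for cover, and the real C2 is only one of the candidates), and emits Suricata rules: plain-socket C2s are matched on ip:port, http C2s on host plus URI, and https C2s on the TLS SNI, because the path of an https C2 is never visible on the wire. The rule keywords assume Suricata 5 or later; the SID range is arbitrary.

```python
"""Normalize a sandbox report's 'Extracted' config blocks into IOCs and Suricata rules.
Added example, not the report's or the sandbox vendor's code; SAMPLE is constructed."""
import re
from urllib.parse import urlsplit

SAMPLE = """\
Extracted
Family zloader
Botnet main
C2
https://airnaa.org/sound.php
rc4.plain
Extracted
Family revengerat
Botnet XDSDDD
C2
84.91.119.105:333
Extracted
Family formbook
C2
http://www.worstig.com/w9z/
Decoy
crazzysex.com
Extracted
Family danabot
C2
92.204.160.54
"""

IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# The report prints only the *name* of extracted key material; such a line ends a C2 list.
KEY_LABEL = re.compile(r"^(rc4|rsa_pubkey|aes)\.(plain|i32)$")

def parse_blocks(text):
    """One dict per 'Extracted' block: Family/Botnet/Campaign/Version plus c2/decoy lists."""
    blocks, section = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, val = line.partition(" ")
        if line == "Extracted":
            blocks.append({"c2": [], "decoy": []})
            section = None
        elif not blocks:
            continue
        elif key in ("Family", "Botnet", "Campaign", "Version") and val:
            blocks[-1][key.lower()] = val
            section = None
        elif line in ("C2", "Decoy"):
            section = line.lower()
        elif line == "Attributes" or KEY_LABEL.match(line):
            section = None  # attribute tables and key blobs are not network IOCs
        elif section:
            blocks[-1][section].append(line)
    return blocks

def normalize(entry):
    """Raw entry -> (kind, host, port, path); kind is http, https, socket or host."""
    if "://" in entry:
        u = urlsplit(entry)
        return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path or "/"
    host, _, port = entry.rpartition(":")
    if host and port.isdigit():
        return "socket", host, int(port), None
    return "host", entry, None, None

def iocs(blocks):
    """Flatten to records. Decoys stay tagged: Formbook's decoy entries are unrelated
    legitimate domains contacted for cover and must never be pushed to a blocklist."""
    return [{"family": b.get("family", ""), "botnet": b.get("botnet", ""), "role": role,
             "kind": kind, "host": host, "port": port, "path": path,
             "is_ip": bool(IP.match(host))}
            for b in blocks for role in ("c2", "decoy")
            for kind, host, port, path in map(normalize, b[role])]

def blocklist(records):
    """Sorted, de-duplicated C2 hosts; decoys are excluded on purpose."""
    return sorted({r["host"] for r in records if r["role"] == "c2"})

def suricata_rules(records, sid_base=9000000):
    """One rule per C2 (Suricata 5+ sticky buffers). An https C2 is only visible as
    the TLS SNI; a scheme-less domain is caught at DNS lookup time."""
    rules = []
    for sid, r in enumerate((r for r in records if r["role"] == "c2"), start=sid_base):
        msg = " ".join(x for x in (r["family"], r["botnet"], "C2") if x)
        tail = f'sid:{sid}; rev:1;)'
        if r["kind"] == "http":
            rule = (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; http.host; '
                    f'content:"{r["host"]}"; http.uri; content:"{r["path"]}"; {tail}')
        elif r["kind"] == "https":
            rule = (f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; tls.sni; '
                    f'content:"{r["host"]}"; nocase; {tail}')
        elif r["is_ip"]:
            proto, port = ("tcp", r["port"]) if r["port"] else ("ip", "any")
            rule = f'alert {proto} $HOME_NET any -> {r["host"]} {port} (msg:"{msg}"; {tail}'
        else:
            rule = (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                    f'content:"{r["host"]}"; nocase; {tail}')
        rules.append(rule)
    return rules
```

Run `suricata_rules(iocs(parse_blocks(SAMPLE)))` against the full config section to get one rule per C2 entry. Two caveats when applying the output: the Qakbot list consists largely of infected residential machines used as proxies, so those ip:port pairs churn quickly and should be treated as short-lived block indicators rather than operator infrastructure; and the dynamic-DNS and ngrok/portmap hosts used by the RevengeRAT samples are shared services, so match the full hostname at DNS time rather than blocking the provider.
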

Targets
Target

08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

MD5

9e9bb42a965b89a9dce86c8b36b24799

Filesize

144KB

Score

10/10

SHA1

e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

SHA256

08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

SHA512

e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a banking trojan and loader derived from the leaked Zeus source code, first seen in August 2015.

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

Target

0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

MD5

b403152a9d1a6e02be9952ff3ea10214

Filesize

355KB

Score

3/10

SHA1

74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

SHA256

0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

SHA512

0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

Target

0di3x.bin

MD5

bd97f762750d0e38e38d5e8f7363f66a

Filesize

111KB

Score

10/10

SHA1

9ae3d7053246289ff908758f9d60d79586f7fc9f

SHA256

d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

SHA512

d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

Signatures

  • SmokeLoader

    Description

    Modular loader and backdoor trojan, sold on underground forums since 2011.

  • Deletes itself

  • Loads dropped DLL

Target

1.bin/1.exe

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score

10/10

SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Signatures

  • AgentTesla

    Description

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT).

  • CoreEntity .NET Packer

    Description

    A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is decrypted at runtime.

  • Danabot

    Description

    Danabot is a modular banking trojan, delivered through spam campaigns and by other malware loaders.

  • Danabot x86 payload

    Description

    Detects the Danabot x86 payload as mapped in memory while its loader runs.

  • Dharma

    Description

    Dharma (CrySiS) is a ransomware family; one known campaign hid its activity behind a legitimate security-software installer.

  • Formbook

    Description

    Formbook is an information stealer that harvests credentials, keystrokes and clipboard contents and can also download and run further payloads.

  • Qakbot/Qbot

    Description

    Qakbot (Qbot) is a banking trojan with worm-like self-propagation that is also used to load other payloads.

  • Raccoon

    Description

    Raccoon is a simple but capable infostealer sold as a service, very active in 2019.

  • AgentTesla Payload

  • CryptOne packer

    Description

    Detects the CryptOne packer described in an NCC Group blog post.

  • Deletes shadow copies

    Description

    Ransomware often deletes shadow copies and other backups to inhibit system recovery.

    TTPs

    File Deletion; Inhibit System Recovery

  • Formbook Payload

  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • rezer0

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

  • Drops startup file

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Target

4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

MD5

4aa199c19c28cd1d176b7f6ff59bd713

Filesize

524KB

Score

10/10

SHA1

ec321c45f365ad178bbbef4f873578ffc52b6114

SHA256

4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

SHA512

b764a3378677a4d7ceba3d57442b98028581c0c2841bdac287c5caced0f350638a2c1c0a6136873d29627420b208789873c0d5a5ad4d28e3f1e3758e3a12a6f5

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a banking trojan and loader derived from the leaked Zeus source code, first seen in August 2015.

Target

2019-09-02_22-41-10.exe

MD5

924aa6c26f6f43e0893a40728eac3b32

Filesize

251KB

Score

10/10

SHA1

baa9b4c895b09d315ed747b3bd087f4583aa84fc

SHA256

30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

SHA512

3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

Signatures

  • SmokeLoader

    Description

    Modular loader and backdoor trojan, sold on underground forums since 2011.

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Target

2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

MD5

6d2864f9d3349fc4292884e7baab4bcc

Filesize

183KB

Score

10/10

SHA1

b4e7df23ccd50f4d136f66e62d56815eab09e720

SHA256

2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

SHA512

dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a banking trojan and loader derived from the leaked Zeus source code, first seen in August 2015.

  • Suspicious use of SetThreadContext

Target

2c01b007729230c415420ad641ad92eb

MD5

daef338f9c47d5394b7e1e60ce38d02d

Filesize

1MB

Score

10/10

SHA1

c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

SHA256

5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

SHA512

d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

Signatures

  • HawkEye

    Description

    HawkEye is a keylogger and credential-stealing malware kit that has seen continuous development since at least 2013.

  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of plugin-based capabilities.

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients; bundled by stealers to dump saved mail credentials.

  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers; bundled by stealers to dump saved browser credentials.

  • Nirsoft

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Target

31.exe

MD5

af8e86c5d4198549f6375df9378f983c

Filesize

12MB

Score

10/10

SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f

SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Signatures

  • AgentTesla

    Description

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT).

  • CoreEntity .NET Packer

    Description

    A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is decrypted at runtime.

  • Danabot

    Description

    Danabot is a modular banking trojan, delivered through spam campaigns and by other malware loaders.

  • Danabot x86 payload

    Description

    Detects the Danabot x86 payload as mapped in memory while its loader runs.

  • Dharma

    Description

    Dharma (CrySiS) is a ransomware family; one known campaign hid its activity behind a legitimate security-software installer.

  • Formbook

    Description

    Formbook is an information stealer that harvests credentials, keystrokes and clipboard contents and can also download and run further payloads.

  • Qakbot/Qbot

    Description

    Qakbot (Qbot) is a banking trojan with worm-like self-propagation that is also used to load other payloads.

  • Raccoon

    Description

    Raccoon is a simple but capable infostealer sold as a service, very active in 2019.

  • AgentTesla Payload

  • CryptOne packer

    Description

    Detects the CryptOne packer described in an NCC Group blog post.

  • Deletes shadow copies

    Description

    Ransomware often deletes shadow copies and other backups to inhibit system recovery.

    TTPs

    File Deletion; Inhibit System Recovery

  • Formbook Payload

  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • rezer0

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Drops desktop.ini file(s)

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Target

3DMark 11 Advanced Edition.exe

MD5

236d7524027dbce337c671906c9fe10b

Filesize

11MB

Score

1/10

SHA1

7d345aa201b50273176ae0ec7324739d882da32e

SHA256

400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

SHA512

e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Target

42f972925508a82236e8533567487761

MD5

9d2a888ca79e1ff3820882ea1d88d574

Filesize

3MB

Score

10/10

SHA1

112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256

8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512

17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Signatures

  • AsyncRat

    Description

    AsyncRAT is an open-source .NET RAT designed to remotely monitor and control other computers.

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence

    TTPs

    Winlogon Helper DLL; Modify Registry

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • WarzoneRat, AveMaria

    Description

    Warzone RAT (AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Async RAT payload

  • Warzone RAT Payload

  • Disables RegEdit via registry modification

  • Disables Task Manager via registry modification

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    TTPs

    Modify Existing Service

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely as a geofence.

    TTPs

    Query Registry; System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

Target

42f972925508a82236e8533567487761(1)

MD5

9d2a888ca79e1ff3820882ea1d88d574

Filesize

3MB

Score

10/10

SHA1

112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256

8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512

17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Signatures

  • AsyncRat

    Description

    AsyncRAT is an open-source .NET RAT designed to remotely monitor and control other computers.

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence

    TTPs

    Winlogon Helper DLL; Modify Registry

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • WarzoneRat, AveMaria

    Description

    Warzone RAT (AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

  • njRAT/Bladabindi

    Description

    Widely used RAT written in .NET.

  • Async RAT payload

  • Warzone RAT Payload

  • Disables RegEdit via registry modification

  • Disables Task Manager via registry modification

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    TTPs

    Modify Existing Service

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely as a geofence.

    TTPs

    Query Registry; System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

MD5

ead18f3a909685922d7213714ea9a183

Filesize

669KB

Score

8/10

SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Signatures

  • UPX packed file

    Description

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Modifies file permissions

    TTPs

    File Permissions Modification

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

MD5

8152a3d0d76f7e968597f4f834fdfa9d

Filesize

80KB

Score

10/10

SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Signatures

  • Hakbit

    Description

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Deletes itself

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System; Credentials in Files

Target

6a9e7107c97762eb1196a64baeadb291

MD5

417457ac3e000697959127259c73ee46

Filesize

209KB

Score

10/10

SHA1

e060125845cc1c4098f87632f453969ad9ec01ab

SHA256

d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d

SHA512

7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a banking trojan and loader derived from the leaked Zeus source code, first seen in August 2015.

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

MD5

6fe3fb85216045fdf8186429c27458a7

Filesize

21KB

Score

1/10

SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Tasks

behavioral3: 3/10
behavioral4: 3/10
behavioral5: 10/10
behavioral6: 10/10
behavioral10: 1/10
behavioral11: 10/10
behavioral12: 10/10
behavioral13: 10/10
behavioral14: 10/10
behavioral16: 1/10
behavioral19: 1/10
behavioral20: 1/10
behavioral25: 8/10
behavioral26: 8/10
behavioral27: 10/10
behavioral28: 10/10
behavioral31: 1/10
behavioral32: 1/10