General

  • Target

    Downloads.rar

  • Size

    30.7MB

  • Sample

    210315-4tlv3wg3ax

  • MD5

    475b06abee2f66e15943ac519666a381

  • SHA1

    becd1f63736d32bc5c2f3cff31caeef95921f10b

  • SHA256

    40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

  • SHA512

    5c6fe9e948a1951ff973d2136ede19ac0f6bb1b9d268953f01391c1aa9b903300022bed19896188ea52d78aa987c5821d711e50fab0528726b3f7e2e22e1535a

Malware Config

Targets

    • Target

      04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be

    • Size

      730KB

    • MD5

      07f1fa24a6fcb3708ab0689a2706ad8c

    • SHA1

      5da69784e467f242b4f0318fed2b3aed988c6466

    • SHA256

      04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be

    • SHA512

      59a67d2e495b948a45f32f67e3e2a85f0d8343942677e16d8f53162b42ba3a535dd72b713ca1ab59f871a7cbb614f13626741b782b2b2cc4c875bf3a82e83bfb

    Score
    9/10
    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Cryptocurrency Miner

      Makes network request to known mining pool URL.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      05535d72f3f98c73d9b660625e1b627b1bebbd15d7d4add4ecc492a2b0d67a06

    • Size

      1.5MB

    • MD5

      5c3986f4603187cbd1aeb622c8df8d10

    • SHA1

      4c70e2f27d47516386780f7e6a1aefe870790e5b

    • SHA256

      05535d72f3f98c73d9b660625e1b627b1bebbd15d7d4add4ecc492a2b0d67a06

    • SHA512

      e3eba052589d7147c44b289a4bd5e5258d1c108915a5dedf5c337cc1bbeba0f93e939edc8c60923269324dbe2795fd5414d408b7c05e62aec6dd0b7d2a22d902

    Score
    1/10
    • Target

      1bec139d54d147196c4e736d8dcf1f39d2bff390d59d5b240b4a97e03763cf72

    • Size

      1.8MB

    • MD5

      feb0e4a9e482c4a551de22193719b54c

    • SHA1

      768e728b04f59c87ee318d92a90b82cd4981631c

    • SHA256

      1bec139d54d147196c4e736d8dcf1f39d2bff390d59d5b240b4a97e03763cf72

    • SHA512

      06a0f41f0060fbafc658a5da2246451a649fad8e1f58839d9b1d9914f00a80b46952e06d6bd027dbd3c06b8d04235e74652cdc0a589b12a6797b6458a547d196

    Score
    8/10
    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1f670ff8cca59a61aa0d58f297788916a6a9a318c1e7a3319367b6ffdc45c755

    • Size

      777KB

    • MD5

      bcc7caa6a013aad40f40c4ef7711c725

    • SHA1

      1917a4ca3e14d003b618d1ba6835177bd12591b4

    • SHA256

      1f670ff8cca59a61aa0d58f297788916a6a9a318c1e7a3319367b6ffdc45c755

    • SHA512

      8383c150e5adc100cc92005747497eae33be8d09610577583961c73ecabf2c924f40394a7b9e64cac14e392f99ead367922e718b519689cc2bdc463c419edf41

    Score
    1/10
    • Target

      2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea

    • Size

      657KB

    • MD5

      8009e4433aad21916a7761d374ee2be9

    • SHA1

      e0538c4bb3d0310f827799c98707b681d1f91b45

    • SHA256

      2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea

    • SHA512

      404f98fb57d0842aa43d5a113a395ff1d5d963ae60bce81d4dc22f3f0b382a7ba06703b0d7404a240e5edf5f1f75f8bc9b980a966bd29b9e432cd09cb1507071

    • Locky (Lukitus variant)

      Variant of the Locky ransomware seen in the wild since late 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Sets desktop wallpaper using registry

    • Target

      372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef

    • Size

      846KB

    • MD5

      85003057fbddd3468478adc04a1b50cd

    • SHA1

      acdd39a0d8068bfc4a16a0193c90eae85a5831fa

    • SHA256

      372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef

    • SHA512

      989f0738855e83b3ec9d97a7c9f93c0362285393cb1b7a266d6d1287bffad97c3a674c1738d1d0dc32c9751f68025da34f176a9bcc81c27b39fc1accdbbabb06

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15

    • Size

      1.6MB

    • MD5

      7feccbef4ed3a323ed763d24d022e4df

    • SHA1

      c6d62240ffd19c94a5f5080d7518b65555eb4fb2

    • SHA256

      38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15

    • SHA512

      ccb1b77974fb1be74fc71f3f6d036aafdf077d214efadd933f8e3f7e4e9e9f4e8915d9d4da31b95a65e15c29429a726aa3d3116fbb4f2b73c3fa95ddc78d22e2

    Score
    3/10
    • Target

      437d91ce52c0b54e125d28ea1bc6b5547183f04e40f9e487150be7862e61688f

    • Size

      3.5MB

    • MD5

      7ec07e27817c7dc87b3cf22533509581

    • SHA1

      b3cd8a2386897d53133b8a6193989f2a6324a71f

    • SHA256

      437d91ce52c0b54e125d28ea1bc6b5547183f04e40f9e487150be7862e61688f

    • SHA512

      aed38074b14d441566677af3cada2b695f2ffca9651e79f3df0ccad9daac8c69d03cca016a4bd36a9fc3e798debe4a39cb60d00ef566c02c25813c35d6ccf36f

    Score
    4/10
    • Target

      447058c1c6551c352895be7569e33c96384da3757303fc97004be45f56b4e9a8

    • Size

      618KB

    • MD5

      fa441d64d6ff82b1720ad98b1140f955

    • SHA1

      0afa7eb0fb26f69ca0146c68d2b7d84c2ad5078e

    • SHA256

      447058c1c6551c352895be7569e33c96384da3757303fc97004be45f56b4e9a8

    • SHA512

      606dd4e96f435665b29c8254ef143e0c303c0304e452f2bf1d3206ef0803ae920885e4c751c2a9a5f4a93103bc5b81c9fdebb9289fbd1d3e13a1dbc32e838e4e

    Score
    9/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Target

      5061c0b08d522fdae45fc9285ac45fb96a4e80bd859867a0e988dfaeb2b33b03

    • Size

      1001KB

    • MD5

      36882198e11da2783e28b84eed923fca

    • SHA1

      7b438dcc035151bdec22ff1c879ec0461ebad8fd

    • SHA256

      5061c0b08d522fdae45fc9285ac45fb96a4e80bd859867a0e988dfaeb2b33b03

    • SHA512

      cae626bd2810c171e73256e4553d9558b40fa98afca46b31dbb6fd81ebe70eaf2c16ec23f17f2fb41553bea7b21b1868ea867904e4ed2b479ae2c985fbc4d8f2

    Score
    1/10
    • Target

      5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4

    • Size

      611KB

    • MD5

      646a7f19343274ba87dbddc903dd60d0

    • SHA1

      eb84789fda3ad3fa6e838c954e1ac0d1e9fd2848

    • SHA256

      5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4

    • SHA512

      3589d32cce5620232b2b6e7b6fc4f64fad7cf7b0ff95bd161913f8f59b45a086c9d93aa453dbc6f4d9b63b40b7a3e1101f09fe6ee5bcd997de1177a5d798c362

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      6970600d21285371d6a4fd6175b65b672b9b9aaea36353e1544f0672944c9fb5

    • Size

      766KB

    • MD5

      25fa4e744078e82fd359f8755191bdf5

    • SHA1

      6ef18a8590fc8aa4874ec16a3682123624eafbd8

    • SHA256

      6970600d21285371d6a4fd6175b65b672b9b9aaea36353e1544f0672944c9fb5

    • SHA512

      bf26f615cbccd58758adef227730a2bf90b9e038cf0078d413f749c513664a8f171b33f05539bcff46cec5182ed7be69a1d4fc2166ea5542b60eb275fbc03484

    Score
    1/10
    • Target

      72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592

    • Size

      818KB

    • MD5

      d8e9c7825c9f7c3828ff4a579a965a8a

    • SHA1

      8db1c5dcd2d583a6644f7e7d613837309b0092a5

    • SHA256

      72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592

    • SHA512

      9379b64c348f3b070cdf0a962ccd22f8ff7111fd0bbc7f242feca32cada3cb5ce46b132be1675705983f96e75146051ed2a84d36fe13bc7ac10fe89105a103b3

    Score
    8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      73dcee7abeca24a9170f800d069e80283b9ea1bd7cc6fbabdf55c613897f9699

    • Size

      3.6MB

    • MD5

      5bdc58d9791dd30ca23b19c1ef88affb

    • SHA1

      73379a7aea0b87ffa3305603ae76e02443e9378f

    • SHA256

      73dcee7abeca24a9170f800d069e80283b9ea1bd7cc6fbabdf55c613897f9699

    • SHA512

      53113b9aebd79a9f64029491ea8b4eda159388a2c68010bac12f2ad32f1aa417f12ad27c2a554bfee2737cbe1e7c8374b315d8e6bc69ec9929cee372ebcc286d

    Score
    1/10
    • Target

      7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2

    • Size

      1.2MB

    • MD5

      629616cf3527c449d804903309e7ce66

    • SHA1

      90374cb88ca94ed7cc0ec7a0eca33be01e40b6d0

    • SHA256

      7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2

    • SHA512

      da12c2757632698ea0ba35261c95a3c712b3f4a2d276b628fba703d2a2c4c2e2d2929c6dc178c1cd18142d6010e54ef9b7b8b8f009ed5b402007bc7cd431fa67

    Score
    10/10
    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      8034fffb03faec5aa94d3c16cdb98dfbcce06e8f8f7a278f7c30cff0398ea03c

    • Size

      2.8MB

    • MD5

      1b571c3e29d65ece64e292985cbb020c

    • SHA1

      09ef64cdef28ea000ed410615a779d6b17039a01

    • SHA256

      8034fffb03faec5aa94d3c16cdb98dfbcce06e8f8f7a278f7c30cff0398ea03c

    • SHA512

      9c6330aa486796104ee0d8e0e71130b8e1a91dd16e347218e6a72d8a6b5ee7b99b1099f1fb2c02310f75b2032ac43781902d1e2a831d59273556829c85d613f4

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

upx
Score
8/10

behavioral1

miner, persistence, upx
Score
9/10

behavioral2

miner, persistence, upx
Score
9/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

discovery
Score
8/10

behavioral6

discovery
Score
8/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

locky_lukitus, ransomware
Score
10/10

behavioral10

locky_lukitus, ransomware
Score
10/10

behavioral11

persistence, spyware, stealer, upx
Score
9/10

behavioral12

persistence, spyware, stealer, upx
Score
9/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
4/10

behavioral17

upx
Score
9/10

behavioral18

upx
Score
9/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
8/10

behavioral22

Score
8/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

persistence, upx
Score
8/10

behavioral26

persistence, upx
Score
8/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

xmrig, miner, upx
Score
10/10

behavioral30

xmrig, miner, upx
Score
10/10

behavioral31

imminent, evasion, spyware, trojan
Score
10/10

behavioral32

imminent, evasion, spyware, trojan
Score
10/10
