Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    6c5db6dce13ded4e0e6c7e9a526b063e.exe

  • Size

    4.3MB

  • MD5

    1485d115c0db789ed882e6da39b845d0

  • SHA1

    b25ee4515f5a1a8b420e7eba38f233ee64a24755

  • SHA256

    036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7

  • SHA512

    c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b

  Score

  10^/10

  gluptebametasploitbackdoordropperloadertrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  behavioral1behavioral2

• • Target

    DusBrowserInst.exe

  • Size

    172KB

  • MD5

    2bf65413a6aabdbb7f18b7efebee633d

  • SHA1

    c4eed75b2d69ca51ce87ede0a907db0ecbb4f4b7

  • SHA256

    1db05647c15a26167a50bf7cf1d5f2d00ae89e4f18cfba2bcb4024f043c81739

  • SHA512

    b59fcc75925273239c90520d616a9e5dddacfc36d6cefb1f464dab3ef066aebfc57adfd9e28484aadfb9ed6a9dde4d509e0eee2bc5245a795025c64fb790fb2f

  Score

  6^/10

  • Legitimate hosting services abused for malware hosting/C2

  behavioral3behavioral4

• • Target

    IDWCH2.exe

  • Size

    739KB

  • MD5

    0d5cc91890c411599e994ab4d927350b

  • SHA1

    b64c4752537fc05bd460918fe252ef64e72d2651

  • SHA256

    b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163

  • SHA512

    56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral5behavioral6

• • Target

    Litever01.exe

  • Size

    502KB

  • MD5

    bca995c0fd475fb09fb7988cb876c795

  • SHA1

    0f8776b9a5b3daedcc314fa283172697dee4cf8d

  • SHA256

    659895bb642f43854043053d386b987c63db7e615d827dbc41866ac0371ab92d

  • SHA512

    94387589151f5dc774aaf981988c8f6b568e8373158ce79b5da370594a6f67f18c5b90547da62db70a808a9756fc318eeb3cd6df9b87495bfde379a46e2699df

  Score

  10^/10

  vidar933stealer

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer
  behavioral7behavioral8

• • Target

    NAN.exe

  • Size

    608KB

  • MD5

    db1e5d0455f39c5cf5ac0c210dd679c4

  • SHA1

    836e95bd1285ff790e55a8602febb29d97187bd7

  • SHA256

    578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e

  • SHA512

    3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25

  Score

  10^/10

  redlinenananiinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • Suspicious use of SetThreadContext

  behavioral9behavioral10

• • Target

    anyname.exe

  • Size

    100KB

  • MD5

    2cd68cb7fd85144362d03a0b260f338f

  • SHA1

    6e106cc5246ed9fe053ef748b28022183e520ad9

  • SHA256

    f67d7d488b447f8a6356bff9d49add653ef5c49e6dc74982005028d01609c24a

  • SHA512

    4ac9508d59f9f32d5b883b78b2b4cc80a7364731d96f01f53d816055fe7e1f8505790796ca4696c6810de89331a346e2b5eedd071c50b56c10489bcc9b72693c

  Score

  10^/10

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral11behavioral12

• • Target

    app.exe

  • Size

    4.3MB

  • MD5

    d3f680a40104a2bf44d1e55ab22cc283

  • SHA1

    3e44293bd666ee6842f27001e561442203479698

  • SHA256

    a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86

  • SHA512

    478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b

  Score

  10^/10

  gluptebametasploitbackdoordropperloadertrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  behavioral13behavioral14

• • Target

    askinstall50.exe

  • Size

    1.4MB

  • MD5

    68bc0c244bb2d261a9a7d007bb6e06d7

  • SHA1

    4226d51ebf9d925de953e0a5a6b3784eabfc47b6

  • SHA256

    fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4

  • SHA512

    f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da

  Score

  10^/10

  socelarsdiscoveryspywarestealer

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  behavioral15behavioral16

• • Target

    farlab_setup.exe

  • Size

    1.7MB

  • MD5

    a7703240793e447ec11f535e808d2096

  • SHA1

    913af985f540dab68be0cdf999f6d7cb52d5be96

  • SHA256

    6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f

  • SHA512

    57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e

  Score

  10^/10

  vidardiscoveryevasionpersistencespywarestealer

  • Modifies firewall policy service

    evasion

  • Registers COM server for autorun

    persistence

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    inst002.exe

  • Size

    265KB

  • MD5

    f38f3aab5af6435226dcca8751f61e6c

  • SHA1

    e555e536dca72784f73422a216aa35206441444a

  • SHA256

    94590b6681e3f9255a27b41a356d0334460ed596daab947258110a4ab94708db

  • SHA512

    0402a9d77388348aa055ab58a3211222ffdbe043e73052e075d861d1d0888437cfdeb2c2d7676b23e539b573bd4a4180d4e5f8af840693823979997f99c76c09

  Score

  1^/10
  behavioral19behavioral20

• • Target

    jamesnew.exe

  • Size

    846KB

  • MD5

    ea180cb17e71d8e32481aa37cb796cc1

  • SHA1

    351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a

  • SHA256

    8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a

  • SHA512

    7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc

  Score

  3^/10
  behavioral21behavioral22

• • Target

    justdezine.exe

  • Size

    136KB

  • MD5

    7bd33952ce41285449099ae0bcd48d81

  • SHA1

    1d6224283dd85c51a22445a69b1f2771724a7733

  • SHA256

    6d5ac5464acd393224513115ebee2eeca5efca62b2a0e92f50c5186a8f740581

  • SHA512

    bbe8a7d76db63b498b0ff8736ab010c12506b8f27b17eaeb13a77d0972e6512a54dccbf5c050642ffe7665647439c5fd1424312677b351d7fe893a7956728c05

  Score

  10^/10

  smokeloaderbackdoortrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Deletes itself

  behavioral23behavioral24

• • Target

    md3_3kvm.exe

  • Size

    924KB

  • MD5

    53b01ccd65893036e6e73376605da1e2

  • SHA1

    12c7162ea3ce90ec064ce61251897c8bec3fd115

  • SHA256

    de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

  • SHA512

    e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

  Score

  7^/10

  spywarestealerevasiontrojan

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  behavioral25behavioral26

• • Target

    mixseven.exe

  • Size

    213KB

  • MD5

    984f9ec5ff106e4c08bb076ef63f3ec2

  • SHA1

    119152d00b0b883cefae6519bbe4be43c6e1aafd

  • SHA256

    438676e5d2d9fd41a35b18eee5db8917e7f960f0d50917513f4fb92b95d29995

  • SHA512

    641cdf64b6ba39fb01c0bbe86aa878026e9f61280a83d449d67656dfa89100957f9e5b2b575b7ec460a0eeb4d2a8ef8da0781de58d3c518be2a2ae97ce1acd6a

  Score

  10^/10

  evasionthemidatrojan

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral27behavioral28

• • Target

    redcloud.exe

  • Size

    173KB

  • MD5

    16bf4653dfc06b85e7d34cb5cfe62717

  • SHA1

    35ca16cdb661f6978815efc8c8a2ae0fbddcb733

  • SHA256

    6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30

  • SHA512

    0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f

  Score

  1^/10
  behavioral29behavioral30

• • Target

    udptest.exe

  • Size

    240KB

  • MD5

    265717bdcb626127fdb7e62b018e963c

  • SHA1

    d9d70e33380e33caa8c48b6a4ba7a4fe08ecafe5

  • SHA256

    e102abb40eb0795f838749e262c4e94af6df4213832b1d055b727cbc50f3a8ee

  • SHA512

    f9c3656bb1e9848620990ca2ee8c163f32c2259774cf21ff78979ba1318daabb672ba1a67924b90d55cce8b579830bf31db32e2da83a09b51916c60ca157f362

  Score

  10^/10

  redlinetestinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  behavioral31behavioral32