91d48cd8799643b9e70cc8d7f1abcab8a8a8377090d03623d28d8222c76b0d58 | Triage

Submit
Reports

Overview

overview

Static

static

Tornado.exe

windows7_x64

8

Tornado.exe

windows7_x64

8

Tornado.exe

windows7_x64

Tornado.exe

windows11_x64

8

Tornado.exe

windows10_x64

Tornado.exe

windows10_x64

Tornado.exe

windows10_x64

Sharing

General

Target

Tornado.iso
Size

331.0MB
Sample

211021-pt2afabbdq
MD5

2ce6a31993822bc5f286f04fa73c517b
SHA1

16497f37d84928fcf06fb0c81b53bf2224892ac4
SHA256

91d48cd8799643b9e70cc8d7f1abcab8a8a8377090d03623d28d8222c76b0d58
SHA512

3e2d1e2c61c9a460978c0a2b8c656f68b2f5486927a6c0240190447f41f16b4ab2604ef37cca532387dab51de6f69b8b46c9564c4aad1e80ecd1949afed31463

Score

10^/10

discovery evasion persistence spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Tornado.exe

Resource

win7-ja-20211014

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Tornado.exe

Resource

win7-en-20210920

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

Tornado.exe

Resource

win7-de-20211014

discovery persistence spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral4

Sample

Tornado.exe

Resource

win11

windows11_x64

0 signatures

0 seconds

Behavioral task

behavioral5

Sample

Tornado.exe

Resource

win10-ja-20210920

evasion persistence trojan

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral6

Sample

Tornado.exe

Resource

win10-en-20211014

discovery persistence spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral7

Sample

Tornado.exe

Resource

win10-de-20210920

discovery persistence spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Tornado.exe
- Size
  
  331.0MB
- MD5
  
  2acf755a8825894b837989ce1ae3db1d
- SHA1
  
  17d5590e64a1df1470e83f79eb935d78bc218c2d
- SHA256
  
  876dbe0fdf3f4ec70bd1985bf7c6f661b1105efd591407a6dd7ca7506bc61adf
- SHA512
  
  f5ca9da28f33097e92714f1e329d62fa8b98afe35bdaaf9e4941ad8f46c9350df74117b4712abc83c7bf44d6a1cb357b44bfb426d7ab0eeb88b3c813e99eef4b
Score

10^/10

persistence discovery spyware stealer suricata evasion trojan
- Registers COM server for autorun
  persistence
- suricata: ET MALWARE Arechclient2 Backdoor CnC Init
  suricata: ET MALWARE Arechclient2 Backdoor CnC Init
  suricata
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

discoverypersistencespywarestealersuricata

behavioral4

behavioral5

evasionpersistencetrojan

behavioral6

discoverypersistencespywarestealersuricata

behavioral7

discoverypersistencespywarestealersuricata

© 2018-2024

Terms | Privacy