Overview
overview
10Static
static
101.bin/1.exe
windows10_x64
102019-09-02...10.exe
windows10_x64
1031.exe
windows10_x64
103DMark 11 ...on.exe
windows10_x64
15da0116af4...18.exe
windows10_x64
10Archive.zi...3e.exe
windows10_x64
6CVE-2018-1...oC.swf
windows10_x64
3CVWSHSetup...1].exe
windows10_x64
4DiskIntern...en.exe
windows10_x64
1ForceOp 2....ce.exe
windows10_x64
10HYDRA.exe
windows10_x64
10Keygen.exe
windows10_x64
10Lonelyscre...ox.exe
windows10_x64
1LtHv0O2KZDK4M637.exe
windows10_x64
10Magic_File...ja.exe
windows10_x64
1OnlineInstaller.exe
windows10_x64
10Remouse.Mi...cg.exe
windows10_x64
1SecurityTa...up.exe
windows10_x64
8Treasure.V...ox.exe
windows10_x64
1VyprVPN.exe
windows10_x64
10WSHSetup[1].exe
windows10_x64
3___ _ ____...��.exe
windows10_x64
10___ _ ____...��.exe
windows10_x64
10amtemu.v0....ed.exe
windows10_x64
10api.exe
windows10_x64
1default.exe
windows10_x64
10efd97b1038...ea4.js
windows10_x64
3good.exe
windows10_x64
10infected d...er.exe
windows10_x64
8oof.exe
windows10_x64
10ou55sg33s_1.exe
windows10_x64
10update.exe
windows10_x64
10General
-
Target
Downloads.rar
-
Size
139.9MB
-
Sample
211112-wnzb8aahhm
-
MD5
24cd2246d5a28f79a7e95a74c7d282c6
-
SHA1
6d4953d61b602667475e28d4f8eb2aae166cfcd4
-
SHA256
390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6
-
SHA512
95983ce807050d66d89630c0ff40545891c1ba2a317e94fca6a2b263057bbc1dfceea7ec4a7764dcaae83921eb5607c28be42e416f736b9bcec27ef89e00a8fe
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10-en-20211014
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
31.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10-en-20211104
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10-en-20211104
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10-en-20211014
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10-en-20211104
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10-en-20211104
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10-en-20211014
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10-en-20211104
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10-en-20211104
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10-en-20211014
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10-en-20211104
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10-en-20211104
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10-en-20211014
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10-en-20211104
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10-en-20211014
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10-en-20211104
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
api.exe
Resource
win10-en-20211014
Behavioral task
behavioral26
Sample
default.exe
Resource
win10-en-20211104
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10-en-20211014
Behavioral task
behavioral28
Sample
good.exe
Resource
win10-en-20211104
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10-en-20211014
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10-en-20211104
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10-en-20211014
Malware Config
Extracted
formbook
4.0
w9z
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
Extracted
gozi_rm3
-
build
300869
-
exe_type
loader
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
guloader
https://drive.google.com/uc?export=download&id=1ELoiNSVTziaBatbVNZQWxal_RsriCCrt
http://ffacscs.ug/nw_kUILGeMGK73.bin
http://blockchains.pk/nw_kUILGeMGK73.bin
https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21161&authkey=AAzCpAsT_Jf9zKg
https://cmdtech.com.vn/MY_XXX_VUVHawg214.bin
https://qif.ac.ke/flow_AoGPhiVz245.bin
Extracted
raccoon
7765746aa9cb9b6c88bb5a7789286d92b104fd16
-
url4cnc
https://telete.in/blintick
Extracted
formbook
4.1
i0qi
http://www.joomlas123.com/i0qi/
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
formbook
4.1
app
http://www.norjax.com/app/
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
Extracted
smokeloader
2017
http://92.53.105.14/
Extracted
http://bit.do/fqhHT
http://bit.do/fqhHT
Extracted
http://bit.do/fqhJv
http://bit.do/fqhJv
Extracted
http://rbcxvnb.ug/zxcvb.exe
http://rbcxvnb.ug/zxcvb.exe
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
http://pdshcjvnv.ug/zxcvb.exe
http://pdshcjvnv.ug/zxcvb.exe
Extracted
http://bit.do/fqhJD
http://bit.do/fqhJD
Extracted
raccoon
32365171a31c4583d6e3b7aad1690e41cefc38eb
-
url4cnc
http://telegalive.top/brikitiki
http://toptelete.top/brikitiki
http://telegraf.top/brikitiki
https://t.me/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
colonna.ac.ug
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
vidar
26.1
276
http://centos10.com/
-
profile_id
276
Extracted
Protocol: ftp- Host:
193.32.188.10 - Port:
21 - Username:
alex - Password:
easypassword
Targets
-
-
Target
1.bin/1.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Raccoon Stealer Payload
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
AgentTesla Payload
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2019-09-02_22-41-10.exe
-
Size
251KB
-
MD5
924aa6c26f6f43e0893a40728eac3b32
-
SHA1
baa9b4c895b09d315ed747b3bd087f4583aa84fc
-
SHA256
30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
-
SHA512
3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
Score10/10-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
31.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Raccoon Stealer Payload
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
AgentTesla Payload
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
3DMark 11 Advanced Edition.exe
-
Size
11.6MB
-
MD5
236d7524027dbce337c671906c9fe10b
-
SHA1
7d345aa201b50273176ae0ec7324739d882da32e
-
SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
-
SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
Score1/10 -
-
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
Score10/10-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Modifies file permissions
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Archive.zip__ccacaxs2tbz2t6ob3e.exe
-
Size
430KB
-
MD5
a3cab1a43ff58b41f61f8ea32319386b
-
SHA1
94689e1a9e1503f1082b23e6d5984d4587f3b9ec
-
SHA256
005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
-
SHA512
8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
CVE-2018-15982_PoC.swf
-
Size
12KB
-
MD5
82fe94beb621a4368e76aa4a51998c00
-
SHA1
b7c79b8f05c3d998e21d01b07b9ba157160581a9
-
SHA256
c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb
-
SHA512
055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27
Score3/10 -
-
-
Target
CVWSHSetup[1].bin/WSHSetup[1].exe
-
Size
898KB
-
MD5
cb2b4cd74c7b57a12bd822a168e4e608
-
SHA1
f2182062719f0537071545b77ca75f39c2922bf5
-
SHA256
5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
-
SHA512
7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
Score4/10 -
-
-
Target
DiskInternals_Uneraser_v5_keygen.exe
-
Size
12.9MB
-
MD5
17c4b227deaa34d22dd0addfb0034e04
-
SHA1
0cf926384df162bc88ae7c97d1b1b9523ac6b88c
-
SHA256
a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e
-
SHA512
691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c
Score1/10 -
-
-
Target
ForceOp 2.8.7 - By RaiSence.exe
-
Size
1.0MB
-
MD5
0a88ebdd3ae5ab0b006d4eaa2f5bc4b2
-
SHA1
6bf1215ac7b1fde54442a9d075c84544b6e80d50
-
SHA256
26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680
-
SHA512
54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
-
-
Target
HYDRA.exe
-
Size
2.6MB
-
MD5
c52bc39684c52886712971a92f339b23
-
SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11
-
SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
-
SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
Score10/10-
suricata: ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3
suricata: ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 9
suricata: ET MALWARE Sharik/Smoke CnC Beacon 9
-
Executes dropped EXE
-
Drops startup file
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
Keygen.exe
-
Size
849KB
-
MD5
dbde61502c5c0e17ebc6919f361c32b9
-
SHA1
189749cf0b66a9f560b68861f98c22cdbcafc566
-
SHA256
88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
-
SHA512
d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
-
Size
13.4MB
-
MD5
48c356e14b98fb905a36164e28277ae5
-
SHA1
d7630bd683af02de03aebc8314862c512acd5656
-
SHA256
b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
-
SHA512
278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b
Score1/10 -
-
-
Target
LtHv0O2KZDK4M637.exe
-
Size
10.6MB
-
MD5
5e25abc3a3ad181d2213e47fa36c4a37
-
SHA1
ba365097003860c8fb9d332f377e2f8103d220e0
-
SHA256
3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
-
SHA512
676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Registers new Print Monitor
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
-
-
Target
Magic_File_v3_keygen_by_KeygenNinja.exe
-
Size
8.6MB
-
MD5
80e5a163c5396401b58a3b24f2e00d38
-
SHA1
589accaeeca95b8d69fa7bc14f402925dd338a6a
-
SHA256
72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1
-
SHA512
cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6
Score1/10 -
-
-
Target
OnlineInstaller.exe
-
Size
3.6MB
-
MD5
4b042bfd9c11ab6a3fb78fa5c34f55d0
-
SHA1
b0f506640c205d3fbcfe90bde81e49934b870eab
-
SHA256
59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
-
SHA512
dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3
Score10/10-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks for any installed AV software in registry
-
Drops file in System32 directory
-
-
-
Target
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
-
Size
9.5MB
-
MD5
edcc1a529ea8d2c51592d412d23c057e
-
SHA1
1d62d278fe69be7e3dde9ae96cc7e6a0fa960331
-
SHA256
970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d
-
SHA512
c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab
Score1/10 -
-
-
Target
SecurityTaskManager_Setup.exe
-
Size
2.9MB
-
MD5
444439bc44c476297d7f631a152ce638
-
SHA1
820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e
-
SHA256
bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3
-
SHA512
160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00
Score8/10-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
-
Size
10.5MB
-
MD5
8103aad9a6f5ee1fb4f764fc5782822a
-
SHA1
4fb4f963243d7cb65394e59de787aebe020b654c
-
SHA256
4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40
-
SHA512
e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8
Score1/10 -
-
-
Target
VyprVPN.exe
-
Size
1.6MB
-
MD5
f1d5f022e71b8bc9e3241fbb72e87be2
-
SHA1
1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
-
SHA256
08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
-
SHA512
f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
WSHSetup[1].exe
-
Size
898KB
-
MD5
cb2b4cd74c7b57a12bd822a168e4e608
-
SHA1
f2182062719f0537071545b77ca75f39c2922bf5
-
SHA256
5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
-
SHA512
7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
Score3/10 -
-
-
Target
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
-
Size
545KB
-
MD5
54bef758433c98353b61bf1e2aecefb2
-
SHA1
06feb43c6d58eab893396f63aa2e1d0e4542f7d1
-
SHA256
291f381da3286ea93c38bb325e19f35744349c3543708135d8be731f4bafb6e2
-
SHA512
3bfb51f9bee7033ebde0f418b88327b7c7a322b3e0572d92ad4cdf37c9fbed22d518c9ce2d8d5638381542bef83077d8054184b9f613b815df6906a99fd4526f
-
Vidar Stealer
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
-
Size
228KB
-
MD5
8399865e44e7d6a193f8c8acf547eb31
-
SHA1
17e3bee5debada69dadec0b748256925a1a8b1ac
-
SHA256
aaf7bb9ad358726ca367f1827686dc15fea925f26ab1e201a2768c67472e8890
-
SHA512
bf9ceb3a36ca874dceb9ccfec8e7635f5f11f83f04226ceb4e2b4b2548dbcecf2618fe5063bec068b1571867984d0beece6b5f9be0747a13ddb53f9a09aa4d61
Score10/10-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
amtemu.v0.9.2.win-painter_edited.exe
-
Size
3.5MB
-
MD5
88124e4aba906259af28a466774431ea
-
SHA1
fbc1c27e0d7177238ec99481ffa7d839d1f51594
-
SHA256
1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd
-
SHA512
cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies firewall policy service
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
-
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Sets file execution options in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
api.exe
-
Size
22.9MB
-
MD5
3561a1c35184a0b60b89f4b560a9660d
-
SHA1
e39442388db90a088a8eb8ce46d4f61182334a1b
-
SHA256
3f1e28e961239c01602b1ce7555f51778c9f369b059ef07b75a7d9dee70ff8b1
-
SHA512
7a83a669e8a72d6ec83952c9d57cc8059a6fff6f3564dab69ad50ca939a7d8e3f3d7d9ed74f8d06d060a39f8c4525fcfdcdecf2550c6fe57da0bef3df1f5ee75
Score1/10 -
-
-
Target
default.exe
-
Size
211KB
-
MD5
f42abb7569dbc2ff5faa7e078cb71476
-
SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6
-
SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
-
SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
-
Size
920KB
-
MD5
4339e3b6d6cf2603cc780e8e032e82f6
-
SHA1
195c244a037815ec13d469e3b28e62a0e10bed56
-
SHA256
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
-
SHA512
a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87
Score3/10 -
-
-
Target
good.exe
-
Size
143KB
-
MD5
b034e2a7cd76b757b7c62ce514b378b4
-
SHA1
27d15f36cb5e3338a19a7f6441ece58439f830f2
-
SHA256
90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
-
SHA512
1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
infected dot net installer.exe
-
Size
1.7MB
-
MD5
6eb2b081d12ad12c2ce50da34438651d
-
SHA1
2092c0733ec3a3c514568b6009ee53b9d2ad8dc4
-
SHA256
1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104
-
SHA512
881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b
Score8/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
oof.exe
-
Size
662KB
-
MD5
0760d43d4adebe20fa0b5e5a7bca1714
-
SHA1
a0a9dae5e9be39bca31021dd9cf565fcdefb8474
-
SHA256
8f9067f2bd4a374539a40fddb8915600c9fd6ba3e5db20cbddcb3c5f22d9da44
-
SHA512
7e60c2726711bb8e822375f93cfb9ced7d172f3f0ae07041cbeea8c4cdb45488d1de90ee77dfef52aa86722a5dcbe521d1affeace3aec8811e851f693d74ef77
-
Modifies firewall policy service
-
Sets file execution options in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
ou55sg33s_1.exe
-
Size
609KB
-
MD5
347d7700eb4a4537df6bb7492ca21702
-
SHA1
983189dab4b523e19f8efd35eee4d7d43d84aca2
-
SHA256
a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
-
SHA512
5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
Modifies firewall policy service
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
-
Sets file execution options in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
update.exe
-
Size
12.0MB
-
MD5
c5c8d4f5d9f26bac32d43854af721fb3
-
SHA1
e4119a28baa102a28ff9b681f6bbb0275c9627c7
-
SHA256
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
-
SHA512
09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
-
Modifies visiblity of hidden/system files in Explorer
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
XMRig Miner Payload
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Stops running service(s)
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Drops file in System32 directory
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Hidden Files and Directories
3Modify Existing Service
4Registry Run Keys / Startup Folder
5Scheduled Task
1Winlogon Helper DLL
2Defense Evasion
Bypass User Account Control
1Disabling Security Tools
4File Deletion
3File and Directory Permissions Modification
1Hidden Files and Directories
3Impair Defenses
1Install Root Certificate
1Modify Registry
19Virtualization/Sandbox Evasion
2Web Service
1