General
-
Target
downloads.zip
-
Size
6.6MB
-
Sample
220620-q5zfnadfcn
-
MD5
3b0f343f00bda8ff449bf69075a2263f
-
SHA1
f9c873500d08defa8e3f387cfe14b7086acf974e
-
SHA256
e59e7db0c75cef4bb6e057d725bae7ed5e13fd011b54fe39c3fe7cdb123b684f
-
SHA512
dddc90f4ed56a28d5551bd144da4e8e53f8fd547abfab2eedae1be209c83a5f040dac8c2ee944754f7464762c98e66a09137b19a61b4fb03efbcdd705550f7b9
Malware Config
Extracted
emotet
Epoch1
155.186.9.160:80
80.249.176.206:80
94.23.62.116:8080
59.148.253.194:8080
192.232.229.54:7080
46.101.58.37:8080
62.84.75.50:80
81.215.230.173:443
170.81.48.2:80
46.43.2.95:8080
1.226.84.243:8080
152.169.22.67:80
70.32.115.157:8080
73.51.245.231:8080
94.176.234.118:443
177.73.0.98:443
113.163.216.135:80
186.188.212.201:80
201.71.228.86:80
178.250.54.208:8080
Extracted
emotet
Epoch2
99.247.33.186:80
181.165.68.127:80
64.207.182.168:8080
51.89.36.180:443
51.89.199.141:8080
87.106.139.101:8080
139.162.60.124:8080
74.208.45.104:8080
209.141.54.221:7080
173.173.254.105:80
217.20.166.178:7080
208.74.26.234:80
88.153.35.32:80
216.139.123.119:80
110.145.101.66:443
176.111.60.55:8080
139.99.158.11:443
109.116.245.80:80
172.86.188.251:8080
115.94.207.99:443
Extracted
trickbot
1000512
xml1
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
-
autorunName:pwgrab
Extracted
trickbot
100018
sat2
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
-
autorunName:pwgrabbName:pwgrabc
Extracted
trickbot
100018
lib101
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
-
autorunName:pwgrabbName:pwgrabc
Extracted
trickbot
100018
rob110
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
-
autorunName:pwgrabbName:pwgrabc
Extracted
buer
https://165.232.118.210/
Extracted
trickbot
1000512
yas45
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
-
autorunName:pwgrab
Extracted
trickbot
100018
rob109
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
-
autorunName:pwgrabbName:pwgrabc
Targets
-
-
Target
0374bb627e51aa5fa5df0640a5468939cf190a1a1bc0c8a0f3df4bc9b3e92171
-
Size
442KB
-
MD5
1eadc669573e390002451cae24c73d2a
-
SHA1
b53754d5e713b95d3f2a9ad154946fb9ed79cec1
-
SHA256
0374bb627e51aa5fa5df0640a5468939cf190a1a1bc0c8a0f3df4bc9b3e92171
-
SHA512
78f5cf2f06d3eb47171b3e6d05ce00cfdfd7b5eb8ddcff07621f7d3f9448a191f95c86b2eada24cd79628ec5ed3ebcd2a37eaf5a4fb837cfed679ef9452a5344
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
-
-
Target
0ba117fd394120dbe7fef45f244ab20d476e595fd900ce56c4fced0941e8a635
-
Size
280KB
-
MD5
f208db3d0b53573ddb865b8083297685
-
SHA1
db379d053d1aec9c1f8be9cb7a917b6010d099a6
-
SHA256
0ba117fd394120dbe7fef45f244ab20d476e595fd900ce56c4fced0941e8a635
-
SHA512
a25da0ad6f451c09ec38c4711b8be6f2db4e6e656626bf4204c2af64887e7b7d89d85fe8d8f8360bf8f4e08a6481f9c34ff9cd592f6bf26fba5889326ff99570
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe
-
Size
384KB
-
MD5
e5fbc1da28635c999735d46d021c1b69
-
SHA1
98bd51f54697562312fabfea5dcadd3eed997207
-
SHA256
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe
-
SHA512
8c0f3a35bdfd4e7821f72793595f576a836d5d52ed650d7291c87673489452ef55c5b6182666a678edbf32f4aabc4f8a18fa5e88261c4c919cb012ec585d2fae
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
-
Size
396KB
-
MD5
8503ea92f4c9941ee3295978729d98ba
-
SHA1
d04dfbc5b1335c8408ffb5c58bd966791f748ad3
-
SHA256
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
-
SHA512
a5dade77d81f3fc49b46d828ea653d55b921e8b65b455dd0a1fa7eba7880b3a86deff0aafd21276a86eb95be948ab61da9771343ccbc24164b31c3a5b18edaa5
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
-
-
Target
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde
-
Size
284KB
-
MD5
f81f03280cfa4379453f152008311573
-
SHA1
97a418aaebc019f4715c911af232d4ca09004536
-
SHA256
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde
-
SHA512
714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
428ff553b67cd782e6d0227ae09c83ba8074fa11cf4bfd91703b2043aa5f6c50
-
Size
342KB
-
MD5
f4853c12c2e213979b03701b36e18960
-
SHA1
925203dea145358e1457bca76de0edcae8b33961
-
SHA256
428ff553b67cd782e6d0227ae09c83ba8074fa11cf4bfd91703b2043aa5f6c50
-
SHA512
2c450e424f88ed9c3e37c03c2f4cc8153392b70320ec5533d17a5e10400c70ec668f8526ea3125364ce7d9eba7dc16295d0587e93c979cbed3cd10bea61a373e
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
455d08a5e2a10427eb1aec8f9ee931a5ae10b41acb9cf0e9090f87722a96b9ce
-
Size
296KB
-
MD5
ac35802d7f24f8c48231c4ad3dba6ca8
-
SHA1
d4e091c21fbd85e1b3ab5ff2f03eb89df2ffb9bd
-
SHA256
455d08a5e2a10427eb1aec8f9ee931a5ae10b41acb9cf0e9090f87722a96b9ce
-
SHA512
f980d12472e06782a1e05a0c9c22e60a54841d63b611b3ecc71fb8475305fc00d01fc266ec21899d0e0dede7ed850f9930ede17d01b874385415450ca952020a
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
4dbd0cd1e0f85d16cb65f376880ca9ba247bd1f81542f135610f951349909959
-
Size
516KB
-
MD5
8fe94f61dc7cd3282df2683dde87e61f
-
SHA1
4731cffdc450f03baac5c9e64554d274b1421531
-
SHA256
4dbd0cd1e0f85d16cb65f376880ca9ba247bd1f81542f135610f951349909959
-
SHA512
3907347975a9618c9034e2e0a8a8ad3778e355d8e812134902609a87df300c835b0a76a6165bee752d29f05f3cf7d747944f22f48be745f5ce000b1f7dade251
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
-
-
Target
4febaf5c3eb1938f657200df1141457d1bb34b9b67222f2e889c9785dd99e492
-
Size
341KB
-
MD5
83d8dac9d5b9137272a09108bef54457
-
SHA1
0134e7feeb2727030a2a8e143751490c760dd7fc
-
SHA256
4febaf5c3eb1938f657200df1141457d1bb34b9b67222f2e889c9785dd99e492
-
SHA512
a1778db56c6ca781397eba82efbe3156119b3acb2532e29f16d23b8e516b182ac1ade0c7fa70d7e4774b6d9df0e759ec560391b2d63ae9cb4948c9e63e0bb36b
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
5282f373b4dbab1b939b625d05d45442e8c008eeb6fa5d3c1f587cf80afa21ff
-
Size
92KB
-
MD5
fd8050fe993e55914b1608dd1828f540
-
SHA1
8d8de88ec4baaeb504b4cdf959fd0d76fd346818
-
SHA256
5282f373b4dbab1b939b625d05d45442e8c008eeb6fa5d3c1f587cf80afa21ff
-
SHA512
ac73a5a33b2c9549b678ccf7dd48242f7563eb15b1cc75f3d28e170b72d09f6a4424e75f20c049f603b04c2536f03aa96fae50a6c3f12dbb5f7075ef9dd9e60d
Score9/10-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
-
-
Target
6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47
-
Size
244KB
-
MD5
ec6363acaf183e7c3bcdc5b009ac277c
-
SHA1
94bf19b87591a990a40ea61e3235314a02f105e2
-
SHA256
6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47
-
SHA512
be05c7ef26a3216cd01cbadb1086962caae4075a0ce322c248c56ad3d97c9cb85d19173e52db754152eac8678317ea637fe18d10cc89133f7eadc885fb92d402
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet Payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
6c95be6a536264db1dcb3c13b03b6f67d04b75a49cb9411fa294352590df2e65
-
Size
860KB
-
MD5
02adc56200b095ac950730eb3458ce9d
-
SHA1
ddecba68da8e16bfc2638b48a2080104b180b12e
-
SHA256
6c95be6a536264db1dcb3c13b03b6f67d04b75a49cb9411fa294352590df2e65
-
SHA512
5f25c4953683279894086126a7eae6babd25b1f9ffbe367eecf46f6f9dc08f05fd4a94027d9cadeeca21d5d499e5bb96f3e4b7d660c1eeb1f8876addc1d2f885
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
-
-
Target
75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a
-
Size
454KB
-
MD5
92bdf585c0213c658e84afa9bee31e83
-
SHA1
2605300c6957335e73d527d83405e657ff3348f0
-
SHA256
75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a
-
SHA512
94fe04fb55a6046226222d55967a05acfa9f26e7ed5a7ce91f6e57565502399f1daad99084e9ed9d940319a124b0fd9557fb28d2082c0c2cdbba5255ca986726
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-
-
-
Target
7dd89cf8a1fd81909f2dd9b75cffa1f7ed98ae94c381a6c92ffd0a0dee7707d2
-
Size
196KB
-
MD5
dd69fb6eb36fd0b9d0e14e099104726a
-
SHA1
6fb3cad9868b22a0563664d3c5cbefe7e57d09b2
-
SHA256
7dd89cf8a1fd81909f2dd9b75cffa1f7ed98ae94c381a6c92ffd0a0dee7707d2
-
SHA512
6743cac45032112bccf24bd0765f15727c7dd12a46e8162adc39c99631998f3b8b8544916ab398bbeaaa3704b65e8dd57b4f6dd8acaf1c933a2406e9525eacea
Score10/10-
Buer
Buer is a new modular loader first seen in August 2019.
-
Modifies WinLogon for persistence
-
Buer Loader
Detects Buer loader in memory or disk.
-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77
-
Size
432KB
-
MD5
7773c8164949a42936c4d1374cf16284
-
SHA1
9e92535dc7bcdd7bf677a643f90ee730784edfc6
-
SHA256
81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77
-
SHA512
8569116004d7b7154fced5a1a6f9d6ed111cae4cf71a68942fc0b978f5fb42db5b595c059fa77bd787cb923c99894dfc07accbc201c38caa02e3f2a235a9d61c
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Dave packer
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Drops file in System32 directory
-
-
-
Target
9268e1f0af209ecb3d16ddbb4b5f294194c62b54812b02aba7efc7b1306c0fb0
-
Size
544KB
-
MD5
252d7a18958132b04614191096ab9636
-
SHA1
e0c9542cba105632c39e4b9b6db75a0cecb29221
-
SHA256
9268e1f0af209ecb3d16ddbb4b5f294194c62b54812b02aba7efc7b1306c0fb0
-
SHA512
d66d7f0047b4c41e101641d91270c43325637de28d1a5713194a9a7db8de6320e51de8f0219db209237951432318f9d609c205610f41306f23837ff1a5ece31c
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
-