General
-
Target
showcase.zip
-
Size
6.8MB
-
Sample
220624-qw33gscfak
-
MD5
0259f0150a31d2fcc9f009a961243b54
-
SHA1
ddb27c245b32032ae4a1c9922d6c2312d709578c
-
SHA256
96995eadf0555a4f7759c817a64f58810b64a423ab172ac809c373f381d5cd3e
-
SHA512
0e1b5e353ebbe9481f20f9d8d7d04178b5c320acc0e2e052036e814566d52901cd1c83ad028b6629ecad3632b92c00918fe81b0a38390249542a0eb7db1931e9
Malware Config
Extracted
qakbot
402.68
tr
1619706851
24.117.107.120:443
190.85.91.154:443
72.252.201.69:443
189.210.115.207:443
71.41.184.10:3389
81.97.154.100:443
50.29.166.232:995
140.82.49.12:443
75.137.47.174:443
71.74.12.34:443
73.25.124.140:2222
149.28.99.97:2222
45.77.115.208:2222
45.32.211.207:995
207.246.116.237:443
149.28.99.97:443
207.246.77.75:443
149.28.98.196:995
207.246.116.237:2222
45.77.115.208:8443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
redline
KREATOR
45.140.146.214:20498
Extracted
C:\MSOCache\YOUR_FILES_ARE_ENCRYPTED.TXT
Extracted
C:\Users\Admin\AppData\Local\Temp\readme.hta
Targets
-
-
Target
filecoder.dmg
-
Size
2.5MB
-
MD5
5557a06822358ea7814891631f7df8ce
-
SHA1
f6e215ed5a1623de05c6f63033aa4f6d1a5696d6
-
SHA256
f8dd1edd285ba0ee23250d7925dd7c230aaf3845ceedb6bcfe2913815c8775db
-
SHA512
a592d44e8942dd223792baf0180bb4d06d0d9e0e2740a64c86c89435cefc3a704acc86ab0caee207eb549f7e8eaee777b66178bd4ac7f7c331d981b7e40a0d5b
Score1/10 -
-
-
Target
flawedammyy
-
Size
3.6MB
-
MD5
743a6891999db5d7179091aba5f98fdb
-
SHA1
eeca4b8f88fcae9db6f54304270699d459fb5722
-
SHA256
fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f
-
SHA512
9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96
Score10/10-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin Payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
qakbot
-
Size
959KB
-
MD5
2dc87224ef9349f4b281f11fb43ed3f4
-
SHA1
e19c8174793560817c522e3f206f6434ebf4b342
-
SHA256
31c42d854a77c7673a3438df6501c3a09ee530f6f4f23cc7bea891cec7bc096b
-
SHA512
1d492db541796480d4f4c987f4ab7abd49ba6caf6da8bed419893d658ce5325e3cd672d9fef7a58986f2262ef18775ad1e435358a1b797cf271cea99474f0874
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-
-
-
Target
redline
-
Size
569KB
-
MD5
4842156a83bbc8f5b1b46b0e2a597ab4
-
SHA1
bdda0f367bf93fa75e2bf4b632daab8b615c9c69
-
SHA256
24dc9485b3fcea21dc81118d045d6bd13ca40f04dcc905662b70f4ed5754f003
-
SHA512
f0fe9c63fc8fd1333297b76f7f0ed414535ffb4f8ab96906c8207840bf63688d8b6e0de8053e7882eeb616ddf83c8021d5940adc9fcba4e8fd1e342c67343f73
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of SetThreadContext
-
-
-
Target
seon
-
Size
62KB
-
MD5
7d3573bee1a9acd192c50bc72a65ef7a
-
SHA1
8ff77e69046c8cecd4407c536219e6fc1a747af7
-
SHA256
221ab2fabe92b623834e7214d05dbef0cdc2b4399d34721de63e7c32ab5820ea
-
SHA512
dcf3998861c2c1818d05ba526134edddee58bea51d4065ec5d156dfac2d24a63d65df057a1319e0886bdf37a394f82fb4435c0292c3e1f135646623ad3aaf347
Score10/10-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-