Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe

  • Size

    3.8MB

  • MD5

    56fbb5d915ff47c20902b8927ba569a3

  • SHA1

    23aae060b278385144806e0c371af6c69b8e0158

  • SHA256

    08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1

  • SHA512

    8067445522ceff25c27caa0683019a0738658509c72f2600c56efe31fd57a0478b23489321132dba66c6826790b94a5cbe676181899a8211ea2aa31988eeaeb2

  • SSDEEP

    98304:JMdlMnIffWtaW1gBLuoitV6HxvT5DsimPSveqa:JMdiIXYaWYktVexv1Dveqa

  Score

  10^/10

  fabookienullmixernymaimprivateloaderredlinesmokeloadertofseevidarxmrig933build2aspackv2backdoordropperevasioninfostealerloaderminerpersistencespywarestealertrojanupx1679themidavmprotect

  • Detect Fabookie payload

  • Detects Smokeloader packer

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

    trojannymaim

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Nirsoft

  • Vidar Stealer

    stealer

  • XMRig Miner payload

    miner

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Drops Chrome extension

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2