Extracted

Extracted

• • Target

    100.exe

  • Size

    75KB

  • MD5

    6fe5189a35abb1d99830e92de024bd2d

  • SHA1

    add93a5ad62ff4d923f68661727ea0c37d2053fd

  • SHA256

    9e3ad5186e3784d866a3ed9a41e61a1ff2fbb983ce8edb330a3b069f452b636d

  • SHA512

    7f28b95a47947f75c10763dec5a22fc77b9d249144e24c8de8824dba0dc375729f1b8a4e4aa9faeb3031ee11d1e38afbc167904f5a5061390d896673b414950c

  • SSDEEP

    768:tbyvTDdVf5ozWBYP5SywTwiN9dguJcF4Qhc4VjsS8jAnKNu6LUEscg6U2:tbyvtVRsWyP55wTwiT2hBjsV61nV2

  Score

  10^/10

  evasionpersistencenjrattrojan

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2

• • Target

    101.exe

  • Size

    382KB

  • MD5

    ddfd1af9b3efa75c2fd43345ad6d5134

  • SHA1

    d4c4b94b065730cfedbb4b1d4028334c0249cc16

  • SHA256

    816f2804fa18c61299f99044fe9dac032cc41a14fbc2b9240906125dd3851e0f

  • SHA512

    28aeabaaa5f9ecff771dd302314da94b0c9cd945bfde34873f172cf801bbc94f3a12f5ed5ed8d62b0707a9f22fb88c12bca0e19a08f3b2ba2f5b65a3aa635066

  • SSDEEP

    1536:Ut/vpQmpV3t/vpQmpVBIzK66cqFz5CCImpEzqG4SutULWKh83TCBkryYRCO2/7ed:QnpVpVdnpVpVB+8BICbrq

  Score

  1^/10
  behavioral3behavioral4

• • Target

    102.exe

  • Size

    296KB

  • MD5

    53dbea2d9cbdaa8271d05eb5dbb26cd6

  • SHA1

    e991722d8f9d739f8a3adaf70cd8c3c905ce995f

  • SHA256

    810d0d8097c08297f9ddbba9d513ea75ec3cc50ca2f82c7985e148b191ad5a05

  • SHA512

    617c7df31822baf436c88b3d5698b573fcc49f20332b209d134caee682620520fd91b55f671ddfbb857eae212bcf10dfd93438cd648477d43f9cbbe9fcc41fa1

  • SSDEEP

    6144:uVI/y3qx3YgnXIqE8LsUCSLdgR4XbMg65AGdU:hKaxYgYqEssdSGyrMBQ

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    103.exe

  • Size

    1.3MB

  • MD5

    d28a03f60138fdfe9184420a6b01d1bb

  • SHA1

    ecd63362ccff42b702491512f1bc3201ed6992a9

  • SHA256

    815a92ac6ced5517d19d77684ca2fccdd5b0d3cf98c478169de378317b340d35

  • SHA512

    18db0198bc2d6edfed89afe3213b6f61734bdf32ca31f15f2e7bb22f0ebc94aa28f1ae80f3a5c1b2feced852a1df825802fd5b93f9e08cff78594b7e6325bb46

  • SSDEEP

    24576:6NQmE25Zq4qCN3yQtEOzFxa1LBUYrFgzxzFSO2KDAXiW6Bo:6NQsqc5tza8P0TKi

  Score

  8^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral7behavioral8

• • Target

    105.exe

  • Size

    555KB

  • MD5

    6494681c2245762c201fb9d0168a400f

  • SHA1

    eaf39ecfb2648ac66f8e60bf63558f3d72fd9928

  • SHA256

    e9904b7bcc2f754d895f293be21430c96f8278a449f48a346cf68036782dbfbb

  • SHA512

    7e63b20e05fb894757505e99db8e43927e98bb5bcd0f84a5e035187536fedda5f5441711c5e22168fe59dbe5224cd7acf7836cb1e65a4dfd4b38e95dd8fce62c

  • SSDEEP

    12288:9rI128T22OA9bwbz8elTAOJlB1CrbFFXi:Vr8T2iJwbz80MOzurbfS

  Score

  10^/10

  persistence

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Sets file execution options in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Checks for any installed AV software in registry

  • Drops desktop.ini file(s)

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral10behavioral9

• • Target

    106.exe

  • Size

    332KB

  • MD5

    67abb102366bd7c06300496c3d630936

  • SHA1

    718c01cea0371b44fd086903065202961c8835fe

  • SHA256

    683e8a62cbd58fbf1b0fff4a232d953768b50edf484c42bda1bdab5a4291d662

  • SHA512

    ee85cbce1b91fae3aa757c771d558997c4a6e41c12b623261d8ec4ea9c1df10d8318be73617f0b5125f21b88522616cc258991b6b700a5eddb7263442f1613fa

  • SSDEEP

    3072:+yNx6ONRoVtNChz/3VqDd3+YKYkbrtFVCZODEBcGnsgq/fTQdHYivQZ6g3/s3PMB:HNxjeN8/4kYkoL

  Score

  8^/10

  evasionpersistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral11behavioral12

• • Target

    107.exe

  • Size

    8KB

  • MD5

    339e4181fe7c160461c885faf5e6fd14

  • SHA1

    b90c1adb7483723b177aca3e423119f5c3803a11

  • SHA256

    403a36221ba0f7f94c0fd180058d033215ec3a0cbbd9cf18dc573ca312dae3a6

  • SHA512

    e3adf3a194b7a7d02b64a0f1e0b5c5315d02f6f501c77cc07a97d5a4a24f200bba5d5080d5205fe8ff6a59e282e0f3946410e548c09f54e0ce277b078d8df662

  • SSDEEP

    96:q2Imfd/26jgx0G60G9kSfkYGol8NDOFs8yoGvhUko9+r5M/24q9eRY0bqOi:q4fdSxK0akSTV4LhNo9w2awOO

  Score

  6^/10

  • Legitimate hosting services abused for malware hosting/C2

  behavioral13behavioral14

• • Target

    108.exe

  • Size

    1.5MB

  • MD5

    10d88208d6fc2e26cb4eed0397dab235

  • SHA1

    7f008ecd348766769d024c8c85dbf9c6a46f4833

  • SHA256

    0f4ecea31c8a309dc0c26d4cdddc38f0aaf307399a4705df82088b38553901eb

  • SHA512

    80c9e1403860884e5e361c1ecbb95335636924d1897794078ff0286abb900dc040c3441a7ab5f1ce475b32c22a5ebf03ea4235be2c6db4ab6a5fd601cd38cc05

  • SSDEEP

    24576:vOFgW1J2afML80j0YLKh45y/nsfkNzUOtS0i3lPb0KIEEFNPaNETiLb+J2vs9:vD022+90Dn/Ukw0iVTPEF9LiVE

  Score

  10^/10

  darkcometmtcnpersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral15behavioral16

• • Target

    109.exe

  • Size

    1.5MB

  • MD5

    48b5f870cd52e63adff35391961974b5

  • SHA1

    b355a7ea90387606c41b9641c9c7857250335ed9

  • SHA256

    7a84c0090ef3aa1210ff677298007ab3c6a626b047473f6f4854955cd4e0213f

  • SHA512

    a3245fcfc944514a0a28e9e0887eeba7b971fdc2a7c5168e4b3311f38a2bdc2692800fc7e42e64938e7ec91b9f4dcdb57f77d33f5dcc2e36e8590c065e2f698f

  • SSDEEP

    24576:w6LGRV7EMd5A5/B81TJvWkw1RaksEloH6KWUIuYYTcrL7VF3JOkK74gYx:w6qRV7EMd5A561TKTPTsW8A34NYx

  Score

  10^/10

  hawkeyecollectionkeyloggerspywarestealertrojan

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    110.exe

  • Size

    242KB

  • MD5

    c0224c4d9628b324db1af4d9007fa46c

  • SHA1

    1d264386f3d36b28f78f3cba45c189e0c065ce16

  • SHA256

    673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

  • SHA512

    339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

  • SSDEEP

    3072:5hmeYAv6OUGsjtZfSPAnk2eFkf2zXm5XHxXQ41lfmLjCsyQQHX0LTvNaJS7X9hkg:JYAUGs/fSPAkDFKXJHQgENaU7X9h

  Score

  10^/10

  ponycollectiondiscoverypersistenceratspywarestealer

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral19behavioral20

• • Target

    111.exe

  • Size

    346KB

  • MD5

    7eb1dab5352b08d22f9bc9adff2fe769

  • SHA1

    3b7d70bd225c687a86481ca1fad6a9979c02b512

  • SHA256

    31451031271efb07c67bf5a6864471ffc092f16e63aac290a49bdb86f6e47fd8

  • SHA512

    55120acc9c744d13e42907ea6da1a8b7572c30c7f40d384dd40060fab3a6c72144ee723284b0201bb98a1ef96620436666fd67415b432c2013dc976d83697d51

  • SSDEEP

    6144:aIsmmCy886hKGj1FzwVOHpLJPpRlYcgy8uuaaAiUDVoL0XYcYhUMdcL77s3QpjKv:KN8jhUsHpLPFl8uuaaloMdl

  Score

  10^/10

  isrstealercollectionpersistencestealertrojanupx

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer

  • ISR Stealer payload

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • Nirsoft

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral21behavioral22

• • Target

    112.exe

  • Size

    187KB

  • MD5

    1b16b152c1fde08b8089adf6132f5d4d

  • SHA1

    025f3f3760221f62415376ac2ecb6bd8d426762e

  • SHA256

    1fc0ea9775d1a71a08af06b83e829664b19a9122ce0dfececfc205aa72fcbc44

  • SHA512

    7af997e7b9daa383f6956d9c267ae14d83c223a625a47d5c5c7b9a1391c04332f4315d0ae314d2ab7ea1648c9db2d3b60251e431d288909dd9f31ce8cddaff4e

  • SSDEEP

    3072:EDQkrZoosbIfXJMq6WLs0JiG3VU2wBOZfYyqUElu/UvymUPPGwuDjwauVxrITZFE:EDpoeCOLNHFU2COZfYyTElu86mpFwa6/

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral23behavioral24

• • Target

    113.exe

  • Size

    721KB

  • MD5

    dcf4149718fb8d5a31976034452cb574

  • SHA1

    aef9286d24812051ebca0188a8c4dbaa833a6e3d

  • SHA256

    8aaace67e12ccd71bf30a3b844a81738860dde289f48ee41e61a42bc5797bf25

  • SHA512

    82d4c6c469bc75f9b11cffc7b8d71c262aeb4138162562b3dc3ddc8a5bcd256a51e0171f4f8b6e3e486e391a8c32ecfaf63c0bbef639d83ca806772bd4f48f9c

  • SSDEEP

    12288:U5OnerWhEgD3H08lJDftfNtsj4MNNtCYzsjgdXWYPPm6TWSvCrXIsB3BnqBzsTdN:UInN5k8lX/u4MNNInmjYIkBqzzAuN7st

  Score

  10^/10

  ponycollectiondiscoverypersistenceratspywarestealerupx

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral25behavioral26

• • Target

    114.exe

  • Size

    928KB

  • MD5

    1a3e186988e76f505a858eb30d77fa72

  • SHA1

    c9a8f4429f588f2332b2e61bbdd67bbe7b9128c3

  • SHA256

    d40a88423f47facdc46b66e7250866c8280b53733c1e366a077e8925aaa71953

  • SHA512

    7fe896b8f7a1e5f091ed5f19a559adb5a29b4bc703cfa161adafe73cd71bdf18cf438c0c46bc96187288727dbc45e337fa8b14d1b80b7deef9a964df82d85ce3

  • SSDEEP

    12288:x5OEfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1x2eU8iacTSUvpvEIF8BQa7zPPm6TW4:xIEfJYOWQb8uTSURpF2NYIkBqzzKuN7v

  Score

  10^/10

  ponycollectiondiscoverypersistenceratspywarestealerupx

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral27behavioral28

• • Target

    115.exe

  • Size

    1.4MB

  • MD5

    ee42fadf6ff3380c26ba01b39d058e97

  • SHA1

    21789b55de06541a26b155317b26df95ccea8c58

  • SHA256

    b50c4330815418eaea6ba905f14ef10815cd3092397802333768ac8e7a71bc74

  • SHA512

    8ab435860d81f3140263a3dcb7fec4ca0d7b3e5484e3f2d51cc64336ee6754fad077642deb5244dd41e486aac78d9cc5c7645857108bfceabff5a29550a6499d

  • SSDEEP

    24576:Dq3jE25Zq4qCN3yQtEOzFxa1LBUYrFgzxzFSO2KDAXiW6BQ:4Fqc5tza8P0TKS

  Score

  10^/10

  hawkeyekeyloggerpersistencespywarestealertrojancollection

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral29behavioral30

• • Target

    116.exe

  • Size

    475KB

  • MD5

    5693b49732f95de6062b19b6aea6d5b5

  • SHA1

    fe2266c677a09e28fb86016331371976c133e7fd

  • SHA256

    30ac74e39be0cf57579fbffbda9138386b2eefd45eac6df28da251d43a0d3d42

  • SHA512

    fa7cb7f97b728322280a652d2f49735bf49daf47f5af6d50789c95d53979971255774bbadcf03a32e481dac17ec5e4905ab0221658f47ffdc12bc1a0727b80db

  • SSDEEP

    6144:1DpoeHt8QJCUN0C7Py1av5oam+vqFvmkHf3HZHLhSk2cKgL:ZtVTN0C7PyktXVVk2cbL

  Score

  8^/10

  persistence

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral31behavioral32