Overview

overview

10

Static

static

10

1.exe

windows7-x64

3

1221.exe

windows7-x64

10

6b282d34fv2.exe

windows7-x64

1

B000CEF.exe

windows7-x64

10

Builder.exe

windows7-x64

1

POVOFJYqCo...Iu.exe

windows7-x64

1

Terracotta.exe

windows7-x64

1

TerracottaGUI.exe

windows7-x64

1

Zver.exe

windows7-x64

3

a.exe

windows7-x64

10

amdcontroller.exe

windows7-x64

10

bg.exe

windows7-x64

1

bin.exe

windows7-x64

10

bin2.exe

windows7-x64

7

ej.exe

windows7-x64

10

fban4.exe

windows7-x64

7

glash.exe

windows7-x64

1

johngotovo (2).exe

windows7-x64

10

johngotovo...al.exe

windows7-x64

10

ktg.exe

windows7-x64

1

otIXAOPqOV...LX.exe

windows7-x64

3

scvsots.exe

windows7-x64

10

setup.exe

windows7-x64

1

shit.exe

windows7-x64

10

ss.exe

windows7-x64

10

stealedd517v2.exe

windows7-x64

1

steel.exe

windows7-x64

1

ted.exe

windows7-x64

1

update_b.exe

windows7-x64

1

update_z.exe

windows7-x64

1

uyo.exe

windows7-x64

1

v72d8z2.exe

windows7-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    URLhaus.rar

  • Size

    23MB

  • Sample

    230813-w658gsdg67

  • MD5

    7500442939e9a87f5fd7ccf31614ae2c

  • SHA1

    ae3d786e709601d09934eebd178df9d1fcf2f523

  • SHA256

    31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22

  • SHA512

    296f773a7b446f0248060d6e28eb82359fa457d221c8faaf4b8db1ebe38e24ad873d486dafac78469e93155a73827bffb223948ce3fe3c6170db30007c2c704b

  • SSDEEP

    393216:4+MP2MD3WnDrzbI6GnTaIE0AGyYy6VpgXiBxsWko1EVHdoz07MHQ2q+SWJUlp/Do:4+42MszM6afAGyT6HgSUbo+VH80Mw2qG

Score
10/10
azorultformbookhawkeyelokibotponyremcosxmrighostremotehostdaelinfostealerkeyloggerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

pony

C2

http�--kek.b4mb4m.ru/gate.php

http://b4mb4m.ru/kek/

http://jo-blanc-fils.com/vsop/panelnew/gate.php
Attributes
  • payload_url

    http://185.222.202.114/uploads/uploads/update_z.exe

Extracted

Family

formbook

Version

3.8

Campaign

da

Decoy

chainwalkchambers.com

foxyhaul.com

yetisnackdesigns.com

paleodiettips.xyz

51zxsf.com

jisulianxiufu.com

qianbianyun.com

unitedresponders.info

contentlab.video

traveloyunnan.com

tonybehrenslaw.com

adithyafuels.com

huanayule.net

conscious-cross.com

link2register.com

anchoritis.com

vicente20.com

jnmbc.info

m-1944.com

naap-tol.com

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

194.68.59.44:9074

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-D19I5H

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Version

3.8

Campaign

el

Decoy

fundayinc.com

91shiping.red

piccgz.com

greylockiceandheating.com

6-15hothamstreetstkildaeast.com

bladspiegel.com

xn--ruq41buok09a6r0azmh.com

reallifeandlipstick.com

wwwjinsha594.com

wpnull.info

dtaubman.net

eldhw.win

caringhouseholds.com

texasisrael.com

confiservice.com

unihome.store

xn--doqs90b84tkjg.com

xuanweiping.com

edictiosapiens.com

kalkulatorkredytow.online

Extracted

Family

lokibot

C2

http://botnet.americaircairmakan.com/ace8/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

67.21.81.85:1481

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Microsoft HD Video Card.exe

  • copy_folder

    Microsoft HD Video Card

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Microsoft HD Video Card

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_fpvcewmpthnemuo

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Microsoft HD Video Card

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      1.exe

    • Size

      582KB

    • MD5

      5bbe49ada7ef535b87bd1e3c3d2b42c3

    • SHA1

      1e94057198bdf893683d30591601aa88f51eed49

    • SHA256

      7be2a5923ba5e4acb9f1e5eee42c04b2b6620c82efe013e751415a495590895d

    • SHA512

      f859b1efc80ddcfe3f54aae4ebb4a3f4612a8a4b1ecd0b965f1e65f8decf8018999ce48e32a71515f78bc223c24815aa8bd645b517947d65227e083d0ff9c45d

    • SSDEEP

      12288:S1lqDbsmSxn3Iv9XyePFQkLkRvJSA5V40mjz5Auz6r0Sn:i4Db7Sxn3IvrRgRRSwL4tz6rd

    Score
    3/10
    behavioral1

    • Target

      1221.exe

    • Size

      789KB

    • MD5

      10dec51d466fde5077a06dbbedcbfad7

    • SHA1

      a667d6c1aca853f5eda2763fc982a0ecc6d801db

    • SHA256

      da0d1f2e79659c06cb55a3d6b11f9e3ae9af3ce7de9df26049ff9a8e78ec4e29

    • SHA512

      79a1883e71afdc251f344047a830a3bbb71321dd8a5d1f9989a56b425b85887195669abe33e426d18eca3f6f7cff0f9aa44c666b437b116bcfd58cad610d31da

    • SSDEEP

      12288:keSNcgbb1Ku4XYxqSSFFYrh1Zxn7FrY4f38S33ueK4gZfj7J:kVXqYQKLZp9F339RgZ7F

    Score
    10/10
    lokibotspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      6b282d34fv2.exe

    • Size

      1MB

    • MD5

      f7f866371543363a694b8a6f0c5e2c13

    • SHA1

      89bd0d071b273bd1cffc2e4d2871f7063973447f

    • SHA256

      c0242d686b4c1707f9db2eb5afdd306507ceb5637d72662dff56c439330dbdf1

    • SHA512

      8b253b1910a66425cd920dd04d39ab1732a72b05ff20675ac8d95b66d9916c338c1df0e4b79fedfd9b917f2a38b5551c8e46d28a68275752cc38700c2ecc36dd

    • SSDEEP

      24576:3r+0fmbAVqW6sLh8c+Uf2TltunOyBHzbmnfIdNG:3ebkqjs2zNhylzbmfONG

    Score
    1/10
    behavioral3

    • Target

      B000CEF.exe

    • Size

      936KB

    • MD5

      d245c27f94d51b95436b5f778d46ef54

    • SHA1

      3e52447eda7da0afd4ae2c0bf1a23d3120d8a794

    • SHA256

      0a13fbebefbb460de7565dfc7fd6b86674daecd42cfed4626ddcfe303d2b9670

    • SHA512

      e3700b192266387ce5b4c9b34c77300e812f76eb87f15fc7dd2f9e59b73bb14d0dc65d3d8937f55a786b16b75d4beffdeb5c038f7e69e402e21d85e3bc2193fa

    • SSDEEP

      12288:bEVDDja8h6jIV1Pe71bw6tZxp8v1sy24wljM1a4NOthR+bFCAtW36r:QI8QY1Pe71bw67A1sKsDth4jWg

    Score
    10/10
    hawkeyeremcoshostkeyloggerpersistenceratspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral4

    • Target

      Builder.exe

    • Size

      1MB

    • MD5

      01495ba46244aece2b35872ad90f5773

    • SHA1

      ff97a566190da9de5405fc457d451c4754ad47a5

    • SHA256

      85d88e38495bc011bcaabfd5dd65a8c213b6422ed90001f4002353e59c6edd4a

    • SHA512

      54964ef4ad08868afd46b3ed2d827a6eee9cce9aac2087663b861aa27cb1425061c2f648872eeb3a0abe31ac49aa394c37fa2332622ef6a7d4bf07fc69fccaff

    • SSDEEP

      49152:aHtlwlZ4xcB1fj7tyHCcG0GGusAwKrohEgdY77IuBIsUg9ijgQO1PMDozYAPz2U:Ey1fj7tyHCcG0GGusAwKrohEgdY77IuQ

    Score
    1/10
    behavioral5

    • Target

      POVOFJYqCoZfOoPkWOsSBcVYWIu.exe

    • Size

      309KB

    • MD5

      c88aedd2caf71b00d90cd1e4e93d97e4

    • SHA1

      edf4f0c5cc90df955e92f2b53891904bb6597fde

    • SHA256

      0530e8413c58d9e61e84278d6fa2ef0f00184d7ac95786fed515178b23b41502

    • SHA512

      57dbb9c26da19d809ae1277a02f76f76db860cc34cccba253ad4a5b8859846e681f5b27318f6e8dba3397c6621e59f82c1853cdfabdf36542f71b2e1c18cbfd7

    • SSDEEP

      6144:wObsZ6HLhmV0rVCRzRTr8p/cGPO0oqQrjNcxf3RfUVKWMK:waWc2RT4w0nSjNsfJUYWT

    Score
    1/10
    behavioral6

    • Target

      Terracotta.exe

    • Size

      2MB

    • MD5

      e2b3163f5c60dfeb9e46b2887ab911e5

    • SHA1

      85b3c6b5421922edda88d674d361a468b015b90f

    • SHA256

      03c9b3b5c689fd393784ef484a6c8498fa447d34d0dd207f2d5c30065459b113

    • SHA512

      12282d05781329f0a55aebf6f2fd822c9eba056a90e14d438dfd1e6d8791c366682bfcd50d791c0405968bc613663058e863fc3e60fea30ea22b389c8e546401

    • SSDEEP

      24576:68DzzrOzftPpnLrR/P5bJcNSkaiM11io8eRuxhmkOmkSkkzwxBkkzwxYkkzwxLEh:6GrOzftL5WIsmkOmk98AwVRsX7b

    Score
    1/10
    behavioral7

    • Target

      TerracottaGUI.exe

    • Size

      8MB

    • MD5

      033241bbad592ac7a65d38e97e486754

    • SHA1

      e62a800845838ffa8702d79a1d6fac607b256309

    • SHA256

      9f169846a0a4a51838f0a804b3b1cd8d8dd2b0ac574e6ee08356a649a7393d70

    • SHA512

      a479529d937052b6597e83f67169c5750d323c4d63e1342a855dba5affa3e404c875de384b9c287eb529990a9cd93782363b65a47e1a2af25454a5d56593fceb

    • SSDEEP

      196608:AWEEioqrBnBjD5FaalnJodfBUfj5kM8h:AWdioq5FxlnvOh

    Score
    1/10
    behavioral8

    • Target

      Zver.exe

    • Size

      587KB

    • MD5

      fbc7e2ab249193e054efd4fccd18bc53

    • SHA1

      4ff3c8466bb95053ebb448d9aa700d5edbf0c0c9

    • SHA256

      ec4ea4cf8c0583898bfafe4994c822f4f2848e996431c1847d9acac0d30c8a63

    • SHA512

      fa2f43fc5cd06f2d492ece30142a91d821e6827b17e5b9d1077a8eeff097533deecc79ae3119f2db2f14ab3ee3f034fcce5d096515e71f555b3e05001056bacc

    • SSDEEP

      12288:Z+v9e7pXF7UERD7jCYp66lpzLDzAy0NQLvDh/i69wP:C9e3PmalpzLPeQ3hEP

    Score
    3/10
    behavioral9

    • Target

      a.exe

    • Size

      257KB

    • MD5

      c6b0de7a393d112604142cdca1605f4a

    • SHA1

      db3f8ae80a2257cf00b8ff421f55753acc1a5081

    • SHA256

      f40f50cc3f6b7ed49501fb4266672d0a8da960e28dc0912688ad0c8d7fb2c1d3

    • SHA512

      83032a2336f0c8b858eddeb9fb940255c5f97469a533de0fd771ff6616d8b3e6bd46e9cc4e1fa30788f1105fba204e8f29f9c9c8f82ef84264904494a839f362

    • SSDEEP

      6144:AHJyyLOaBG2TBf1EYxk8T5t7P5qbGVNqbU7U:AHUlhC/xk8ltFqbYNMU7U

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      amdcontroller.exe

    • Size

      90KB

    • MD5

      6b645fbf570f4d09f059d8fed734fa3e

    • SHA1

      83f12011bfaa99ac994fa5b9003ff4a7123d4f14

    • SHA256

      2573b356452dd5ee24c10537fa4848d882fa40a2a8fa5a181624ba460e1f769a

    • SHA512

      ec428673fa3c881de143689b679fcc190897068a7cbee509c8ff6eaa0792ec8951c5b6b620de2c116cccfc3954ed71c142eb19397dcca5a6198f1e7b5d7a45ac

    • SSDEEP

      1536:UnSncgyGqTDRXmGcwSCfZDalZNg9tvo0iO3AX4ApTvMEIqkzmt2l:2SnMuGc/CfZDap6COU45EIStm

    Score
    10/10
    ponyratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral11

    • Target

      bg.exe

    • Size

      688KB

    • MD5

      054b2bae2fde2432570c1e201915d5c2

    • SHA1

      f6ff9c425953a09c43952b7e50287eb9b2962e69

    • SHA256

      aa7d7ea346331c9c6967d59a073ee7ae81d11613680f28dee831ca9fbf1fe7fb

    • SHA512

      a62a9301a53504284a0d3596429c16887ba95809e28753df86d5cc9a57c5a2fcbe91dd83748678408f4406214b3ab7395b449755c92173577f6f7d588d30a904

    • SSDEEP

      12288:QoPCLS7hVU4xHribMZXK7RfXpqHRcSD5RyyBEAge1sMKB/VdmRxuweSG0:Qo02bhKZpqyuUo8/k1eSx

    Score
    1/10
    behavioral12

    • Target

      bin.exe

    • Size

      167KB

    • MD5

      efb72c1ec0608a79de8bd3ee79c0bad2

    • SHA1

      b7ca0fde5e0b4e86d5f7f66defd9c20fbbd2ba23

    • SHA256

      a78a59d1d3598c29e0bfba14bb0ca09a2263f7e60af88cd09a85ee39272bcf79

    • SHA512

      31e720486a325d89e7f80193b9ed37298c50a9cc1dc34d112c8c6ec6e421590fac4284daa98c49f91ac5b3b6b3bec230d58e1f58f0fa9f47ba150f724365198b

    • SSDEEP

      3072:16VXCc3/7KNo2ymzGLo3Kh4zVVBYDPhSkrKjQSKT55oGUFCy:Mj/03zG86KzVVBYDJSAK0T4GUb

    Score
    10/10
    formbookdaratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral13

    • Target

      bin2.exe

    • Size

      565KB

    • MD5

      66a777ef1448979e315f5be959a20a67

    • SHA1

      d1b4fb00df2f5d48498a6001007ebf5f91841394

    • SHA256

      eec2437b0d9853f2416a800826692e9d74d052ba346465b0541a563c7adb8082

    • SHA512

      9adc10f59f6527da9c4ef015827305e0490b3ff0d261ed0c0e029209c28e00f21321552292004e295857e1ac5a511130e9572b84c7a1f85034ef0dde9386f723

    • SSDEEP

      12288:2JdJIY6hz+4ewbrOiroANc1nRDWVSpR8dIC/TSTA6YIild+2+XbivoqSlxVJb2:s/Ifz5eavrouynRDWkpOdIC/TSc6YtlV

    Score
    7/10
    spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware
    behavioral14

    • Target

      ej.exe

    • Size

      472KB

    • MD5

      0948d25e80d3fe36133ea70394d16c93

    • SHA1

      b1d9c2f690fb5820055439d9f4a0a2e858621b03

    • SHA256

      9c2c89920c9d9d94674149fb789e2cf78cb9e20c451658d63b95cfd77c58a1d5

    • SHA512

      538a25805e24f39d122d06a9f877b0116941bc668f21f5c0306a7c8f96e112b98b2ecaa1d8dc8f9ad39fbffe49c4b909407152ac21e78dfd926f00ae9460b772

    • SSDEEP

      6144:GCmB8MwX6rWu5dIybQNcpYB1UukBvWxNMfuGe3wRpZSvANzC+3A0RvdtDsAyFRqo:c6X6rId+uEKNOk3EWvczC+Lv9UR4

    Score
    10/10
    formbookelratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      fban4.exe

    • Size

      796KB

    • MD5

      7c813b54d429d4b71aca35778bca6d5c

    • SHA1

      2dc6d1caab9825998bb735c7fdfef0ba4623a436

    • SHA256

      5ceac115340684b175646a247d2eacdefaa695b040985fcf4de3fa19aa15c106

    • SHA512

      bd391be9e4ff65e175daec2fbbeae06436f48fded823589f6f64a7cd5ab3a5079909c21f0cb7281b0ce1bca2554670810fb5d900a98a09f1694b00a989386fdc

    • SSDEEP

      12288:FYX//nvg7tc+q6y6yLqskH1OjjgUeZ537r3vxFxAqzeJ0im:KPPvE6Z6y6QqskH1Ofgd5rr3vxFxAqz

    Score
    7/10
    persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      glash.exe

    • Size

      539KB

    • MD5

      2f23fd48041dd847519304db897ffbc7

    • SHA1

      bd863c5559aeaca2f4179357fb73d54de0215c00

    • SHA256

      2fefb8dce78610a357a3c6f37a85da2cbb0940201d7bcd4e2052c4d8bacb6756

    • SHA512

      77742f770459d6c70716293227816f2b1ef853d559929e9bfb5ad75cbbb264b95688fc198085cffe4653a237541f18ad989813d9a1cdbb8b51497032d1311ddb

    • SSDEEP

      12288:Vs+V1qGTOehWmXcO+7kHsCOhqXcftt3NYqhWKFmy4JI5UNkz2h:V3fPh0Vv3Ey4JXh

    Score
    1/10
    behavioral17

    • Target

      johngotovo (2).exe

    • Size

      2MB

    • MD5

      65b91f22c0d3b69a245c374ebdb6d041

    • SHA1

      88a51a6128202ee53e2f0ebcc3a6ff33dea9c3fc

    • SHA256

      d0f6ed2e665841e4655437c0e83ab5b8ab9d83c4c8ca5367a6f6a7afca204d3e

    • SHA512

      8eff45e564ad90755fe1d1b1348e5b184afe109612403461d46a65a90398beb20f3d404e24c3f900841e108b6a85d22bdb7cadd4db71245f3e91d9f76c95c979

    • SSDEEP

      49152:pcNRa+mO3X9Qp7ZysBDVPdiw8fM96HOOP2qxuqGSJ+1lInYq6rpyxyD5nrnVvXzD:pcSg967ZHrxV96HV/fGS0IpIDtJXzdSe

    Score
    10/10
    azorultinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult
    behavioral18

    • Target

      johngotovo (2)_original_original.exe

    • Size

      2MB

    • MD5

      7cc005bf1923f56d495fd9de362f4f0e

    • SHA1

      ee9ee7221a40c86f35437bf70372a638494e01d5

    • SHA256

      c0a6c5b64a00af256ea44c2390f4b533cb7a972ea039152ab9e81fef0df2670a

    • SHA512

      6a5dad75958d0fae6b0e4ccf41268187bbe3805fb27c9808a9198b310963df8f1956f9acc394923c312e7b17bf133bc4ebeb10374467ed5d99ef2b2485a37a11

    • SSDEEP

      49152:KcNRa+mO3X9Qp7ZysBDVPdiw8fM96HOOP2qxuqGSJ+1lInYq6rpyxyD5nrnVvXzD:KcSg967ZHrxV96HV/fGS0IpIDtJXzdSe

    Score
    10/10
    azorultinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult
    behavioral19

    • Target

      ktg.exe

    • Size

      546KB

    • MD5

      6774fe92ccdefa34e2f743a885b5a887

    • SHA1

      3282f100f3596f423f92b361f66e0726ef6f5a0f

    • SHA256

      de7f5c83f3f931c93e57e21eb4811e826d81f8470c54bd3da88043bbaf3bcfba

    • SHA512

      f0b7503e387d1000c84567776df354e707a0ebe023cf53e9b0e510caec759ffd8bd1f11f55c5e2df9bc745006d517323afd72efad266a14dd4b93d461d13efc7

    • SSDEEP

      12288:7AeENnsFMbHKlNaNiBN3yJOZLvlsj8lsgGwfQ:sBGZNf7GO5vOj6I

    Score
    1/10
    behavioral20

    • Target

      otIXAOPqOVgvIKePlwFQLX.exe

    • Size

      543KB

    • MD5

      db3c474b698889e9f1f05de6dedae185

    • SHA1

      78b7e6ca6c4e23080a4d28c287646690c24c3026

    • SHA256

      9ba71bc46a160ca3334e8866bab9fc438e671c0f18897aaa08a3dc815281aab5

    • SHA512

      c5a1c8531bbb26f0105e6b49d8b7a223783ab7d97c8f4a33989094d96753446bb7c5bc41c6048f0a74d60fde4338de68ddd3d8601cab928531f8059693df2dd1

    • SSDEEP

      12288:2Z6nZpubQrDwJ2RPl/Ctpv9QUb43a8gCtSWoCO5qqp:hZpBwJE5CtHQUs3NjoRqq

    Score
    3/10
    behavioral21

    • Target

      scvsots.exe

    • Size

      2MB

    • MD5

      fd409d4d20e580215c1ec0803eed9725

    • SHA1

      02f9cf94ed6ab9e780755215857c9ba0a3e25065

    • SHA256

      483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79

    • SHA512

      253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

    • SSDEEP

      49152:Sq6zl3M9b5H5RB4jyVzsb0cUgq0EtlR3vOtNhHduFYq4sTm:Sq6zMrSyNsb0fP0yitNh5qNS

    Score
    10/10
    xmrigminerpersistenceupx

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Sets file execution options in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral22

    • Target

      setup.exe

    • Size

      307KB

    • MD5

      a82ad2c37738e8e34cdee6291414e52d

    • SHA1

      cff18164a33be214c39b3911675f600de323decc

    • SHA256

      ecb9bf008aefc4aebaff02e66aa5d8c518519ac806cf63a44099594cfe9ac1aa

    • SHA512

      5551deeff969e4c9864ee13ee9a20f3d1142e8e429a5e5e6c6afc3d160b58538825324ac5564536ca3c74a98d08a2b8f7689feb8f63ef41ad89da51ce1db0fdc

    • SSDEEP

      6144:ijJ2Iv1y8mtC/6iCCJQ8ns+NomZLsqyNS0A9gDMuid1WO+Hd3FQFV:ijJnriiCH2hZLsDNSDgIdETd3yFV

    Score
    1/10
    behavioral23

    • Target

      shit.exe

    • Size

      90KB

    • MD5

      86c20760edac3503e9cbffb18e9c0ffd

    • SHA1

      e97eb0b6e8489002189f074efdaf44896ba1b175

    • SHA256

      eaf3a35a01a43d0be584a1418126e1203836f874b7c9517ebceada3068b6b62c

    • SHA512

      b40d2db4443ac625337ef67f4cc0e3efcf4f3d4fc178b5054d0f3fad426f078ed673c0fb2317844c79b2d3c6a56ce4d9ca20e2493582548077487d4221626188

    • SSDEEP

      1536:UnSncgyGqTDRXmGcwSCfZDalZNg9tvo0iO3AX4ApTvMEIckzmt2l:2SnMuGc/CfZDap6COU45EIwtm

    Score
    10/10
    ponyratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral24

    • Target

      ss.exe

    • Size

      556KB

    • MD5

      e6b6af3fa3af6e9f4ae44fce90988389

    • SHA1

      bd325fdf83d8c2d37f04163a07d3ec8eea58bba9

    • SHA256

      b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af

    • SHA512

      88a68cfac89f56a8f9c680de1de47c51125e7dc266592978a39dd145aec190b33d5d5cf5b437162235351c1cb4a1909d8a1d47fc65d372615a9ed898f3675558

    • SSDEEP

      6144:xIoSRgtpfD2ywM9r6o/AT59zMXd509EdXYH0U5p4:xwCfD2A9mS859YXdKgn3

    Score
    10/10
    ponyratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral25

    • Target

      stealedd517v2.exe

    • Size

      1MB

    • MD5

      32d9482543716162241e4f946254d82f

    • SHA1

      e7b5023d456416954568a32b7d7cfb53e02dbff9

    • SHA256

      b108dfc054ceb8781ce8e0fd83534ee20b6807328c561ca47c8051af3dbcb5e8

    • SHA512

      2e208e1a498f4387534be14f2f5db6e81423f52875379dac8956383626be433d7061449d0b2b4c184319f3fb5b3861b5f7cd9cbf28d95308f11b50e69588e75e

    • SSDEEP

      24576:6r+0fmbAVqW6sLh8JD3TAONQzJ1lPXfDMWxvb:6ebkqjs2JD3TJNoJ1lZD

    Score
    1/10
    behavioral26

    • Target

      steel.exe

    • Size

      636KB

    • MD5

      caeec65dafcee7d8af5bd3abbbbad3e3

    • SHA1

      ba0d35e7a3fdab8d08da142847fc6c760c54e94a

    • SHA256

      0a2dcea9507eae4d7d2f76ba2aaf1199b29355c675bfae6915bd148b9075e64d

    • SHA512

      59e4080e653eb7fbd0ae73f46c1022f55057f04f77f90a235a5e0a176672e921e3311f6490a9cc39c4ad957fdc5e4e915206fe08cd27b3ec8db314abe6a7b1f2

    • SSDEEP

      12288:aDx8D922G89w35bW1yJQlCFVjI/MXMjVil/NAh5k/g:IiDzH9sKEOlk3XCVG1AXh

    Score
    1/10
    behavioral27

    • Target

      ted.exe

    • Size

      496KB

    • MD5

      9699ff0cbc3936fbc5b223db9c442b04

    • SHA1

      6aca03cfda845015eb0026180b6e276e88e0c4ef

    • SHA256

      63830225bc72ebde208448beb37f155e9d4e5c360b0e78185af21f348e651cea

    • SHA512

      33db8a94e76cbd8b60e43630440ff16860244d55db533a5b5152c62b07f77198859e9e1a6737bff274cf4d675ba76782da0f5d1daf1100521e2fba5d655b94de

    • SSDEEP

      12288:aHqClQkf4WNWL821Jmecs00yznXjNdwFEoBxB7TKL7GoWny3Sv7n5lm/JfhSac:aH32U

    Score
    1/10
    behavioral28

    • Target

      update_b.exe

    • Size

      487KB

    • MD5

      1926f559ba4d0a13824a3ac46e664e3d

    • SHA1

      d2d6ba1086ff6cf688f666ae0a2cafb9b32b6d5e

    • SHA256

      cf5ce1c3f405a009c4a0302a50693b91f956592ec05a088085ad974097ccae88

    • SHA512

      1402cf7e8c18cbf6735b23f643139c46c40492c53af8caa4cc5c4bc9cec56a0ec6079e04eed17e4cb617153dce736d1c07848f292a881964a4ac3b19779681ed

    • SSDEEP

      12288:N/uViGHpxQlwx8971kFa32D5nVSyYuG0s:4koxQ9XkFuyzDs

    Score
    1/10
    behavioral29

    • Target

      update_z.exe

    • Size

      486KB

    • MD5

      bf340b3ff326cede17c688bc4092a27b

    • SHA1

      a6d924bc3dad2877866477e0bb5052e09f11c81f

    • SHA256

      7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af

    • SHA512

      0594940822e46b333f8a68443e98b66b05952d10b8f5d389beeb10bf886d1f4bc1026792c3f6fedfbab8d9595533ceab434c061a2393901de5ecba638286e1e3

    • SSDEEP

      12288:w/uViGHpxQlwx8971kFa32D5nVSyYuAD/h:NkoxQ9XkFuyzK/h

    Score
    1/10
    behavioral30

    • Target

      uyo.exe

    • Size

      549KB

    • MD5

      9d7e53149f9c3eab69c018e4d11819e0

    • SHA1

      8eca9fbe38159b764ec261231d3b0d27be97ed57

    • SHA256

      50be7992dce8548caa56a6935e2ede24b1025638f2cd17a992222f03f584a0ed

    • SHA512

      df5a3804eda1e4a5b997f50a81e9af127d8f33b8c11734c84fe812aa135e74b8b51418e3c9dab5714d6960ef3089cde387d3611cd36c3c2bfc851ddf225034af

    • SSDEEP

      12288:aLgbTG0Y6fh8vUrsJPyGHZ3f+Q6Js93Pjsx1zvJs/U8t1:+2KMyUKy4GQ6JO37g1ST

    Score
    1/10
    behavioral31

    • Target

      v72d8z2.exe

    • Size

      1MB

    • MD5

      1acd17efb3edd04e02b84b7eeca8eb95

    • SHA1

      39f3c8c574bfd33a2f8f39c1d53a57f48ed54907

    • SHA256

      f116f8f5a3d34a6925165ba8c85e4c3ff95ffd2276a11a9d3bfd5847e2f1fc0a

    • SHA512

      ab99a13436f0534d0eb2cb949652044c65bb861a3b55176217c91304713d7dd46ec3b2fc4a8da0d673a0228a47b6e1d9723982ae2713449eca1a178c253787f4

    • SSDEEP

      24576:2r+0fmbAVqW6sLh8zcC5OwiaTkvED48vuCu/SlQMhtuIHKcL71:2ebkqjs2zx5JiaTkshmnSll5

    Score
    1/10
    behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

2
T1064

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

2
T1064

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

8
T1552

Credentials In Files

8
T1552.001

Discovery

System Information Discovery

5
T1082

Remote System Discovery

1
T1018

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

8
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

ratdaupxponyformbook
Score
10/10

behavioral1

Score
3/10

behavioral2

lokibotspywarestealertrojan
Score
10/10

behavioral3

Score
1/10

behavioral4

hawkeyeremcoshostkeyloggerpersistenceratspywarestealertrojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
3/10

behavioral10

remcosremotehostrat
Score
10/10

behavioral11

ponyratspywarestealer
Score
10/10

behavioral12

Score
1/10

behavioral13

formbookdaratspywarestealertrojan
Score
10/10

behavioral14

spywarestealer
Score
7/10

behavioral15

formbookelratspywarestealertrojan
Score
10/10

behavioral16

persistence
Score
7/10

behavioral17

Score
1/10

behavioral18

azorultinfostealertrojan
Score
10/10

behavioral19

azorultinfostealertrojan
Score
10/10

behavioral20

Score
1/10

behavioral21

Score
3/10

behavioral22

xmrigminerpersistenceupx
Score
10/10

behavioral23

Score
1/10

behavioral24

ponyratspywarestealer
Score
10/10

behavioral25

ponyratspywarestealer
Score
10/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10