Overview

Sandbox report for the archive njnj.zip (overview score 10/10, static-analysis score 7/10). The archive contained 32 executables and DLLs; each was detonated as its own behavioral task on a Windows 7 x64 image. Per-target scores as reported:

Target                                                                Platform      Score
a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe  windows7-x64  9/10
a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe  windows7-x64  10/10
aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a.exe  windows7-x64  1/10
b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8.dll  windows7-x64  1/10
b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe  windows7-x64  6/10
b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121.exe  windows7-x64  8/10
b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe  windows7-x64  8/10
b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe  windows7-x64  7/10
bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe  windows7-x64  10/10
c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe  windows7-x64  10/10
c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d.exe  windows7-x64  1/10
c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1.exe  windows7-x64  8/10
cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe  windows7-x64  3/10
ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe  windows7-x64  10/10
d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87.exe  windows7-x64  10/10
d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1.exe  windows7-x64  8/10
d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8.exe  windows7-x64  8/10
dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe  windows7-x64  8/10
dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c.exe  windows7-x64  10/10
de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024.exe  windows7-x64  10/10
dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe  windows7-x64  6/10
df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe  windows7-x64  8/10
e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716.exe  windows7-x64  8/10
e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe  windows7-x64  10/10
eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe  windows7-x64  10/10
ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe  windows7-x64  10/10
f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66.exe  windows7-x64  8/10
f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe  windows7-x64  7/10
f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab.exe  windows7-x64  8/10
f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe  windows7-x64  10/10
fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe  windows7-x64  10/10
fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497.dll  windows7-x64  1/10

General
Target: njnj.zip
Size: 16.2MB
Sample: 230907-ybehdsdf28
MD5: 2f0f71fc681d83a24d5ea70faaa54799
SHA1: 1bb680d757450b939ea237b7edd59f8bc46718ed
SHA256: 0955083a248cff54f8944f0ee729bf4a59ab594bd7288b2c0247175d1756e717
SHA512: d9a4c3f5967288a0de9296c2adf712b5c70c0fa77f338fe6863dc701c086dbe7403c22fe7ab7e33684e797c631b5f40ef6ac0aaee9138694c1b1608139efb95f
SSDEEP: 393216:fqWpE8e7dITsk1TRWMgm+DlSbyZivjNAEKhEqQQsWfa+qYPr:fqWGuh1TRW3P1Z6Ry9itc
Behavioral tasks
All 32 tasks ran on the win7-20230831-en resource, one task per extracted file:
behavioral1: a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe
behavioral2: a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe
behavioral3: aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a.exe
behavioral4: b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8.dll
behavioral5: b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe
behavioral6: b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121.exe
behavioral7: b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe
behavioral8: b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe
behavioral9: bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe
behavioral10: c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe
behavioral11: c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d.exe
behavioral12: c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1.exe
behavioral13: cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe
behavioral14: ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe
behavioral15: d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87.exe
behavioral16: d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1.exe
behavioral17: d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8.exe
behavioral18: dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe
behavioral19: dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c.exe
behavioral20: de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024.exe
behavioral21: dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe
behavioral22: df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe
behavioral23: e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716.exe
behavioral24: e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe
behavioral25: eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe
behavioral26: ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe
behavioral27: f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66.exe
behavioral28: f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
behavioral29: f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab.exe
behavioral30: f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe
behavioral31: fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe
behavioral32: fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497.dll
Malware Config

Extracted: njrat 0.7d
Botnet: lol
C2: 808080.ml:5555
Mutex: 39ea446b8ade9effcf7ab7c0d68621da
Attributes:
- reg_key: 39ea446b8ade9effcf7ab7c0d68621da
- splitter: |'|'|

Extracted: njrat 0.7d
Botnet: nj
C2: 199.241.146.179:31922
Mutex: c5dbc4b5114eccb1261dfdb2194089a8
Attributes:
- reg_key: c5dbc4b5114eccb1261dfdb2194089a8
- splitter: |'|'|

Extracted: njrat 0.7d
Botnet: svhost
C2: 62.109.11.164:5552
Mutex: 31e68c5230c737766d0bca9d8a3e9590
Attributes:
- reg_key: 31e68c5230c737766d0bca9d8a3e9590
- splitter: |'|'|

Extracted: njrat 0.7d
Botnet: Sixtnn
C2: linkadrum.nl:5552
Mutex: Windows Update
Attributes:
- reg_key: Windows Update
- splitter: |'|'|

Extracted: njrat 0.7d
Botnet: COM
C2: new4love.myftp.biz:6777
Mutex: 2f6d138161c7b1e5b6fd8e205c417d59
Attributes:
- reg_key: 2f6d138161c7b1e5b6fd8e205c417d59
- splitter: |'|'|

Extracted: njrat 0.7.3
Botnet: OfficEr09
C2: 194.5.99.17:6521
Mutex: ClienNe.exe
Attributes:
- reg_key: ClienNe.exe
- splitter: 1111

Extracted: nanocore 1.2.2.0
C2: 77.48.28.247:5378
Mutex: d05852ee-0a7b-481c-a286-25366e65816c
Attributes:
- activate_away_mode: true
- backup_connection_host: 77.48.28.247
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-02-03T10:23:08.755936536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5378
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: d05852ee-0a7b-481c-a286-25366e65816c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 77.48.28.247
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Extracted: njrat 0.7d
Botnet: 14.04
C2: akilay.kingx.info:1177
Mutex: 9602a33d103f6d5047701f6f6b9c2652
Attributes:
- reg_key: 9602a33d103f6d5047701f6f6b9c2652
- splitter: |'|'|

Extracted: netwire
C2: henry.dvrcam.info:5509
Attributes:
- activex_autorun: true
- activex_key: {00873Y32-6U30-7YV1-H8UC-3IWTQ12184BG}
- copy_executable: false
- delete_original: false
- host_id: MAY1
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: ecIKRlng
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: NetWire
- use_mutex: true
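The configuration blocks above give, for each njRAT build, the C2 endpoint, the registry value name used for persistence and the field splitter the client uses on the wire. The Python below is an added example, not part of the sandbox report or of any of the malware families' own code: it flattens the extracted values (copied verbatim from the blocks above) into a deduplicated indicator set, and shows why the splitter matters by framing and decoding a constructed njRAT registration message. The length-prefix framing and the registration field order follow public njRAT write-ups and are an assumption of this example; the victim id, hostname and window title are made up.

```python
"""Added example (not part of the sandbox report): flatten the extracted
njRAT / NanoCore / NetWire configurations into indicators, and decode an
njRAT registration message using the splitter the configs report.
Config values are copied from the report; the beacon bytes are constructed."""
import base64
import re

# Copied from the "Malware Config" section of the report.
NJRAT_CONFIGS = [
    {"version": "0.7d", "botnet": "lol", "c2": "808080.ml:5555",
     "reg_key": "39ea446b8ade9effcf7ab7c0d68621da", "splitter": "|'|'|"},
    {"version": "0.7d", "botnet": "nj", "c2": "199.241.146.179:31922",
     "reg_key": "c5dbc4b5114eccb1261dfdb2194089a8", "splitter": "|'|'|"},
    {"version": "0.7d", "botnet": "svhost", "c2": "62.109.11.164:5552",
     "reg_key": "31e68c5230c737766d0bca9d8a3e9590", "splitter": "|'|'|"},
    {"version": "0.7d", "botnet": "Sixtnn", "c2": "linkadrum.nl:5552",
     "reg_key": "Windows Update", "splitter": "|'|'|"},
    {"version": "0.7d", "botnet": "COM", "c2": "new4love.myftp.biz:6777",
     "reg_key": "2f6d138161c7b1e5b6fd8e205c417d59", "splitter": "|'|'|"},
    {"version": "0.7.3", "botnet": "OfficEr09", "c2": "194.5.99.17:6521",
     "reg_key": "ClienNe.exe", "splitter": "1111"},
    {"version": "0.7d", "botnet": "14.04", "c2": "akilay.kingx.info:1177",
     "reg_key": "9602a33d103f6d5047701f6f6b9c2652", "splitter": "|'|'|"},
]
NANOCORE = {"c2": "77.48.28.247:5378", "mutex": "d05852ee-0a7b-481c-a286-25366e65816c"}
NETWIRE = {"c2": "henry.dvrcam.info:5509", "mutex": "ecIKRlng"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_c2(c2):
    """'host:port' -> (host, port)."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def build_iocs():
    """Return {(kind, value): family} for a blocklist or intel feed.
    Kinds: ip, domain, c2 (host:port), reg_key (njRAT persistence value), mutex."""
    iocs = {}
    for cfg in NJRAT_CONFIGS:
        host, port = split_c2(cfg["c2"])
        iocs[("ip" if IPV4.match(host) else "domain", host)] = "njrat"
        iocs[("c2", f"{host}:{port}")] = "njrat"
        iocs[("reg_key", cfg["reg_key"])] = "njrat"
    for family, cfg in (("nanocore", NANOCORE), ("netwire", NETWIRE)):
        host, _ = split_c2(cfg["c2"])
        iocs[("ip" if IPV4.match(host) else "domain", host)] = family
        iocs[("c2", cfg["c2"])] = family
        iocs[("mutex", cfg["mutex"])] = family
    return iocs


def frame(payload):
    """njRAT framing: ASCII decimal payload length, a NUL byte, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frame(data, splitter):
    """Check the length prefix and split the payload on the configured splitter.
    A mismatch means a truncated capture; a wrong splitter yields a single field."""
    length, sep, payload = data.partition(b"\x00")
    if not sep or not length.isdigit():
        raise ValueError("missing length prefix")
    if int(length) != len(payload):
        raise ValueError(f"declared {int(length)} bytes, payload has {len(payload)}")
    return payload.decode("utf-8", "replace").split(splitter)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Field order of the 0.7d registration ("ll") message as described in public
# njRAT write-ups: ll, base64(victim id), hostname, user, date, '', OS, camera,
# version, '..', base64(active window).  Assumed layout for this example.
def registration_beacon(splitter, victim, host, user, os_name, version, window):
    fields = ["ll", _b64(victim), host, user, "23-09-07", "", os_name, "No",
              version, "..", _b64(window)]
    return frame(splitter.join(fields).encode())


def decode_registration(data, splitter):
    f = parse_frame(data, splitter)
    if f[0] != "ll" or len(f) < 11:
        raise ValueError("not a registration message (wrong splitter?)")
    return {"victim": base64.b64decode(f[1]).decode(), "host": f[2], "user": f[3],
            "os": f[6], "version": f[8], "window": base64.b64decode(f[10]).decode()}


if __name__ == "__main__":
    for (kind, value), family in sorted(build_iocs().items()):
        print(f"{family:8} {kind:8} {value}")
    beacon = registration_beacon("|'|'|", "HacKed_5E7F9A1B", "DESKTOP-01", "user",
                                 "Win 7 Ultimate SP1 x64", "0.7d", "Program Manager")
    print(decode_registration(beacon, "|'|'|"))
```

Decoding the same bytes with the wrong splitter produces one undivided field, which is why a network decoder for these samples has to be keyed on the per-build splitter from the config (the 0.7.3 build above uses 1111 instead of |'|'|).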
Targets

Target: a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e
Size: 937KB
MD5: d2aca4967231eb63f091ddadb9a364de
SHA1: 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954
SHA256: a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e
SHA512: 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2
SSDEEP: 12288:ij6WXYcmypf+tCYIgPVFBStIx9myb1tHA39XX0o1ymxgCZwLfbUUNDD3o:6Y1mf+tCYIKBCU9f/HAJgCmLfbvDc
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Windows Firewall
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys (Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d
Size: 1.4MB
MD5: 0dd5d8ff4fa87c8ef8473493a3634021
SHA1: 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed
SHA256: a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d
SHA512: 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc
SSDEEP: 24576:lPk6yfp+zHavJ09dBYcGEwby0eNVqMBxLFPSuw5HYdno6fHbBu8cHYsxTPQC:lPjyfpBvJWdBYcL0eHq0qvanoSB0dxEC
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a
Size: 37KB
MD5: 6e7beaca3981e88b5c7cb784540d04ed
SHA1: 8cd185e2cc72724e2b379715a0854d0ad48b0f8b
SHA256: aea715bfa7b66172a5278ec1ab18bc557412c03f9e1107c7871cc8b852c7fe5a
SHA512: e4e0a4f814c9b63e36f020a8cc418390d695fc7cbc5c27a5bcca4e6674133cda3806cd33ddc96b54b989ce148ddae4e937195b41cb96120ac277525d5b150d91
SSDEEP: 384:6qTk6iumi/o8VS5x/BV3+BEbGxhnG9px+cRqM6Vq5eEQ6pZmJW2TlVcMW+k3e/JD:6sk6m0KFL+BpcOMr5eEFpZO8GT8jmZ
Score: 1/10
Signatures: none reported

Target: b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8
Size: 63KB
MD5: 0a1ca904b3d688c01f4e5faae811922b
SHA1: 143a3d4a5865c59926b49add4d596c6fc3e1a797
SHA256: b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8
SHA512: fdf9b6a6d8ed0f2443907923dcfba6401145ee377454e196ccd057e9ae126d7e66b2607d9c4ed95bbfbdb26321904cd72ed052c3cd8d942785f12f340a864424
SSDEEP: 1536:srUlse2ToVMjLb6M0VqSep+cx4sDEl3N6:OyP+b6MMBep+cx5DET6
Score: 1/10
Signatures: none reported

Target: b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c
Size: 20KB
MD5: 2b52153a1ec8cc4ec1325fc9281b588c
SHA1: 351d03dd0da046ac290e5d007db9567e753c8ebb
SHA256: b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c
SHA512: 1f68665996268c8314ff14b992af27d70aea246cb4732c04ec5a49612adbc40ce798f911a40c0bc7f24c02567259aca982a5f5b489950abd26428dd956eedcd8
SSDEEP: 384:jUYmHMA+Xi8EECJaAV6BEGqJ3n9N3Hu7TeZwBYRWjilUf/Z:4DHMAGcahwJ393wqR4i8
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2

Target: b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121
Size: 28KB
MD5: b58f170bed7f9957bc929ad9fe669692
SHA1: 55dfe9b436059ad1fc007e9264e942ab4ba4f986
SHA256: b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121
SHA512: 089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8
SSDEEP: 768:EYftj96nRnmSsSkd8HXVEu5TWYId/vOa:hknxjsLdQEUWrFvOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831
Size: 596KB
MD5: 3317cb0537262f5aeac914678fc36ad9
SHA1: 86b79d8241cb5bb67e92120d51546b99128ab50f
SHA256: b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831
SHA512: 91db338f5b80a46a998543ade85805c3a7c0aa68137c9bf0fb139411cf42f9ce064e49311aaf2d6ce5c30c38f5f412ee325005ee71c495cbcd6410f3c095a9e3
SSDEEP: 6144:YLLd7X/c9czUgJYBicivmV//7SJIwM3XBNBit:6Jj/c9ngJYAYX7E70xit
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Adds Run key to start application

Target: b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225
Size: 7.4MB
MD5: 46a614bb825039eb6ff3f91c717e3d07
SHA1: 47d7367b96e64c24de194493c5d993abb882d11b
SHA256: b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225
SHA512: 46a8c32c8170d09a622730d81e204bb9b24ffac9a74781aec3d45dc0277291bba5c33dbfb2dae1f363599fe984278bcade1c60f657e3f7dc14a8df4cdd2d99c0
SSDEEP: 196608:P1SiJ26+skCPWANeixq47r8zsXbVK3HoA:NJwNANeW57r84rmHo
Score: 7/10
Signatures: none listed in the report

Target: bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646
Size: 1.1MB
MD5: 8eaae8e3963b93009aff4ff791370bc1
SHA1: 6c877f753df6a71684df2a1a19841b6058cbd519
SHA256: bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646
SHA512: 71a465a46db9f60c57a22fc4ea50bb5948cda39e9716c92eff8aff234d5d871f9d5816e0220fb2e9652f40fae68f898ff43c97627210d84e12cf6a351c94dfda
SSDEEP: 24576:fAHnh+eWsN3skA4RV1Hom2KXMmHavzbzl7YWaFvuK4ImIqgkx5:Ch+ZkldoPK8YavzbztYWaQK4ImI6
Score: 10/10
Signatures:
- NetWire RAT payload
- Modifies Installed Components in the registry
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106
Size: 235KB
MD5: b5476d95231211c1ed5b9f36b068cfe3
SHA1: 8522563d2601f0059816d6594a7c2bb44ba374df
SHA256: c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106
SHA512: 717bc9081ebf38ed08014bf190d4d77cf8a602ff373d2465d7adf45037a9e5adacc2bebbe8a3d1c3b5f683e6226c56eb45a3e21a99c966b4b83e09a527c8bc2f
SSDEEP: 6144:rMc2LxfEXhO67G4r6zYIfnu+AEDffVoLbNeia:rafg7G86zYIfnu+fDffVoLZa
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Suspicious use of SetThreadContext

Target: c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d
Size: 29KB
MD5: f80685487edb158c1dcde36869bd29c7
SHA1: def148a3d55ca88ca4ac853cfdcf12e2311ca677
SHA256: c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d
SHA512: f4c1de8afb1bb91ab8bcdd7728994fb0eef77c2a824213b234e10cba00d23b5ec677d41abbb5064c40ea83fd779809b44bc62192017bb094c36e9e40cc7e040e
SSDEEP: 384:B++qy+kS7Ehb0UhoPRRCiJ20ZITLk24jXPl8uoC/hC5Z7UzDFIv:Q+QkMgb7s5fc2XP/Iv
Score: 1/10
Signatures: none reported

Target: c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1
Size: 26KB
MD5: 467d44fbd5546afd2fec88d34d1e8791
SHA1: 8520c2890b3a898695126e8d782d966403ea071f
SHA256: c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1
SHA512: 75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c
SSDEEP: 384:SItlccdz9rt0uUndn1zxudjwZWeo/N2W8HXVEu59uLS5U/ANpp4DovhezRKqRN/J:SIJz9un1zMwAjd8HXVEu5TWM1+/vOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e
Size: 1.1MB
MD5: efebe6072187368183e14c2d561624dc
SHA1: c0ef36b220a235a12eb610edf616db7a8b02c3fc
SHA256: cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e
SHA512: 40b15edfd8d5f5fd2b2fde78ff13ed47cd6b68f17f07b727858c134649a1851c464f2edaf48d8c9214a06d57711586afdd63742b7ba3c5f093c9964a7f9a2ab2
SSDEEP: 24576:e84bJcpabe3UMM54Fvo/oW/VtB0YsrKkG:eBbJcpaa3UMjFw/oW/10Ysr2
Score: 3/10
Signatures: none listed in the report

Target: ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de
Size: 67KB
MD5: ed00beeccdd96f42c60aefc4d1dde58e
SHA1: 7d25d5d149370846b10c4ea91695ced647a32d82
SHA256: ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de
SHA512: 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d
SSDEEP: 1536:gjbzXAJks5uQa7fVwLgi1evRIH1ZQ3aMJnDQZhoPbkILpC0O6sc3+69e:gjbzXAJks5uQa7fVwLgiMvR61axah
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87
Size: 1.3MB
MD5: 46526b1804320c45581d61ed7ac36650
SHA1: 9ffc3dd00036daa0a537b8b316ee9f6724504e56
SHA256: d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87
SHA512: 31ee16705a08c764cd3fa5fdb39940fccb86b69ce6e380dcb6086f800d397158889fb8b49a5852a268b8443205953a4b16cab56f66a492ad76989a7aff1ce2a3
SSDEEP: 24576:hY78fKhxQqpm8+GVQo71yrCTg6bjQXABCsRJAcPmLk06Urjw:a78fEe4m8+fK1yrCU6bjQwTRScegrUA
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1
Size: 26KB
MD5: b30238ea2be78a6b74b05d320e584890
SHA1: fb20d4cb4450d8befa217085793883b1b1568583
SHA256: d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1
SHA512: ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891
SSDEEP: 384:RiN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Dtg4ezpKKON/vx:RiZj9OnRnmSs1d8HXVEu5TWKaF/vOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8
Size: 36KB
MD5: 1c29c38b0799dd67080c657ec1b9fc3b
SHA1: 6517029f4bfbf6f55aa6b34f51447d37ef38c4af
SHA256: d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8
SHA512: 07fa0227dd2f4b107524b595845d9adadd56571967503638618a3e8d914d684c06a463ec77bc043027aa13c8fe5a584df3a35f9d1dd9badbefdcbd4d6ed196b2
SSDEEP: 768:HQZj9On1zMwA7d8HXVEu5TW6aq/vOaC5wcSvM:wonhfA7dQEUWX+vOa9cSvM
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3
Size: 26KB
MD5: 00683c2668d0329457a67a5d5523d1ef
SHA1: 8831515122545e6eb889bfefc66615b78cd0df2e
SHA256: dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3
SHA512: 6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff
SSDEEP: 384:1iN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Df26eznKKfN/vx:1iZj9OnRnmSs1d8HXVEu5TWyO8/vOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c
Size: 1.3MB
MD5: 7169974902e5b51350b00a5644a6088c
SHA1: ded834d8f228bfc599220e687a28f46b37d087b5
SHA256: dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c
SHA512: 24ff4715889b6173113ec5652ee3e007e959b8afed69457ab6c1641097e98c83d48db9606d4b26e4a8417025c3692853c55a63d22dac42630cf0bb39ba765f4d
SSDEEP: 24576:mNA3R5drXpijjuLLjthBWEPrKHDKSaemoe0ASVgRr7rl4u1h6LId7nT1RMwaMm3O:H5sjivjvk2mJeIV0r7R1h6LIdzTXM769
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024
Size: 206KB
MD5: 700c0c3cb81bc180b2a5157b183c1664
SHA1: 170914b526bb391b3b00d502ea4ba2e78038ae79
SHA256: de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024
SHA512: 6d149a9e0060de6da1309de21352f56c71ffbaf9b9599df52b26b5f9b75b0fad260fc517a68f19eb99d946e649623370d85bf10c4b3bf1e4c0d6e2a97580b861
SSDEEP: 3072:bUFmaznVF+HigtmeUfqf9WFkJ19xLOnY31gd+rvIP2qJlnqdizo:uK9Wzk
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL

Target: dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25
Size: 93KB
MD5: 4220ba70c74cad091e00dd84cf84a3f1
SHA1: ec1a5e1964e8de04ec1bde1103198779960aa3be
SHA256: dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25
SHA512: 4bcc58fac6370cad38b1a42c8e6871a76cdbeb586db741369beb35542af23657fb3ec2b657212552b20bfb98d8a45d84699e72a3b8ebe0039726c62b951783f3
SSDEEP: 1536:r3eJG53G73mxdvdmkGeT5a0NH8ivVO4ZTAWbBC8Ff0639WgRrYO13y0XFpDoeLx/:r32GhNvxGeT5a0NH8ivVO4ZTAWbBC8FJ
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2

Target: df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa
Size: 604KB
MD5: 2ba17b874477bcff2509e2e5deab9715
SHA1: 5e4dfb24fc4777fd9c2126d3195bb39e82b9d7e2
SHA256: df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa
SHA512: 5ad2a048115cc6912b9d5b102b37bcc8d6c6d5ce3d03e7e1d40709b4cf64d698e1ede164587854ec13630beb6e84edbeafa6df1e0f9c4335ab449709f4e16ee7
SSDEEP: 12288:jecjcr2eyS5d57albpuClk6FJPxUlD6VlOuJE1kGm89:6Ycr2eb7gbEokYhJE1kX8
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Adds Run key to start application

Target: e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716
Size: 26KB
MD5: 0d40af16eec3e4b461fee10897ce7793
SHA1: 6aded66dabd7e5b7d787892d0b1d1975cd9ee2ec
SHA256: e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716
SHA512: 3efb11616472ceb24e1032c295ab1deca5a8317d12f45bea2381bca20c74a832d5a99319e0720c09548def4227dc4f16f2b1ca3370524d60a1b9c3ca1e4c6173
SSDEEP: 768:qQZj9On1zMAA7d8HXVEu5TWGbZgv2/vOa:nonhDA7dQEUWRqvOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5
Size: 1.1MB
MD5: 9237433077b158a908db30a6f1bdff34
SHA1: a057b8b37ed2ee5de4c40cbfc4c60e6811a6a0c8
SHA256: e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5
SHA512: 40fafea42f71d5d531f671d73886e649f9151a1b9cc28636723962dc1a6d1cdb0a68adf18206012d208703aa0ffc08b8a47c13025291db25e78863106b171132
SSDEEP: 24576:/Cdxte/80jYLT3U1jfsWa9T106d5qNdiQ:ew80cTsjkWa9+
Score: 10/10
Signatures:
- Drops startup file
- Suspicious use of SetThreadContext

Target: eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6
Size: 717KB
MD5: c6bd4bc93848b6f0a5c9fccf121b3055
SHA1: fd96fd58178ce03d0dcc7dbbce7f60148b1dc117
SHA256: eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6
SHA512: bf209b03f04307f1956e12715a5088ea33b667b636dc79a31e649ca24212a4a1078b66a0223545a3da82efe10eb1133cf1acee27ca6a14861a4a40c02254ee59
SSDEEP: 12288:rzlX6UDtz769iO1Z85Wk+0ePHEqfsLpGI2GU/b0/FszZCtHxUTA3mFZn5Rd:HlX6ktH6MOU5SlP3IS0s8HkA3cZn
Score: 10/10
Signatures:
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0
Size: 1.7MB
MD5: b34fc356387febf6a41b22b6845a0913
SHA1: 6c0514a134e8f6fa4bf3d709ded7b9feae7aa9f6
SHA256: ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0
SHA512: a32efac4708b746e2a7d4aa84211be9ed73da90caefdce7948c749f8ebd3b46f44b3d5ef4f9f3225302853e9ce7047c3fd8caaf598029cccedcd900e7d02469f
SSDEEP: 24576:0MwTj1hBcvGHIGe45RFPDQCJ8rYegGHMtO5r4rR/S3zcw4UfXZycBADaxBcHq:1O1TcvGr1rj88egGs5k3zvo8ADaxBb
Score: 10/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Windows Firewall
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys (Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66
Size: 26KB
MD5: 96783917c067f4a74c0dd2f56643eea1
SHA1: 5a65e81d674500fac979aa8c2d854ac230bf598b
SHA256: f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66
SHA512: 979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632
SSDEEP: 768:3wcO79HKn1LMwAhd8HXVEu5TWKDQ/vOa:NOxKnpfAhdQEUWGUvOa
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b
Size: 173KB
MD5: a086f197a46fe757785c767048f2d9f3
SHA1: 62100a3d908db60faf193caf24515e0fcf5f625e
SHA256: f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b
SHA512: 1aa399f46bb9212d72adf75c17bb7df436b6d6cd0bfb83d9f08927e9ad21f48b7bfb30682c4021ac1fc3f547fbe9fdb4a9488f981ad9a06255849399ba87ae15
SSDEEP: 3072:I0tlAJw07xT/8RxM8SX0NtZ4Y2ZiQ/ZZ0AGVPBORLuy+gY/Ptfew6ziOOTYbL:RW7hwFj2YwZZ0AUkRLX+g8Z6OO
Score: 7/10
Signatures:
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
-  Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system (Looks up Uninstall key entries in the registry to enumerate software on the system.)
- Looks up external IP address via web service (Uses a legitimate IP lookup service to find the infected system's external IP.)
- Suspicious use of SetThreadContext

Target: f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab
Size: 390KB
MD5: dc5cd2992a219d51a2b2e0878eeda416
SHA1: 04b058f5e3087fd6ee63e97a87b08d228d9cc76f
SHA256: f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab
SHA512: 41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee
SSDEEP: 3072:monQdsWCvOppAVrEDC+p+u+7jKBVDC+TgElfoVI5Ow0qVJux8ksa7Uh+TlJ:Lns3lJMniD1rn10sV5yUh
Score: 8/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4
Size: 77KB
MD5: 689623dcf8cce31f412b1ad534a63c94
SHA1: e493ebed912d360ae7537a038357cd81bee73860
SHA256: f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4
SHA512: 4d347347f401a4d721905f76296d2a3fcec4541b64912efe12de0aba190953165eebe43d8bfd12873d91e64144829fc35f653bcaa1b385a58a7a3de82df0e4eb
SSDEEP: 1536:ihXyZtq0kRVF8XVLkYteqDg2l6RfOaBs0jNnqsWdd9Go/rTXn:ihiZY978XlkYUqDg28RfOaBs46dLGoP
Score: 10/10
Signatures:
- Modifies Windows Firewall
- Drops startup file
- Suspicious use of SetThreadContext

Target: fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96
Size: 1.1MB
MD5: 572c6a074a34978b05750fea0c97648e
SHA1: 94f5853d63106365d0f6ed1e46c32ccb8550892b
SHA256: fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96
SHA512: 8b5e809fc5c8348b07885033d6335f9559f7313ed0f45faf3361fb70bacfdda75a0593e836fb967986282027963bd1b19fbce80fc2a69beafdb62ce256235a30
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCKdBOYI9z7ogKQt91EamgMd:7JZoQrbTFZY1iaCn9z8VY9Id
Score: 10/10
Signatures:
- Modifies visibility of hidden/system files in Explorer
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives (Attempts to read the root path of hard drives other than the default C: drive.)

Target: fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497
Size: 40KB
MD5: 80f3036110c00a57b09bba7343c16696
SHA1: aab69aa9dd1ae6c8ad38aca89720053c918d5560
SHA256: fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497
SHA512: 5e5140ec8a8b23d06ce3349e7c4b107c6a73fbe3fa55a05fa8178b3c3b76df6c417d3334a03824ac24c58208b03b46f94fa48f68cf313d93e214d40087b076e8
SSDEEP: 768:B2FqkvDeUlJvlWwaYkzJzxGPZSCmfSUC9FQNBZyxGb1V29dpfo7h9Rp6oIGb+Elr:QFqkvDeUlJvlWwnkNlGPZSCmfS19FQNd
Score: 1/10
Signatures: none reported
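The signatures attached to each target above name the behaviours but not what they look like in host telemetry. The Python below is an added example, not taken from the sandbox or its signature set: it expresses each of those behaviours (firewall change, Run key, startup-folder drop, anti-VM and Wine registry reads, Uninstall-key enumeration, ThreadHideFromDebugger, SetThreadContext into another process, external IP lookup) as a predicate over constructed EDR-style events and correlates a dropped file with its later execution. Signature names are the report's own; the ATT&CK technique IDs are this example's mapping, not the report's; the paths, PIDs, the RegAsm.exe hollowing target and the ipify hostname are assumptions for illustration. The value 0x11 is the documented THREADINFOCLASS for ThreadHideFromDebugger.

```python
"""Added example (not part of the sandbox report): map the behaviours the
report flags onto constructed EDR-style events.  Paths, PIDs and hostnames
below are invented; nothing here was captured from the real samples."""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Self-allow rule in the style njRAT uses: netsh firewall add allowedprogram "<path>" "<name>" ENABLE
NETSH_FW_ADD = re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+)?firewall\s+add\b", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.amazonaws.com"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value passed to NtSetInformationThread

# (signature name as the report prints it, ATT&CK technique, event type, predicate)
RULES = [
    ("Modifies Windows Firewall", "T1562.004", "process",
     lambda e: bool(NETSH_FW_ADD.search(e["cmdline"]))),
    ("Adds Run key to start application", "T1547.001", "reg_write",
     lambda e: bool(RUN_KEY.search(e["key"]))),
    ("Drops startup file", "T1547.001", "file_create",
     lambda e: bool(STARTUP_DIR.search(e["path"]))),
    ("Checks BIOS information in registry", "T1497.001", "reg_read",
     lambda e: e["key"].lower().endswith(("systembiosversion", "videobiosversion"))),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "T1497.001", "reg_read",
     lambda e: "\\hardware\\acpi\\" in e["key"].lower() and "vbox" in e["key"].lower()),
    ("Identifies Wine through registry keys", "T1497.001", "reg_read",
     lambda e: e["key"].lower().endswith("\\software\\wine")),
    ("Checks installed software on the system", "T1518", "reg_read",
     lambda e: "\\currentversion\\uninstall" in e["key"].lower()),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "T1622", "api",
     lambda e: e["name"] == "NtSetInformationThread"
     and e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER),
    # SetThreadContext on a thread in another process is the hollowing tell.
    ("Suspicious use of SetThreadContext", "T1055.012", "api",
     lambda e: e["name"] == "SetThreadContext" and e.get("target_pid", e["pid"]) != e["pid"]),
    ("Looks up external IP address via web service", "T1016", "http",
     lambda e: e["host"].lower() in IP_LOOKUP_HOSTS),
]


def evaluate(events):
    """Run every rule over the trace and correlate file_create -> process to
    raise 'Executes dropped EXE'.  Returns {signature: {technique, pids}}."""
    hits, technique, dropped = defaultdict(set), {}, set()
    for e in events:
        for name, tech, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                hits[name].add(e["pid"])
                technique[name] = tech
        if e["type"] == "file_create":
            dropped.add(e["path"].lower())
        elif e["type"] == "process" and e["image"].lower() in dropped:
            hits["Executes dropped EXE"].add(e["pid"])
            technique["Executes dropped EXE"] = None
    return {n: {"technique": technique[n], "pids": sorted(p)} for n, p in hits.items()}


# Constructed trace resembling what an EDR would record for one of the njRAT-style
# droppers above.  The reg_key value is the one from the first extracted config.
DROPPER = r"C:\Users\u\AppData\Local\Temp\njnj.exe"
STARTUP = (r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
           r"\39ea446b8ade9effcf7ab7c0d68621da.exe")
EVENTS = [
    {"type": "process", "pid": 1204, "image": DROPPER, "cmdline": "njnj.exe"},
    {"type": "reg_write", "pid": 1204, "data": DROPPER,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\39ea446b8ade9effcf7ab7c0d68621da"},
    {"type": "file_create", "pid": 1204, "path": STARTUP},
    {"type": "process", "pid": 1310, "parent_pid": 1204, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DROPPER}" "njnj.exe" ENABLE'},
    {"type": "reg_read", "pid": 1204, "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_read", "pid": 1204, "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_read", "pid": 1204, "key": r"HKCU\Software\Wine"},
    {"type": "reg_read", "pid": 1204, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "reg_read", "pid": 1204, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
    {"type": "api", "pid": 1204, "name": "NtSetInformationThread", "info_class": 0x11},
    {"type": "process", "pid": 1390, "parent_pid": 1204, "cmdline": "RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "api", "pid": 1204, "name": "SetThreadContext", "target_pid": 1390},
    {"type": "http", "pid": 1390, "host": "api.ipify.org", "uri": "/"},
    {"type": "process", "pid": 1420, "parent_pid": 1204, "image": STARTUP,
     "cmdline": "39ea446b8ade9effcf7ab7c0d68621da.exe"},
]

if __name__ == "__main__":
    for name, hit in evaluate(EVENTS).items():
        print(f"{hit['technique'] or '-':10} pids={hit['pids']}  {name}")
```

The last process event fires only because an earlier file_create put that path in the dropped set, and SetThreadContext fires only when the target thread belongs to another process; an EDR rule that keys on the API name alone would also flag every debugger and profiler on the host.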
MITRE ATT&CK Enterprise v15
Counts are the number of matched signatures per technique across the tasks above.

Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 2
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
- Scheduled Task/Job (T1053): 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 2
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
- Scheduled Task/Job (T1053): 1

Defense Evasion
- Hide Artifacts (T1564): 1
  - Hidden Files and Directories (T1564.001): 1
- Modify Registry (T1112): 4
- Subvert Trust Controls (T1553): 1
  - Install Root Certificate (T1553.004): 1
- Virtualization/Sandbox Evasion (T1497): 2