Extracted

Extracted

Extracted

• • Target

    file

  • Size

    273KB

  • MD5

    9a4c1ffa5524000e27d735a01b5c7046

  • SHA1

    1cd6d8a903945d1b21ff4261c3c50370fc4acca1

  • SHA256

    7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

  • SHA512

    24929f0286499e683cdc7e90c95985d6e22360e5fe440990ccad17adfcf90b7eb14662f39d8d1cd42bee40f123f2fd596c4e465b15eda91a17a6699f2c4e6068

  • SSDEEP

    6144:T4UpOobfAtnh2LnXHkWNsJxlSKz0oWV8zrlSenTExmKV7qF:8UQDtnhoUashS20hizrlS2ExWF

  Score

  10^/10

  amadeydanabotfabookiegluptebavidar4841d6b1839c4fa7c20ecc420b82b347bankerdiscoverydropperevasionloaderpersistencerootkitspywarestealertrojanupxxmrigminer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • UAC bypass

    evasiontrojan

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Modifies boot configuration data using bcdedit

  • XMRig Miner payload

    miner

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Stops running service(s)

    evasion

  • .NET Reactor proctector

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2