General
-
Target
Malw.rar
-
Size
22.2MB
-
Sample
231007-kf74lscd82
-
MD5
cd872060986ed067e89bf917300348b9
-
SHA1
7132ed454d6dd9e0553ca9862e63387185141ee6
-
SHA256
999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d
-
SHA512
7280dd388e1222f99e23c8cfd0edfdb20833274e77839505b084604ad668f97cb9401806d44ded23126059c6b2f5a0a392f9200697ad90ecbd7e29aca120b23a
-
SSDEEP
393216:yJYqXY9Vg0dz1XRIyusiBpSyGcteLnwHGd7JLDAZt5BWRc8APdFTvMEN9Ky:G+99dZRBusKoctgwHx5BLPLNwy
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Extracted
mirai
BOTNET
Extracted
redline
gruha
77.91.124.55:19071
-
auth_value
2f4cf2e668a540e64775b27535cc6892
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6415420186:AAFl1R3-Kr5zbvKkeofTPjxvxd9leZKNs2M/sendMessage?chat_id=940609421
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
5.0.5
Crypt One
194.180.49.190:9254
c7737c6a-d18e-4344-9a5b-860541cfb072
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
gozi
Extracted
gozi
5050
mifrutty.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
http://igrovdow.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Extracted
redline
frant
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
gigant
77.91.124.55:19071
Extracted
amadey
3.83
http://5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Extracted
redline
@ytlogsbot
176.123.4.46:33783
Extracted
mystic
http://5.42.92.211/loghub/master
Extracted
agenttesla
Protocol: smtp- Host:
mail.giroplastic.com.br - Port:
587 - Username:
jesiane@giroplastic.com.br - Password:
#no2@tec - Email To:
originallog@mail.com
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Targets
-
-
Target
189ca1951e90f92454d9e6f451847f17d5d3e85639e474147d9d63ec529189df.bin
-
Size
1.5MB
-
MD5
6419a1e59348225baafa1b58ed611fc9
-
SHA1
89e4e06f33ddacf9092907bca221ad111fd4dcf1
-
SHA256
189ca1951e90f92454d9e6f451847f17d5d3e85639e474147d9d63ec529189df
-
SHA512
0d85752488eedc84c3bc858e171a1b73ffda869b14b9404e121f5a71cbb4aa64510b51a57890fe3d97ccd9beab854361e009e27e1cc4796f5d5c7bdba36c0634
-
SSDEEP
24576:twFgDyuHZ0uHO/dqvTrHxm/vDlDLIgNgOknWH:phHZ02O/dGc9UgbsY
Score10/10-
Detects Eternity clipper
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
-
-
Target
37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60.exe
-
Size
953KB
-
MD5
5fc3bd9632a02f189d81f75fc3b12ebf
-
SHA1
6abbc78a6fb421adf80051365dbfaff0b3fb696b
-
SHA256
37ca1cfa1f30b57408d3e855f98f9e5fd6900b23643bbc0c6163a875edf00b60
-
SHA512
cf0b9df6db5c85ebc85967dbfbdd99ada401f718445f69f258d9d0a9466f7b58a7bb2f1287cb5679988bd79b42807fa0e0e7fc419557f0af3fbb620b40b2c2af
-
SSDEEP
12288:OzEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzz5:0ztQE1ov2AZ9HjkftWyq
Score10/10-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware
-
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (215) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
37e3ba3283cd2b6f56990318a0861f92f76aac467a79df61b72878a493c476c3.elf
-
Size
37KB
-
MD5
b8c5a7bc9c67b60b4aebb5f9cd450a86
-
SHA1
405cbbe067d9ee9197d6d533dddb912f8e7805b1
-
SHA256
37e3ba3283cd2b6f56990318a0861f92f76aac467a79df61b72878a493c476c3
-
SHA512
459549ee1ec094ebd88f7a16e3c506fcb31928ff92c1410ecd11b4cc818c022a5b6a251849195d96e6ce7e70388b7c5a98368eb25a6e766e7555a55ce5e3901b
-
SSDEEP
768:B6MpMrH1oYDg4QWttgSYpkD1/wdVkP3F2H5oMxMgll+Y9q3UELOC:BSjE45tvYpQdsktIbll+BL5
Score1/10 -
-
-
Target
3898dfa5cb6bbc6d6c48c202d31333d3b214d0f2ac7c4396eb54d6ed09bf24ba.exe
-
Size
334KB
-
MD5
242c47b16c8755e72d7d1fdbc9ff0f17
-
SHA1
445486022335d121378877268cfc5a0625b53e4f
-
SHA256
3898dfa5cb6bbc6d6c48c202d31333d3b214d0f2ac7c4396eb54d6ed09bf24ba
-
SHA512
f46985cb70a351a57fcf2dfb4b6a0733ac26b93c09daecadc611c5c80e749cc5a52fe10b03a761a4c6de903f3f79bacde7c1f61d056e51040d55bb1ee77317b1
-
SSDEEP
6144:ge1/duat9Ej/QUsovmgk17/G1aQx9pf7IWbhrC:ge1/dUso61gVRI
Score10/10-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.docx
-
Size
5.2MB
-
MD5
d381d9db9cbd1b60afdfb4f05e52a775
-
SHA1
d59c52583ca791e07f3e6aec2ee2590ab9bfd67e
-
SHA256
3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9
-
SHA512
cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861
-
SSDEEP
98304:Qp4L/JhqnNKIjRFlrDlyzVd/dCR36YDAbJC5kZne:QeL/JhqNRrhyXCR3FAbfhe
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
-
-
Target
505fe3cf697c698f75b5135389463f40af5c90b576cd1d637db3400fe2701bcb.bin
-
Size
1.0MB
-
MD5
32d6a8fbfd4b362c8281c3caf0dfebaa
-
SHA1
c7a119c8f5731d280b65394cdfdc3ff665dc989d
-
SHA256
505fe3cf697c698f75b5135389463f40af5c90b576cd1d637db3400fe2701bcb
-
SHA512
6b3e9a57df867a21270f6f2e1dd472bfd360ae03856f96318d5485b5339a15c95e7f590d6fcdc6f6bf3dea7711f81930eed0122927d3880cdc6aed67bebf5725
-
SSDEEP
24576:CyNGXsSg4D8nP/xmtAuBqR0ZZEZ9MrRKKuo8FzUjTMiyT6:pwg4Dk/xmtAdiZmg0KuajTqT
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Mystic stealer payload
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.bin
-
Size
10.2MB
-
MD5
6cfc8a19911d2a4401c1c362587e83ce
-
SHA1
757f656302382738175a6a73ed7e412bba55011c
-
SHA256
6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984
-
SHA512
4da1ae530f9e06cf69ee4d68f5166586096940248f58954e928e16d56faa2cdefcb4ba865588964a254659c14642de8af9fe8e393a168a642e9a5648ef5f29a2
-
SSDEEP
98304:01+qfbaSe1um0WohRcxAqV6EiTEEhG8VdjDEJgkKQ:nGWM0x7VdiAfj
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload
-
Suspicious use of SetThreadContext
-
-
-
Target
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
-
Size
274KB
-
MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec
-
SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12
-
SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
-
SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
SSDEEP
3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
913aec7dc792e606551464e3203a1545bed4f032de9dfced990183fa65c53360.bin
-
Size
1.1MB
-
MD5
97db5929795af713a29da7ee311097b6
-
SHA1
4edbba98c44d3e0871144507e076afca15bb34d2
-
SHA256
913aec7dc792e606551464e3203a1545bed4f032de9dfced990183fa65c53360
-
SHA512
dfaceddde78a58b7a5957961496c2e5b81106ed0b1d2dbd439548ba90f21515e43a9dc69bb5aa0e5b33199c92d1ef9aff34b099641fd2ca4cb382e6546b6ecbf
-
SSDEEP
24576:lyLFc4gILHSFdApaMPP+3jauS/PHOb7LnssG3Ge1:ALMLdM+zauSHYst
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
NEAS.arm7elf_JC.elf
-
Size
50KB
-
MD5
5c7b331aa38795a202db1a98352c342f
-
SHA1
a2ccdc33f1ee246eb466c6ae43bce71d3c170f94
-
SHA256
bce4f077424f31cfff3f8ec50a7c9bda802b4a0b08b27e18e69ad7c4127c32bb
-
SHA512
b963c9a2f1f6cb0aedbc4cf80a55af99a6fe3f5a273e76cd24421f567928ed1e138768e1e72e86cc784ccce42cf424ab7e4f8f8f5e3fa3bdcd9dbe567cdc1f0b
-
SSDEEP
1536:la8ZqK2kfJzQA3XbURnB+0J06Kz4sjHLYwKeokllDiP:lHqK2kfX3XbUpBBKz4qHLjW
Score1/10 -
-
-
Target
a23543464a64fea0ed91623e16dc9631a2274c4a4f929a04eacf149590c6c448.exe
-
Size
387KB
-
MD5
f646c097913ec9dc3897ec3b5e452919
-
SHA1
0948b7d2f5b0ebcbc5c3b7c8ef29a271abbfa93f
-
SHA256
a23543464a64fea0ed91623e16dc9631a2274c4a4f929a04eacf149590c6c448
-
SHA512
5e2d2e7356f5c69b6ef676ccb266c58786030a0d751aa8c6e52e9a8ef5365d7d7f41c0434e25260998bbf53d99122f363b0f620a4a8dd4d68e5952545416cf07
-
SSDEEP
12288:kDoSU8AcJIoxecqF2kTJFLb1ChbNdP+kfXuBuKUv0HJg0YBmgMylojOPcoDYyFtz:kcFpQmyojOwUPXzqSd
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
ad21aff38e3b20ca7c9c7236977dfb0821d515962cb5c705d8a5b9a8cbc43859.bin
-
Size
592KB
-
MD5
2b17ef662bfb9464153c8dbd60ccbad9
-
SHA1
a2883daa62d0f99d6cbf8b51b28d3f479c3807dc
-
SHA256
ad21aff38e3b20ca7c9c7236977dfb0821d515962cb5c705d8a5b9a8cbc43859
-
SHA512
e0cb94d546284ee3400a2e8f372b3365c0686ae5a6265b6bbd598f33d677d0582d29e0b6ef33dbadda496f89089a89a3bc9ead862708c4f19a7a5c96793284b4
-
SSDEEP
12288:Wi+rhsEgj79G/vpZyofAj+KD5icYPahZ:zITpq5icYPahZ
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
-
Size
3.9MB
-
MD5
2746cf67ced0c91f1cefd3d137bd6a5c
-
SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c
-
SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
-
SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
SSDEEP
98304:s7ZyplW12iRY7CWkdntsrBRAxQyvIYA+7THD:duLaCv0BeOyvIYA+Hj
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
UAC bypass
-
Windows security bypass
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
-
-
Target
ca1af61fd2c6ecd3827b63604900beaaf6382c8bf6ef6b7a6e469e250f9b2e7f.elf
-
Size
74KB
-
MD5
7712622b406f7bbf8ba62a28e1e35158
-
SHA1
eb5fdd089b82ed7634965f6569eeb6c5302b5a71
-
SHA256
ca1af61fd2c6ecd3827b63604900beaaf6382c8bf6ef6b7a6e469e250f9b2e7f
-
SHA512
f410834285c2d6f3642eb758a6ac6fc94acf610d853cedc2c6c129f8bcd51b6bcf87d814df9919329179a706c999c92570c6642bc9168af1c3d036fea64c98b2
-
SSDEEP
1536:znTcO2ULJEAnDrRSWHQLgTPoMgr3d4MXRPd:zTD2ULJEApUiM
Score9/10-
Contacts a large (137941) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Changes its process name
-
Deletes itself
-
Modifies Watchdog functionality
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
-
-
Target
cad291a2df541313c6d296dcb798f5565ce591ca94f4649c21bc0e8b7e7a86eb.exe
-
Size
472KB
-
MD5
762bff46f0d8459d2fd83a7dbc0b3103
-
SHA1
5fdddc577baaa0ba8c7fe6b88be254866c959321
-
SHA256
cad291a2df541313c6d296dcb798f5565ce591ca94f4649c21bc0e8b7e7a86eb
-
SHA512
38a1e73a7d3c36817f53311c016a4ddf724dee9531c419298ea1f4452f60e4786ff16f25f5c73e01b7b9af971cc5c1acd323f436667a60ad77a0348f0a3256b5
-
SSDEEP
6144:WWMjNEqWNAML6edtpVYWNTLq01CQoSE0iHjbRfKugGdGQ/UDlVJHaCV:Wvuq2RL3ddNT+LKugjNTJ6
Score10/10-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload
-
-
-
Target
da8e7392c3c3d1c521d28c78d60425a2a5b7f52d17eb495d0e5cc581737344fb
-
Size
758KB
-
MD5
69910b8a839dcc28f1d96efeade65da8
-
SHA1
84fbe23ec514b722615a552c4906f50d15ffec08
-
SHA256
da8e7392c3c3d1c521d28c78d60425a2a5b7f52d17eb495d0e5cc581737344fb
-
SHA512
8babef83a23685704bbb9a84def0fa93f28c2c5626b7ecdd7ebd2417d532294d7fd64d7657ef60fc78f16fc61eb6e96a6e63262612017cb0ec59300ea9c80d57
-
SSDEEP
12288:TMrvy90UKTpSrjEM5OKm1AkJ89kUNYM6dlTIIqx0SF54qs6kMCqryeZF0KIcJo2I:sy2TpijEB5VIkU+nTWKSF54bzMDyeZur
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e3a0367cf2ebe9a41c5972ce3e53c1eb89d81fa01d1fe3e29ecca89af8f5a802.bin
-
Size
356KB
-
MD5
eee483531e1ad411935f8d345d9492c8
-
SHA1
c7f69aade6bce67a54c768b6ee078fb3b294ce5c
-
SHA256
e3a0367cf2ebe9a41c5972ce3e53c1eb89d81fa01d1fe3e29ecca89af8f5a802
-
SHA512
a5fdff2635a23b4c75b25e4c65873fbf7a15f54ebee6f258066f6d958dc308760c55a2f8803bcb4c3ccbc375d123c40598a2dbb82e197b91b3ad6941dd1fbca2
-
SSDEEP
6144:UETeW/s5GqrO5aXnfEGIXWPvZAOXyftjXQTUr5cA72b857mML2GVs0BC+:cmcGqrOk86xutjXQTDjb8D/s0BC+
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
Suspicious use of SetThreadContext
-
-
-
Target
f8ac9d00a184e45b3c8600507eb21194712ea65d0e8e72657963c870f039d21b.bin
-
Size
269KB
-
MD5
aa305d193e030df354f932232c37492f
-
SHA1
26f350fa286c442695483e888ae4ad2f91575073
-
SHA256
f8ac9d00a184e45b3c8600507eb21194712ea65d0e8e72657963c870f039d21b
-
SHA512
4f73d6c9ed65340ad9159dd8742e9631cbd33c7f9500b70cd0d14a3e0b2b6c7cdf0e2cff2a4ae3c1b43acee596b3903576c0ebdead7e52a99095d52fee281c1a
-
SSDEEP
6144:YYUctlMQMY6Vo++E0R6gFAO2igELvwog35:YYrtiQMYlXoixvwT35
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected google phishing page
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Scheduled Task/Job
6Create or Modify System Process
7Windows Service
7Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
5Privilege Escalation
Scheduled Task/Job
6Create or Modify System Process
7Windows Service
7Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Subvert Trust Controls
1Install Root Certificate
1Modify Registry
20Impair Defenses
12Disable or Modify Tools
11Scripting
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1