General

  • Target

    b526ee0de0fac93563730dfd03d7c647f658db2ef54b327a2c8f85e7fab04755

  • Size

    10.6MB

  • Sample

    231010-qa9yxadf5t

  • MD5

    9a0dbb1d696a1256ddddd7c0ce0272c4

  • SHA1

    0d9d33243608213e53ed0354072a2155b69ae13a

  • SHA256

    b526ee0de0fac93563730dfd03d7c647f658db2ef54b327a2c8f85e7fab04755

  • SHA512

    021393656085eb7f3c57e627db3a88e6bed648375db7572e66edc711f5aff07898b2e74802eb7afed2670aaa1d3140813df69432e992bfcec89439171730e30b

  • SSDEEP

    196608:pW4+Lbgh/Kcds6UHD0g0rxFnoQcsqdA+fe3pCYA2ZG3yRrZFPvp:pWfg9OD0LgQcsqdAIJ8ZFZ

Malware Config

Extracted

Family

redline

Botnet

unique28.5

C2

194.169.175.232:45451

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

Attributes
  • rc4.i32

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • rc4.plain

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

6012068394_99

C2

https://pastebin.com/raw/8baCJyMF

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

Attributes
  • rc4.i32

Extracted

Family

lokibot

C2

http://alimatata.topendpower.top/_errorpages/alimatata/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

agenttesla

Credentials

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.telefoonreparatiebovenkarspel.nl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Madarjan007!

Extracted

Family

redline

Botnet

smokiez285

C2

194.169.175.232:45451

Extracted

Family

stealc

C2

http://dominiczachary.top

Attributes
  • url_path

    /e9c345fc99a4e67e.php

  • rc4.plain
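The configurations above are only useful once their C2 values are turned into indicators and run against telemetry. The Python below is an added example and is not part of the sandbox report: it normalizes the C2 values listed in this section (socket, bare hostname and URL forms) and matches them against a few constructed DNS, web-proxy and flow log lines whose format and client addresses are invented for the demonstration. It treats pastebin.com as a shared service, in line with the "Legitimate hosting services abused for malware hosting/C2" signature further down, so only the full dead-drop URL counts as a hit there, while a hostname-only hit on attacker-controlled infrastructure is reported at lower confidence.

```python
# Added example (not part of the sandbox report): normalize the C2 values above
# and scan constructed log lines. Log format and client addresses are invented.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 values copied verbatim from the "Malware Config" section, keyed by family.
EXTRACTED = [
    ("redline", "194.169.175.232:45451"),
    ("redline", "77.91.124.55:19071"),
    ("smokeloader", "http://77.91.68.29/fks/"),
    ("amadey", "http://77.91.124.1/theme/index.php"),
    ("redline", "https://pastebin.com/raw/8baCJyMF"),  # dead-drop resolver
    ("smokeloader", "http://host-file-host6.com/"),
    ("smokeloader", "http://host-host-file8.com/"),
    ("lokibot", "http://alimatata.topendpower.top/_errorpages/alimatata/five/fre.php"),
    ("lokibot", "http://kbfvzoboss.bid/alien/fre.php"),
    ("lokibot", "http://alphastand.trade/alien/fre.php"),
    ("lokibot", "http://alphastand.win/alien/fre.php"),
    ("lokibot", "http://alphastand.top/alien/fre.php"),
    ("tofsee", "vanaheim.cn"),
    ("tofsee", "jotunheim.name"),
    ("stealc", "http://dominiczachary.top/e9c345fc99a4e67e.php"),
]
# Legitimate services the malware only abuses: a hostname hit there is noise.
SHARED_HOSTS = {"pastebin.com"}


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: Optional[int]  # None: any port
    path: Optional[str]  # None: any path (socket or bare-host indicator)


def parse_indicator(family: str, raw: str) -> Indicator:
    """Accept the three forms in the configs: URL, host:port, bare host."""
    if "://" in raw:
        u = urlsplit(raw)
        return Indicator(family, u.hostname.lower(), u.port, u.path or "/")
    host, _, port = raw.partition(":")
    return Indicator(family, host.lower(), int(port) if port else None, None)


INDICATORS = [parse_indicator(f, r) for f, r in EXTRACTED]


def match_host(host: Optional[str], port: Optional[int] = None,
               path: Optional[str] = None) -> List[Tuple[str, str]]:
    """(family, 'exact') when every field the indicator specifies was observed
    and agrees; (family, 'host-only') when only the name agrees, which is
    suppressed for SHARED_HOSTS."""
    if not host:
        return []
    host, hits = host.lower(), []
    for ind in INDICATORS:
        if ind.host != host:
            continue
        port_ok = ind.port is None or (port is not None and ind.port == port)
        path_ok = ind.path is None or (path is not None and ind.path == path)
        if port_ok and path_ok:
            hits.append((ind.family, "exact"))
        elif host not in SHARED_HOSTS:
            hits.append((ind.family, "host-only"))
    return hits


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Parse one constructed log record: dns, flow or proxy."""
    f = line.split()
    if len(f) < 4:
        return []
    if f[0] == "dns":    # dns <client> query=<name> type=<rr>
        return match_host(f[2].partition("=")[2])
    if f[0] == "flow":   # flow <src:port> -> <dst:port> <proto>
        dst_host, _, dst_port = f[3].rpartition(":")
        return match_host(dst_host, int(dst_port))
    if f[0] == "proxy":  # proxy <client> <method> <url> <status>
        u = urlsplit(f[3])
        port = u.port or (443 if u.scheme == "https" else 80)
        return match_host(u.hostname, port, u.path or "/")
    return []


def scan(log: str) -> List[Tuple[str, str, str]]:
    """(line, family, confidence) for every hit in a multi-line log."""
    return [(line, fam, conf) for line in log.splitlines()
            for fam, conf in scan_line(line)]


# Constructed telemetry: true positives plus the traps a naive host match gets
# wrong (another pastebin paste, a bare pastebin lookup, another port/path).
SAMPLE_LOG = """\
dns 10.0.0.5 query=vanaheim.cn type=A
proxy 10.0.0.5 GET http://77.91.124.1/theme/index.php 200
flow 10.0.0.5:51234 -> 194.169.175.232:45451 tcp
proxy 10.0.0.7 GET https://pastebin.com/raw/8baCJyMF 200
proxy 10.0.0.8 GET https://pastebin.com/raw/someOtherPaste 200
dns 10.0.0.8 query=pastebin.com type=A
flow 10.0.0.9:40000 -> 194.169.175.232:80 tcp
proxy 10.0.0.9 GET http://dominiczachary.top/ 404
dns 10.0.0.3 query=www.microsoft.com type=A
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Running it reports six hits out of the nine constructed lines: the Tofsee lookup, the Amadey check-in, the RedLine socket and the pastebin dead-drop URL are exact; the connection to the RedLine address on port 80 and the request for the Stealc host's root page are host-only, meaning the host is known-bad infrastructure but the port or path is not the one in these configs, so they deserve triage rather than an automatic verdict. The other pastebin paste, the bare pastebin.com lookup and the Microsoft lookup produce nothing.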

Targets

    • Target

      f33535fb2813fbfee8e03ea80d11b1a9007db801ec8b6261277377c35d233ba7.exe

    • Size

      1.1MB

    • MD5

      e2e189e6abd23f63639330d243ef115d

    • SHA1

      81dc11ebfa2027b58abb4e36b5bc015a682ab439

    • SHA256

      f33535fb2813fbfee8e03ea80d11b1a9007db801ec8b6261277377c35d233ba7

    • SHA512

      68bb83206d20862160a448c844df437103f79653ea2be3e24659163fbf35180dd75e2f33f15984f9e30dee320a5c9f1da55fca231fffdb0337d023dc83f59dbd

    • SSDEEP

      24576:0yhhl9w7aXBz8kFv8AiqcNlLETzaOEqUjbNXUyBctDX:Dhhl9gaXBz8mv8Ai/NlLETzaODsxB8

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information.

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detects Healer, an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories and files from detection.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      f3476b5441c34dfe8ca745464622aea4a00cb1196861a6972d66c38f50b2f096.exe

    • Size

      1.2MB

    • MD5

      b9fffc3dc1fb552e9f513f07bd2a9074

    • SHA1

      7cdd7208a18e436991dfabc7445be5e216ddc954

    • SHA256

      f3476b5441c34dfe8ca745464622aea4a00cb1196861a6972d66c38f50b2f096

    • SHA512

      c22c6d1c392f416e910cbd0cbb9a4e2916062acb064020adda55765aafebc99a8ad26196e98193d17b95c4a739e7a53d55285eabe0d28ccc4202a3f677753d70

    • SSDEEP

      24576:zdm1hgZk90yimqq2k5rGXvFcFsb3nrGs7Vff:Hm90yimf2lNcOp3

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      f479112f0f56f314af5aada9e84225ff60b6d68d2271850a442494205db0e6e2.msi

    • Size

      660KB

    • MD5

      8e68a2869daf1ba9eaebf31d2d87973e

    • SHA1

      739627919a7d4b972454158911edce0106eb5df0

    • SHA256

      f479112f0f56f314af5aada9e84225ff60b6d68d2271850a442494205db0e6e2

    • SHA512

      35997befc485f7491e5e0fd0cb50a3e5a2f7111638eeb58d36498f68c48d380d9c08d2d03f8c49cc0300830438550e2fb7fa3ac4f9f1bcede2bcad3f3b14f513

    • SSDEEP

      12288:ntvRQ+gjpjegGdo8kgLKxBTi9byLw2wHvHgU3qfrbDW:ntncpVGPkgtyLHw33qjbD

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      f64398ee74ab5760caccfef93c615d537375c92241c15d2ea09fd402138786a4.exe

    • Size

      217KB

    • MD5

      0b474c6739cbae86839d614d973d161f

    • SHA1

      fb4ec82b145060eb3de4e40a37a4889cae2c4cfa

    • SHA256

      f64398ee74ab5760caccfef93c615d537375c92241c15d2ea09fd402138786a4

    • SHA512

      3e8b5932bb2e135e54b12f5671b6a351bbfad9dd870f257e84b2d4916f341cc7dbd513389e3d0cee73c5af21ebaba91dc0d6597f4a5eae0759cb0dc63cb3f978

    • SSDEEP

      3072:THXubBYim17CEys0UazhcMLEvx+RQftVuJfW5+XT7:bubBS7C5s0UAu1vx+REtIhXT

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      f672ba8bf05715a07351bf661588fcc42a13f814b4b6c3c9ea3519d35861a86f.exe

    • Size

      461KB

    • MD5

      9d388a4fd1967964c6aad56cd03ab084

    • SHA1

      5fa3d121998a267301ecafe49e69f97091436488

    • SHA256

      f672ba8bf05715a07351bf661588fcc42a13f814b4b6c3c9ea3519d35861a86f

    • SHA512

      0f12705317ed212e9f94138f901681a34e5181821a9d80f6881331223c13dda1ac63e28e54175af9e86ffc30ce4cc21aabe30b9af686ff1619c7c92f50a6a05b

    • SSDEEP

      12288:vUG+TUnCxfCHyqFVtXusi6Kuf8Dw4dlD4CdMxGp:vUGWUnXyqFVtesH8Dw4dlDv

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      f92501ffd4feea52666cbf60a5fe88c6583c1264680cf53950739370686fd776.exe

    • Size

      1.1MB

    • MD5

      94154f9dab2359231571870c2cee910f

    • SHA1

      cfcc4227bce9540644c7f5a9094da58936cf8d90

    • SHA256

      f92501ffd4feea52666cbf60a5fe88c6583c1264680cf53950739370686fd776

    • SHA512

      da4709298568c0a3d9644ec8ebc594593f62c9fd9d9628627d9df568efb093b47adb851123892cc61a0df68a2d4fce52651a7c9cabd243b12bd5f454ad800fb2

    • SSDEEP

      24576:yyLxsNFJJ9KwfheAhWDpPFiYwf5U1w2Kt0vaWeVbjnL9/17+t:Ze1J9KwfheAhWDpPFirU+2LUbjnL9V

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information.

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detects Healer, an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories and files from detection.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      fa20559cbae909b4b7307dc6dc7a10ecd482af8ff4f2fd588f950185d5695d8e.exe

    • Size

      267KB

    • MD5

      b5b23c028151b53aa8cdd25389bfcb4c

    • SHA1

      559181d09e2974d190470995ce30aa3c66e5c7f3

    • SHA256

      fa20559cbae909b4b7307dc6dc7a10ecd482af8ff4f2fd588f950185d5695d8e

    • SHA512

      3cbd0a41f739885409366166d61d17fc03ce930dfd2d8dfd98986ea24efe54b8a97d59983e65dd4cee2f509359fe790acb34e76cc735900a5abf34a65019ebfc

    • SSDEEP

      3072:Bsq/q/xNO2JySv3KySTgW6evFbi2UIjfW78ea6PSrrpv8E:uqypA2JySyysu2m8ea6PWa

    • Target

      fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe

    • Size

      1.9MB

    • MD5

      b0f43da8d5e294f83d9acaeee4023888

    • SHA1

      6f050ea88b1f005ebc8a09b385f609214c15d9d7

    • SHA256

      fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105

    • SHA512

      b33d2d3e7e38ea32b89d0573321e83090632ec81e684072f5d35f49295e21b1a7ca2d66a9af739f3b3228e78e3c7b8c143c0513371b49a137b4c17eab3aca60d

    • SSDEEP

      24576:7LdoWOG0h0DlBtcuRvfxsSc/JgVkmw24kBMM0:2G0h0DdvzQgVkmY

    Score
    7/10
    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190.exe

    • Size

      575KB

    • MD5

      0dffc7074ad574b0748ef8e60a52f068

    • SHA1

      6c573e941701381625d10817496632994c83fd11

    • SHA256

      fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190

    • SHA512

      0450dfc3562b3484c2482f44e1180e53cf6c6cee2cc93ad8ab6c723c6f7daf08ecc673b046feab6ecf30a5919c6a7a7c288d309f5ef43b585bd6f1e71658661b

    • SSDEEP

      12288:b37s93Kd3l4IrCUJQs7pBuguvAAuvjMHIzgzX0cGW:r7s96x+IrClPj9j

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      fbce72438627da5767059d2f925ac2a318283149c77cd507a7b82ddb614fc6fe.exe

    • Size

      341KB

    • MD5

      2823a053cb3512532ca475cc6eaec825

    • SHA1

      2285cf41d7db74d9b25c0005fabae74af816e13c

    • SHA256

      fbce72438627da5767059d2f925ac2a318283149c77cd507a7b82ddb614fc6fe

    • SHA512

      9472daafaf23a625e9d096e6f37323a5df27c3e017e006ff72a7ec1d75e8bd36c584aa4d3a361df61b2537fd74c0a9892c9d7af913c57b0948eda5eaf1742736

    • SSDEEP

      6144:3rqX8nNfwn4Hx/nwR9zHp+ab6yeiN1aLTi:bqXaon4cJ+ab6yes

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      fc82f1f187a911727bd8bac3ab3c8aeba9eec12c9b9445547cf7c56b2097b954.exe

    • Size

      1.1MB

    • MD5

      8fccb7ed45b5c04c173fdea0f081fedc

    • SHA1

      a940c5ea36ecd2c575570954e503ef4f6d0e8b2a

    • SHA256

      fc82f1f187a911727bd8bac3ab3c8aeba9eec12c9b9445547cf7c56b2097b954

    • SHA512

      9b79ecdc0ab3adf10f14af863eb22d789d6b1b4a9f3ea97ac566df0b88e1258ee689d6ef800b7fd9234401b234f09b7cc089bbfa36f4fc2ecf838872a47b0faf

    • SSDEEP

      24576:Lym+8DJlyfnTANqN1ghFp5vJn1Bxo/4kWvMgf:+m+8Dj6nTANqDgrp7n1BSQkgh

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information.

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Detects Healer, an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from the Microsoft brand.

    • Suspicious use of SetThreadContext

    • Target

      fd03ea32f520aa57ee6b4e29eedf1c897857f9368933c2bb3367d2016dc27454.exe

    • Size

      1.2MB

    • MD5

      752ea2c2fdc34de9cd8e50b0e35df912

    • SHA1

      a4a17fa6922d833f12ad2530a8431cac88b7ae81

    • SHA256

      fd03ea32f520aa57ee6b4e29eedf1c897857f9368933c2bb3367d2016dc27454

    • SHA512

      69e43fe185c34c9785155a115405f8d54580fccae8146c3272559e6896a1f7eda46384a684ded092109975ce5066c495e6495f7b418463390c2a735bbb50fb14

    • SSDEEP

      24576:IcLWn6QUUK3k4ntAL/IDpgpJKHj9UAdOj8XyBzfDWEnGARtby0Bpmz:IcL003lkI1gpJKHBUScR3JyEpo

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Target

      fe21006be0bc93da7054954bbd0ff37fc8ec20c4bb7984234a900589c2d5cbea.exe

    • Size

      217KB

    • MD5

      230ff2e809a0df012a0ef6b12c06bb45

    • SHA1

      084a7dcee5811e821f89b82f7852b9499aafd715

    • SHA256

      fe21006be0bc93da7054954bbd0ff37fc8ec20c4bb7984234a900589c2d5cbea

    • SHA512

      7cd672915fd04ea12f817be3659b0c651982993d5a9973483e7120952110278727ea440a0c80210c3870e0020bdbf754204ca2f85fa985860dd13def81767a11

    • SSDEEP

      3072:wHXDmRZY5duTJMTE1LkX3G2DpoCtPwIvY2MJlRAH0ev54G2T9K:CDoZbJG2wrPwf2uRO0euG2T

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      fe53c0822d0b31a92436603f7f1d8892ecc21e43b5524767f83e93f05af0f500.elf

    • Size

      27KB

    • MD5

      546ee4af631a18812816e44e9e66b3bc

    • SHA1

      2e3c3c3a28e206918f59c6b85b0c29a233c2aeb4

    • SHA256

      fe53c0822d0b31a92436603f7f1d8892ecc21e43b5524767f83e93f05af0f500

    • SHA512

      8d0d1dd414e510b5d9230393899529f0f8fd42231e441cdcc123d98a21708c97b06cb9452081545a67f963e510875b8931e3f2b6eed4d098042c2282ba9a9947

    • SSDEEP

      768:ljoPOCZ/DkbngYAZa6VvS7P3+T7yH+s3Uozy:jCZIbgvZa6VvSz+fmjzy

    Score
    1/10
    • Target

      fe6b8e0d183bf1cf3105a86efd5d70110afd4a05ddcfc7555bb2053f08812fa4.exe

    • Size

      655KB

    • MD5

      25d8dc370fae2e2a71b86392f352f479

    • SHA1

      d8027a8920844a29aed47a6f22761c8a69f60cfa

    • SHA256

      fe6b8e0d183bf1cf3105a86efd5d70110afd4a05ddcfc7555bb2053f08812fa4

    • SHA512

      f3a2fdccdd72967ed50d20be8738a3f1438b04434e88dbe3f2788b061a52dc9c285c7996cfa5ace5e47e0ef89b3b92c753d4e34025c5eb5f8a6284caeecfe62f

    • SSDEEP

      12288:pt7s9+cf017e6WtXpQjguZKni7EhXlLMt+NsG0atOsFAhAUDLpW:r7s9Tb6epKAi7EhXlPsRSYAq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      ff53a80edbe3f726f55d17b3671723ff1a2062b17b30beae33bdb4f173733660.bat

    • Size

      1013KB

    • MD5

      356726c6ef766005db80ef2f8c0ace6f

    • SHA1

      78aefea292bf9397cc4d4987af6f700da8bfafd2

    • SHA256

      ff53a80edbe3f726f55d17b3671723ff1a2062b17b30beae33bdb4f173733660

    • SHA512

      75182a0f3c20c4541be7de7df84f1683064c2ed6b8f134e9d3bc8f717ba9d96632fccdd76c243c70ab9ab42c9e327d6a3b12eb712f902117007270d0b1b23548

    • SSDEEP

      24576:Vf4Q9sdKUubPFgGuaD13/2pLe/jWw0tyKTo6W:BTbPbEaMEKPW

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e.exe

    • Size

      460KB

    • MD5

      b3c1420b33a1a4bfa365bf8f07341414

    • SHA1

      5eb9b7164bba4dc44cf7dabb422b09dcd37be53e

    • SHA256

      ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e

    • SHA512

      cda882d4aa85695243827cec2630c8635372cfcc3ef7e28536df0f53be6670dae7f85c4237acdcd91bdb5d7e64312fa39f52e9ce4278bae8ab61a7e2c63bb89e

    • SSDEEP

      6144:OwmEmkoh0h78AQWh2OohFAOOO/nqi4inYqfBcd4Qe+kDmYxoWK:OVEmt+h45LwGYjxeTp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

  • static1
    Tags: upx, redline
    Score: 10/10

  • behavioral1
    Tags: evasion, persistence, trojan
    Score: 10/10

  • behavioral2
    Tags: amadey, dcrat, glupteba, healer, redline, smokeloader, 6012068394_99, lutyr, magia, up3, backdoor, collection, discovery, dropper, evasion, infostealer, loader, persistence, rat, rootkit, spyware, stealer, trojan
    Score: 10/10

  • behavioral3
    Tags: redline, infostealer, spyware
    Score: 10/10

  • behavioral4
    Tags: redline, infostealer, spyware
    Score: 10/10

  • behavioral5
    Tags: discovery
    Score: 7/10

  • behavioral6
    Tags: discovery
    Score: 8/10

  • behavioral7
    Tags: stealc, discovery, stealer
    Score: 10/10

  • behavioral8
    Tags: stealc, discovery, stealer
    Score: 10/10

  • behavioral9
    Tags: redline, unique28.5, infostealer, spyware
    Score: 10/10

  • behavioral10
    Tags: redline, unique28.5, infostealer, spyware
    Score: 10/10

  • behavioral11
    Tags: evasion, persistence, trojan
    Score: 10/10

  • behavioral12
    Tags: amadey, dcrat, glupteba, healer, redline, smokeloader, 6012068394_99, lutyr, magia, up3, backdoor, discovery, dropper, evasion, infostealer, loader, persistence, rat, rootkit, spyware, stealer, trojan
    Score: 10/10

  • behavioral13
    Tags: lokibot, collection, spyware, stealer, trojan
    Score: 10/10

  • behavioral14
    Tags: lokibot, collection, spyware, stealer, trojan
    Score: 10/10

  • behavioral15
    Score: 7/10

  • behavioral16
    Score: 7/10

  • behavioral17
    Tags: agenttesla, keylogger, spyware, stealer, trojan
    Score: 10/10

  • behavioral18
    Tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan
    Score: 10/10

  • behavioral19
    Tags: redline, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral20
    Tags: redline, discovery, infostealer, spyware, stealer
    Score: 10/10

  • behavioral21
    Tags: evasion, persistence, trojan
    Score: 10/10

  • behavioral22
    Tags: amadey, dcrat, glupteba, healer, redline, smokeloader, 6012068394_99, lutyr, magia, up3, backdoor, microsoft, discovery, dropper, evasion, infostealer, loader, persistence, phishing, rat, spyware, stealer, trojan
    Score: 10/10

  • behavioral23
    Tags: upx
    Score: 7/10

  • behavioral24
    Tags: upx
    Score: 7/10

  • behavioral25
    Tags: tofsee, xmrig, evasion, miner, persistence, trojan
    Score: 10/10

  • behavioral26
    Tags: tofsee, evasion, persistence, trojan
    Score: 10/10

  • behavioral27
    Score: 1/10

  • behavioral28
    Tags: agenttesla, collection, keylogger, spyware, stealer, trojan
    Score: 10/10

  • behavioral29
    Tags: agenttesla, collection, keylogger, spyware, stealer, trojan
    Score: 10/10

  • behavioral30
    Score: 7/10

  • behavioral31
    Tags: persistence, spyware, stealer
    Score: 7/10

  • behavioral32
    Tags: redline, smokiez285, infostealer, spyware
    Score: 10/10