Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    0dc2870f5bbcf289c0cbcdaba91492f88da72f3a000e41721ccfe08461094724

  • Size

    6.7MB

  • MD5

    4975b794102c6aa719c89b00f3444ac2

  • SHA1

    5c83d1a4798565723d9aa51f42b638614fa2c150

  • SHA256

    0dc2870f5bbcf289c0cbcdaba91492f88da72f3a000e41721ccfe08461094724

  • SHA512

    fa2d817b4bf3c606a4250c924f9d5eea6a7cf08b610f3dbe622e6e12ce5b17baaada3bcd89239e8ac21c475b573cb31adcf048794d7b2e0cac8d0aed7c4b5d77

  • SSDEEP

    196608:PWeBipf+AgWSmIql5oigGrCWrcUOTONAoGqv8N1uFMx5fBO:rBip0puoivdDNNAoGqv8N1Lx5f

  Score

  10^/10

  fabookiegluptebasmokeloaderup3backdoordiscoverydropperevasionloaderpersistencerootkitspywarestealertrojanupxamadeydcratvidar5a1fadccb27cfce506dba962fc85426dinfostealerrat

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • UAC bypass

    evasiontrojan

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Stops running service(s)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2