Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    6523.exe

  • Size

    270KB

  • MD5

    2c64d25f93529b36cd27edfda1cac334

  • SHA1

    c5b203ecf73ee3f3ace7991b99ac3e4951767089

  • SHA256

    333303c7b9f0f951ddc68973cc187280287ecdf28dde13bf9f3dd60c572b0d69

  • SHA512

    802be998bacc7b47c50038c5fd28b24778e8d4729985966c9e174dcf89dfe75a16e1b03c41f2ccdd1554e4f260371865293af8abe3ca4f96f85e3f10c139e12f

  • SSDEEP

    3072:7sH37bKH3o0RzJwIu2PuuQcdsMcLK8egt:I37bK7RzJwIueuuQcH2Eg

  Score

  10^/10

  smokeloaderbackdoortrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Deletes itself

  • Executes dropped EXE

  behavioral1behavioral2

• • Target

    Amdau.exe

  • Size

    3.2MB

  • MD5

    c3ee25c18f2c408c9054d9c6d4c1e147

  • SHA1

    80d2395709b713647b199c22fdec5415d3a68052

  • SHA256

    c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

  • SHA512

    d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4

  • SSDEEP

    24576:0cUe92VHXy4fv6hfZQGwSWF6r+tLq9rNE0TR5sTlcJxbTGX+tIonLiMjrWD:rt9L4p7GJEeR51TGX10LPjrWD

  Score

  10^/10

  amadeytrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Drops startup file

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    CLEP.exe

  • Size

    4.6MB

  • MD5

    2b3bff5880cb5d9ab44c302bd1047313

  • SHA1

    8cf83c7e71254a6ca5d40d58470897479c49e4c3

  • SHA256

    e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc

  • SHA512

    c3d46ca94eb85db7614f0c9ad57d5ab2afe380e5ae57b6967795d285936ee9133439010ddd3bd28267e203bb396062192cd3398092e2f37f46fa2be5aff426b4

  • SSDEEP

    49152:l7LFs2B0KVUUzpyZ9vAaE5FKY/t76oUz7UQqAOiyjrbsnHzvSP9rsvl/m9NjJTnP:RpsC/VyZpoUzJqTknTRQdXOY

  Score

  10^/10

  laplasclipperstealer

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas

  • Executes dropped EXE

  behavioral5behavioral6

• • Target

    DCKA.exe

  • Size

    179KB

  • MD5

    cee44021a4841cf66516938c3b09cd3a

  • SHA1

    0e2d3a5f496f87ea41b0fe273332dee4b0988d9f

  • SHA256

    7d16edee6fbccf5bcb73691b8f69113f3e80c804d66b49e71be48ef21eea30b5

  • SHA512

    43e3a990b9a19f6890c1a86ddf41a59d2f42c3dd902dcd73ece9f6fcf4ffb9347b785a10ab0a7a9e0fc8c72ad14d31e2a90593dd585d3a1aee71b72208b5c4cb

  • SSDEEP

    3072:bwevYpKTDMDU3fuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8m+u3wB4HzlrzPOefxoEBK7

  Score

  10^/10

  rhadamanthysstealer

  • Detect rhadamanthys stealer shellcode

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  behavioral7behavioral8

• • Target

    DEV.exe

  • Size

    179KB

  • MD5

    9775295a19eff01e8ccb2d7f5702569d

  • SHA1

    8b069c942631ac9b642031005ba20f03324ecc84

  • SHA256

    7aadc76471387981789a8aa1d2c34ed48b79f84febe3160feea5f32c4aaaceb7

  • SHA512

    fdc7ce7da4ca98aa67ea9652c13e1d316f4bad8f7ae07224754fdffc559fd93b3e5488aa13e622610c7b3db22261183bffedccde6a76147e5cfc898a0b5a3733

  • SSDEEP

    3072:bwevYpKTDMDUjfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mCu3wB4HzlrzPOefxoEBK7

  Score

  10^/10

  rhadamanthysstealer

  • Detect rhadamanthys stealer shellcode

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  behavioral10behavioral9

• • Target

    DEVMin.exe

  • Size

    3.6MB

  • MD5

    279c66b28f19a510ad6c0f155871fac3

  • SHA1

    427bcf049de4b9a848593463e0f36265baa6164c

  • SHA256

    ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

  • SHA512

    f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161

  • SSDEEP

    98304:JHmeIFVx0/o2Jrd9o2oNiN0KL5Zm2kVehky:DIFVxQJM2eRZfQhky

  Score

  10^/10

  evasion

  • Modifies security service

    evasion

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Deletes itself

  • Drops file in System32 directory

  behavioral11behavioral12

• • Target

    DevSt.exe

  • Size

    2.9MB

  • MD5

    97824a1a018a194220866d5548eeff95

  • SHA1

    35538496cf8c2761fc44f2d5f58882cda4d78400

  • SHA256

    07df13bc321083e74a3512b9861332e566c8d2ff201a3a5c8fcd2fd9fc8bfef6

  • SHA512

    754576ae3794dda1d9a86f87369f5cb3a4f951fbbb9e81560a8cd056e603c81a8b9ae644802a5a81d6e263608fdbd371fb9056cf8b6ea1e7e1e42b4c02e13aed

  • SSDEEP

    49152:WW32/5/uXfOGcCwXwJeAqyKWJBafsL6M8Aoek1t:UsXW3wJrq2Ld8Ai

  Score

  1^/10
  behavioral13behavioral14

• • Target

    Documents-EnemyFrauz.exe

  • Size

    1.1MB

  • MD5

    a490f1848b792df4dc37c9e1b200578d

  • SHA1

    f862b1f3460aafd54b1159b2a180f70e6b3d8d21

  • SHA256

    b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e

  • SHA512

    1e9a492976d2c80acd7cebfa8ca8fba55c3a9cb71ecf12a5c29e648f6fcc0d9d41930a33964c6b85ecbc96150a25dcc08578da5d2e0dd509d370256d4d20f268

  • SSDEEP

    24576:mDXdMCbh0lhSMXlPFN3RFEuHhra2oQfKhBdY7O8gz/7:mBMPt/G29fKhBdYy8ij

  Score

  7^/10

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral15behavioral16

• • Target

    IqXYLXKzl6.exe

  • Size

    17KB

  • MD5

    076569d51c616ec2446a2e6b85205764

  • SHA1

    e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

  • SHA256

    754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

  • SHA512

    cb11acacb7c5d73b84e01fe54d7c2b1ccba60c76b1c0aa5561d7482e598716f9228ef21690a85fcdf797c181cc44d6bcc7f0734d357bdac1b14d7ebc2e24162a

  • SSDEEP

    384:GWeOtTbX4sJStS77uBLbt+B6a2CaneFrmbSEM1+TAVDxfEHufIJzJf:HetAidANFAA36uwJzJf

  Score

  1^/10
  behavioral17behavioral18

• • Target

    LEMON.exe

  • Size

    179KB

  • MD5

    6d5f74f263d5ab9b0e3315b495eb72d5

  • SHA1

    356f4e0a47151992426c425665d0382eb396a093

  • SHA256

    91ae44bd5a35834354cc69c2e04f9260cbf7025d18ec59af558f4213b81d7403

  • SHA512

    0fdb51ca3d04be5b82a5d5eb67ec9fe7ca02e3fbced6a1cd95224aa074dfcf3cabf101d7fa4f5d369a0f837ef3caf04ac96f12eada09ec834f7e244f5572afd1

  • SSDEEP

    3072:bwevYpKTDMDUKfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7

  Score

  10^/10

  rhadamanthysstealer

  • Detect rhadamanthys stealer shellcode

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  behavioral19behavioral20

• • Target

    LIMMin.exe

  • Size

    3.6MB

  • MD5

    d0525e69e54066d5b3764acefd16a754

  • SHA1

    513304e7eca83acedad4655a135a6f4c2c1f4aed

  • SHA256

    d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

  • SHA512

    b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03

  • SSDEEP

    98304:vKNU8zvQiW+xPSCcgu3ebV6GDRjar2H2wKr3:avhWXrycG1jamKr3

  Score

  10^/10

  evasion

  • Modifies security service

    evasion

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Deletes itself

  • Drops file in System32 directory

  behavioral21behavioral22

• • Target

    LIMSt.exe

  • Size

    2.9MB

  • MD5

    b26439eb7f5e2a7f1e2dabcfa8e3a7b1

  • SHA1

    4c4ca12b90e83e563408557e028580dd43b56975

  • SHA256

    47a40add511868171afab04d336c6120be951799b6230fdbd581e6469e1a088e

  • SHA512

    4d6fedbafd7f6ca7b0a3b9bf0162cd1d607098e82e474cca971fd828f1d0d4c9a1a00811583abd11d93b76f39972abbe7e6fae6b633c0062befc3d93612b0a5f

  • SSDEEP

    49152:EW32/5cuXfOG+CwXxDebqytiJCaLsL6M8Aoek1d:anXWRxDQqCLd8AK

  Score

  1^/10
  behavioral23behavioral24

• • Target

    LK2.exe

  • Size

    179KB

  • MD5

    27e018559bc0216c98fb188d3a3a8209

  • SHA1

    d0b477cf1d81182a2c0357432bd6b3e7a2bc43d4

  • SHA256

    563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

  • SHA512

    8ce3eccbef889189bebf0fd5cf36c257e4eba8344dc87d95d944718fd9bb16a833e951304420db0c46a9f4a8d050090b2758b709b5bacc47ed27b9a133b7e6be

  • SSDEEP

    3072:bwevYpKTDMDUqfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7

  Score

  10^/10

  rhadamanthysstealer

  • Detect rhadamanthys stealer shellcode

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  behavioral25behavioral26

• • Target

    NINJA.exe

  • Size

    817KB

  • MD5

    9e870f801dd759298a34be67b104d930

  • SHA1

    c770dab38fce750094a42b1d26311fe135e961ba

  • SHA256

    6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

  • SHA512

    f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

  • SSDEEP

    24576:5sGzuMNu2HWJD2U1zANRGTfllqapvYaqom:5tLezwRW3vJ

  Score

  7^/10

  persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  behavioral27behavioral28

• • Target

    PolymodXT.exe

  • Size

    550KB

  • MD5

    c7692b713225ebf0138f3e93ea1e6fa6

  • SHA1

    0c0181326a0a91a7622a582470c317766a29a9d5

  • SHA256

    2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7

  • SHA512

    b492fb9918154082715a54a9436bbfd78f3cb1c5036a44857034a4a93498c634a19840af93e15fe1a283da285f1f806824e657660139215fb5f26024ab365778

  • SSDEEP

    12288:8l1DS0q8hoY1IWt6HTZ/QeMK2pOtOOugi7YZb9MaCs64vPtz6JERgpptZigfScUo:k1DSCt6qhKxO

  Score

  10^/10

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  behavioral29behavioral30

• • Target

    UM.exe

  • Size

    2.0MB

  • MD5

    ff7712b5d2dcafd6b9c775eecc8266a1

  • SHA1

    a11c9bd80f1c80f057517fc555fcf9b53c327302

  • SHA256

    51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

  • SHA512

    a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

  • SSDEEP

    24576:Q1ZRQOCf1lwVKwZJ/g9zNCehkmWIUB+AzLXalEk1XgTQCQIIKY12ZvxjtXI/cMRW:FOCd4GdAB1d4DfUz5kGrr

  Score

  10^/10

  lgoogloaderdownloader

  • Detects LgoogLoader payload

  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader

  • Suspicious use of SetThreadContext

  behavioral31behavioral32