Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    a.exe

  • Size

    5KB

  • MD5

    800a6337b0b38274efe64875d15f70c5

  • SHA1

    6b0858c5f9a2e2b5980aac05749e3d6664a60870

  • SHA256

    76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

  • SHA512

    bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e

  • SSDEEP

    48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

  Score

  10^/10

  agentteslaamadeyasyncratgluptebaprivateloaderredlinesmokeloadervidarxmrigdefaultf02b730f81476e82205d9d2eb21e0ef8pub1up3backdoordiscoverydropperevasioninfostealerkeyloggerloaderminerpersistenceratspywarestealerthemidatrojanupxvmprotect

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • XMRig Miner payload

    miner

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Async RAT payload

    rat

  • Contacts a large (1250) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Downloads MZ/PE file

  • Stops running service(s)

    evasion

  • Executes dropped EXE

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1