General
-
Target
Desktop.rar
-
Size
5.6MB
-
Sample
231023-z4pphafg4y
-
MD5
9462bef27d5673bc39e7c6197f0b30f1
-
SHA1
5f4814afabbcc89a9d47b99f90b91b13b5edf250
-
SHA256
ad3bcb65313043b1a43b8fb210f3a20a87df8a8145ed9a18b086d0859616caa2
-
SHA512
f4c64d04ff64646e21abbe5d8abc828546e765e0f00817fbe70c1f11983ff46f9cc09ee94bfda335a1f0c5db01010ac1173746bee4e9dc52b802973dfc1dba7f
-
SSDEEP
98304:1fyslh/MRTs8LWWCxyJrMqTnucb85kcK5+u4CYtivrRFQNogZX/Tko+0+xE:Mqh0RI8LW3xkrxV9cArLQH
Malware Config
Extracted
gandcrab
http://gdcbghvjyqy7jclk.onion.top/
Extracted
sodinokibi
33
360
2020hindsight.info
frameshift.it
billyoart.com
omegamarbella.com
scholarquotes.com
ziliak.com
matthieupetel.fr
cardsandloyalty.com
limmortelyouth.com
solutionshosting.co.uk
gsconcretecoatings.com
annenymus.com
barbaramcfadyenjewelry.com
ciga-france.fr
ayudaespiritualtamara.com
fann.ru
paprikapod.com
galaniuklaw.com
azerbaycanas.com
testitjavertailut.net
-
net
true
-
pid
33
-
prc
xfssvccon.exe
mspub.exe
tbirdconfig.exe
sqlservr.exe
dbeng50.exe
oracle.exe
excel.exe
winword.exe
synctime.exe
sqlagent.exe
encsvc.exe
msftesql.exe
mydesktopqos.exe
mysqld_nt.exe
thebat.exe
dbsnmp.exe
msaccess.exe
thebat64.exe
mydesktopservice.exe
mysqld.exe
outlook.exe
ocssd.exe
ocautoupds.exe
onenote.exe
thunderbird.exe
infopath.exe
sqbcoreservice.exe
wordpad.exe
sqlbrowser.exe
powerpnt.exe
firefoxconfig.exe
ocomm.exe
mysqld_opt.exe
sqlwriter.exe
steam.exe
agntsvc.exe
isqlplussvc.exe
visio.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
360
Targets
-
-
Target
001e9becdd7d9887c6fbe487073ad3dc068124a5300f4128d9ed32db4f63f793
-
Size
31KB
-
MD5
6ad501cfa7dad1014e008cbfd988404c
-
SHA1
27be2f03ec2e1c0ecf566f0f3fd3c0bdf75a9fb8
-
SHA256
001e9becdd7d9887c6fbe487073ad3dc068124a5300f4128d9ed32db4f63f793
-
SHA512
798838c0eea397797a2daaf98a77344e70e75b18304a7cb864a3920b5c255721b84220ea550e61715f92fb8f28ca2d91522e138fbf8d76d8e74ad5ecf8410307
-
SSDEEP
768:Ik+HPVo3WDZ7g1p4nZPTB7cZt7L0BlYfHCkr:n+H9ou7g1p4nr74OLYfHC6
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
1a1cf2a2f6a49b8d2a84b9b5ec5f783e7d9be30b6a17a28795bc351bb3cdde31
-
Size
125KB
-
MD5
f589a54f5660a756b745212fcc5b3c2c
-
SHA1
5103d785c2dba038f7ce2f7f00dbd55a3c1f9a3e
-
SHA256
1a1cf2a2f6a49b8d2a84b9b5ec5f783e7d9be30b6a17a28795bc351bb3cdde31
-
SHA512
8effd05c1ead4342e6a612f5368469b7a923c9d7697cce074261bc9b078e75861a8105e2c179270cda00fe22a1d75e389d4a4c463ba8990c749d5ad7f029537b
-
SSDEEP
1536:vEpR+iRa2LNCkfAI6wzMb6tEVBLK5wvFS2qeAb1WVPShFBkblSAeTNa5G3U/1:DKxBMb6sBJfQASh3MlKTNa5P/
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
2eac3720bcfb4550e3093f053880b373068360bc8583f2aee059905bcad29c61
-
Size
1.2MB
-
MD5
76d26edcad21f551904c2022b13f9e18
-
SHA1
be08028c16a264259df8a0406534aea99ffcb63e
-
SHA256
2eac3720bcfb4550e3093f053880b373068360bc8583f2aee059905bcad29c61
-
SHA512
7be1982f8c7a7f1cfec0b62cd84516c05986caad8b3ab2bad767d4dc249f0d75b450a9548e923ae971cfcce5527d350678207f0ac60533d99c02c6f49118e4cb
-
SSDEEP
24576:kZv4B9NbMTWRoX3Uusm5RnveE0QBS6M4MRbEjAtmXfSrF6CT:kZA38bvoQBS6MVbmYjrEm
Score1/10 -
-
-
Target
320e3af17bb8787283fe0c4af9d3a778c191d8374f19c0bc6b6ee2f22363094c
-
Size
96KB
-
MD5
d5df2bc1cd0cbc5ad1d4886336cfe61c
-
SHA1
44fe30558cedef580bb115e81b6eb2ebd4910a81
-
SHA256
320e3af17bb8787283fe0c4af9d3a778c191d8374f19c0bc6b6ee2f22363094c
-
SHA512
446a7422f9b023d5e98276766838d31e5954413d9153b985d96eced001277e28645e39d7f3a7c23ec721dedb8ee3326a48d12e2350967e9324e44d6bde7a7a27
-
SSDEEP
1536:nhUNGjqT4RDyXlsxbJZ/w7XAxx9ul0HZHHq/HHGCkLa+daxo5:OGtRD2lsxb47QH1Dz4xo5
Score3/10 -
-
-
Target
33bcab70334406fb3331b4b3fffbf8c51df52d93efb5d673d865b7a7496b1570
-
Size
445KB
-
MD5
e988bb37ac1a1215def5f77c679fb701
-
SHA1
020fecf6072e87035411808552ead5a73a34ce6a
-
SHA256
33bcab70334406fb3331b4b3fffbf8c51df52d93efb5d673d865b7a7496b1570
-
SHA512
997ac8e3d18405705624434dfe5e2985f7fae39a77e3763a1ac879e799d58f24fcd1b2966eae951cf7447517c489a37a01aac1adb0f16df04c911a33fb0c0163
-
SSDEEP
6144:z4rhk3Qi52SBsimmsGJJ7iVTEcUahucFYkLdHHexabB5g5KimJin7S/qYu2a:zpQi52SBs710JZcD5ReMNu5Ft76uX
Score6/10-
Adds Run key to start application
-
-
-
Target
47a52afd63406238b1b5ce59a7cb282685629b14169405015b0cef20fbe4f62e
-
Size
692KB
-
MD5
d631afaace32d5329733a9a9a49e51c1
-
SHA1
898bbd2972f932b201aa0d0470b971777965839e
-
SHA256
47a52afd63406238b1b5ce59a7cb282685629b14169405015b0cef20fbe4f62e
-
SHA512
c01266f21d9b3b0ad171389cd5e0fc7b65f51dad98436dc73bd37f6d997ec87197fd0303af4b26e296ac4b9bdc975127dcaed2898c02def7bb4f3845ea155c94
-
SSDEEP
12288:1ijnGp4df9EfRSnFwj6pNYSb8mXcfeD+EJY7bZHJNzejM2vkdISFDfken5:wnGabS2FwewZHvd/dLdTBnn5
Score10/10-
Modifies WinLogon for persistence
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
4b24d273019579ba3c1e0ad261954c0941d114aab802fa2d1fcb14dab9f3e869
-
Size
766KB
-
MD5
97c79f53087fe9e29d9cb33c30d00333
-
SHA1
b65db348b65e13cd6669d71f293be4b21e2edec0
-
SHA256
4b24d273019579ba3c1e0ad261954c0941d114aab802fa2d1fcb14dab9f3e869
-
SHA512
4c3ae99b5462b1c030343baa663d94500be40bd0cae14557e1c997ff63ee6966293f4e5e1e4967085ce61f1e132dcfb00baae5e54afbb99be9ae2f68e471eed1
-
SSDEEP
12288:65MUXQCYVScN3p+bOT8DOHQjsfku5JEO7ShNqc124tjsZlpfqreZKC08nxN:85A9D3pYOQeQjs8S2xTv2IoZldqrepnx
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
4c481d251f29295af1af599374ea93f9fc24b6139fbb02ec115bec9f4e7bc25a
-
Size
76KB
-
MD5
8ef0e38c773de949ff39c4642528e2fa
-
SHA1
c9f7258af7766bf093567ff5bb8413547593e814
-
SHA256
4c481d251f29295af1af599374ea93f9fc24b6139fbb02ec115bec9f4e7bc25a
-
SHA512
2bae3c9458537e6494b5fac4508ff2f251d42ea50c7b15561f7ea21e3af7c44a69339e45806f98bb9adefe225c13dd4224ffc04692347b57ee5bfbc48bf749b2
-
SSDEEP
1536:KP0B3eu/yVqAJfBgIX2/ULX6htt25Prhx7a9:Kc3e4yIW5F6Q6WhFa
Score1/10 -
-
-
Target
4c9ab763001721e04e9efc44e1e97351557f8a4b1cf5471b141e7358cd1296dd
-
Size
73KB
-
MD5
0b86474cc124beeec871e7ca53b333f5
-
SHA1
43e4c87efaf509a17bc4f517cb9133f6cd5297ea
-
SHA256
4c9ab763001721e04e9efc44e1e97351557f8a4b1cf5471b141e7358cd1296dd
-
SHA512
71274745d3ff6b3e26571ee4dacad7084f04be705afd7196de697fd985ffa289d7e87b962d707130bde0af9eb9784ad6fd005f308843de8feedcceae78d0f58b
-
SSDEEP
1536:n55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:DMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
Score6/10-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795
-
Size
349KB
-
MD5
8b5ea4d800861e7dfb4bfcad593e8ca3
-
SHA1
ec5379f66dbc66afe09eaa7dc07bcba551f9739d
-
SHA256
50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795
-
SHA512
7a9cb045bb8b811254ff01d5389ec5e4a799ecde5441ddf0b35d52d524c2bfd142da8f5701ed88672fd451866f32cce7ca8c1d409153e7d71678e8a466fb1418
-
SSDEEP
6144:W323b9t48aRkIzdNrFt9tlZZspbSoA1v3j0ciHMnjKiV6p/KBTA/:W3wb9ukIzdNrZtBkk3EHAWiZBTA
Score6/10-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
-
-
Target
5266183553addd392a0968ea9e835c00e55a27468829ab65832cda37508c8e2f
-
Size
28KB
-
MD5
f9440a2aa3f1cdeb448e4fbe7a09cfd4
-
SHA1
6fcc6bc2df88ea794cf06f388c36d218f448b21b
-
SHA256
5266183553addd392a0968ea9e835c00e55a27468829ab65832cda37508c8e2f
-
SHA512
813c772160ebc72a8d832eb4e9e6e40fe9b1d4b4d8243ae19184cf7d9f1c24f95557aec2f9965efc442b3cdac1f619fbed5c9f1a7fae4664ad04ea864e3d47bd
-
SSDEEP
384:y31jyYPVeDmeJWjgye9OQ/1/ZMDseMySH:MRyYPVQm3Er/9wNhSH
Score8/10-
Blocklisted process makes network request
-
Adds Run key to start application
-
-
-
Target
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e
-
Size
161KB
-
MD5
adcf55265a209bad0f166437319396ef
-
SHA1
00e99ecb276e96f54dd99759c72a71aca09b4fa1
-
SHA256
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e
-
SHA512
98876cee418e7ab54f5e120c550c2be1050a4fd79e4102e343a446fd63ef9d4f8b49c7b6a9acccd49c2be1791665e9561c9b7c6e6d76a8168981f8cfde412c39
-
SSDEEP
1536:Lbb832pdNx0q8KStnznExkW+pkK8i7Pbi4eTMluxtXDCntTnICS4AKEqtUJCaoKc:Hp5SexkWi1Lbi4eTMlwDCnu/qWdb0r
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
5fb2242c04ce18830b84de73c4f0fc4e9c8a5e6877a14f414fcbfaa5a3948896
-
Size
2KB
-
MD5
f2f14d0487ffb297f6ddb67b8e1643d5
-
SHA1
f92ca8b8d2cd1512017e5b4a656f2f79fd640722
-
SHA256
5fb2242c04ce18830b84de73c4f0fc4e9c8a5e6877a14f414fcbfaa5a3948896
-
SHA512
a0f89aafdeb693951d12adfeb90e4e2025e9ce015498169cb3e7023b7c611b536556befde2fabfb58d504bef88d0e4509bf3192d81a6471defe9c0d34402308c
Score1/10 -
-
-
Target
63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312
-
Size
304KB
-
MD5
abebbf12d4f5c17f5fc6d295b780e5a0
-
SHA1
58f129763b6b98483f44c5847de8c34c01316d65
-
SHA256
63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312
-
SHA512
8f64772716006990bbca182fbee187d6792fd9eb9b6d891296bb4d9067a7568fc57ec845a5302afe206b935900e8f76061035f5cfd14bbe487f3311ae9dbb900
-
SSDEEP
6144:6h+ykFDX/tt5ipwQd3Zks1NqZNlPur5UMRjIjXn+Z:s+ykFJfimQd3V1QZNu5FRQ3s
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry
-
ModiLoader Second Stage
-
Adds policy Run key to start application
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
6a08b51e02a7b510972907c326041222ff4632ba53b89573fca7e80b59c4e168
-
Size
260KB
-
MD5
1603aa73ddc1b52002505f49f4680ae0
-
SHA1
82bea2f53c75ff446723bf2842fa357c3b0fe0ce
-
SHA256
6a08b51e02a7b510972907c326041222ff4632ba53b89573fca7e80b59c4e168
-
SHA512
39f49d626c38be26d413570e490998f62d769badacb872dce295657dbbd9cb3690d9324f26b59e377c4be1716ec34d2e3e4f8d3586078432b18b2f3178a34511
-
SSDEEP
6144:CkMYmk7nSPwZCNnRFujfLRvhgmvH/VCrEfEa:CkMdkDSPlfFurLdfVCPa
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53
-
Size
1.1MB
-
MD5
ae90880e6556ebb938795518af3a08b2
-
SHA1
8647dce3b9cce0197ab0e9b832de1f6d2413dd45
-
SHA256
803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53
-
SHA512
049ee5204617be840fbce46209b52e788932ffa061c7aa7121caee80d3bcbd26cede1d5657ef4e06bde550f16b7f12d0fbf965340a75ed1b4f6e281afa3135fe
-
SSDEEP
24576:xdtRKR7yXFNlMcc7xWzyXe0nyrFPZM7ZNe+d+8/zUX0rSbKnvW5iaO:/y70F0vNXfn+FSlPc4SkvWXO
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
85523c6377c27e22068a2ef347997a295981b91e103b3cf3387ed80aa0b010c3
-
Size
134KB
-
MD5
0b70c8523df90c5c45c4c6eeb2bd5f9a
-
SHA1
478ccd48fa43dcff2f213ee7763a6c5423531e7b
-
SHA256
85523c6377c27e22068a2ef347997a295981b91e103b3cf3387ed80aa0b010c3
-
SHA512
da9390a8cf04db418386bc6c696eccbc738d61d4560888b14c4085d1c96b43b9a144ef97cc5366806c24cf7ffb0a6b7300be6b88f8b5a31ded15b3af219097bd
-
SSDEEP
3072:i/aSNtBvGruIQdaoVOWNq6zrUYh9oDrFcgNe6wPFbQ:iiSx+PQdao4WprhvofFfNxE
Score3/10 -
-
-
Target
8ab3db7349f38d6463a3c6a7155ab297f18d92262a098064ea2472cecc7e3103
-
Size
652KB
-
MD5
245e27d4cbe922994b4f53fa96e1159b
-
SHA1
47d2c5a68e96ae7bc43f305a7d5df082f93c623e
-
SHA256
8ab3db7349f38d6463a3c6a7155ab297f18d92262a098064ea2472cecc7e3103
-
SHA512
6daa517675e33e223412e9d5b1f6e724359bec45cae0bde1743d158c91bf932fc1c29e4c4d0db16eae585a63a8d7a5124dd86c7c15dbb89074927fa12a3cc7fd
-
SSDEEP
12288:txSSwVr2GJCW87DJxtG0etNNYwnb8mjEJW++GzPUeS4SvS/incHD:nVnGJCW8JxE5ywnb8HW++LeS4Sq/inCD
Score9/10-
Renames multiple (2022) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory
-
-
-
Target
9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0
-
Size
60KB
-
MD5
6aa22fd28d56b38bdf8dfc90dbd6dc96
-
SHA1
1e28cf53cbcacde5a272669cdd1670785183272a
-
SHA256
9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0
-
SHA512
cb882269950289b614c1009eabc0a69ac8fb371a62af4e488413e10c60c0defeb5ad891e56a680e9cd60cb6971bcef8e35cc2899b17897d6ba1767e5be97ec35
-
SSDEEP
768:3kWI7wOxRW1Hn/txYKtXeQJCAhxPPqEAQemUJiKrji0tSdZRNoN5J:3kWI7kHn/f/tugCsxPSEA3mUJiKadYJ
Score8/10-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
a3c7b0df189bdd47c7e113ff3b664f26b0bcd6f4f878186e882ea199e15c28cc
-
Size
118KB
-
MD5
07f771d8afa8f16121d508edd32fbbf1
-
SHA1
77e5b9e6cb0f35585863430e7611289a293a6e06
-
SHA256
a3c7b0df189bdd47c7e113ff3b664f26b0bcd6f4f878186e882ea199e15c28cc
-
SHA512
f9cd46f37499d1239ba8a032f17858be2b9a6aaea769535303313d50ca04ede10189a63dc8ac158fb1c2ead04092d18b846e7c043b72af1300e127b354bd6108
-
SSDEEP
3072:dSKf2N9xxjcgjQFrUBX/7RVIc7BFNROGgn:8KfUjcOWrY/7jxE
Score1/10 -
-
-
Target
ab4fa067af1c9a107b879341e255eb9f05779608ce31217c1a2d60d28a2c8838
-
Size
84KB
-
MD5
7d3294046b8db4fa7229ea4e226808c9
-
SHA1
3586e1d378e8547b0d7c3eb58fcbf9d789b1981d
-
SHA256
ab4fa067af1c9a107b879341e255eb9f05779608ce31217c1a2d60d28a2c8838
-
SHA512
4028df37dc553d47141f32a6e09019878ef66923f2fa87f17ae2b0f4068d11b7f4e10a22acf9120f710151a638bbf9a5fd121b6876361e23df36ecdc12b1c07a
-
SSDEEP
1536:6C8Kd354Ru7qqWIk0rJ771bI6tcMCFnZGqckwVXicpt:6C8AJR/tH1b/GZtckwVXTpt
Score10/10-
Modifies WinLogon for persistence
-
-
-
Target
b1c5c3ca41c322b47a5feb62ebb0e5daa3c1c682aa1dedb98fd3b7dff3eca57d
-
Size
181KB
-
MD5
4e8226759c8ef58bab4c3253ecc61c52
-
SHA1
9a2380a1992841b12392e7da6bbee7c95a0ae1af
-
SHA256
b1c5c3ca41c322b47a5feb62ebb0e5daa3c1c682aa1dedb98fd3b7dff3eca57d
-
SHA512
0bf9a36f8c68b532d9f215be5897597ccc130157e4936cae008f43fe5ecfd25fc633c65437a8870eea51218812bfb5c0e2cf9c1babb69e8faa1fb120973e777e
-
SSDEEP
3072:ou6a+u8pfzqrKlG3lV+3p/k0Dkjok5SUnkKkvdDtz+P+0:NvGh+Wl2lVQV1DulkKmNtz+G0
Score3/10 -
-
-
Target
ca561f9403ab4be76ca66646df1a3da826fa2cc1972dd005ad23861abb317cc5
-
Size
36KB
-
MD5
1d6e8403b70897468d8e8c983e7d39f5
-
SHA1
55941b50024fde3e014ba921de892228215ff464
-
SHA256
ca561f9403ab4be76ca66646df1a3da826fa2cc1972dd005ad23861abb317cc5
-
SHA512
5317f0ed0b56a7e34085f8d3d99995b1c166a188ce57c2354d4b4444df275e2edc2e55034501221408477a4e2876f807e7c368ea2f829079095df377c781475d
-
SSDEEP
384:DXqQR5hXOQiEREEZMFfINYl+b/fXoiSv6m7k7t8ekuD7p:WQThXpyf/l+LoH7E5H
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
d278eb3d6cc29c6de4b086aaa6214412d62fe2bb850c0ead63a403c3a24b2c8f
-
Size
124KB
-
MD5
a0e69d718631af37a4421fc84f658f93
-
SHA1
af15fa80ce962a445e4742c50d97e23cb622502b
-
SHA256
d278eb3d6cc29c6de4b086aaa6214412d62fe2bb850c0ead63a403c3a24b2c8f
-
SHA512
93f6ec3c3d3e0bf7b007f302b18bb5e230a2b390663d4030d1614a1e5e7417a3e4ed7229a601805618d8adc6a768f7b598543f38c9b67cb585c10d9f7ec88bce
-
SSDEEP
1536:yJdAwtDCFXLkauQpeVwLXJi+bfE2i0JL4iDSiLseoM4gkuSrgJsTUZ:yfDCFime85vjiKIYr4gtSUKTUZ
Score6/10-
Adds Run key to start application
-
-
-
Target
d3e04348f412615e23ad0aebfee1b4338f5edf99776bdedf08fbb0462868ef91
-
Size
94KB
-
MD5
2ce9d15f7b43b0dec6c3935de0743113
-
SHA1
50cf913875f1447f894cf795a549df3c84f8f402
-
SHA256
d3e04348f412615e23ad0aebfee1b4338f5edf99776bdedf08fbb0462868ef91
-
SHA512
f06a98af22ecd806604f32a6b8584b918997b021ca1b91ab86dff9e3d9a7cdfb65aa8ab73edfd5cef5b98949cd6bd84a3925f3f1b5078b34bce7ee6c866ae42e
-
SSDEEP
1536:Ga/ySwKA8SE/+PN7A80iTubsESYPgFYtJEpTC2WbJCH7lkJJtn3gOt0:Ga/ySwK1SUYuXuYP8abNJtn3gOt0
Score10/10-
Modifies WinLogon for persistence
-
-
-
Target
d7e876a714e2632fa42e6636177962516736074c76f486dc34de020ec13af0c9
-
Size
303KB
-
MD5
70e94f2ed65211ee0b4ee143fa6d300b
-
SHA1
ff8bb6f7220ed3f67d23b710bffddfa3e2e46d83
-
SHA256
d7e876a714e2632fa42e6636177962516736074c76f486dc34de020ec13af0c9
-
SHA512
fbd1fde8675d966fb47f86f59f6bd8c3dc2d5f97d12d56d1cd978cd918058b128496c5b1382fda9876958f91e32088d97646ebca2926833c738e39f62d6a8332
-
SSDEEP
6144:7CSOgPDKvKum02kU1zZcYfNE+JoEPNaUW/AFSjNCi:+SxPDfuuVH1bPNaUWFj3
Score7/10-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
dd8bf2763ce09cbeb21cdbf802b9f7475c7998e459714150fae07ffcd027bb38
-
Size
88KB
-
MD5
46cd91959a5d80e0071c70f101abc27d
-
SHA1
1baadd139627a8f7ea60c97abcfd47ce18c222f3
-
SHA256
dd8bf2763ce09cbeb21cdbf802b9f7475c7998e459714150fae07ffcd027bb38
-
SHA512
02cbac9abc7b5faa7b2fe02453b3b6c8374538671593fd83b7828c22fad1b450c7bd0d9c34d87fac36fd82b9172b3a6ca0fb97f4be496b694d0ed210d3e20547
-
SSDEEP
1536:6ru1VBhAud18xM0fvtDCa29nupLIvidmpaXI60csCBXo4fnqd+Ax478KqTTong:yubBhAud1R0fv49nuq5U0cB3C+noKqT5
Score1/10 -
-
-
Target
dd9ca1355ff3ddd883f9d2d0e6df9b7a8ebff650003a616c533b30554cee2a9a
-
Size
27KB
-
MD5
c3681538fb48175e2c02e54f4f333011
-
SHA1
9f4c1c10f5e85116655adf4848d603a7d9812ce0
-
SHA256
dd9ca1355ff3ddd883f9d2d0e6df9b7a8ebff650003a616c533b30554cee2a9a
-
SHA512
4e9ed852edcb46b222d1a2aa5d1983b06070d94b16834951bd4a89ed8cdf763cf8c373884bf0b1e1954393a86da6ec3a1fa836f0a7d827c10c9fc5c1927dff91
-
SSDEEP
768:MBGnobwYevtCIPLPjDIn4WZcLVY1DPmY5:MBGn/xhjPjDInrZcLux5
Score7/10-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
dd9d07d1f5bb4facb1b4e412ce9e52a5ca9a689f2f78c34bacf63af19f7ce127
-
Size
59KB
-
MD5
070ea95d38c625faa296ddf97f4ccbdd
-
SHA1
8edd4105e2598d8469452057b7ed407f7bc607c1
-
SHA256
dd9d07d1f5bb4facb1b4e412ce9e52a5ca9a689f2f78c34bacf63af19f7ce127
-
SHA512
e998d93352b7f212daaef055f687b8c6d55ba7ce9322e1877fc2c71253602fb9fde4186e5e7e9d3e7e9a50547422bca8d63f2907deeaf7213476de1e52738109
-
SSDEEP
768:ZPvCu13OPkWi8Bkpvtudj+Ms4QSsx4QQB1Z+A/B+Ubbiu1f/snPKaE42cFyqpe8Y:PI/ZB8vtYE4omAe/iQnoPFE6PBUz
Score10/10-
Modifies WinLogon for persistence
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
ef3c260fed0a71f0e679261aeb242133899f9ff03d68b5f95711a66ef919e549
-
Size
189KB
-
MD5
d8f3b153f6635d4257aa9de8cf5a0ef4
-
SHA1
6502eaaecc168dd58fd7efca671f15734e12f958
-
SHA256
ef3c260fed0a71f0e679261aeb242133899f9ff03d68b5f95711a66ef919e549
-
SHA512
2fcc85ba83d1fe07950a649834866c3c5d51df5cbf65356f24d219b3ef35741a5a08fa7d62c2ced7302b5b0930047dfecce60caf74eb73ad5c21d48dd35d92e7
-
SSDEEP
3072:qV8CZflmqu3ZJ9f1hzILPN54cuuu+meBwHAS//XpC2sk9PqcRxBCXfD2fS2zOy:qqChOZJt1hsLPN54cuuu+ZBDe/Bsk9DP
Score10/10-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
-
-
Target
f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df
-
Size
58KB
-
MD5
b364e74e14f8a51d8198ddf8716dea25
-
SHA1
a3477e425332dfec0c622f1a50cf80f1f6891110
-
SHA256
f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df
-
SHA512
cbc1a5f451d1fe8242466c357dcb6f6b7376ffb47f797930d88a282889711d6bcfad500243ce1b41bbc92ea4bab9094b8ea8f1415326ae2fceffae71a4f5f329
-
SSDEEP
1536:wskqTQNhMxETZWr6PEwnAdlN3MBDCAZp4Y4/e66:5QYiupWDLce
Score10/10-
Modifies WinLogon for persistence
-
Disables Task Manager via registry modification
-
Modifies WinLogon
-
-
-
Target
fb861230c088dd68f1a6c782e9ad0b44a1831ccc29c0516635cc4b3de2a91a01
-
Size
224KB
-
MD5
8e2ba1ae04b7eebbbfbfdf292b876ed3
-
SHA1
9bd3229a0cff8e7bbe6e5020765776f06c48e725
-
SHA256
fb861230c088dd68f1a6c782e9ad0b44a1831ccc29c0516635cc4b3de2a91a01
-
SHA512
dbb7fd54ba05891698fe7a496dcf51b08ff82ceef7015000260a9d61c9525bed218cabf56642578d58e8adffdc7c658bc0f35316cb3a81b7358ea21200b0c5e3
-
SSDEEP
6144:vCycg6P9CmZ3gcOofnxPl3sdO94SJJ+invrK9:vCycgR+3VtbDJJ1nzK
Score3/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
17Registry Run Keys / Startup Folder
11Winlogon Helper DLL
6Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
17Registry Run Keys / Startup Folder
11Winlogon Helper DLL
6