cybergate | 1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

28-10-2023 19:29

24-10-2023 13:29

18-10-2023 12:04

07-09-2023 12:10

Sharing

Copy URL

Twitter E-mail

General

Target

Gimemo.rar
Size

10.0MB
Sample

231024-qrn3rsdb6z
MD5

708eb8b29ff097cdaef6a7d3db9bb518
SHA1

3000cb985e5f8c1096803263eac10394359445ed
SHA256

1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4
SHA512

6e2db26edc0f098fb7aeff686c2e2699d9b304c2c2eeb46fb3a16a4149cb9515cbdcf5ffde919489f96b4bbc2ff6090afd5a24823859b412479a3a3f40b35cbc
SSDEEP

196608:ivXQswJLYzb1i9PMbo8Z4Fc2gJHP9JqxSylRkjCld2eAqFN:TXJLYzpqMbqO/FJpMRkWv2VqD

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.114:2404

Mutex

822e1333-5c33-4c42-9d46-9e51dfe00457

Attributes

activate_away_mode
true
backup_connection_host
185.244.30.114
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-12-17T02:26:47.689583036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2404
default_group
1234
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
822e1333-5c33-4c42-9d46-9e51dfe00457
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.114
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

djvu

http://dell1.ug/Asjd74ywuhodfgdfgpenelop5/45y87hzjdfg/get.php

Attributes

extension
.boot
offline_id
zZyLTRlsJ8hv1HPF6BPmiyHxTSON3B8vILboott1
payload_url
http://dell1.ug/files/penelop/updatewin1.exe

http://dell1.ug/files/penelop/updatewin2.exe

http://dell1.ug/files/penelop/updatewin.exe

http://dell1.ug/files/penelop/3.exe

http://dell1.ug/files/penelop/4.exe

http://dell1.ug/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-JeLOm18e5g Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0167A73uHsdfs89

rsa_pubkey.plain

Extracted

Family

cybergate

Version

v1.07.5

Botnet

1112

111220402011.no-ip.org:8020

Mutex

XVYJ6C4S2P1EUJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Nvidia
install_file
csrss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1112
regkey_hkcu
Nvidia
regkey_hklm
Nvidia

Extracted

Family

quasar

Version

1.4.0.0

Botnet

osu

maniac.http80.info:4545

Mutex

zBta8WeDOfnNzuyXon

Attributes

encryption_key
8Egbvbf22NkYGBnTSrbh
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

xtremerat

sexsevngmail.zapto.org

Targets

- Target
  
  013e80dc8e53bd7d98dd94915f05563499b6a323df343bb765a1d3f188753aa8
- Size
  
  153KB
- MD5
  
  7014c96f6c8951c5b5fe7902c33e9d05
- SHA1
  
  ad2c032bd59263aa8ea56c3f9a414213841c9a93
- SHA256
  
  013e80dc8e53bd7d98dd94915f05563499b6a323df343bb765a1d3f188753aa8
- SHA512
  
  34c61f13d0bcf00faccf5aab35ac0b3bb7097621fd6eea3497262b3a33ef61d02995f3839abfb0e619cce2e4ffe7b536fadb1fe6b01d29ffdb3e9a8274714f92
- SSDEEP
  
  3072:nvbZhfzC3YfisNt6+Qpd+aPpKozLEM+gBsiVcUD8Bs/YXr+fbhGIRL:nvLfm3psaZpIqBsiQBNrws
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  040677c072d3f39edc3d3ec5f95573c1532875c1d57ddc1b62ce396afae016cc
- Size
  
  63KB
- MD5
  
  752c4a3b9f769be2d6f630ba82911359
- SHA1
  
  be2efef703c6dc90fee9e2cb279942034f02ddf5
- SHA256
  
  040677c072d3f39edc3d3ec5f95573c1532875c1d57ddc1b62ce396afae016cc
- SHA512
  
  00062c45b8141d0c4e966288e754fc10d65cff22f6e720650aeee7f19ac6675c7b4513f3115457f675be5b69e4accda11409a3378a28fc8259c44318946f2e91
- SSDEEP
  
  768:ROmlvI5QKedEGn9qeNXalsFHp1fDaAL7X07dsYmTCknHq4OXxAiTqF6:ROmijynylifDaAX07dsYcnnon
Score

1^/10
behavioral2
- Target
  
  0ba3a15c5f29bca02e4b54f3146092558841962e5ee66a87218f130a4dfec36a
- Size
  
  290KB
- MD5
  
  7ee1ec661c83f963eedc619390d1cf0d
- SHA1
  
  088400864842aa89878b59b6520ac6dc489b01a1
- SHA256
  
  0ba3a15c5f29bca02e4b54f3146092558841962e5ee66a87218f130a4dfec36a
- SHA512
  
  02ea27b45edb24e5a5ef4ff7003648c76f305d155a4fc7761a8c761c5437d7cf9d132f017b20fea2f9c2ef28b1dd0cd10d8400f0be90d6e55b0920d3c909c500
- SSDEEP
  
  6144://0uoAgR+cX0ijt+/wLZ+mlRY5Fas7qcJ:/Jdu+cXbt+/wV/YTuC
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  19d029dd80a0823d4abe2dfea87b17935844142cb0921eb35a390f70d5f522b2
- Size
  
  5.0MB
- MD5
  
  16742fb1098a4b134700ea45115284a8
- SHA1
  
  9d99856573b2c3bc5350aad7490b35c195e66fda
- SHA256
  
  19d029dd80a0823d4abe2dfea87b17935844142cb0921eb35a390f70d5f522b2
- SHA512
  
  f90adad0fba522ff8bbe2d32193974ca7e214c90a02e1ff73f2474d4607b28fd7ab2975b25375f68d6a4c98d4fb4d5f3905884b4f290ac51668c0cf9129b9686
- SSDEEP
  
  49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA
Score

10^/10

wannacry discovery ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Contacts a large (14537) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Executes dropped EXE
behavioral4
- Target
  
  1ac4f94c2d34dbf38aaf1b7b7103349479fbe5b427e45fd213d4f31845958b83
- Size
  
  715KB
- MD5
  
  fa9aca37c20903a64e6d68ef716efe14
- SHA1
  
  ae6c3d8464e14cc07c894fba964a38a99f594154
- SHA256
  
  1ac4f94c2d34dbf38aaf1b7b7103349479fbe5b427e45fd213d4f31845958b83
- SHA512
  
  cf542fac6695ee2f7b357663693608ef11ba2a89cd9562bd779f2cea0d562b751e8105462476d3eaa7536d265c2849bc74aff3cec958bbfd2914c3ca3f486474
- SSDEEP
  
  12288:riJfaxer6HB6AuY6PxMkDsdHOASzBO+gJn1LxqfJWT:riJ3eQYcxMkYuArxqfgT
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral5
- Target
  
  1efeb078625478129da10c0e62b0c842e54286312fbb55c38187bda4d78974bb
- Size
  
  44KB
- MD5
  
  aedfa7bf1c0e71e0fc136df7a94c0e50
- SHA1
  
  b4c51c6f5d161e9cb4752883e49fa1ebebbd6459
- SHA256
  
  1efeb078625478129da10c0e62b0c842e54286312fbb55c38187bda4d78974bb
- SHA512
  
  72c2f76d73f3e10d0aa761eabed5ad6e1e072991cdb3537719b8833c446a405946cb98cee9858774451d291b1fe00db287830367ff31b0e128bce4b12f8e2684
- SSDEEP
  
  768:Iq1MYKFDoccJ7dn8CXvTgyV6J+q6MXCNYKkvPUDrIdwI/CwRoKhG3m+wJoK+:IqeFkcE7dntfTdu+pcSkkD0bqwRTwPwO
Score

3^/10
behavioral6
- Target
  
  27861dacdddfebc6862f96085da5ede9249b76bdb4b7af16371c51caee417503
- Size
  
  1.3MB
- MD5
  
  ab10e574b270345ae0c5b25045f637ec
- SHA1
  
  b7b80abf720246f149c9d57b7daf744690ef1381
- SHA256
  
  27861dacdddfebc6862f96085da5ede9249b76bdb4b7af16371c51caee417503
- SHA512
  
  b04f2eead322694f588ac47bbf80df7f9161ab6cd460da726619c7bca2b3bc319c2c141d668fa20076a5d8882df1157bd43c8b7a5cdc238fa61c857824df0d25
- SSDEEP
  
  24576:hUtPLf3UeTgLPgOzwUi9ERQm85EKXqKi76:hU1fUeTwPJzk98e7i76
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7
- Target
  
  31860041f633899f97e48bcd189a406bdc37d6be297b3dd6431f446aff2852ff
- Size
  
  603KB
- MD5
  
  386ad5036e95b8cbe06967ee2171114e
- SHA1
  
  c159cf6e8382231043060f647768987dec7505df
- SHA256
  
  31860041f633899f97e48bcd189a406bdc37d6be297b3dd6431f446aff2852ff
- SHA512
  
  5012595611c96f08cf729fac14a3c97417917cbdd18f581f306b65f28b4248d1c8a7ad003e2f1f7aa9695dacfaba18d641ac1f6db1da248be109c18accaa06fd
- SSDEEP
  
  12288:4xbFLS7NHbRobFSkfg+g3j0viyzQA9F67afYScr80O7Rf:4eRH+5w+o0vEwd0Q08Rf
Score

3^/10
behavioral8
- Target
  
  3c49ffd8bfdcc42aee16d8679893aa28f3ed5e433dcf0900ed32f7a88da3f386
- Size
  
  9KB
- MD5
  
  ff9c91d98beed56a001b00d148e74496
- SHA1
  
  cccdfcb2770a62e6b55ba1d9768dac150cc68c96
- SHA256
  
  3c49ffd8bfdcc42aee16d8679893aa28f3ed5e433dcf0900ed32f7a88da3f386
- SHA512
  
  f417b5a6ebdea3c55c2f77977b575754611590a84d46dbe751d4ba44bdc7dda9d374b9885b25b62bbc7ffaffdf50b987aafe895a9c2cf56893440c6a208de590
- SSDEEP
  
  192:uLtKId0jjGu63bwz8g4KeHXHAk9tIHWdttiJ4l5wIb/:UkE3u8RX3d841
Score

1^/10
behavioral9
- Target
  
  41edb742c1b69881657a48b74568410eb0dc7bfc9f540ab15c4ed0a665d97d45
- Size
  
  49KB
- MD5
  
  67db842cfda0f13f7f9eb862f98b82ea
- SHA1
  
  96d4dc7b88edae9ca25f99a0bb635b50c90a72b0
- SHA256
  
  41edb742c1b69881657a48b74568410eb0dc7bfc9f540ab15c4ed0a665d97d45
- SHA512
  
  864aa524d7cfe156c3d5e44e7693243e78dba0b8a7974f0a7186e5c82f09025f74f693bb3378123d485f1c669a1ff6859064a1bb372e57d572a0e17fd98edb0e
- SSDEEP
  
  768:ljRGdM7TcGI0oDfkibwPi3xLrXdWBM6QQEUoaD0g9WXuekoD7j2wVUj6ZKl:ljUWI0+hwetdOvDz9Ilko/tUj6ZKl
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10
- Target
  
  4ad4c837ce02e146680abb4f673fbca2d5f8588f4ae2c766b393c2b4141a9ee1
- Size
  
  29KB
- MD5
  
  e834ffbc1f0c01f2e43b9066632fcdbb
- SHA1
  
  dda9fb88c89155dad508895556d24df3a1546a86
- SHA256
  
  4ad4c837ce02e146680abb4f673fbca2d5f8588f4ae2c766b393c2b4141a9ee1
- SHA512
  
  c30a6ca6834288bad90dbefde8ed7ecf14ba202700c7a2b4dd774672008aa226992b2604b2d0aea1696e9ac836d7c8953052ea188e4af75ad32edf79f028b865
- SSDEEP
  
  384:9n/IK1wOfl/NhSl2EKIQ03KJXxP0PHfGZlCLL04OVhul2:9AKJfl6lewaZxP0PHilYROnul
Score

1^/10
behavioral11
- Target
  
  50682871a2a335d7c5f89cfc1ed16bec99abfa7856a05f54477ee639bbbfd453
- Size
  
  794KB
- MD5
  
  551c587f0fe4a8821a2758521468c459
- SHA1
  
  f64eb00c558b8f640aaf0c78da5ea3c9918bb59a
- SHA256
  
  50682871a2a335d7c5f89cfc1ed16bec99abfa7856a05f54477ee639bbbfd453
- SHA512
  
  a4d6dc86249d8d3714f3cc1dfd0b1ac595ac65d977a81c6dd6b1a52183f56226113799aaeb48a437da587a51d65763fc1f806e15f148877eded6411500db3c0a
- SSDEEP
  
  12288:jsJjU7X1ehXuKRPfl7rRf3sBVLhtNuzkRbJBhTVXXfoEH7sg:jQmieit3sDdfuz4bnPHfoy
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6
- Size
  
  117KB
- MD5
  
  9a97fcbfb92a1cd2bea185320ffb8d77
- SHA1
  
  6796d5101d50fa0f0689bf0c4201a39f37b10151
- SHA256
  
  5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6
- SHA512
  
  64a8df2bc8db6f32268858eb40af4e1912f755bbad40e1c807330e11a2b791d9a8ea29912b00ab258291c90a95c3ffa4ec4120c392d04a06dbba30f3c4e32155
- SSDEEP
  
  3072:GiYoDJ9UIfLL6y5KxDObWClw5jsNezaiY4d1tok:GijF9UIfLL6ywxabWClujsNH4d1X
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Drops startup file
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral13
- Target
  
  784f3902fdf296683a82c32aba987fd4c12bbed74a6300582da2d53e23954112
- Size
  
  1.7MB
- MD5
  
  61b26f24a7c056f8224f89d90204b3f7
- SHA1
  
  b2ea41a5457b1d0b7528288aa586449e448db235
- SHA256
  
  784f3902fdf296683a82c32aba987fd4c12bbed74a6300582da2d53e23954112
- SHA512
  
  99d9690741f0543e44f6acd26574d67e54139af92179e7455b4d3f0d1a0a75ff2205b6a8c512a1048eaacd65403cbbb742b59e0611acc11a9085b67b73be2e24
- SSDEEP
  
  49152:ih+ZkldoPKi2aFYv89an4TJ/jG3R8xve/RG0n:72cPKiSk97bG3R8xWR
Score

10^/10

nanocore keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  816c0e4debc58580e62e0698d31111436c8f99bd895ad2b4d0c9b7c2798dd96c
- Size
  
  327KB
- MD5
  
  ca676eca408ec71dd3c4d7a015bce41f
- SHA1
  
  de0bb11ed0b2764c3adbdfa945e568f8c070d4b8
- SHA256
  
  816c0e4debc58580e62e0698d31111436c8f99bd895ad2b4d0c9b7c2798dd96c
- SHA512
  
  043e9a2ca6b104fe2a0bd8a2528f404835f6aab2edbe0b99b657dcdf6fec965d25f9dacd727ee3c94cf36b40bf0b70feb9a5572affbcf83c735716c990476895
- SSDEEP
  
  6144:r5QWN9lPz1YVcVc4ozamxr3p+junKYZRY4+6/5Xq8h516lql8jMx6tjh3E:dp9N1YRDx3p9e4lNxh5EqlYW6X
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15
- Target
  
  81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9
- Size
  
  1.1MB
- MD5
  
  5b3c8242aab49db13a10b3454bf14ac8
- SHA1
  
  9667f4b95635d6e464963b47a2b559ca8a6add94
- SHA256
  
  81b49d3c6151419a242ba8491dff24bc345ba1dc696ff9c6aaf3c698bacefea9
- SHA512
  
  4aa7493a8a978e67b3e7a6f2f6008b74ca92e7a2bf34846bec189180ffce1022c38b80af39d52713c36e026ff20c9e660c6f80157fc05de4c25b502f35a2be32
- SSDEEP
  
  24576:mABwP/lOtVi7TlVvmgwdaeiQAAJLqnVd:5W4q5wg6HZJG
Score

10^/10

djvu discovery persistence ransomware
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral16
- Target
  
  82d1e979d2e673d0b1a47d34c1c968582185e284e0532ed66fd69d0e21063c67
- Size
  
  6KB
- MD5
  
  9c35b0f91e55bd95ae535256b9b44a9b
- SHA1
  
  3d1811c67e784dd706d9588b6da77925592592c9
- SHA256
  
  82d1e979d2e673d0b1a47d34c1c968582185e284e0532ed66fd69d0e21063c67
- SHA512
  
  a2e89f38fbf00e3126ceb71adf8da3a822702f9d8639bc0e7f57db8b51eac86efc0af34820a1244dd394640323c8e61d065b5d871ccc49ce4b1080929ce53219
- SSDEEP
  
  192:oba5FJIXA/becdOzfawCzWQMpMKhAKgbmFTNw:hGA/bvdg4zzM6wgqFe
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17
- Target
  
  8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f
- Size
  
  3.5MB
- MD5
  
  54837d1612edd427f413f55d6079fd5d
- SHA1
  
  d25af43ee7df4d41373d66bcba7da0a7d217c1c1
- SHA256
  
  8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f
- SHA512
  
  cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3
- SSDEEP
  
  6144:FSAP5c1MI2QLb9/REfzrjNG7i1BV+GKdyIpNd0f:FVTI2QLb9/kzHNGcaXIf
Score

10^/10

cybergate 1112 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  8d8576432cd79c4c6a8902e9fcbdad16c871afae3731a4d9ec9cb6a0be727ffe
- Size
  
  173KB
- MD5
  
  bfdf311cad652de3e51a581ec3a19338
- SHA1
  
  df3cc8cdc962de4f0624a927fcda16f84eb804db
- SHA256
  
  8d8576432cd79c4c6a8902e9fcbdad16c871afae3731a4d9ec9cb6a0be727ffe
- SHA512
  
  6860d7b32831949fba14bbdce1d9bc4d674031dcbf012db9be26192946200b63522f6eb3f33987539d5145b94ed697bfe768c9836eaaff6ef77d5d178fd2f0b8
- SSDEEP
  
  3072:bUhIPIFXANhUUnE7uuvptpyE6cDoqifjffcxy:aI5UUE7uuxDoqcEy
Score

7^/10
- Drops startup file
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  962bbb1929620dc69e35d52ce7e9684412e16e8ad2727222dbe3e47e9220f8e2
- Size
  
  756KB
- MD5
  
  24badcb6d982b8851e6b6d8bbf07cd80
- SHA1
  
  9532a957539e1f6a460028662bfbb1272c13c4c9
- SHA256
  
  962bbb1929620dc69e35d52ce7e9684412e16e8ad2727222dbe3e47e9220f8e2
- SHA512
  
  937de43c7c30b197e2b20cee535d5b326030f9f4ba9a69ff4e1ab59d47aa9eb9f0dcc56c06501f13cfc6d468759ddcd0e0c274885d855464946cee0e04a72a5d
- SSDEEP
  
  12288:xpYbOsMEDla4b+o6rZa97avKECLgCZMaxq:/6MERa4ibZa9t8GMa
Score

10^/10

quasar osu persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral20
- Target
  
  96f295d08c64e21aa847dcff5d942dd2beec65fa4957a6690ee2b7b79382cdd1
- Size
  
  657KB
- MD5
  
  582f17fc7c96a8b86c4610ac7d61c78c
- SHA1
  
  cd873543b014547928e8ae4a4879b5023e978483
- SHA256
  
  96f295d08c64e21aa847dcff5d942dd2beec65fa4957a6690ee2b7b79382cdd1
- SHA512
  
  8286d23c63b66a9f6a19efe59db5ba9c51ddcb5dd3a68194043395879db8e116765481f435629c28db6b3d8c7f71b0249212b4df6abedc3b086226b423a98803
- SSDEEP
  
  6144:gdnECeEwzQSj2tcxZdOFaFkvm9MoSQgj2x+zofMmpUpdaRsrSlLOkWcn7xJ:hCpwzQSj2th/uKoSkNfrUXIm46khNJ
Score

7^/10

persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral21
- Target
  
  96f2bcea04abecb6ba4e87bb6cd62beb439882a9bb013fa12def110ea3335528
- Size
  
  448KB
- MD5
  
  ad53609d80259f7f329bf724c55a3ee7
- SHA1
  
  71dac241fb99cde30fc2feae60483c479f96b174
- SHA256
  
  96f2bcea04abecb6ba4e87bb6cd62beb439882a9bb013fa12def110ea3335528
- SHA512
  
  83f972453bcc65afd8944a5a28190c8289aa02329e22bdc9170b2a1d0c3947086f6dd10e4cb1d28bf20d8d279a9013ec9861abafa265923821454c5a9221996e
- SSDEEP
  
  12288:ON9ugSNkvm9f+MgvLwabghCE2SN7YDaLsz6J7yCXjmZfMc3ed/37z0M/n/sCbMe2:1OSN7YDaLsWJ7yimGn/sCE
Score

10^/10

neshta persistence spyware stealer
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral22
- Target
  
  9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64
- Size
  
  585KB
- MD5
  
  f1334ba4ffac39c0df566bcc6b5c5c6c
- SHA1
  
  dea070a650abacb26f0a76276dcd501828546b50
- SHA256
  
  9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64
- SHA512
  
  9dbb7c6e67a03fc0cb371b73ebd454a0216598b290eedbcd7fcd22686c4c26b862acd7af229a595e9c34397254156f083771d270de4bcc67ff0f77493cbbc5d2
- SSDEEP
  
  12288:Lp4pNfz3ymJnJ8QCFkxCaQTOl2+U866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFa:FEtl9mRda1nSGB2uJ2s4otqFCJrW9Fq8
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (4588) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral23
- Target
  
  9ff988d7ea76e8379b5da6af3455b859957e7dfe572181041c35b10390780909
- Size
  
  60KB
- MD5
  
  45b1f6b08b638607c986ae69b49fb6aa
- SHA1
  
  e3bdde86d74c49fe509973433682e45a297cbfc1
- SHA256
  
  9ff988d7ea76e8379b5da6af3455b859957e7dfe572181041c35b10390780909
- SHA512
  
  da41008b77cdf32f1585ad1d0ebf9855d2fea30e50fb167c493202665b6e43f0eb7b5c2e8264e8fbf5d3c73ab1142c5cf0721a24a24ddcfc04b9d04aa66760c7
- SSDEEP
  
  768:51lmUVT0rOklf9uBcCmD6gwZ8E1g508AFN63Lul5b92SOjbxR1sWh7vZPrONK5:n2akOcvs8SiLul5Zmu+7prONK
Score

7^/10

persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral24
- Target
  
  bfddb59433bec29faf6210449f73503f38e61234c09be3f405be8196d9d6f8b0
- Size
  
  137KB
- MD5
  
  34796bb71a194c4efe6154b46db6f4e4
- SHA1
  
  d1518518198c23fe4226ed61b52c4c7844246fe1
- SHA256
  
  bfddb59433bec29faf6210449f73503f38e61234c09be3f405be8196d9d6f8b0
- SHA512
  
  6fbd87c03417aba7875ec07f42dfc078dcb5e36cdf3f80657d97087651a77f49a2345336e841a486e89c66c8e373fc7e19a572ab5124dad51eb01829df5a2472
- SSDEEP
  
  3072:62BuFSglbxkKbjDOfuCtihXwnTP/vhaBxVGVq0OP:62BuFSglbxkKbjDOfvixwjhaYVE
Score

3^/10
behavioral25
- Target
  
  c0ca77690ad65d797c3c9a662229046b0cc28e89ca54e0e39c70f656201280a5
- Size
  
  33KB
- MD5
  
  08b01dbf65a1e91923e94e128cd972b8
- SHA1
  
  39f4350c50bb190e14d9ca6fa4ab479c1d5bed04
- SHA256
  
  c0ca77690ad65d797c3c9a662229046b0cc28e89ca54e0e39c70f656201280a5
- SHA512
  
  82845810f75c19e7792bdb5e5601f2f976c7539393c822190234fe9bef0d9497433d09f85afc5bb84e789fae4a6f25cc335becaf6b4875ecbc2c28e754aef415
- SSDEEP
  
  768:k+aoi6qZOpQB5ZpOc06HCMN9GT6RJ5BHUEy2YEZZEo:k+av6qZ4QxpP0AtNfRJ5BHxY
Score

1^/10
behavioral26
- Target
  
  cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69
- Size
  
  134KB
- MD5
  
  98d7c096a603ac2ffdefac004abb202f
- SHA1
  
  45e0af760fb41efe844077a44ba546503f0ccec0
- SHA256
  
  cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69
- SHA512
  
  4c0d8c30a7355202e9c54de788acf975059342553f2e77df61d680ab7138320dcd7d727690254ca43f883ea9ec77426a92d6278fe3645aa2debd0b66396fc30c
- SSDEEP
  
  3072:5MGFzCHKSk/7LiVUdx/j9dyTt+WDjNM7YKQo0iS4HTrHd:5MG5CqSk/KVmj9AFMsy0iS4p
Score

10^/10

gh0strat wannacry discovery persistence ransomware rat worm
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral27
- Target
  
  cfbcc54f36dbdfc8d78d2be3a6b565f4e25b4d52f51de10ad7e4ca14c7f55d29
- Size
  
  88KB
- MD5
  
  424e86efb06533cefc14e07a8d6490d6
- SHA1
  
  4d96bc9de18c5018ad80b4e8667ec102e4d0bb97
- SHA256
  
  cfbcc54f36dbdfc8d78d2be3a6b565f4e25b4d52f51de10ad7e4ca14c7f55d29
- SHA512
  
  d9b4bec57d9eb253bcbbc7a25a7b5bb8129b347f2fe0de2eaa13002c0b5edcd947bafdd25d8fa942b0fcd8bd801d9f71e50bf5606280ab6eb76034cb7c5fab7d
- SSDEEP
  
  1536:JWxdI55EhugTp7mjZDqxFJZgi01T1vStzS2IoBwiQV4CSeCO54wc+bqDjzBNL0Hm:JUdMCg6pi1eFJKTSudVXV3bSCYjzBNLF
Score

7^/10
- Executes dropped EXE
- Drops file in System32 directory
behavioral28
- Target
  
  dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3
- Size
  
  26KB
- MD5
  
  00683c2668d0329457a67a5d5523d1ef
- SHA1
  
  8831515122545e6eb889bfefc66615b78cd0df2e
- SHA256
  
  dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3
- SHA512
  
  6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff
- SSDEEP
  
  384:1iN9ccVj9rt0GUnFnRnxud5SseO/N2W8HXVEu59uLS5U/ANpp4Df26eznKKfN/vx:1iZj9OnRnmSs1d8HXVEu5TWyO8/vOa
Score

8^/10

evasion persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral29
- Target
  
  ded033da36fbf8287d0df6f21a0339b6e1046ce678b46e7cd558f63e22df1158
- Size
  
  278KB
- MD5
  
  6621340d04e507aaa1595cc078de9d74
- SHA1
  
  ea59335ea2c7504eeb1227cb741fee0d1ba1caf1
- SHA256
  
  ded033da36fbf8287d0df6f21a0339b6e1046ce678b46e7cd558f63e22df1158
- SHA512
  
  a9cb0f631e56e7350713e1c1c70fb62c2c5c40e89b2d74c3fb5e496cddef59497aae2bd8a4dbe0d8259cde7dadefd555c705b1b788f1d866b0d957966a95e6e3
- SSDEEP
  
  6144:QhNy9Dw3FKqOiUjkMbQ5DWku3s2A9/voANg6tOmEhko3laTv0vQ:8sJjkuQ5Yo9/vLyuOxkyaLl
Score

7^/10
- Executes dropped EXE
- Drops file in System32 directory
behavioral30
- Target
  
  ea55e146fed653416bd40c92ce89cd61b46035c7bc6f55a33c71a9872e2c9659
- Size
  
  564KB
- MD5
  
  bdfc510bad54e411a0e5ed3d479fdecd
- SHA1
  
  3f4fc2f5ec18d2205dffdc1bd3c27b0416cc7bb1
- SHA256
  
  ea55e146fed653416bd40c92ce89cd61b46035c7bc6f55a33c71a9872e2c9659
- SHA512
  
  544248ae466c36eed4ee5803863527212897aa71ca80e7f2cf5da494c25e26254e6266b951e3bfe3be305b74de806d229c338d9bb2790e7b974656d9c3ddb89c
- SSDEEP
  
  12288:auoRx16X8AQpbnQusfrSytqtFtALqP4vAvQHv:aXRx16X8HwFtqtFtmqPs
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral31
- Target
  
  fffd0cdd4935b9fa1ff5530a94ec648346d5f6c6521fc07641fd9254f5ef75d6
- Size
  
  1.9MB
- MD5
  
  430c2b63372064c3e6d909635a12cfe9
- SHA1
  
  992b607f528c0f9e59ace4fc83d6b0b999816c10
- SHA256
  
  fffd0cdd4935b9fa1ff5530a94ec648346d5f6c6521fc07641fd9254f5ef75d6
- SHA512
  
  9fad453b68ddb5ee3d36b751a9cee589c5a5de7337a1b008cedfcf75ca6f39d2b26251b99f52af028576b30081608385cf2343ca101374147b513555290e1c1b
- SSDEEP
  
  12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyiwPZ:RJcu8pl9d+VdCUhN1SsNK+1pSy1PZ
Score

10^/10

aspackv2 persistence
- Modifies WinLogon for persistence
  persistence
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral32