Overview

overview

10

Static

static

10

Downloads.rar

windows7-x64

3

Downloads.rar

windows10-2004-x64

3

08751be484...2d.dll

windows7-x64

10

08751be484...2d.dll

windows10-2004-x64

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

1.bin/1.exe

windows7-x64

10

1.bin/1.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2b5e50bc30...ba.dll

windows7-x64

10

2b5e50bc30...ba.dll

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

10

2c01b00772...eb.exe

windows10-2004-x64

10

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

1

3DMark 11 ...on.exe

windows10-2004-x64

1

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

7

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

6a9e7107c9...91.exe

windows7-x64

10

6a9e7107c9...91.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

95560f1a46...f9.dll

windows7-x64

1

95560f1a46...f9.dll

windows10-2004-x64

1

Resubmissions

22-11-2023 17:02

231122-vkac9adg64 10

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloads.rar

  • Size

    154.7MB

  • Sample

    231122-vkac9adg64

  • MD5

    f82e19eade5962a21f69504a854de42e

  • SHA1

    2af264fdf337f13723e4f2d5ca4904e083db56ae

  • SHA256

    1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

  • SHA512

    a7b0a23e8765d4f98edc6e912a75116584217ede98dd7fd81523b6d19cef4192135745efe52219bf198cab2b3a5f798b26331422c0a5da45f0b163a155e8092a

  • SSDEEP

    3145728:UNl8iFXjPnIxNlZyN+c3cKBnxrtWSlJFfvcVZM:Gy0TIf69tbXcLM

Score
10/10
agentteslaasyncratbabylonratcobaltstrikedanabotdarkcometdcratdharmaformbookgoziguloaderhakbithawkeyemodiloadernjratqakbotraccoonrevengeratsmokeloaderwarzoneratzeppelinzloader07/0409/042020nov125/0330541989686920224canadaloadshackhackedinsert-coinmainsamayspx129systemvictimexdsdddyt159073433926.02.2020i0qinerinow9zagilenetbackdoorbankerbotnetcollectioncryptonediscoverydownloaderevasionguloaderinfostealerkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojanupx

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php
Attributes
  • build_id

    19

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php
Attributes
  • build_id

    131

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php
Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php
Attributes
  • build_id

    140

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

smokeloader

Version

2019

C2

http://advertserv25.world/logstatx77/

http://mailstatm74.club/logstatx77/

http://kxservx7zx.club/logstatx77/

http://dsmail977sx.xyz/logstatx77/

http://fdmail709.club/logstatx77/

http://servicestar751.club/logstatx77/

http://staradvert9075.club/logstatx77/

http://staradvert1883.club/logstatx77/
rc4.i32
rc4.i32

Extracted

Family

gozi

Attributes
  • build

    300869

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247
rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21161&authkey=AAzCpAsT_Jf9zKg

https://cmdtech.com.vn/MY_XXX_VUVHawg214.bin

https://qif.ac.ke/flow_AoGPhiVz245.bin

https://onedrive.live.com/download?cid=46B98FE6F0D79519&resid=46B98FE6F0D79519%211842&authkey=ANcfRm-0LjxFJQY

https://drive.google.com/uc?export=download&id=1ELoiNSVTziaBatbVNZQWxal_RsriCCrt

http://ffacscs.ug/nw_kUILGeMGK73.bin

http://blockchains.pk/nw_kUILGeMGK73.bin

https://drive.google.com/uc?export=download&id=11NAZslAWBWkK1b4dFviELvvgWl48QHr6
xor.base64
xor.base64
xor.base64
xor.base64
xor.base64
xor.base64

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes
  • InstallPath

    excelsl.exe

  • gencode

    n7asq0Dbu7D2

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    office

Extracted

Family

asyncrat

Version

0.5.6A

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707
Mutex

adweqsds56332

Attributes
  • delay

    5

  • install

    true

  • install_file

    prndrvest.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php
Attributes
  • build_id

    77

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      Downloads.rar

    • Size

      154.7MB

    • MD5

      f82e19eade5962a21f69504a854de42e

    • SHA1

      2af264fdf337f13723e4f2d5ca4904e083db56ae

    • SHA256

      1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

    • SHA512

      a7b0a23e8765d4f98edc6e912a75116584217ede98dd7fd81523b6d19cef4192135745efe52219bf198cab2b3a5f798b26331422c0a5da45f0b163a155e8092a

    • SSDEEP

      3145728:UNl8iFXjPnIxNlZyN+c3cKBnxrtWSlJFfvcVZM:Gy0TIf69tbXcLM

    Score
    3/10
    behavioral1behavioral2

    • Target

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

    • Size

      144KB

    • MD5

      9e9bb42a965b89a9dce86c8b36b24799

    • SHA1

      e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

    • SHA256

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

    • SHA512

      e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

    • SSDEEP

      3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

    Score
    10/10
    zloaderbotnetpersistencetrojanmain26.02.2020

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

    • Size

      355KB

    • MD5

      b403152a9d1a6e02be9952ff3ea10214

    • SHA1

      74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

    • SHA256

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

    • SHA512

      0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

    • SSDEEP

      6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF

    Score
    3/10
    behavioral5behavioral6

    • Target

      1.bin/1.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    Score
    10/10
    agenttesladanabotformbookgoziguloaderqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedownloaderkeyloggerpackerransomwareratrezer0rm3spywarestealertrojandiscovery

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer payload

    • AgentTesla payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Formbook payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral7behavioral8

    • Target

      2019-09-02_22-41-10.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SSDEEP

      6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

    Score
    10/10
    smokeloaderbackdoortrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

    • Size

      183KB

    • MD5

      6d2864f9d3349fc4292884e7baab4bcc

    • SHA1

      b4e7df23ccd50f4d136f66e62d56815eab09e720

    • SHA256

      2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

    • SHA512

      dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0

    • SSDEEP

      3072:V+EdIHvacHR4IJ1/eIvfHJKsopu5Zu1yiJ1nE8dFZfdcn0TctjCQ9gXaj0jjh3DL:V+aKvac72IfHJmpu5g1yUpE8dFZls0o6

    Score
    10/10
    zloader07/04botnettrojan

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      2c01b007729230c415420ad641ad92eb

    • Size

      1.3MB

    • MD5

      daef338f9c47d5394b7e1e60ce38d02d

    • SHA1

      c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

    • SHA256

      5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

    • SHA512

      d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

    • SSDEEP

      24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

    Score
    10/10
    hawkeyecollectionkeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      31.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    Score
    10/10
    agenttesladanabotdharmaformbookgoziguloaderqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedownloaderguloaderkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojandiscovery

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer payload

    • AgentTesla payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Formbook payload

      rat

    • Guloader payload

      guloader

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Renames multiple (73) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      3DMark 11 Advanced Edition.exe

    • Size

      11.6MB

    • MD5

      236d7524027dbce337c671906c9fe10b

    • SHA1

      7d345aa201b50273176ae0ec7324739d882da32e

    • SHA256

      400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

    • SHA512

      e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

    • SSDEEP

      196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4

    Score
    1/10
    behavioral17behavioral18

    • Target

      42f972925508a82236e8533567487761

    • Size

      3.7MB

    • MD5

      9d2a888ca79e1ff3820882ea1d88d574

    • SHA1

      112c38d80bf2c0d48256249bbabe906b834b1f66

    • SHA256

      8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

    • SHA512

      17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

    • SSDEEP

      98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

    Score
    10/10
    asyncratdarkcometnjratwarzonerat2020nov1evasioninfostealerpersistencerattrojanbabylonrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    • Size

      669KB

    • MD5

      ead18f3a909685922d7213714ea9a183

    • SHA1

      1270bd7fd62acc00447b30f066bb23f4745869bf

    • SHA256

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    • SHA512

      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    • SSDEEP

      6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

    Score
    7/10
    discoverypersistenceupx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral21behavioral22

    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    Score
    10/10
    hakbitransomwarespywarestealer

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Renames multiple (54) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral23behavioral24

    • Target

      6a9e7107c97762eb1196a64baeadb291

    • Size

      209KB

    • MD5

      417457ac3e000697959127259c73ee46

    • SHA1

      e060125845cc1c4098f87632f453969ad9ec01ab

    • SHA256

      d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d

    • SHA512

      7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31

    • SSDEEP

      3072:tnwDl1lJiIPMUMEhTo6pWmuRdIDAP2Oh0oF14tO/m92B96W5ryx0d:y1DUUMETotmubnP2O314am92

    Score
    10/10
    zloadercanadaloadsnerinobotnettrojan

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader
    behavioral25behavioral26

    • Target

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

    • Size

      21KB

    • MD5

      6fe3fb85216045fdf8186429c27458a7

    • SHA1

      ef2c68d0b3edf3def5d90f1525fe87c2142e5710

    • SHA256

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

    • SHA512

      d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

    • SSDEEP

      384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

    Score
    10/10
    revengeratxdsdddstealertrojan

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • RevengeRat Executable

      stealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    behavioral27behavioral28

    • Target

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

    • Size

      17KB

    • MD5

      aa0a434f00c138ef445bf89493a6d731

    • SHA1

      2e798c079b179b736247cf20d1346657db9632c7

    • SHA256

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

    • SHA512

      e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

    • SSDEEP

      384:rnhZ7/5eOHY9FmMoEIPJvnbisVK8ysLu2s2:bhdQOS8EIRmIa2

    Score
    10/10
    revengeratvictimepersistencestealertrojan

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • RevengeRat Executable

      stealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral29behavioral30

    • Target

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

    • Size

      260KB

    • MD5

      9e9719483cc24dc0ab94b31f76981f42

    • SHA1

      dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b

    • SHA256

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

    • SHA512

      83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

    • SSDEEP

      6144:HP2sOvpPfQUH6+SqpcH1lH0CIuK8AWaULcka:HPXOv9RH6fEcH1h0vuLNyk

    Score
    1/10
    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

3
T1053

Scripting

2
T1064

Persistence

Boot or Logon Autostart Execution

7
T1547

Registry Run Keys / Startup Folder

6
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

3
T1053

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

7
T1547

Registry Run Keys / Startup Folder

6
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

3
T1053

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

8
T1112

Indicator Removal

4
T1070

File Deletion

4
T1070.004

File and Directory Permissions Modification

3
T1222

Scripting

2
T1064

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

19
T1082

Query Registry

10
T1012

Peripheral Device Discovery

2
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Email Collection

1
T1114

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Resource Development

Reconnaissance

Tasks

static1

main26.02.202007/04upxstealerxdsdddvictime25/03ratsamaycryptonepacker30541989609/04insert-coinsystemythackedhackzloaderrevengeratdcratcobaltstrikezeppelinnjratmodiloader
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
3/10

behavioral3

zloaderbotnetpersistencetrojan
Score
10/10

behavioral4

zloadermain26.02.2020botnetpersistencetrojan
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

agenttesladanabotformbookgoziguloaderqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedownloaderkeyloggerpackerransomwareratrezer0rm3spywarestealertrojan
Score
10/10

behavioral8

agentteslaformbookgozi86920224w9zagilenetbankercryptonediscoverykeyloggerpackerratrezer0rm3spywarestealertrojan
Score
10/10

behavioral9

smokeloaderbackdoortrojan
Score
10/10

behavioral10

smokeloaderbackdoortrojan
Score
10/10

behavioral11

zloader07/04botnettrojan
Score
10/10

behavioral12

zloader07/04botnettrojan
Score
10/10

behavioral13

hawkeyecollectionkeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral14

hawkeyecollectionkeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral15

agenttesladanabotdharmaformbookgoziguloaderqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedownloaderguloaderkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
Score
10/10

behavioral16

agentteslaformbookgozi86920224w9zagilenetbankercryptonediscoverykeyloggerpackerratrezer0rm3spywarestealertrojan
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

asyncratdarkcometnjratwarzonerat2020nov1evasioninfostealerpersistencerattrojan
Score
10/10

behavioral20

asyncratbabylonratdarkcometnjratwarzonerat2020nov1evasioninfostealerpersistencerattrojan
Score
10/10

behavioral21

discoverypersistenceupx
Score
7/10

behavioral22

discoverypersistenceupx
Score
7/10

behavioral23

hakbitransomwarespywarestealer
Score
10/10

behavioral24

hakbitransomwarespywarestealer
Score
10/10

behavioral25

zloadercanadaloadsnerinobotnettrojan
Score
10/10

behavioral26

zloadercanadaloadsnerinobotnettrojan
Score
10/10

behavioral27

revengeratxdsdddstealertrojan
Score
10/10

behavioral28

revengeratxdsdddstealertrojan
Score
10/10

behavioral29

revengeratvictimepersistencestealertrojan
Score
10/10

behavioral30

revengeratvictimepersistencestealertrojan
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
1/10