General

  • Target

    Uncategorized.rar

  • Size

    10.1MB

  • Sample

    231214-b7snkaagbl

  • MD5

    f70a779b93fb98c2498e47ae9c412bfa

  • SHA1

    3efba5fdaa770d91407b5acc0d07f2855fb9540d

  • SHA256

    2f7c6195415c8d32bbf266557f2e31b945204713487644c46328160d1e730337

  • SHA512

    48feadec999dcd8ed09ddfcf7f17e4f6c1331e479de65b126a0560e6bd7c3b71b63634241d2c9fb9e7ddbba8debfdeac574e6d60871fdd7c5bc03b2e484ad734

  • SSDEEP

    196608:Z2vjGm/blzayw8+P0GiUHLU7wXFbsYbhNWSgDkJWAmDGYYfzuNpk9aJ0GeznL:6xzPwxFTHLTZrtNLgDT1YUsGezL

Malware Config

Extracted

Family

lokibot

C2

http://vicesstudios.ru/frank/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

xtremerat

C2

securecenter.sytes.net

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://pioter.xyz/min.php

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.118.167.198:8485/task.ps1

Extracted

Family

smokeloader

Version

2018

C2

http://segodnya.bit/

rc4.i32
rc4.i32

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1514849007-2165033493-4114354048-1000\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5d5212de55099b66
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/5d5212de55099b66

Extracted

Family

netwire

C2

popupcalls.ddns.net:1177

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

darkcomet

Botnet

Scammer

C2

leakedfilesvpn.ddns.net:1605

Mutex

DC_MUTEX-C03PN9U

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    szVRti820J02

  • install

    true

  • offline_keylogger

    true

  • password

    TheDivinity1989

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

hacker

C2

snatchfou.zapto.org:1604

Mutex

DC_MUTEX-EAGMYFG

Attributes
  • gencode

    QwbT0i9M7Prw

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

remcos

Version

2.0.4 Pro

Botnet

RemoteHost

C2

77.48.28.227:2442

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-TWB7DH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      1.exe

    • Size

      34KB

    • MD5

      c11be6a813f90bcd8c494893b91dc83a

    • SHA1

      6e95d7d17a1f066e321101a077bed00f8202f19d

    • SHA256

      03fe30fbe2e088a4a708b42d7f96de72738adb6f1c9f2a427d6826be4fc8104a

    • SHA512

      909a4def92871df1c3cb836475f8bac9c44e4d13aa13b2f7c39f2f07f0d6634b7bb573c927843de137ff0401fc064bf6de41708ad9b37f2b2e6e53d5408e8e35

    • SSDEEP

      768:JmHqsQmJex3elE9aHRAvSghgujT4wgutm/eMRw/DghUdgUkc:0HqsQmWZ9QGFguQ/er4qD

    Score
    1/10
    • Target

      400.exe

    • Size

      147KB

    • MD5

      7ca230d03a194762401f67ce9e72fcd1

    • SHA1

      21e03b6f2b687a9b95d2779ed846db19126d6e07

    • SHA256

      3d7bcee5647287b9e2c3ceb552e8c71379eb1c4946d74881edc730dd5501a78f

    • SHA512

      1ba90b5017b859a915abc772a78d0da3060f01115ae6d25115d2d916d56bf4f1e2e78628b07284a2de18b75ebbffbb381d281673b7f82c3cfc2f5e7cb7f1cd35

    • SSDEEP

      3072:5oFRQGCIIm1xT5GWp1icKAArDZz4N9GhbkrNEk13gL:YQGCIImhp0yN90QEN

    Score
    10/10
    • Blocklisted process makes network request

    • Adds Run key to start application

    • Target

      Chase_Bank_Transaction_Authenticator.exe

    • Size

      579KB

    • MD5

      5192bbb0ed2aafeb162ceedeff0f945c

    • SHA1

      81a0ee9d8292cb6afdf7a64058037fb59ece0d3b

    • SHA256

      7a70ea2507a42c784dee6b15aad72cc1d02c054fceec43c41537cbd5f7413b8d

    • SHA512

      0514aa556d8e5ca553d44170ff57bfc5c51b68d7f997828b2804dc13cd41a131049ccbd92ff2c26be9b698e50c18d7165b3629f9af8e2ad92c2910828059f8c8

    • SSDEEP

      12288:6urRW9O5h9vWpoTlznthtzOyRV2eEv5+V0+3K7OIVoBG:6kU9ofKMhlOyV2eTV004NoBG

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ChromeSoft.exe

    • Size

      991KB

    • MD5

      35a9b0b465f5518c5ede57b5a61e96bd

    • SHA1

      99870ddf8052eebf53925238510bda22a0666a19

    • SHA256

      44f0c8410f5308e7b9e23f056611997c4e3152d3a4f029bce26f6dae1fbc067f

    • SHA512

      49bb9ac046c4f6d597c2cb3446defc179eab25f594cd30d6ed81429fef95998838c3a321ff34410a3bd10a73b3c39428deff03617cf2865cae9322ee0c1df50a

    • SSDEEP

      24576:TUlZA/teq/PTCzG5hPSw24aSeNc5xnPB9Mb7u2mQHpep:TYZKtemTCC5h6J4QNcfPBub7Lmb

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Fake Windows Live Messenger.exe

    • Size

      1.4MB

    • MD5

      a7a75a56b4b960c8532c37d3c705f88f

    • SHA1

      e69d26db431e383131826fab5db213559ee68814

    • SHA256

      6b34cf6100ac5bf4479250048d61cc4d873dd84af74e5b2771b3205e2dbf0d22

    • SHA512

      8ae713ee44d87bfc91aeb34fe26ffc2ce20c6080037478bb5abf406abe09f86217ab4a8915fc3833a81fe3c629186217c17c9568adcb64d7399f9f5f3d0f2a48

    • SSDEEP

      12288:ebcuIcRD7ZPotep+8dG0Kxi+M9IrQscUjMRWENBui09YAaAWapJOhzqzW1:eYdsZPNJ5QEN4eABpJOg

    Score
    4/10
    • Target

      Injector(v_5.24).exe

    • Size

      1.4MB

    • MD5

      e90b6e88aff0deb37ba50c0204086321

    • SHA1

      755874282e3fc6eb633a230c2f6c7b9612e8078f

    • SHA256

      42e978f65d8e988cbfc34055418421f6b7988defba5b3503b5ce4f3a8974908a

    • SHA512

      3d9bf6249969574e9b27528765f30b810986ceab18af4a8025c42e694d2c3aea7bfdce7ee9da41de3b056bb2acb9ffd2418bdbb0efbc4d5f88e3d4d0ae7cca8b

    • SSDEEP

      24576:eq7CqHPYkqjQcrhgWd3IJjqWMKWh0X+7q/zdTAxSZuHlWG26+USxle/b2mhfx:e+Zc1gWd3IeBMzdTA8ilW96+deVhfx

    Score
    8/10
    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      RCE.exe

    • Size

      586KB

    • MD5

      bc2c57458db20a2a2d4ea99b3f5b8d37

    • SHA1

      25e08e1ee03372c5ce2f14fde486eee8bf6d6669

    • SHA256

      af6ea3e8d3f391d34464e30e2622162b417050345b429fb7553ff57d2c168be1

    • SHA512

      62ba9a5a19ff048eeebf3b611d83cdc3ac78805adc03751c30d5c530f4542f94fb0216d52c4ba94dbe3dc81604f6074c45c22ddc306891a994fabe6fdc923132

    • SSDEEP

      12288:uh1Lk70TnvjcQ+QSUofDRJsaVZ/OP4400KBIqLdMQT:ik70TrcQWHsgdZBISrT

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      TemD.exe

    • Size

      648KB

    • MD5

      e7d36392836c350b47e1e485465f2446

    • SHA1

      b4cfaca779557d14cbccf09accefaf4ec8cec30e

    • SHA256

      e037f166b8e3066f5b8fc2f4dea6cf0d052dde5234b46c81e3d5ecf73dc713c2

    • SHA512

      c6f530cbfcf8d145e06c7850b1c51f2dc9efbd893229d12a2fe035be89d3c32979c803f4122f77278aa7d3595f70b99cd3fb867adeaea51fbafbaae7d265a3a1

    • SSDEEP

      6144:DHtgbfyyNili9mp2kS4/JfrtkXl5w5R0koDQY1/rIPpGV8eY2M:TtcK+iEJ6RraXfwBoUY1/r8KB

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      best.exe

    • Size

      626KB

    • MD5

      d7078f34bfa30ec5781ffb8f4508365e

    • SHA1

      d586787f851c548d151c17326e866ce025485cd9

    • SHA256

      0cfe9c1725dfc5f73bb36ae2b168958f8ee8cf008f1240cf2808a91a513e22d4

    • SHA512

      9b20e3e8a40dcee460d0296b5d70dc1e29eb2c1f00feba7e83e60cd829bfeef1cb5e13970e6ed8f904e65f07a7817eea46e3f6c0b500dd7a6f91f8dbf1f59172

    • SSDEEP

      6144:8xkJDc+HCvgLqdLaUI4AMg9NnFkAD+X6I+RyK:8+DcOq5aUI4AMuFkAKZ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      btf.exe

    • Size

      227KB

    • MD5

      46d7fd84e5b0f5e1fcdef83849adc51f

    • SHA1

      c81eca8a560b3c8125d98a13cca3df6bc0c05902

    • SHA256

      87b87c2135fcff2177dfb95507421a129516cda41d8fd53afd4e9abeff2b8128

    • SHA512

      e9e58cf166a9625b7e5a4481d68970fef204e055f9f26a3c1d6c09ba8708f2fc493c36e8e79e65dedf33dde6e80706d7c5b2b92f9e7c94d1b6875029f4f3c427

    • SSDEEP

      3072:JsILl8Skwzl58qNtX7BVpHCsJlbApo309BDrZdOrALcfEjrtH3:aILnzlNr7JHVZNE9JHGxf

    Score
    8/10
    • Stops running service(s)

    • Deletes itself

    • Target

      build.exe

    • Size

      575KB

    • MD5

      4914bee9bf904b881fcb0f7fee9d0d76

    • SHA1

      b31d933efd9aef7c571cd0fcd0e46ae4b8f8e0df

    • SHA256

      797d8df51b4efddd420d5629bf7151fe233503b9056384a498c9112355bb5aa8

    • SHA512

      b32388e46ee90bb5aa7bebb1e74d7d35c3b951bb51730aa50afab8f68353e89a0a90d5076c29f61162bd7002af0ff8e5cd9502dfe3a6f1f70d7390079e6563a0

    • SSDEEP

      12288:yJWIL1y06PRyOqTusJiTJZJplL16sGYS67K:yYIw06ZyOqTuTNHL1PHS6m

    Score
    6/10
    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      crypted.exe

    • Size

      1.5MB

    • MD5

      f073e14adb7e3f4e14f77cc1f8926e3f

    • SHA1

      674a65bcea3c2a46e25cab15c4b96c62dc05f6cb

    • SHA256

      bcd39cc58fbe682eb0a3126c9e19a04fcfaf38e520e2a4d0fe75f5175c9d0bad

    • SHA512

      7657d7e58b9dc975f710e8eb84532f483d9c1279ba26e2e0b87e8cd0b02dfe91ee2e12f87cdb37d8f5bfeb900b3a6af1b9fbbf9bdcef13b8d405db2d2874dd2e

    • SSDEEP

      24576:vD/wom6ZtxQE6EjYsZB4regvCaXUOHWdEzDoJusUAk/XdSL9/E7fIMsDbm4GjqZ:rdjy80s4reQC2U8rucXQJE7fIMsDitG

    Score
    1/10
    • Target

      download.exe

    • Size

      314KB

    • MD5

      3977010fbf956cf80875f7fb23e67585

    • SHA1

      45c4128c77ebe801e26d370eb5f9ce01de50548e

    • SHA256

      ef4a6b750e05c1bd61e3e096ed036e7715cd5abac5e29219a3565587508bec4c

    • SHA512

      bf22d5a46d81fc8016fc332abf0df1b8eeee4d244434e785792cb316f9f1ee0089d01981810c880bed0cf69d9975fea06df9c4b5029ae888113543f36b54fe5d

    • SSDEEP

      6144:x0QYb7lWphzxoL0uEYeRYByIYVCw9EJvYXW+6j5HXHngZBUIGmM:GQ2WiL0ul8Io/9T9m53AZBBt

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Creates a Windows Service

    • Drops file in System32 directory

    • Target

      dp.exe

    • Size

      626KB

    • MD5

      e8d034a10d9f1328d70e0e6ff86af115

    • SHA1

      86773bf3028d4ce4c453810b7a8db87cac27cfc1

    • SHA256

      f88ff0acb3e08e51fa051bff9a176ddb952a99bf2989032e6000b7d7c0836c07

    • SHA512

      d267737a4eb59200bb6a7bea7fffb45be3ef564f38a2d65f27cd22b7e09abbd52463806b144f0b6fa49887821f1a1d27dd555776a910291b213d5f9c85be1f6c

    • SSDEEP

      6144:MjNiSxkJDc+HCvgLqdLZhUIb7ImU46zNsOJt3:56+DcOq5Zd3IN44b

    Score
    7/10
    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      etbnoc.exe

    • Size

      756KB

    • MD5

      6ae3ffdc97e5f6f61cbb343fc2ccdb3b

    • SHA1

      b0db875f64203532338e60ed41e3f91dab680075

    • SHA256

      8a6fe641d7bd4ea61247380051f466d3e985d7cad1988f929020c36554adaf98

    • SHA512

      384acad7dc62dd8014fc7a388482d9c88da311adbe4033f64c9d4f7b67f5fd327acff70f2ba5723d70493934252fc38ed78d00312a927778c1cd3c558a4236b3

    • SSDEEP

      12288:WI/9ztf3KmGnin2lcRk8HTtaSbHUtuF768idW:fZ1KXnigca8zBUtul68iE

    Score
    1/10
    • Target

      fran.exe

    • Size

      408KB

    • MD5

      d7c579d650a333141109e3d68a5b340d

    • SHA1

      707585b88365f8ab7979189039de1d4d895305f5

    • SHA256

      fdf39072431895a952df728972e57657f2a3774c5db7ac41235a32b98847eced

    • SHA512

      afe932d128e6567904d3dde9485cf8da109e02b8fad6241358f90fd9c5081da29a71495d17c3c31f12357a53a730adae90f804b2670a8b1870f9a1236229ab10

    • SSDEEP

      6144:iqblMNjjal406GLWT944U3Em3ffFPoeZV3JjCvm:iQ+Fjg76GLM490Wff9

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      fud.exe

    • Size

      32KB

    • MD5

      f8151c088ddc990b4d605558214c520d

    • SHA1

      7cd5e1801ee0a29b9bbdb4a71dc8d99c38729dbf

    • SHA256

      bcf048728f08339a629aa195da8a04f716902c20131cc0a82dad1d74d8cb1f9f

    • SHA512

      ed0cc44a6332e77b2fcf7d21702f6b8b9415a7c511923593c9d729155bcdff6cd65f80e86ae9f602c561cb03bdc64c758b36ad4f3b2aabe6920990109767394c

    • SSDEEP

      384:/Ttqrt7S6TC1kclC+SbvYr9OMZj2nqPtGUV:/BqZRTC12Mr9P/PtGU

    Score
    1/10
    • Target

      gift_generator.exe

    • Size

      558KB

    • MD5

      b82df74ac1d74deb7fe4be8743cd7dfd

    • SHA1

      00a41f31b66f1484607d60c61f0d57766c6d2ca7

    • SHA256

      24c98fa7f3aa92fbb15b97556f870ffa0687d7aa29b8fbfd44cb520cc97130ca

    • SHA512

      286c65029029d41558e25d9269b0dd00d88c2627c0dd45ab52a22a25869f8f6604ea4efe010f9a4f763380935e89faa7dea83a34d0e19f050b7f52fa67484235

    • SSDEEP

      12288:vOuFiuVKNCjMlt3zaQujADveg/QChuZ2OdSkDOfFN/9vXLrE8nlZcxVJx:vgu4N3lhPujEveg/Nho2OdSkSfFN/tXc

    Score
    7/10
    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target

      lol.exe

    • Size

      347KB

    • MD5

      bddda55fb978f891603a996d531f91ae

    • SHA1

      926d297215144f42cf6d71b04f01f1682b2571f5

    • SHA256

      4f382b6cb87c5413002055e474ea300d53c67bffdf63cb322fc1a55cfcf2e0ce

    • SHA512

      5a40b1f769778bd7ac64e38f285770f0e7257b15e2fefe52baa4af5164bd2b325407aece01c47ed7435136b464b6a486399f9f66f4e7bc81e0be360614bdfa38

    • SSDEEP

      6144:Xjbei105yc4ZU8a8vM+9HMg8kTs4GjJVV2RrqUuqrZ9FQ0CI:XuwFqhSMYHTVYjjJVgRrqUj7QLI

    • Detect XtremeRAT payload

    • Modifies WinLogon for persistence

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      mt20200012.exe

    • Size

      360KB

    • MD5

      096968ff322e774212e2ccf8a131c5c0

    • SHA1

      603ca5b5db5591012442c0b27939039bffc1d089

    • SHA256

      161de1e2e619fb08f3d9702ba9ec4db9fbea6e85a29eea568c5a53b0c903e4bb

    • SHA512

      d33566e014aae6dafe0baaa1ca3d1fd15dabb17b16bbc0d5c913479b1cfa990a679b4a2fa1cd206067b8e664bd9e5fc7161277ae2b9f90842ab2ba8dc5f9ed2b

    • SSDEEP

      6144:vxtYY+vbWjoIcbV6Tp3z/Z9VQruMMyvwFtDkbtUYVSjGagloK7GO:vxT+vCjPd3z/bar5MU+gloeG

    Score
    1/10
    • Target

      nopax.exe

    • Size

      200KB

    • MD5

      882d3606ae24316cc0a0b1c879999437

    • SHA1

      7e4e484883474132e56c69cd87dc1ed390eb89ae

    • SHA256

      ed2620f248d304129d3772dcf6ff2e42850fd4daf79895c90a1a71a8ff2a260c

    • SHA512

      9bd9e551cddbbc5e1029aa2c423f6147d4a0128efdd8a161a6fb6d266b2b44c46402e754d8d8a3946b2ae05ca14f202d93e01e5f6e5b21db83581d25467bbf91

    • SSDEEP

      6144:rLgA/4OWNIaSKGL3icZcDrwOK43CMniZw:rMAAjgHZcDPKvcc

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      porn.jpg.exe

    • Size

      211KB

    • MD5

      2ca1f87a624245db0a57bf439b71d460

    • SHA1

      2f6de1b66d8021b74ebcee0040b9a7c00b61d231

    • SHA256

      06af68780ff670177daf0d6e34918976a46f9e69787a284b8757470fb02903b3

    • SHA512

      7bc842d94abce1de0844c3d9c3f0c055e8bfd9465b63cb86ddb3dbb731ecf802b67694c0e258d78ad3eaadbe5476da1286e681af48368f896fffc6acbfb17347

    • SSDEEP

      6144:Agn5+W7mFJ+7kTJEBv4aR47s4nYiayol:n5+ZFY7kVQBR47s

    Score
    1/10
    • Target

      putty.exe

    • Size

      218KB

    • MD5

      b29bfe0978cdeab5a09b8ab31eadbaf1

    • SHA1

      9c930ee306446556d22b5469a8c5943a56e7197f

    • SHA256

      2f022dacd013c10da72759a20cf7392637460f983d59631ebf636328d0f977ee

    • SHA512

      7f721aa07a073117575e7fe4cd10228f2da1c31ef6df32fbf0722577616998d476aef415f7b29be7ddd0384270f4c66f8021ac06da469799ebe739e6f667d71b

    • SSDEEP

      3072:/SAzTSCFUvN/0Lz/2rir+HrBNBB50FO+7Vcx8BBjlIGOPA2EeHOz3ctJ:6MFUaP/2ZVzJ+Jcx8xN2EEOzct

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (290) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      t.exe

    • Size

      1.5MB

    • MD5

      78b78c70ad66d95e136a4cb10395f403

    • SHA1

      ece7e87cc76f8862218213c6775613604ad97d4a

    • SHA256

      389851b1a38b0079d88402edf0ebd0d5ba492dfd759a80c27b0b18a248feb2b8

    • SHA512

      cc6f701115c9bb27de712cede13fa693c3ae78f20ea524003627cb75cabae4eb84d86d03b9e963ff9ccb49fa404b142cf1b73b2c9e43cdf01fddad4d70513466

    • SSDEEP

      24576:59cs4/QiYjQSjCB65cTg56axZ5DwOGA5s0:0sgUjQFB60alkOp5

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Target

      vnc.exe

    • Size

      385KB

    • MD5

      913120c0c8602bcb2abe0e1741d45566

    • SHA1

      7b569e8479ffbc85f6c70ddf8a7fea62b6c8ad32

    • SHA256

      70de0596db51d6b09be92271e7140dc949074224d29352b4e64889df152278b2

    • SHA512

      963b162a17e5c4a928df0e96c29b446d30dfc130e887fe74360fef79e974c3ba5175b914432a1879c9c16cfdb965acd414fdbc2e83ac74406dd02f660bd62abd

    • SSDEEP

      6144:39XdnJkIv5nQb9QVj99dMJmCxuOGGO4+Vmia5Re4wEWMuej7ul7tLM:/nOIvRQmpjKJxu3J8R/WMuW7I7JM

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      yk.exe

    • Size

      1.1MB

    • MD5

      bb73060a44e8fb34f92dd1815c6a300f

    • SHA1

      ab65f6880b9dddda7af5d2289f4858f48b8162d4

    • SHA256

      c1f0d4cc18f34c9f111d74da644c3e21827a01f5e862deb667e9e18ee8e7258d

    • SHA512

      91be2ab84f17cc907c057c75c8dd9ccc0914aecadd19c390a7edce9efa21936fbc450d6267eb17af8213afd15daa4d12f0b10658d55a6a38232c9cc327409146

    • SSDEEP

      24576:+31SZSaMidm23AzTOAV4xhFIaSV5VZZGSDNVwftoJNDBki+4K4zI4VX9ImOfj:+wZSTidmvuAGhFA54qVwfoNDBkirJzIP

    Score
    10/10
    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      zztop.exe

    • Size

      642KB

    • MD5

      72049be7bd30ea61297ea624ae198067

    • SHA1

      b7b74712a1d44aa3646eca78285e1e70c7c73083

    • SHA256

      a21a16b0d9bfad52eced7a74d50c2acdfa42654d0fea2049312adf92542c4cad

    • SHA512

      eb8f78b8e49c6df03409090b6c8bffe1a8a581baefad2b91855906bed284c52dfd74ae2fabde6eca52de8d89437c9ffdddeaf1a8cb000f5ea0ee699e9f14920a

    • SSDEEP

      6144:qJXmzzSHV/y1FNI8taGqHTU/Kt6flq66O8PtYivxLGD4qI1Yhjb2OZEX93/opbos:0mzrZIiagKUtq6vQlX8

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (11)

      • T1547.001 Registry Run Keys / Startup Folder (9)

      • T1547.004 Winlogon Helper DLL (2)

  • T1543 Create or Modify System Process (5)

      • T1543.003 Windows Service (5)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (11)

      • T1547.001 Registry Run Keys / Startup Folder (9)

      • T1547.004 Winlogon Helper DLL (2)

  • T1543 Create or Modify System Process (5)

      • T1543.003 Windows Service (5)

Defense Evasion

  • T1112 Modify Registry (17)

  • T1562 Impair Defenses (4)

      • T1562.001 Disable or Modify Tools (2)

  • T1564 Hide Artifacts (2)

      • T1564.001 Hidden Files and Directories (2)

  • T1070 Indicator Removal (1)

      • T1070.004 File Deletion (1)

  • T1553 Subvert Trust Controls (1)

      • T1553.004 Install Root Certificate (1)

Credential Access

  • T1552 Unsecured Credentials (5)

      • T1552.001 Credentials In Files (5)

Discovery

  • T1082 System Information Discovery (18)

  • T1012 Query Registry (5)

  • T1120 Peripheral Device Discovery (3)

  • T1018 Remote System Discovery (1)

Collection

  • T1005 Data from Local System (5)

  • T1114 Email Collection (1)

Impact

  • T1489 Service Stop (2)

  • T1490 Inhibit System Recovery (1)

Tasks

static1

upx, miner, xmrig
Score
10/10

behavioral1

Score
1/10

behavioral2

persistence
Score
10/10

behavioral3

darkcomet, scammer, evasion, persistence, rat, trojan, upx
Score
10/10

behavioral4

upx
Score
7/10

behavioral5

Score
4/10

behavioral6

evasion, persistence
Score
8/10

behavioral7

darkcomet, hacker, evasion, persistence, rat, trojan, upx
Score
10/10

behavioral8

remcos, persistence, rat
Score
10/10

behavioral9

remcos, remotehost, persistence, rat
Score
10/10

behavioral10

evasion
Score
8/10

behavioral11

persistence
Score
6/10

behavioral12

Score
1/10

behavioral13

persistence, upx
Score
7/10

behavioral14

Score
7/10

behavioral15

Score
1/10

behavioral16

lokibot, collection, spyware, stealer, trojan
Score
10/10

behavioral17

Score
1/10

behavioral18

spyware, stealer
Score
7/10

behavioral19

xtremerat, persistence, rat, spyware, upx
Score
10/10

behavioral20

Score
1/10

behavioral21

smokeloader, backdoor, trojan, upx
Score
10/10

behavioral22

Score
1/10

behavioral23

gandcrab, backdoor, ransomware, spyware, stealer
Score
10/10

behavioral24

netwire, botnet, rat, stealer
Score
10/10

behavioral25

upx
Score
7/10

behavioral26

xmrig, miner
Score
10/10

behavioral27

Score
1/10