Overview
Static: Score 10/10
231113-01-...72.exe (windows7-x64): Score 10/10
231113-01-...72.exe (windows10-2004-x64): Score 1/10
231113-02-Gh0st.exe (windows7-x64): Score 10/10
231113-02-Gh0st.exe (windows10-2004-x64): Score 3/10
231113-03-...2f.exe (windows7-x64): Score 3/10
231113-03-...2f.exe (windows10-2004-x64): Score 10/10
231113-04-...62.exe (windows7-x64): Score 10/10
231113-04-...62.exe (windows10-2004-x64): Score 10/10
231113-05-...18.exe (windows7-x64): Score 10/10
231113-05-...18.exe (windows10-2004-x64): Score 10/10
231113-06-...la.exe (windows7-x64): Score 10/10
231113-06-...la.exe (windows10-2004-x64): Score 10/10
231113-07-...6d.exe (windows7-x64): Score 10/10
231113-07-...6d.exe (windows10-2004-x64): Score 10/10
231113-08-...ed.exe (windows7-x64): Score 7/10
231113-08-...ed.exe (windows10-2004-x64): Score 10/10
231113-09-...3e.exe (windows7-x64): Score 10/10
231113-09-...3e.exe (windows10-2004-x64): Score 10/10
231113-10-Redline.exe (windows7-x64): Score 10/10
231113-10-Redline.exe (windows10-2004-x64): Score 10/10
231113-11-Lokibot.exe (windows7-x64): Score 10/10
231113-11-Lokibot.exe (windows10-2004-x64): Score 10/10
231113-12-...ke.exe (windows7-x64): Score 10/10
231113-12-...ke.exe (windows10-2004-x64): Score 10/10
General: Score 10/10
Target: 292015abee48b2c8bd29e505cf4aceb13f698195aa0b9df4566250997e94a7d7
Size: 7.0MB
Sample: 231220-pvhvgsaehj
MD5: 3f29057b16c405448b6b43262b007776
SHA1: 9bd1a63f471d77a5ce3fed262c71a55a1686a3a3
SHA256: 292015abee48b2c8bd29e505cf4aceb13f698195aa0b9df4566250997e94a7d7
SHA512: dfe3eae71f12e835b43a411659990658f2bd3e1c92c41263f29059ebde65835fcdc37fce12a541f6a945be500f2846793e52b2587b53bc7f2f7932553dc0cc46
SSDEEP: 196608:962K+HjSb/r1nIWbddasvbbh/ZwcWIs08eGnWQHr9:bKGjQ/r1nx5d3vhRwJ09GW09
Behavioral tasks
behavioral1: 231113-01-Formbook-47d372.exe (win7-20231215-en)
behavioral2: 231113-01-Formbook-47d372.exe (win10v2004-20231215-en)
behavioral3: 231113-02-Gh0st.exe (win7-20231129-en)
behavioral4: 231113-02-Gh0st.exe (win10v2004-20231215-en)
behavioral5: 231113-03-Formbook-f8862f.exe (win7-20231129-en)
behavioral6: 231113-03-Formbook-f8862f.exe (win10v2004-20231215-en)
behavioral7: 231113-04-Formbook-ffda62.exe (win7-20231215-en)
behavioral8: 231113-04-Formbook-ffda62.exe (win10v2004-20231215-en)
behavioral9: 231113-05-Frombook-678f18.exe (win7-20231215-en)
behavioral10: 231113-05-Frombook-678f18.exe (win10v2004-20231215-en)
behavioral11: 231113-06-AgentTesla.exe (win7-20231215-en)
behavioral12: 231113-06-AgentTesla.exe (win10v2004-20231215-en)
behavioral13: 231113-07-Frombook-b13b6d.exe (win7-20231215-en)
behavioral14: 231113-07-Frombook-b13b6d.exe (win10v2004-20231215-en)
behavioral15: 231113-08-Snake-d91fed.exe (win7-20231215-en)
behavioral16: 231113-08-Snake-d91fed.exe (win10v2004-20231215-en)
behavioral17: 231113-09-Snake-1c2c3e.exe (win7-20231129-en)
behavioral18: 231113-09-Snake-1c2c3e.exe (win10v2004-20231215-en)
behavioral19: 231113-10-Redline.exe (win7-20231215-en)
behavioral20: 231113-10-Redline.exe (win10v2004-20231215-en)
behavioral21: 231113-11-Lokibot.exe (win7-20231215-en)
behavioral22: 231113-11-Lokibot.exe (win10v2004-20231215-en)
behavioral23: 231113-12-Cobaltstrike.exe (win7-20231215-en)
behavioral24: 231113-12-Cobaltstrike.exe (win10v2004-20231215-en)
Malware Config

Extracted: formbook 4.1 (o11y)
Extracted: snakekeylogger
Protocol: smtp
Host: mail.status-automation.com
Port: 587
Username: bkkhoo@status-automation.com
Password: bkkhoostatus2018
Email To: goodnewsrnan@yandex.com
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: boys@opttools-tw.com
Password: kV$bSqJ1 daniel
Email To: boys@opttools-tw.com
Extracted: formbook 4.1 (st58)
Extracted
Protocol: smtp
Host: mail.status-automation.com
Port: 587
Username: bkkhoo@status-automation.com
Password: bkkhoostatus2018
Extracted: formbook 4.1 (fs35)
Extracted: lokibot
http://305.ebnsina.top/_errorpages/305/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted: cobaltstrike 1359593325
http://192.236.146.5:80/cx
access_type: 512
host: 192.236.146.5,/cx
http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
polling_time: 60000
port_number: 80
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit.php
user_agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
watermark: 1359593325
Extracted: formbook 4.1 (hs94)
Targets

Target: 231113-01-Formbook-47d372.exe
Size: 548KB
MD5: aa54cc75551a0903c7c6ad095791cdd7
SHA1: 47d372a19fc28e8a825adb9511118fb15fa6c9ba
SHA256: f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
SHA512: dba879ded111d8bfe690795ff7a9afb4d6497debfcebe8c48962907a3933f431476398f9cf72fd849272abc19a49734be774d3090ccdb6b83f848221f723bb42
SSDEEP: 12288:r0VlgZ+9iPOxgFyxiXauAia7jebblCKEh0:rnsxgQxiXauAn2b5C
- Formbook payload
- Suspicious use of SetThreadContext

Target: 231113-02-Gh0st.exe
Size: 152KB
MD5: b59b8b60633f4477d0160dfaddfa6899
SHA1: 6702a138fb55ea3e15ab8a030f499925e4f02c1d
SHA256: 6504d3d732a500bc1ee7cf81f2d00cefccaebed175cc1eb1df13d82d9b83e5d5
SHA512: f5e8e4f4a0c22a5bfb2b406f6662236e11693a1066f2e4937a8b8389d22735b683287b8d75b0eac1dc8e04667fa8864e24682065ca8944e9ae16be492b93a411
SSDEEP: 1536:QVU7YpxuKobIY6TgTJhJh5tgpIy4TzfOMM/BQkZQA:QuoxQbIY6TgTKtr1
Score: 3/10

Target: 231113-03-Formbook-f8862f.exe
Size: 1.8MB
MD5: 4176f7c4f301d2e844abdf4c8a7298cf
SHA1: f8862f6c2815a6c4aa5e8a7d46c1b66318d5da93
SHA256: 66546bdf1106858267f20b74f7aea13115252e74c3a5f85482b70e564f660f0b
SHA512: 541f802a68e083580215de1143d07f25af8bafdbff93ee984ec737c7f6714d9b201bfa80f9ac6b23355362fab2ed6d6445ecdb2dbf9df8497cee1b2748b5b4a3
SSDEEP: 24576:SHstQKeB1JqJlLlRNouIKZqzPApw2BDO+7nLl2n/7a5Ox30UDLap:SopeBXqJou8Cw2BDO+70nW5YTv+
- Formbook payload
- Suspicious use of SetThreadContext

Target: 231113-04-Formbook-ffda62.exe
Size: 184KB
MD5: 0290553016df26e4890f66f68d91a23b
SHA1: ffda62ac3fd831ec2e95410f6ffa5b70f4455da1
SHA256: 9a4b43e60f5fabee97075207242bcf5127e8ef726277667f050234fc35e1c810
SHA512: 57b46657b9962789a7969a9f6aa1141cb41c4d78e9d4618576f3fb7ff41a50f30d0d13e507ddd01b7a356faff5c4f1f339c949d2996df52509e3e10edc24c475
SSDEEP: 3072:qH5Dkc7/uZA3Am36ZSYOwIfZ/AEZ1gHSu6nV5Gs0vSo:a+Q6Ibw8Z/AEI6ntSSo
- Formbook payload
- Deletes itself
- Suspicious use of SetThreadContext

Target: 231113-05-Frombook-678f18.exe
Size: 2.3MB
MD5: d260f22156670128176057ceb8283285
SHA1: 678f18a7578c1943fd22cff0e7ac500cd95ca389
SHA256: 8da211e160945b8260cb4a52216028ca93f0aeb0b468186e48af68525e01d892
SHA512: 953f55ec4f2414189a189b03e87cc42fe2be2673862617c245b4b7759697d45768e98a05663bbd96020c7778b54591b044102695f20e1a6163d415e9379624b9
SSDEEP: 49152:zmUjlGU/DDjqvOS6iy3iWOY+YLqaLOlTTrbs69V/:zH3cy3im3L67s69x
Score: 10/10
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Adds Run key to start application

Target: 231113-06-AgentTesla.exe
Size: 530KB
MD5: 4e2367b54883a215b874f09ff299475a
SHA1: a1669c0d2e4791e6996149602f6b9502f74f3eae
SHA256: 8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
SHA512: 8e54ac718e3e8d4b7fdb7c2455895686b071bac61b2089118fbc9a29ca4eda1008bb83424312008db3a8b8de9aaebf3d287f1169bfc87c707519a51341597549
SSDEEP: 12288:P0VcgMUZPqFQXEtXogTQI0I/cGT7zJqJmxYWNtP:PZ0PqKAJT0CzJdxYetP
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 231113-07-Frombook-b13b6d.exe
Size: 329KB
MD5: 721d7f2dfc6c49e0e11e87361ac493d5
SHA1: b13b6d2d1e9eca3f87c22d6f2eebbf39b0ee6e0b
SHA256: 818f9ba3c7565feb703c742d5e4a8134582cc419dbbf315df8e96a2eacc3b710
SHA512: 48f3a6ceebd2dfd13eec4a9889b83e7ffe1c92d84f20861c3968bbbf2a9d5a05e0031ef27d50557be2f658661c64700818ec33e797f82b7fed7fa093a643a5b6
SSDEEP: 6144:wBlL/9bp63FQUD4MAwlpKd9mgTRm+YMCpGAqgQM5KEDTgYsMiJw75r8Uo3ues8y:C/bpeREMAapKd9jTs+YMCpGJM5KEDTge
- Formbook payload
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Target: 231113-08-Snake-d91fed.exe
Size: 496KB
MD5: 1b278305cb4e9f2127d141e7bf35208c
SHA1: d91fedc2f515fe0b94f808700c6c94d123bbf6f9
SHA256: 0fcc6d53f8ef84332db1f7e6f884870964ef6b6d718000cfbaaa224dcb5fb90e
SHA512: a858319b18666671f1f94cd41789cef35cb526e36482b622deb9b64ef98fbe4c851ff204c68714183ef6f5be4c2ffe312ec419065a32e3b486925d89f1eab85d
SSDEEP: 12288:wcR4gPI6771YWj8+rhD9TvwsJVXAlonR8HFBN:tN7ljB9rwsJ9ny
Score: 10/10
- Snake Keylogger payload
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 231113-09-Snake-1c2c3e.exe
Size: 125KB
MD5: 2a733f0fff0f3b5d01d1a11837d1db16
SHA1: 1c2c3ea80cfb3cab2b5aa655e7bcabd04a06c759
SHA256: fac0ceb2a8b38f28f0e167613d7bb732621ba060543a5a7cc3566734c717a84a
SHA512: 89b8ddc01a8a3252ce9e1c041671cf5cb91f2be2447989883b84f599eea93a3aac9dedf4491f910e1a6115c3806477b780fe3ace3f5e6684812d1272d1bb295e
SSDEEP: 1536:1R2lYen2RwKeRWJF8Atp+vBUFMlY6OgkKwBmsb+o16MFigB1b/zu2C/mKRJpiOW2:72lYlqsF8A8OgMz1b71qLwBgnvgbY
Score: 10/10
- Snake Keylogger payload
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: 231113-10-Redline.exe
Size: 399KB
MD5: b42248f56f3df85e63aa0f41e0bca0d7
SHA1: 96ad673a7c5e6a6a8cca12c8fadfffc1d240014f
SHA256: 189597859f74a7db84a4bc3d49b4464e4023a6df1c6c28b948239401f9291c25
SHA512: dd9fddc46ba4ac29dc700497f809bb089f7828db8a1f5984f3088ad2df0ad4e82702e8f95f50bedffa6180863290e245ce5d299eb4858fc937ef6cd7f59eb74c
SSDEEP: 12288:wXfp/8W1Jf3XbWlajGJ/q4EbRcMmnVwyxjeWF/s11v:wXfrJvEaj+/q4EbRcMmnVwyxjeWF/s11
Score: 10/10
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload

Target: 231113-11-Lokibot.exe
Size: 458KB
MD5: b16f61dceaf2256373c594735b8cbf4e
SHA1: af44533a826dfd5f732fb107dacba00c686835b8
SHA256: 20fa2e8a490cd396fd059d2a6996a00a33dd3ffbca083cd6873eb14fc56d177b
SHA512: b79de47166e2eac9c0485726b2a72c78d3091734afed5c418636f7b1ff74725b8db895bd188db55141e401c29d282e50b60f3791fe0e4279709f0a3cda171091
SSDEEP: 6144:AxxG0VMiG0g6PvH7CW6JfddFRoRsjNrrSggrlWasvAdxA2wAQpSixfb5fuTFXFLp:N0V1gVW6PdFK02gONvogyft4FZPjsPh
Score: 10/10
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: 231113-12-Cobaltstrike.exe
Size: 6.0MB
MD5: 82162d22a57da0916f939341994d8a70
SHA1: c44229b799ba687cf25948f9933bc848844d48f8
SHA256: c06b7c429d664ab28086c4ff45d704838d28d1f2492ad8d8de15ec0bae01e9b3
SHA512: d848417f7eba6d2fdae9839b12305bd7dc963200d626f4f361e1e6fa87a084eeb31d59c5a20e4d7eb3ff015848ec80991560aac8a566fbc26b435e5f4d072e8c
SSDEEP: 49152:NW+0bVXeQqZUhh4r5VC9PI+Kt/KaDZL/kUkDU199XPUprpB5Qxb/DR2UGovAJg8z:NWpbwQqZUha5jtSyZIUb
Score: 10/10