General

  • Target

    00deb73a1738a3b3bfd9504b70775d668581f504481c7f37c20831504f9b77aa

  • Size

    624.9MB

  • Sample

    231231-chq9wadha6

  • MD5

    f22adaa0dfabd5881d45c3bd79e5780e

  • SHA1

    95d321cf181c53a0ca3c0d6975728a47d7cb1fd1

  • SHA256

    00deb73a1738a3b3bfd9504b70775d668581f504481c7f37c20831504f9b77aa

  • SHA512

    f1fa66cdfd8cb5a424260e954827363c2871266e003acb4a65b2ec66da4b9175a6c18a09968f3aba0df5a35a6cd415dca5a86383ace47bc2b2beb4302197ecef

  • SSDEEP

    12582912:6PfgdWzhS6yMcQiHZLM1uart1Y9TfRyZD8ZF78RPCDucSTMcGfreIvlz7o5NPggN:6X4WzhiMiHZotx1Y9TZy48R2CKv17oUm

Malware Config

Extracted

Family

darkgate

Version

4.1

Botnet

general7

C2

http://zochao.com

Attributes
  • alternative_c2_port

    9999

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    true

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • crypto_key

    ehxLJhIdOExtNE

  • internal_mutex

    dcbCbK

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    general7

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

slim1.thruhere.net:7171

slim1.thruhere.net:8181

slim1.thruhere.net:1000

erorr2.webhop.net:7171

erorr2.webhop.net:8181

erorr2.webhop.net:1000

viper34.servebbs.net:7171

viper34.servebbs.net:8181

viper34.servebbs.net:1000

Mutex

AsyncMutex_IoIaww

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1150363626331451392/diQm3_-LAtuDqv52znxS979lWgZku3L6w_1YxVEt-0J336JdLcEM-R02NLCvYjDtnmBt

Extracted

Family

redline

Botnet

youtubeads

C2

185.241.208.44:35361

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

dugpanan.ddns.net:2247

Mutex

cdb09b7e00330671fe79126230922d8b

Attributes
  • reg_key

    cdb09b7e00330671fe79126230922d8b

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

warzonerat

C2

94.177.217.207:5200

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

camera-shadows.gl.at.ply.gg:48659

Mutex

97b58a06e9c88b28bf2602ea3047ff4b

Attributes
  • reg_key

    97b58a06e9c88b28bf2602ea3047ff4b

  • splitter

    |'|'|

Extracted

Family

darkgate

Version

4.17b

Botnet

AA11

C2

http://94.228.169.143

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    false

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    true

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • crypto_key

    jujITkHwUiQMkA

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    AA11

Extracted

Family

quasar

Version

1.4.1

Botnet

ABBA

C2

72.18.130.237:7321

Mutex

679ea829-cf42-4e9c-97a1-58411c2e0617

Attributes
  • encryption_key

    EAB4034DBBDD510051D9D34D60A8DB173C15B207

  • install_name

    Update.exe

  • log_directory

    Task

  • reconnect_delay

    3000

  • startup_key

    MicrosoftUpdate.exe

  • subdirectory

    MicroServer

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

nodetecton.duckdns.org:5552

177.106.210.102:5552

20.197.224.91:1098

Mutex

90af1c5cf8c345

Attributes
  • reg_key

    90af1c5cf8c345

  • splitter

    @!#&^%$

Extracted

Family

vidar

Version

5.8

Botnet

c2abfb0e7157a4fe8c1096547c466cbb

C2

https://steamcommunity.com/profiles/76561199555780195

https://t.me/solonichat

Attributes
  • profile_id_v2

    c2abfb0e7157a4fe8c1096547c466cbb

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

0.tcp.sa.ngrok.io:14488

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

raccoon

Botnet

0da2e3700aa6f05465fdfc323d371488

C2

http://94.142.138.19:80

Attributes
  • user_agent

    GeekingToTheMoon

xor.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

6.tcp.eu.ngrok.io:15392

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

stealc

C2

http://95.214.25.241

Attributes
  • url_path

    /29dca981ee82db8c.php

rc4.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

NEWKRRR

C2

IROEXJDS.WORK.GD:2301

IROEXJDS.WORK.GD:2302

IROEXJDS.WORK.GD:2303

IROEXJDS.WORK.GD:2304

IROEXJDS.WORK.GD:2424

IROEXJDS.WORK.GD:2525

IROEXJDS.WORK.GD:2626

IROEXJDS.WORK.GD:2727

Mutex

AsyncMutex_6xxxx434

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Home

C2

185.81.157.153:100

Mutex

AsyncMutex_home

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

microsoft-virtualpc.duckdns.org:1177

Mutex

a22f01d30c37339e652f2f834002ccfc

Attributes
  • reg_key

    a22f01d30c37339e652f2f834002ccfc

  • splitter

    |'|'|

Extracted

Family

kutaki

C2

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Aloshcapz

C2

telachapesu.com:6606

telachapesu.com:7707

telachapesu.com:8808

Mutex

AsyncMutex_Aloshcapz

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

11 SEPTIE

C2

esteesparahoy.duckdns.org:7000

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

microsoft-virtualpc.duckdns.org:4782

Mutex

E2YATkLA294znzRxeX

Attributes
  • encryption_key

    gTJCDtT0AcfvyNJB5Vqb

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.1

C2

mo1010.duckdns.org:7000

freshinxworm.ddns.net:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

vidar

Version

5.8

Botnet

569c252f73517f386dcc9086d37bc4ab

C2

https://steamcommunity.com/profiles/76561199555780195

https://t.me/solonichat

Attributes
  • profile_id_v2

    569c252f73517f386dcc9086d37bc4ab

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Targets

    • Target

      сентябрь 2023(570)/00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49.exe

    • Size

      652KB

    • MD5

      50d3fe24b4b57469167b40234893b668

    • SHA1

      8daa76666366781a4c057a0c6191bdf97d9277d7

    • SHA256

      00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49

    • SHA512

      e61ab6648a1fcd2aea2bb645d5de2e6a921e7630af8929b7d48fb61a9f4e6c7aa6e1af0a0efab16a957c421ebb5a8637ada193da346f3f02d2a83c5fe89c0b2a

    • SSDEEP

      12288:7Zg188alukx+SVnDkzvkzaNasKbk9ma8lE4JSWj0k0Bupjeeeeeeeeeeieeeeee3:7SpatVngzvkiQaEzkB6MxF

    Score
    10/10
    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Target

      сентябрь 2023(570)/00985db874d9177de4a18999f7a420260b3a4665ba2b5b32aa39433ef79819df.exe

    • Size

      481KB

    • MD5

      82c7c522cdc0901d92b51e3134694ce0

    • SHA1

      16bdc73d5c8f7b2a9c88c67c5ffe65b54e6ce5dd

    • SHA256

      00985db874d9177de4a18999f7a420260b3a4665ba2b5b32aa39433ef79819df

    • SHA512

      dd9e2841ee24fe5c249408fa8df73840a018d158123d6769fd43190c95ddd0a9b246aaa764a6cc43e4f503723db23a30d903825b09e59eae8645d2f39797d3e1

    • SSDEEP

      12288:h3UfhXnGqWoLl8NZdk85scA9t8WBvQog37MKMZyqnuQ/LmAg:hiWqWoaNZdk859A9t8WBQ937MKMZy+uL

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      сентябрь 2023(570)/0110e1c3c1bd79626a55e770490d4ceba396e907c4cff4ec8d7c7293f6915e5d.exe

    • Size

      15KB

    • MD5

      4ff01cbc0d241becc42c762c7aba5f43

    • SHA1

      db9b78306832022c3d23f0be749bb63d7dc29de7

    • SHA256

      0110e1c3c1bd79626a55e770490d4ceba396e907c4cff4ec8d7c7293f6915e5d

    • SHA512

      0f630d6336ee07a8fa39859310a8d4729b39402edd3efe538037d2da96b891662e3fbcaf0564ae0e224d98d8a8e08d70e8d1bbe42a4aafce81389b271e6bfd6d

    • SSDEEP

      192:xsPFgKBeKpBIRL4CXE1Mzpe/RaSuu/pabagFjwtFwpB0assgAV2Pt3Q5tfMcT:xsPOC/wlXE1MNGRa3uYugTK3M

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      сентябрь 2023(570)/018f7e7da2bf6e6cfd768c6ec8c568e0866654bd03eeb1e672d115811741e6ba.exe

    • Size

      246KB

    • MD5

      cdc39c2b9ad647c285c16e734f8a42ab

    • SHA1

      18ea017d22592adce69d7bd9dabca3f3336d3602

    • SHA256

      018f7e7da2bf6e6cfd768c6ec8c568e0866654bd03eeb1e672d115811741e6ba

    • SHA512

      37003ddc3f7ebf119b496b68e526351e62521e08aa916530147ae9f940690b4f89037e45e08bda0e6cbbb98de7b31479be2ccfb45e8c91f78430a80306e8c078

    • SSDEEP

      6144:iF5QP2lHLJIGWj4RjZotIWspGzgu4edgthBuVTtL:iLiUHZWj4R5WsAxsBuBp

    Score
    10/10
    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      сентябрь 2023(570)/01e5ebc2c096d465800660a0ad6d62208a5b2b675e3700f3734fac225b1d38bd.exe

    • Size

      4.7MB

    • MD5

      54e8ef4a553687f5421256f9b792327c

    • SHA1

      a31332d8e142d883391c624b53484987bbe3bbbf

    • SHA256

      01e5ebc2c096d465800660a0ad6d62208a5b2b675e3700f3734fac225b1d38bd

    • SHA512

      81ba774fa364b6b7edc6fa737b66a75dec5539d9dbba1ed711d47d64bb3441969cbafe463738c8fdff681b75f2b35cd9a828eff275dea5a781e41ba11780df4a

    • SSDEEP

      98304:99g390hVkbxZY5Pgz9atWYiBCZjTxB7Z7sQt8K1DrP:I3eQvY5Pgz9atWYiBCxHt47K1Dj

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      сентябрь 2023(570)/01fc4ee8bd9cd9c2ee70ccd486f4f3d1fdd42f40fffc6ab66e9f3973f2000e14.exe

    • Size

      631KB

    • MD5

      11fe0dcda9aee42fcee0a34b93f614da

    • SHA1

      0091194332c80cc2fad2539dafd3f5e13b56b69c

    • SHA256

      01fc4ee8bd9cd9c2ee70ccd486f4f3d1fdd42f40fffc6ab66e9f3973f2000e14

    • SHA512

      037549484e88fa545abbe092e58ac07fa09b5b74c486ee50a01d5949eb1ba8e28e4e93548a328b31403f499d6e781c57f942587c386252fb81314b8fec50799e

    • SSDEEP

      12288:lG2iNy8OgbO2f9J/KcdTRSoDgXJPa2eFZa0Px6B2a+FV/DdR+d:lG1k8Oqf3/Kue9alF96B18Ddgd

    Score
    3/10
    • Target

      сентябрь 2023(570)/0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804.exe

    • Size

      1.2MB

    • MD5

      432385402013c4f7301767eff3d81929

    • SHA1

      249c107d10b2590bcae805663343723ad8f794bd

    • SHA256

      0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804

    • SHA512

      798e303a2829225c03dbd29634bd5fef5a63e9f1bbf57371d087eeb34715cd096d18e2e34c4c418a44af0954a756fa2c816eb4e9ba56e9aecb95b9133a1d14fd

    • SSDEEP

      24576:V20lhvrCxcONV5EjvWkq9kqpK6dRE1Iu/zu0Gs9W5mq9N1YwmXnEPUozh0gd:Ighvuxccgb1qpK6dRozu0r4NZmX7+Zd

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Suspicious use of SetThreadContext

    • Target

      сентябрь 2023(570)/0322477813c2550386f1bfa31c31fd9f70b4581df866d0a9b068170b2f6d3373.exe

    • Size

      300KB

    • MD5

      932fedbdcfb766561e80aa60cbf49f50

    • SHA1

      880e555a43c9a937755ad8eb9a0320c74fb53abd

    • SHA256

      0322477813c2550386f1bfa31c31fd9f70b4581df866d0a9b068170b2f6d3373

    • SHA512

      a1c0b3428ece76c8330e74aefa1dc4e5a8c5d307bec3f3415a7fe98f4fed86ce2e443ebe5383a6ad63279b5381cca0973e0beed023b0f90ca156afd2917040d4

    • SSDEEP

      3072:+vbSno5heDId0acndOvVmWlQVheIdSEB6sL2iHQeT6IdjAUu6KC3:eIMesd0aAdOtThIM0Lj+IZAS

    Score
    10/10
    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Target

      сентябрь 2023(570)/036db747914ccb896aa34f6c58f9f7b2343fb031c2fef98558925526941ad74b.exe

    • Size

      2.0MB

    • MD5

      b1c405577c64cb91aceae1beeec5a6cf

    • SHA1

      ba1a03540f1cbe62ceb6523093a288682380d5ee

    • SHA256

      036db747914ccb896aa34f6c58f9f7b2343fb031c2fef98558925526941ad74b

    • SHA512

      cecfb576bf878d7ba27d64cda129894daa84bfce99dd30e66e77af877e64d24c6cf427b31f5e5196a6a6bf778a5b5ad38d7505034c9109b26283a49becc061d7

    • SSDEEP

      6144:1A8BdXQQd50VIfoEWlvf4Dxqa0aeytsnHCH5:DXv1VWlX43tw

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Target

      сентябрь 2023(570)/045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee.exe

    • Size

      353KB

    • MD5

      ea43f0645fd447ab4201f8d695876740

    • SHA1

      6d0f0a6000cb9a2d4faf45eeac86ac7b6cf2dd08

    • SHA256

      045cbc9ff518aa3bf58f568868c326af3ea7dea491e2543233885ecbaec30eee

    • SHA512

      bc232de46325c6ff6272d37bd1170dbb5d10e8ba2faa9db8fd5c24891542f1c0149a54787deb10a57a55a4a1efbe6d370e8f0270408f563b775d34bbc6d380ee

    • SSDEEP

      6144:aSOvOmqgkVGrLda6FvB76uWBM+evnWI+Xiw:ah71kVGHdaBuH+efWI+Xi

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      сентябрь 2023(570)/057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75.exe

    • Size

      609KB

    • MD5

      725cf8ad8ed8f096e03cd373c8abde91

    • SHA1

      c8fa598234529b94280bdb8fceeeeafe326f9575

    • SHA256

      057e86a5c22e1d0cc4a2c0e189fb5f118859a2554afcb111ebc280af9dc05c75

    • SHA512

      52bed1b613f897e6354b1c05d55880400937f288c8a7e32a3d4c15ce58e1efe25f7889114ccaf46626141491b862cfbb6f896c49ae200e686c70797617a07f8a

    • SSDEEP

      12288:ICn9t5725IAGZ64fzBt3hQJ0FyqNI6EO96f4zU2c1MlBBW75NJiaxmwS:ICEQk4VzQJvqNI6vMwzU0XBfaxM

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      сентябрь 2023(570)/0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53.exe

    • Size

      243KB

    • MD5

      8fc19309b5cea833bcd32517aef20e6c

    • SHA1

      6e2e8cab3c4dfe75f99d12cf9cff7fd9ce322a34

    • SHA256

      0593d290e0110f628cd3922e52e1997354d1eaaf40f2ab192c5d12c811f5ba53

    • SHA512

      34033761eb90f87e48a9edfd93819f3e1bffeb9a32f6504c76dc70de78521f6ff57b4ad1121d7eb9149df0d30d10db653fcde8ae7d94340a488682c8f0f314ff

    • SSDEEP

      3072:5W1+KQuqZdPACX/VIlBuPMVEOqFo67UFMQBzttxq8i7u5s5cPSPTrbp:52c9Z5AOVAEPUEOq5UqCwyP0TJ

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Target

      сентябрь 2023(570)/05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa.exe

    • Size

      196KB

    • MD5

      49d8743b2ca1a7b66775d58fbf1945da

    • SHA1

      93291502aca15f8f12db3b4143d37e2824af2cbb

    • SHA256

      05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa

    • SHA512

      693f4f69ebaf32c7d17bd51aab24acafc6113b198c9b5f5b8b0933d76fd828556f0ee1acdd3bd864ce146a73cdfed3ff6b5b86cfc6cc8ada3943dbd3d7a330bb

    • SSDEEP

      3072:iHhTzLMu8J2m6XSvoX6Ymdr+GZ/agfrZ84C5ER3QRK568bTTTR4P:WTzLM34UgXfWqGZvfrU5ERu2TTV4

    • Target

      сентябрь 2023(570)/0651c1ebd22042c0f18964dcf445e7b4f350b2d7d01413040860a2187fdea5e3.exe

    • Size

      578KB

    • MD5

      0b9da7d4b218ae2f3c4b3468f101aa16

    • SHA1

      b32a3c69b824058276deae3b6d4ff950c659974b

    • SHA256

      0651c1ebd22042c0f18964dcf445e7b4f350b2d7d01413040860a2187fdea5e3

    • SHA512

      154289f7543a60957589391c4966831ab613da82d5af918ed49e19013d5797608ff2537a0e5c975be48d1217b3bd4324daa883f45445889cac56aa3e16a23f81

    • SSDEEP

      12288:TgjuPVrZZEA1tp4sVtRA+wYIRAIRjpztBPWhCiWbIynEs:TEuNr1tp4sVT5IRAIRjYhqICp

    Score
    10/10
    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Target

      сентябрь 2023(570)/07656dde7e964ab7e49378a310d439f5c3201528ec707e0b1a138d5c61b8d63a.exe

    • Size

      523KB

    • MD5

      2ee45a8f29a2a9650ecf303ba28ddf87

    • SHA1

      36fc7927deda663b5dea936f952e047a28ce1ed5

    • SHA256

      07656dde7e964ab7e49378a310d439f5c3201528ec707e0b1a138d5c61b8d63a

    • SHA512

      3be0aec6f0e7a13c69a81760ae1aaec7990416071087a4799f11ec9852ba475d80e6b5481b7f45f9f444747cec13160a5c015f2e6fb4dde0f79a8ad94333c046

    • SSDEEP

      12288:QjVtZ5/eTpd/upd/E2PKhk246c4MrgrMU0OViUYQF2xRTSns:QjTZ5GsPKWTQMQViUY1Xss

    Score
    3/10
    • Target

      сентябрь 2023(570)/0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25.exe

    • Size

      401KB

    • MD5

      f111e4ac9108f1bdbb1205b23abe1d28

    • SHA1

      66484a2da4e8a5c63c2f0ff551c281b9b9e031cc

    • SHA256

      0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25

    • SHA512

      b2c032ba315415b15ef8e020f4472c29e56e3a1de69a2e126bfd5c5ca2581ffdcd7cb17fffb0656c4306b058fc740d1bb31dc165eaff447896faf9254bd7bdf7

    • SSDEEP

      12288:GYIro7VTc2oUVyl793J0rUrWbcG9m+gkOYTth:GYKo5Tcu0993Sgi94gOGth

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Technique: ATT&CK ID (count of matched signatures)

  • Execution

    Scheduled Task/Job: T1053 (1)

  • Persistence

    Scheduled Task/Job: T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job: T1053 (1)

  • Credential Access

    Unsecured Credentials: T1552 (3)

    Credentials In Files: T1552.001 (3)

  • Discovery

    Query Registry: T1012 (6)

    System Information Discovery: T1082 (10)

    Peripheral Device Discovery: T1120 (1)

  • Collection

    Data from Local System: T1005 (3)

    Email Collection: T1114 (1)

Tasks

static1

general7, vmprotect, rat, default, themida, youtubeads, mybot, hacked, aa11, abba, nyan cat, c2abfb0e7157a4fe8c1096547c466cbb, 0da2e3700aa6f05465fdfc323d371488, upx, newkrrr, home, pyinstaller, lammer, aloshcapz, 11 septie, office04, darkgate, zgrat, asyncrat, agenttesla, redline, sectoprat, dcrat, njrat, chaos, warzonerat, quasar, vidar, raccoon, mimikatz, stealc, privateloader, risepro, merlin, eternity, kutaki, lumma, empyrean, xworm
Score
10/10

behavioral1

lumma, stealer
Score
10/10

behavioral2

lumma, stealer
Score
10/10

behavioral3

darkgate, general7, stealer
Score
10/10

behavioral4

darkgate, general7, stealer
Score
10/10

behavioral5

Score
8/10

behavioral6

Score
8/10

behavioral7

tofsee, trojan
Score
10/10

behavioral8

tofsee, trojan
Score
10/10

behavioral9

vmprotect
Score
7/10

behavioral10

vmprotect
Score
7/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

vidar, 569c252f73517f386dcc9086d37bc4ab, stealer
Score
10/10

behavioral14

vidar, 569c252f73517f386dcc9086d37bc4ab, stealer
Score
10/10

behavioral15

tofsee, trojan
Score
10/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

xworm, rat, trojan
Score
10/10

behavioral19

Score
3/10

behavioral20

Score
7/10

behavioral21

Score
3/10

behavioral22

Score
7/10

behavioral23

gozi, 5050, banker, isfb, trojan
Score
10/10

behavioral24

Score
1/10

behavioral25

smokeloader, backdoor, trojan
Score
10/10

behavioral26

smokeloader, backdoor, trojan
Score
10/10

behavioral27

lumma, stealer
Score
10/10

behavioral28

lumma, stealer
Score
10/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral32

agenttesla, collection, keylogger, spyware, stealer, trojan
Score
10/10