agenttesla | 5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Resubmissions

23/02/2024, 03:45

240223-ea6qpsaf9t 10

23/02/2024, 02:03

240223-cg4htahg5x 10

Sharing

Copy URL

Twitter E-mail

General

Target

5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9
Size

285.1MB
Sample

240223-ea6qpsaf9t
MD5

be703c491575eecc60d4cbd09c3205e3
SHA1

69aad609e9e6621bd83881d116adeeba72f77249
SHA256

5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9
SHA512

610f0c81ea41b8ab884a27a30374ed6642e2e07d59b575f8c10b94b360f61437b7e1b1b2b853dce12351dd83d9d6f45a900605dada6c35521ea9c8e9655955ae
SSDEEP

6291456:ELXxkOxmKeHhrX/CNQMH5QeV1ubbxbuRi2zer2FoIxIlPUHDIy:gpxDeB8F5QhHx72zeUoI6q0y

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

agenttesla

https://api.telegram.org/bot7013847015:AAGJ9U6sgMmsBCQ0DNkHT8DYuslAtpiqCbA/

Extracted

Family

gafgyt

185.91.127.233:23

103.82.20.7:42516

93.123.39.166:671

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

scan.rebirthltd.dev

love.booter.cat

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

Botnet

BOTNET

scan.rebirthltd.dev

194.169.175.31

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNST

Extracted

Family

njrat

Version

im523

Botnet

Hacked

0.tcp.eu.ngrok.io:19599

Mutex

3a8ee47129614a8ed745ed44d22e4759

Attributes

reg_key
3a8ee47129614a8ed745ed44d22e4759
splitter
|'|'|

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

13b150f8ef23499092

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

patria.duckdns.org:1998

Mutex

85f10a8a09aa4

Attributes

reg_key
85f10a8a09aa4
splitter
@!#&^%$

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

UNSTABLE

unratio.funpass.services

scamanje.stresserit.pro

Extracted

Family

mirai

Botnet

WICKED

Extracted

Family

nanocore

Version

1.2.2.0

0.tcp.ngrok.io:18237

127.0.0.1:18237

Mutex

25d94285-e644-4394-8a59-361d828035f4

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-11-29T08:14:25.249811736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
3988
connection_port
18237
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
25d94285-e644-4394-8a59-361d828035f4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
0.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

amadey

Version

4.18

http://147.45.47.35

Attributes

install_dir
0a25b59f74
install_file
Dctooux.exe
strings_key
57658e7aa84093060e0ebefa5ad4aa45
url_paths
/bDjkb2xSd/index.php

rc4.plain

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

amma.myftp.biz:1177

Mutex

5067798511594293a736c9b0b92fa333

Attributes

reg_key
5067798511594293a736c9b0b92fa333
splitter
|'|'|

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

amadey

Version

4.18

http://147.45.47.35

Attributes

strings_key
57658e7aa84093060e0ebefa5ad4aa45
url_paths
/bDjkb2xSd/index.php

rc4.plain

Extracted

Family

njrat

Version

im523

Botnet

Лошок

5.tcp.eu.ngrok.io:13326

Mutex

1c7d94c93e29463dd3914e19ee6714b6

Attributes

reg_key
1c7d94c93e29463dd3914e19ee6714b6
splitter
|'|'|

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

BOTNET

scan.rebirthltd.dev

194.169.175.31

Extracted

Family

risepro

193.233.132.62

193.233.132.62:50500

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
valleycountysar.org
Port:
25
Username:
[email protected]
Password:
iU0Ta!$K8L51

Targets

- Target
  
  e0324f9407031cdea025049097bf0d30a80f02eeb6e04a5d1d4a21eb8d703bc3.exe
- Size
  
  2.2MB
- MD5
  
  b1c4be84e40e10b9ff3eb14074b402af
- SHA1
  
  c792a0dc991474d0d5feba031983f67e6efc35fd
- SHA256
  
  e0324f9407031cdea025049097bf0d30a80f02eeb6e04a5d1d4a21eb8d703bc3
- SHA512
  
  32da555bb9ba29f0b7762407732b5e9a4c4d815aac8e7c4bc97c4a5dc07b6b5b26d63db605fca971c5321fde52a48b4c4fd868cf0711f055af6810f6a5302a2b
- SSDEEP
  
  49152:oipYE7O1mpoToQJQnE+R2tXBsahaBIWRbLJJZj9W8bQY5ezjYsU:IIpolJQfRmXB9oLxJTj9WNY5e4J
Score

10^/10

risepro collection discovery evasion persistence spyware stealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
- Size
  
  4.3MB
- MD5
  
  ae2b1b79c7579bb64b1640303f88c05f
- SHA1
  
  aca79755589eaaaffb9d8beb477b0d3df50982c4
- SHA256
  
  e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f
- SHA512
  
  b5bad1bb105f85edb7389d1e2914e54468e7871aa46baf8395f985cbe2e8d9cda1da24dc2245c4bcf6de28ca8fc176b35be6af4a489c8f2cef4c4cb1b595aa27
- SSDEEP
  
  98304:oHj/GBkxFCBLVvr/jsfLy+y/rk3zw/EZk9oaE9AyiR2BWoA:w/ciFQVvXsOqdZydH20oA
Score

10^/10

evasion themida trojan mirai botnet
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  e226857f5c5f9a274825a537fe84a8d636b5d920368f20206089a99b56d7de7f.elf
- Size
  
  123KB
- MD5
  
  b7c3e42502fb69b7ae243db09b36a53d
- SHA1
  
  f8a6584152eb3eccb579f92b91d5379c21fc369c
- SHA256
  
  e226857f5c5f9a274825a537fe84a8d636b5d920368f20206089a99b56d7de7f
- SHA512
  
  eda6aa89e2a6eb61d76621feaac93de248551e36c8ede80c2891bf2af1c453dd1dabafa8008b51588846741cec705fc7ab0ebd324042d299b0b98a7d8347c47e
- SSDEEP
  
  1536:yEsksTuVY80FkbkgcQBkrBN95rxtgKR83tchphak2yEmsEt9/skYEP/UDjSQrD/R:nFgrBNProKhphak2Mr9/nYEP/UnSQf/R
Score

1^/10
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  e268df66fb92ff6e5b2719279c5bee5383d56a4b97add2c7dc0ede45d2aec175.exe
- Size
  
  1.4MB
- MD5
  
  032cc19c2a356047c9d6a952c55f593b
- SHA1
  
  d9be0c3c31ab6bce38157fb15609a6bd1a1c4d76
- SHA256
  
  e268df66fb92ff6e5b2719279c5bee5383d56a4b97add2c7dc0ede45d2aec175
- SHA512
  
  b61d312d0a4c45b6eb7c4a1353ffc2377d04341fc60c5b0ea67e19a5dc8d2fa283e03e51621f8e6513986b3d078f2d38c3fd7652bd2b85f9e8b44d501587268e
- SSDEEP
  
  24576:KXhgAcwd+KW2+Cuv6XWBFLB6Acwcr394SuAHisP3SH6CoffrF:Kmpw51+CuvrrQw0N4DACsPAoff
Score

10^/10

zgrat collection persistence rat spyware stealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a.vbs
- Size
  
  25KB
- MD5
  
  1551bbfea2c142e2bd5ecd100015a9e4
- SHA1
  
  bfb829ed539f0a34d80ef70d13a82163b6823075
- SHA256
  
  e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a
- SHA512
  
  e5cd1e9365d2555de804268dab3b38aed02bbe2a767a43a2712cecbc9e25e7cd3fcd7c7fdd71759f446da93c2d61bdfcbd295f71950f9916ff6befd64b11440d
- SSDEEP
  
  384:MviwoXl26mMYhPD5nvjaO8b/29/Bk+TZdR5X8nMPoa/pDF63NXEltOp:twonmBhPNraOo/29/N7nX+ioA63ubw
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  e4dafea0263823affefe445b40ea002c5f63b785cb3b18270b045b86b22ba682.elf
- Size
  
  38KB
- MD5
  
  f8367535fe42a1822bb5086fc51afc59
- SHA1
  
  aac3818015d307214de117eb99c95282bd9b3243
- SHA256
  
  e4dafea0263823affefe445b40ea002c5f63b785cb3b18270b045b86b22ba682
- SHA512
  
  f1af6462e31a7672c78b4380072cf9427d3396b2d03dc12aaf479357c0d7362de1aa3956b9ae292bc5cd6d013cb4d1bd0133d78db342699e542186328a3c2855
- SSDEEP
  
  768:IUq+7GXJHnlBJxdpiVpwDNE5a5GOQKod7ufLOTh6kN6t0QZX7jWd3uWPlxi2l0O7:rJ6XJ3Jx0pwDNERKkCol6tlLjWd3rl0E
Score

10^/10

mirai botnet
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
behavioral13
- Target
  
  e500b83db91a16021dc5f38a5cfacd4262a43c34bba5fa7211409e0ace06c85a.exe
- Size
  
  1.0MB
- MD5
  
  c97fe137ae1f90eff1e269cee50bbd03
- SHA1
  
  6bbd3375183ae7165bebfe4ed911a7436c518ae4
- SHA256
  
  e500b83db91a16021dc5f38a5cfacd4262a43c34bba5fa7211409e0ace06c85a
- SHA512
  
  13808cd71f267d6328c617f561c5aa120c65877ca3e6f936ac992099eb7a28649b67a0fb6e19f31ccf217e6a0d80dcb191d4a62bdddd11fbaccefe7b076f30c7
- SSDEEP
  
  24576:+iUmSB/o5d1ubcvi32l/pvcOa0mqL5mPAjZy:+/mU/ohubcvNlhZ5mPgZ
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral14 behavioral15
- Target
  
  e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15.exe
- Size
  
  3.4MB
- MD5
  
  4ee27e2086f3bae24a65d677185a98de
- SHA1
  
  8586cba64216c10301b82fea8a90637b574c0540
- SHA256
  
  e586bf17566b9188b9274097ddf059cf20569b87754f38e460c2fd884ae88a15
- SHA512
  
  bfeb2fab32ff3c6a8e27d2fcb342dc0fc840975a88efcf4d23585e2a289fc3c8f87e176a8d22eb800d3db889c719d20b549b51f7f6f65dd6477c5e534a5cb7bd
- SSDEEP
  
  98304:pQGxD61kWfdBnwZrU2j7A6F+eRvSQCKZUxR:SGxABwZ5/Aq+eHhZUxR
Score

10^/10

risepro google evasion phishing stealer
- Detected google phishing page
  phishing google
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral16 behavioral17
- Target
  
  e5b92c64269cc60d8db665c2a71cf0b7c917bb0585d833324f6e8c3a1d22025a.exe
- Size
  
  1.3MB
- MD5
  
  adcf943ca9a3cfaacc9eb925fac63a90
- SHA1
  
  86b1c5c717ca333cec5dba3ee3162e304bf0ae32
- SHA256
  
  e5b92c64269cc60d8db665c2a71cf0b7c917bb0585d833324f6e8c3a1d22025a
- SHA512
  
  0fecbf7f4e7392f5dc576ad86d7c86fa9209bf866be586c9b0355b5982bc9090de7ed0835d71ee7019333b20e711ae9559fa394073fac587d06d79caf097251e
- SSDEEP
  
  24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8ad8QnGDLRWHz0Mogq0x2Pj:FTvC/MTQYxsWR7aaQnGDLRWHYMo8
Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral18 behavioral19
- Target
  
  e6152cc4702000546accc8d72aed7cb2a17381fbfed6b2dae32a336e15440549.exe
- Size
  
  2.2MB
- MD5
  
  1129a9368fb37bebc17280be6a0585a2
- SHA1
  
  32745b44b02d59149c2dbf0a71ea20d443bca7c0
- SHA256
  
  e6152cc4702000546accc8d72aed7cb2a17381fbfed6b2dae32a336e15440549
- SHA512
  
  7bfa721677e3fd238aa4e94be7db2535caa087567133f30184f739d495b77e5afa71ae1b412d51b9c530642b097d48d60ab968354e567730bbb39c29e25bc1bf
- SSDEEP
  
  49152:CIu+1zq/WAw1GnD1OfE7X9pEDxDy9LMU9YDrg/:CIP1elwIDwpO3o2
Score

10^/10

risepro evasion stealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral20 behavioral21
- Target
  
  e7757fdf8b8e6b584cab959c54383e10065ba2aceb5dd653dd0566d4cbce1ec8.exe
- Size
  
  696KB
- MD5
  
  c4218b58d2302e31d13f88661f66c64b
- SHA1
  
  169b29b77b3e30db3a883762159b45856c421590
- SHA256
  
  e7757fdf8b8e6b584cab959c54383e10065ba2aceb5dd653dd0566d4cbce1ec8
- SHA512
  
  3de50ca942275f9ec40599691e06e6c0011a25199706f3dcab696158daefa6e627ffac4b0b777295d3dfb3fdb1137b274c81ae4cf04828db61c635894a2e4cf0
- SSDEEP
  
  12288:/k3jw7WkDA0CjZxYZ56i3ToFKlEsHj1Iiu+vht:M3jw7i0Cjc56YOK9vv
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral22 behavioral23
- Target
  
  e8028be583b1ea12a054ac8ae37abb2356e37f7c0aeff0ee40c17c9ac219973f.exe
- Size
  
  541KB
- MD5
  
  cca2004ec5d0ef164296b5d46f9ee868
- SHA1
  
  70f15c2aa1af1413b1d4be5268ab22d05be0146d
- SHA256
  
  e8028be583b1ea12a054ac8ae37abb2356e37f7c0aeff0ee40c17c9ac219973f
- SHA512
  
  b0104e137b1145b30a62a008cca1e493d16e55517a7e08154a5419a51f25a23150f4eb960fe77e8715d609136ae872fbff2ba1a32a19feab15526a2ad7750124
- SSDEEP
  
  12288:iRz7Z6olbSsCYBR2a/FtyG83sHYOZf+wTFaMdrroBPc2E:YkolbSsCmHOG88Z2yBdt
Score

7^/10
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral24 behavioral25
- Target
  
  e8ba4a43b8c03e1ea3ab83bed7c1c415cd17a289293a1e0e351da3ba85683eab.exe
- Size
  
  653KB
- MD5
  
  82a2300f5ac9771aac618047c1581dfc
- SHA1
  
  8caf25f2fd8ce3415998874a801e7f89f162c3af
- SHA256
  
  e8ba4a43b8c03e1ea3ab83bed7c1c415cd17a289293a1e0e351da3ba85683eab
- SHA512
  
  aa110a9dd610790af8dd94f17089cad127cf2d7887e862b84549befcb16a0cd45ee832ff2a3ed7d54bee51bdc8e7f713aa24266d70c16f84bec83a97fb30385a
- SSDEEP
  
  12288:vq8YtMZXW/3iR+Ge6aW3r19jn/yMVqdyDzRgSe26xeQazTtoz6I3LwL0Z6I:L2MZG/3iRJdhDz/y21RgSe2WPUTtMD3n
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral26 behavioral27
- Target
  
  eac1ffc2d94146ca2f9ae011468a19552430c78fc5c306dcf2d98edaf5273ead.elf
- Size
  
  65KB
- MD5
  
  74b8a568e27d1800ecdd098ecb6bd7cb
- SHA1
  
  25adf87d1ec2ac976007757b4adc1aba17ede704
- SHA256
  
  eac1ffc2d94146ca2f9ae011468a19552430c78fc5c306dcf2d98edaf5273ead
- SHA512
  
  757ba8595690ee646c4dd40c24a3147c35e27d3b3bfe7bfc907d20be8ba10db85ea0e1a5a8507b603f9a64b01da9dcaab255efc2bfbcebb437eba1b119ec42d1
- SSDEEP
  
  1536:ufOTQML/a+SoqOix4ku4qnYV1/n4xqEA8M3Cyi:38W/1SoqlxgnNqEbM3
Score

1^/10
behavioral28 behavioral29 behavioral30 behavioral31
- Target
  
  ec291f72135b5826eae935f229e4c1bc2bc14d3671c9001452be407fc130ca3b.exe
- Size
  
  2.2MB
- MD5
  
  879185bab33bfd8f52e1958155093bd2
- SHA1
  
  865d0dd25f9988da461328ec8eef160a31a57811
- SHA256
  
  ec291f72135b5826eae935f229e4c1bc2bc14d3671c9001452be407fc130ca3b
- SHA512
  
  010b6182ba5dd446c2a7ecfc72d97dd1257438e74923d7c96223e34c56064be392394402e848e163fb2bfb9022665f544903e7ab3819fd733b60e792b021a999
- SSDEEP
  
  49152:TsL6RlKy19ek1DOJ3aiXV1sawoef9QncLD8W7m9CNR6oOYdAojKahnLR1ybYqT:T86rK29P12L7saTMqnap7m9+dLjRhnLs
Score

10^/10

risepro evasion stealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Mirai

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Detect ZGRat V1

ZGRat

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Blocklisted process makes network request

Checks computer location settings

Mirai

UPX packed file

AutoIT Executable

Detected google phishing page

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE