General

  • Target

    The-MALWARE-Repo-master.zip

  • Size

    198.8MB

  • Sample

    240301-1bn3yade61

  • MD5

    af60ad5b6cafd14d7ebce530813e68a0

  • SHA1

    ad81b87e7e9bbc21eb93aca7638d827498e78076

  • SHA256

    b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

  • SHA512

    81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3

  • SSDEEP

    6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

C2

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes
  • reg_key

    b9584a316aeb9ca9b31edd4db18381f5

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Targets

    • Target

      The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe

    • Size

      2.7MB

    • MD5

      48d8f7bbb500af66baa765279ce58045

    • SHA1

      2cdb5fdeee4e9c7bd2e5f744150521963487eb71

    • SHA256

      db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

    • SHA512

      aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

    • SSDEEP

      49152:bbevayZlMTWkygVy0nQZfVY2BtZzpPL4PuQ65+6Dv7m0KXTn:bbexZlMQcEVY2BtZzpPL4WQI9U

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1

    • Size

      148KB

    • MD5

      9d75ff0e9447ceb89c90cca24a1dbec1

    • SHA1

      ebae1054d69619e9e70c9b2e806edb9000d7feb9

    • SHA256

      f2b33edb7efa853eb7f11cb8259243238e220fdc0bfc6987835ba1b12c4af1eb

    • SHA512

      6df94dbe3681c1cb572d63e54a6753b3bae7075b86507f33f152795c6e61f1feac6742986d7c72a2834f28c85d0a1890bb31b5888b98b29754300dceb63e210d

    • SSDEEP

      1536:t1hWmKdZ9WmQTt+6KK2Ml+dZyx6wVIWiwiuvro1d2C91q5nYaY4vV4KBmX:t1hYZQtTt+02G+dHgMuzWZ1qISVkX

    Score
    10/10
    • Dridex

      Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Deletes itself

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6

    • Size

      140KB

    • MD5

      925da3a10f7dde802c8d87047b14fda6

    • SHA1

      1fc59fbf692f690b9fe82cfafc9dcbd5aac31a68

    • SHA256

      c94fe7b646b681ac85756b4ce7f85f4745a7b505f1a2215ba8b58375238bad10

    • SHA512

      82588188de13f34cd751da7409f780c4fc5814da780fe8cad1fa73370414fb24b9822fc56f1f162d0db4a5c27159c225bc4d4fb061a87cb3c0d89b067353a478

    • SSDEEP

      3072:X9z9zjy6WEba5uuoLPhiVF3NT5nNpytoQE:X9J9gu0td5nN4

    Score
    10/10
    • Dridex

      Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Deletes itself

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601

    • Size

      212KB

    • MD5

      c26203af4b3e9c81a9e634178b603601

    • SHA1

      5e41cbc4d7a1afdf05f441086c2caf45a44bac9e

    • SHA256

      7b8fc6e62ef39770587a056af9709cb38f052aad5d815f808346494b7a3d00c5

    • SHA512

      bb5aeb995d7b9b2b532812be0da4644db5f3d22635c37d7154ba39691f3561da574597618e7359b9a45b3bb906ec0b8b0104cbc05689455c952e995759e188b6

    • SSDEEP

      3072:Te8LOIa22GwayjbzJ4xgAW8NeN00w7Aoalm2HdTStgjuPaMe+H9tJA:iUOIa2sZjPJJQiw4igjAL

    Score
    7/10
    • Deletes itself

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da

    • Size

      132KB

    • MD5

      dbf96ab40b728c12951d317642fbd9da

    • SHA1

      38687e06f4f66a6a661b94aaf4e73d0012dfb8e3

    • SHA256

      daab430bb5771eaa7af0fbd3417604e8af5f4693099a6393a4dc3b440863bced

    • SHA512

      a49cc96651d01da5d6cbb833df36b7987eafb4f09cc9c516c10d0d812002d06ae8edee4e7256c84e300dc2eadad90f7bb37c797bccdee4bad16fcaf88277b381

    • SSDEEP

      3072:uItv1YJOQnVc2pEANuoUeyCx9CC5O86BJaoqsf:xrr2pEANuXCx9Jd6c

    Score
    7/10
    • Deletes itself

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827

    • Size

      152KB

    • MD5

      6164228ed2cc0eceba9ce1828d87d827

    • SHA1

      cea5bc473c948a78ce565b6e195e6e25f029c0c6

    • SHA256

      7fa83f0588f0f50d0635313918137c05cb59aa672d842f864073aebb72c66195

    • SHA512

      b53ac27397ce5453fa008d1a2e98f9f66be7d7f08375b92c88007544c09ab844d6c8eeceb2221c988e0a0d6ffc2a8a290e49715e3062a74bcd2310d41bffcc37

    • SSDEEP

      3072:VqD/ri6AM4odK4J663POAQgG8rYKvh+5Nl:V0xlIBwPOA+8Zhu

    Score
    10/10
    • Dridex

      Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Deletes itself

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2

    • Size

      628KB

    • MD5

      97a26d9e3598fea2e1715c6c77b645c2

    • SHA1

      c4bf3a00c9223201aa11178d0f0b53c761a551c4

    • SHA256

      e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

    • SHA512

      acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

    • SSDEEP

      12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

    Score
    7/10
    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm

    • Size

      93KB

    • MD5

      b36a0543b28f4ad61d0f64b729b2511b

    • SHA1

      bf62dc338b1dd50a3f7410371bc3f2206350ebea

    • SHA256

      90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c

    • SHA512

      cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037

    • SSDEEP

      1536:0sqG3SkDNIVXnR8TeYSSkCXgN+Uu+j6XJaRqWD/0ACKNONUhfy:0sNrxWXnCjiubXKD/EQA

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

    • Size

      8.7MB

    • MD5

      799c965e0a5a132ec2263d5fea0b0e1c

    • SHA1

      a15c5a706122fabdef1989c893c72c6530fedcb4

    • SHA256

      001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

    • SHA512

      6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

    • SSDEEP

      98304:VqGMOLT5E2Dy8Ji6LrDl3bTMsEplZ1GW5w+Aw:wGMOLTmaHjLXl3bTMsEpf1x5

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742

    • Size

      8.7MB

    • MD5

      76fe4fdd628218f630ba50f91ceba852

    • SHA1

      6e90f2fe619597115e5b8dd8b0d1fb0c8ad33fa4

    • SHA256

      041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742

    • SHA512

      7956505ae0d8479a92ddf97bb09a757566ef526934ee06b4273f0fc450e4da9204808ffa4f4674f4e6e313eb718a7c65f258ef8d23b9769b8aa12d47610d8011

    • SSDEEP

      98304:f27or8Dynb9c4EHv9/fW/NQXPvTCaedHuaJE3fSdCnKg27Xk:f27or8DyO4UnwQfvTCXdHua4No

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

    • Size

      8.7MB

    • MD5

      0263de27fd997a4904ee4a92f91ac733

    • SHA1

      da090fd76b2d92320cf7e55666bb5bd8f50796c9

    • SHA256

      0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

    • SHA512

      09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194

    • SSDEEP

      98304:bKwGam/zeDrZCDcryHlc5Qp+FLk0h6u9SrS2D8t7Xk:bKwGam/z4C3FKQ8FLTh6u9S4

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

    • Size

      8.6MB

    • MD5

      ae747bc7fff9bc23f06635ef60ea0e8d

    • SHA1

      64315e834f67905ed4e47f36155362a78ac23462

    • SHA256

      103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

    • SHA512

      e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

    • SSDEEP

      98304:rDSceJ/GqDu6P0ypQ0Qv5knSTH20ejwBcHjI7Xk:rDSceJ/GqD18RZv5knS720e7s

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86

    • Size

      8.7MB

    • MD5

      3a371a09bfcba3d545465339f1e1d481

    • SHA1

      7f5712878929aab6a2ab297072a5a5f3d3c15a01

    • SHA256

      2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86

    • SHA512

      35efc5129316ea697f1f4591c37e70c74b643942cdb3cb1aac6a0f14f5d133da39c0c393439490bc059361e9feeacee3d4056f88700f56dfe1088ba0ab22613b

    • SSDEEP

      98304:f/VrKprvLVtb8E0dD71puy219CZ2gT3/3Khbw+Aw:3VrKpjROndH1puy219CZBShb

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01

    • Size

      8.6MB

    • MD5

      819b0fdb2b9c8a440b734a7b72522f12

    • SHA1

      f3aff7e1c44d21508eb60797211570c84a53597a

    • SHA256

      30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01

    • SHA512

      fee2c0dbbc91e2486e409e8b6a877c6ec500e6c7c0491d4c44d37006c30de79b95dd4640c7c8c8efcc920abccbdb659a590fde1e2526126279b7486778d08b5a

    • SSDEEP

      98304:zhPTaS9ki2kJxOU/ci9Z6uHFg3+QIEvRihdF7Xk:dPTaS9kitnEi9Z6uHq3+XE8z

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5

    • Size

      8.7MB

    • MD5

      8f0cb7af15afe40ed85f35e1b40b8f38

    • SHA1

      525f97d6e7e3cbb611a1cf37e955c0656f4b3c06

    • SHA256

      3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5

    • SHA512

      bd9e97b4042d89e081eced5781149b0d8e28a6e9d35c2a449a21aee26765ed8eea560434ba5e9a897c4e4c89d7a2b8997e31ad4ac2202a940b8731a5f447170d

    • SSDEEP

      98304:xFjhn+LznCFajBKs/Q1N4KGWISZOLor5lkFIGGw+Aw:Hjhn+HCS4s41N4KGWISZd5lrGG

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619

    • Size

      8.7MB

    • MD5

      682ac123d740321e6ba04d82e8cc4ed8

    • SHA1

      088a8c8c2b7f9db92ec0ae39e1dc77c8707d3895

    • SHA256

      453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619

    • SHA512

      26ddc0a1b91337de2314465f82f3a02ec478f32708fa91b7cdf75fc235eda7b3cf7c495616145dc29fc081ac4398cab5aac0d42978ea694fa183518533fcf4ad

    • SSDEEP

      98304:i7ihKiuH4QpmHh/vN0SyDbQy5lZGJJRgOX5f4y+n47Xk:i7ihKiuH4QIha1PQaZGTRgOXxR

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

    • Size

      8.7MB

    • MD5

      97cfb3c26a12e13792f7d1741309d767

    • SHA1

      a010f85cdda9f83cbc738eb1b41cd621f3d6018e

    • SHA256

      5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

    • SHA512

      162028b9e93bb4718427304a96767880da7094c99ae6145e61a562f09dae0ce6726b2dfac95782990f50fa9bfc9f82b1aacb9e7b12442094137872fa8a3f3379

    • SSDEEP

      98304:yM1SkPCVk8rOmgYcGrr69gRQTI6xmiiLuSESStOAco7Xk:yM1SkPCVkIgcWAQ06xniLuSExR

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c

    • Size

      8.7MB

    • MD5

      3fe7b88a9ba6c5acee4faae760642b78

    • SHA1

      bae245bc98c516604838c6ce5a233f066de44a50

    • SHA256

      6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c

    • SHA512

      02abc8d4fe280306a9ac6a25d28cf174a8d51a43d98b6837bc129701d8c0ab486eebaeef11062b58c455627d4de7c8782b3828aa02891fe439ca1ca617038f95

    • SSDEEP

      98304:g4K0/V2eKEDj+VK61qXXiQqwMwUa/f0OstejSUVv7Xk:g4K0/V2eKM+D4SQbMwX/f0Oskz

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6

    • Size

      8.7MB

    • MD5

      d4e533f9c11b5cc9e755d94c1315553a

    • SHA1

      9e15020cd2688b537bae18e5f291ee8cbe9a85e7

    • SHA256

      7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6

    • SHA512

      149226355b2e5c3fac403289b5e66bd4164a7aee76d8dc8f1d698c509db7a081bad9d4172cc950bb0e6e6909e0073d551dcde82cbeaaf61a9c1b02c9ba48fb38

    • SSDEEP

      98304:H27or8Dynb9c4EHv9/fW/NQXPvTCaedQuMBiHAUU4C7Xk:H27or8DyO4UnwQfvTCXdQuMoUj

    Score
    8/10
    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd

    • Size

      8.7MB

    • MD5

      b2e0eede7b18253dccd0d44ebb5db85a

    • SHA1

      ee5db9590090efd5549e1c17ec1ee956ef1ed3d1

    • SHA256

      7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd

    • SHA512

      5608fe7bde5072de7c98bacfe7beb928e6073be87c0fbccd8075c808d9a7c642abe254f6eb620d627f5324e35821fc9b41a31970264abcc472adfbe2c214a9fe

    • SSDEEP

      98304:zbc+G4RTwJg0GTvmF3D4cQ1XmkPF0ihOehaOE3Ok7Xk:zbc+G4RTwJGOzfQYkPGihOekj

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5

    • Size

      8.7MB

    • MD5

      100bff2f4ee4d88b005bb016daa04fe6

    • SHA1

      36e5f8f70890601aa2adaffb203afd06516097f0

    • SHA256

      90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5

    • SHA512

      a1cb52bc6edaa7f8bb216d2a5f3deb0b8468c64b43931ef570c05e6a9872c63f00aff50d69686fdc2ea25d3d83da4bf9d78f5e6910643163570d0bd6279c6e16

    • SSDEEP

      98304:wRINZeR9Zy031d3eDi2dZQT3/S1GVlOre53ziKZ7Xk:wRINZeR9Zx1CFDQD/SQVlOrKr

    Score
    8/10
    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948

    • Size

      8.6MB

    • MD5

      4842d5cc29c97aa611fba5ca07b060a5

    • SHA1

      f93772038406f28fa4ca1cfb23349193562414b2

    • SHA256

      9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948

    • SHA512

      cf1cb3f0291f3e0c3b47ff3ee9074b624e2d9781f9637d14ede0628ebb4b8b0fe13e16583f6a933a3e20872ec084dc812237f021757efe2a6d527a0a1723b5c8

    • SSDEEP

      98304:JcZJWD3qZL7I9lysBfU9OWQcIImfWoezuA+dTlwO0Fz7Xk:JcZJWTqZLGlHsHQl3fNezuAI5g

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86

    • Size

      8.7MB

    • MD5

      c947363b50231882723bd6b07bc291ca

    • SHA1

      7b9a425f09da9be5dda5facff18c5fd15eed253a

    • SHA256

      985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86

    • SHA512

      45f511f6fe78bba853789f85549c8ac591b7812e2fc969a13148bbd1112fa356f6a1ee88a22a907e7f62ef79a0d14d75681eecd2a17f027d105afd381f161184

    • SSDEEP

      98304:vM6uc5LRC1PApsX8mygFiQS8Mi0e6oIOPxOGdG20t7Xk:vM6uc5LRCepmPEQXMir6oIOPoCM

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      The-MALWARE-Repo-master/Botnets/FritzFrog/d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485

    • Size

      8.7MB

    • MD5

      aa55272ad8db954381a8eab889f087cf

    • SHA1

      d7df26bf57530c0475247b0f3335e5d19d9cb30d

    • SHA256

      d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485

    • SHA512

      5590c039eb50708fe8fe417a5b5adf1d9019db0590dee119d0907bb588114bcbeb980c5ec7f3f77e85aefcbba76c1560e8b81069434ef5774ca60b1e28dbac20

    • SSDEEP

      98304:WjLz0rgRnuINVhcBSTDQaQqfViO7tauT8Xu4RM7Xk:WjLz0rgRXVzP5QkViitauT8Y

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

    • Deletes itself

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

MITRE ATT&CK Enterprise v15

Tasks

static1

macro upx aspackv2 macro_on_action geforce host stealer guest darkcomet njrat modiloader remcos revengerat wipelock
Score
10/10

behavioral1

danabot banker botnet trojan
Score
10/10

behavioral2

danabot banker botnet trojan
Score
10/10

behavioral3

dridex botnet
Score
10/10

behavioral4

dridex botnet
Score
10/10

behavioral5

dridex botnet
Score
10/10

behavioral6

dridex botnet
Score
10/10

behavioral7

Score
7/10

behavioral8

Score
7/10

behavioral9

Score
7/10

behavioral10

Score
7/10

behavioral11

dridex botnet
Score
10/10

behavioral12

dridex botnet
Score
10/10

behavioral13

persistence
Score
7/10

behavioral14

persistence
Score
6/10

behavioral15

Score
10/10

behavioral16

Score
10/10

behavioral17

antivm infostealer persistence
Score
8/10

behavioral18

antivm infostealer persistence
Score
8/10

behavioral19

antivm infostealer persistence
Score
8/10

behavioral20

antivm infostealer persistence
Score
8/10

behavioral21

antivm infostealer persistence
Score
8/10

behavioral22

antivm infostealer persistence
Score
8/10

behavioral23

antivm infostealer persistence
Score
8/10

behavioral24

antivm infostealer persistence
Score
8/10

behavioral25

antivm infostealer persistence
Score
8/10

behavioral26

antivm infostealer persistence
Score
8/10

behavioral27

antivm persistence
Score
8/10

behavioral28

antivm infostealer persistence
Score
8/10

behavioral29

antivm persistence
Score
8/10

behavioral30

antivm infostealer persistence
Score
8/10

behavioral31

antivm infostealer persistence
Score
8/10

behavioral32

antivm infostealer persistence
Score
8/10