amadey

Sharing

Copy URL

Twitter E-mail

General

Target

Downloads.zip
Size

75.1MB
Sample

240308-2cw1lsaa51
MD5

a0988d6fcd126c3c2a76190bb15b6c5a
SHA1

3c6c5f3e97c9228455a3efc416605df9cc991bea
SHA256

56ac86f444037f33eb84d1c4bf10ed74bbbba3a73da2d64f4608b27efef60866
SHA512

e6bc37a420ecb25cd0d17fff96381edf54b02c68f3573922a21a5a8a2f0b11e9440d7d8828386ffd81da515d573ab0a159a7bd28a71a3141aed0ac4ca9dd840c
SSDEEP

1572864:BRkEP+24LwPTQqWHo5liKDVfgeRxFFOcYIHr+oKtC7V7XzG8:BPm246TvHiW+enFpQC

Malware Config

Extracted

Family

xtremerat

hackerdecontas.no-ip.org

翿hackerdecontas.no-ip.org

Extracted

Family

redline

Botnet

cheat

91.198.77.158:4483

Extracted

Family

gozi

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.218.68.91:7690

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://detectordiscusser.shop/api

https://technologyenterdo.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Extracted

Family

xworm

Version

5.0

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Targets

- Target
  
  5geplik.ru.exe
- Size
  
  301KB
- MD5
  
  6528e3c44027d013e9b7d68d36120aa9
- SHA1
  
  2f7b08ac26a38de24c288ae9594e2847f3e0f518
- SHA256
  
  59bf58575e5cb95edd0cba98c8cc536ca096615260c43273dad177c353609f54
- SHA512
  
  71103b6333802ded57993e969c002f8f507b17e35449e0a2501f1920cb4f8761c1220247876a11c752c0dae07e9102780edf95ab5517390ac99e1295803fa5ac
- SSDEEP
  
  768:k8m1Sq4NQErBsH1tzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiiw8YqagXx:msq+QV4rObAdXWpf/y+Ub9giox
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  63geplik.ru.exe
- Size
  
  261KB
- MD5
  
  661b8bf0e1ab11c5544007cfed5234e2
- SHA1
  
  4bd8a08bb4b1cc8930d681ccd2a139263d611739
- SHA256
  
  4a442ef8863e6589bc6fad1e20cb6ca3b96d3d5be3d720f9875e004039195d2d
- SHA512
  
  3552092623d40a3baf40d53a039a7615ab7ed8dc5584e6c65fafda066b10809cb185a6f2eac41ec3273b40b0e2602f6be36c215bb205c02cd6a31cf82c672ce7
- SSDEEP
  
  3072:R7a/ESqMbn1mNa9bPWn2TzZCaM+CR+sqItssVN0rsVcVB255HqNW3:09bwNubP/TlCSotlVC4VcO
Score

10^/10

amadey smokeloader backdoor evasion persistence trojan upx lumma redline livetraffic infostealer spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  64cb42720817fd92283fc9dfac1e96dd1518d3ac0cd542701e14938f900b212c
- Size
  
  205KB
- MD5
  
  ea5bdba28c25ce240630a7a9de2d77e9
- SHA1
  
  fdbc9bbb4b35094670b74800fe249831786c8f48
- SHA256
  
  64cb42720817fd92283fc9dfac1e96dd1518d3ac0cd542701e14938f900b212c
- SHA512
  
  c5f8d4ba0956178acd3ae382a4dcedb68e9bc6482f8d874d0f2d9f90ef15eb8dabc97b910e9616d49f4b144af63ac68473a81a5a57f246a1993b538487b84e8f
- SSDEEP
  
  3072:ZRpAyazIliazTh+r/0XzhtQtfElMyQD7i9WdBfBqQGAG7G0qNACPPd1cs5/yZh/8:xZ8azQru/QtfEC40LfBqsG9rCrt/Q58
Score

7^/10

persistence spyware stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  CheatEngine75.exe
- Size
  
  28.5MB
- MD5
  
  8cef61e2080c38400698bc3265fd7f95
- SHA1
  
  a174b7dd8bd1eacfa6a9accd878c16bdc8aa1936
- SHA256
  
  cb73a9806e39e7c694cd79bbdb0fd3c836ec82810f6ded1852aa1ac9c7b3012c
- SHA512
  
  81781fdb49a3b949725ff508a96eef01599ff90c2fd42f104dda311cfb37dfb90d4aa38d0d4694634c3a469fbdac4c7421a5aee99067536848bbc50bda4658cb
- SSDEEP
  
  786432:0TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:02EXFhV0KAcNjxAItj
Score

6^/10
- Checks for any installed AV software in registry
behavioral7 behavioral8
- Target
  
  Screenshot 2024-01-15 8.57.49 AM.png
- Size
  
  88KB
- MD5
  
  9a7656a88a1945967f4df3cf49348bca
- SHA1
  
  a137dbab438ba26f66b0214f4ceeeb235ed554b8
- SHA256
  
  7d8c6e8fda24e1a038f0741982d9e62fc53ba2502d8371f4ec38b74525a68684
- SHA512
  
  b08d45b2739a838bb904a87f5daf2b1ff835d29f964fafca5a0f5957f7f3224aa23993e5cafef07d96b7d15a269100edc92eb398aab78c038a374a54b4e2ff84
- SSDEEP
  
  1536:TY+l3aCrlVXnKXz/rIBi8FvI3vaPInmSNxgNlTlCNmlFfPmmfpGWLtWB:cgaUKj/EBDFv4aPdSOPCNYHbceMB
Score

3^/10
behavioral10 behavioral9
- Target
  
  aware2.0.exe
- Size
  
  17.0MB
- MD5
  
  97cb8b3a2607a6ff9839e76ed7841ab7
- SHA1
  
  4cbb14b7d67aa40588c552d0372ed413925937a5
- SHA256
  
  e8ea10c3d64051d884a5814f499af8d7fdcff0d28baecb8d032763e301fb0e86
- SHA512
  
  ad083b6bab60ba7fa1f1eae42da932f36fc8b617c143c7794aae5fa2972b4928c53f40fc7d3faa6248c312ee703776dea3984c013cf22cb152c63a9fa1941609
- SSDEEP
  
  393216:LdG13d6KculSiTNZnyByA2AkUWzhDhQ5CEDcZkyPs6:hgcuYiT+XXQtgCEDcZky/
Score

10^/10

pyinstaller themida gozi banker isfb spyware stealer trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  mape2.pyc
- Size
  
  60KB
- MD5
  
  d4d58c18cf079a1a2cf2b25d1fb6fff1
- SHA1
  
  4a602163d3f07661920c8edf2d52fbdf3e7a6a73
- SHA256
  
  0fb712559f22faee51273103af60782f17e743e99d0717f78e106e3668d3b1bc
- SHA512
  
  49dbaf0be58afd08cd37e4ef78f0e8ca20bd53ef7a6b66e08d480f172a36cea9c1e948f81fe1b1a6779ff7e76cde2ad9e4d62f5a97325f9997428c957131dafa
- SSDEEP
  
  768:Gg1j8WoR/Z74Tikbh26iQ9PcOv33gzNJ7di8BTlk9eu36++HMae2kSXMcyY9:Gg1j8lR/V4xh26z33sNldiczsv12M1Y9
Score

3^/10
behavioral13 behavioral14
- Target
  
  creal.exe
- Size
  
  20.9MB
- MD5
  
  bfc2354891d7e2c18811d62221ceb0d4
- SHA1
  
  2dbaed797e3b2dcf2d0b2eed0738312fe6cc1773
- SHA256
  
  40c60131dcf9503afe01ed7f68162460debf1c11e3d8761515d002bbae7e0565
- SHA512
  
  5f1f0951fdc36f10c5cb56acb29ac61338a7b96f17265d0955e35c3a85f65ddd14dea67adfb7478c4c18839e67a79f9c6b13de7588d06290d2a237cfd88d941c
- SSDEEP
  
  393216:OEkZQtsJiP8AxYD/QETSrvJQ7tsrxzGxdgN8v1:OhQts7XjQEWrhQJssINg
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  creal.pyc
- Size
  
  72KB
- MD5
  
  1ceec2fc9a5af3276ee2886fee27c5dd
- SHA1
  
  9d11b07bc8f28f2176bd6d097258531b2fa38fb6
- SHA256
  
  70f5dfb5761c398395edc2f5a8ff5222eeb004c8a57f2ee91ec9e5be1da055e4
- SHA512
  
  41f4e9eec0a0e0e16d0a469960dc1a1b8840437bfe3cc6db72eee2633bb9a9e1781793850b706cbf12b56ac8ff4974ce7763eae08ea3addd9b2f5cc56ecc5c09
- SSDEEP
  
  1536:36TOrTSzYPQlWXV2IsBORbHBwG+ObIrSyKEgR2ez:31hv2IsBeWG+OuSyKEgR7
Score

3^/10
behavioral17 behavioral18
- Target
  
  geplik (2).ru666.exe
- Size
  
  275KB
- MD5
  
  b81c443ac8c4ba37ec8460ae94a3341a
- SHA1
  
  af4d873579cebc1486d2b89f1be9ec4721252a72
- SHA256
  
  4add0f8906e6fad4f971845761aad49fa1d0c7fbff554b2a78dfc2d1b25284e7
- SHA512
  
  0225e3bd1eaf58f7b0f04ea054780dc7d69de9fbeb805aefac8583449141125462550d4adc4153324f16cae0000bb064f53d252976a4bf8b304578cf5a73810b
- SSDEEP
  
  6144:q6Rk3IXDmAE71E8AxUT7X7DujDnwoZhnYtvoIECF5Htn:qN3UDXE719T7/uvnwoZ9IpF5
Score

10^/10

pony discovery evasion persistence rat spyware stealer upx
- Modifies security service
  evasion
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Disables taskbar notifications via registry modification
  evasion
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19 behavioral20
- Target
  
  geplik ru.js
- Size
  
  2.5MB
- MD5
  
  65449e1b1f857cb5168a2524d5d37681
- SHA1
  
  2a22c03165abd965b816f17dfc30c9d4fe826ac5
- SHA256
  
  3a5c4bcadbdfdae9975bd89b29a553cf249d1c9492f4f08e99a1468b27ac8306
- SHA512
  
  d6ef3418386bb3026aa0c8b236cb08393b458bff7afb6561e16ec9bda091c4a4ec1baf8130919b165b7096fe4ab0b80dbe2b7f9b791f84c4d3edd455517b6d6a
- SSDEEP
  
  384:oCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCd2ZCdV:3xxxxxxxxxxxxxxxxxx7
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral21 behavioral22
- Target
  
  geplik.ru.exe
- Size
  
  161KB
- MD5
  
  fb8ddd837ad8b94f1faf0b4920ce7b2b
- SHA1
  
  c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b
- SHA256
  
  29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
- SHA512
  
  db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74
- SSDEEP
  
  1536:IwYZ5gZyjech8y/nK/bobGPgeMWKQxljH3PBe/8YkfbM9Wzw1mE3SmJQENYmAzTa:YiZpyDz/WVPX/9CWz9xmJQMYmAzsX
Score

10^/10

djvu smokeloader pub1 backdoor discovery persistence ransomware trojan
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  geplik.ru2.exe
- Size
  
  1.8MB
- MD5
  
  b19fe476f4fd4be81746e50107301004
- SHA1
  
  e893c50bf22da4a4153bd492536261dba9e4a95d
- SHA256
  
  262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a
- SHA512
  
  19ed40890970d183b56dd45cf9f38ef75066c3680face9ed2bcb5366e066b9b12bcd21024f170a73c9bb2754c2d92d76dc63fd672970bf4fe318212954ddd59f
- SSDEEP
  
  49152:LHJrcZmUZotIKfuytRrnVFQ9vAbDn2D/pgYn:LprcZeGKfuytO9vAn2TZ
Score

10^/10

amadey evasion trojan lumma redline livetraffic discovery infostealer spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  geplik.ru3.exe
- Size
  
  6.6MB
- MD5
  
  72fcadf5196585dce72e2982da60fae6
- SHA1
  
  d4c6406f3de0eb0a98ef7d33440f7a920b6e9fca
- SHA256
  
  b3df220dc7edc143d630cd47300a4f5aa5c6d0ec4940209204084bf4880fa373
- SHA512
  
  bf8dbd66a4750c1c27098128c932373f2945c9f9f745011bb3910729a40eb9b81297c0deb36a69396415288d65326c7502e54519f8bf8a01a181bbbdf67b272a
- SSDEEP
  
  196608:YFAzFI0lsRlaQVM4vtsV5iyihCKqEkQt:oAI0mFVMG4EhTqEtt
Score

10^/10

zgrat rat upx spyware stealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  geplik.ru4.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

neshta xworm zgrat persistence rat spyware stealer trojan phorphiex evasion loader worm
- Detect Neshta payload
- Detect Xworm Payload
- Detect ZGRat V1
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Phorphiex payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  geplik.ru666.exe
- Size
  
  95KB
- MD5
  
  b116641699225bbcea28892995f65115
- SHA1
  
  b43f932fa89ba3ca01bbd7739a7e01d0508cfd70
- SHA256
  
  309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f
- SHA512
  
  ac921b0d78f61070903096d31a0cf8d6a80375fbbbb5f1c211bcc8b8d88d982b40cc9088991ddd53b0fe553b0e1bf1f779a2ccae0779c756bea269cd857d79ff
- SSDEEP
  
  1536:9qs+XqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2X3tmulgS6pY:r0gzWHY3+zi0ZbYe1g0ujyzdfY
Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral31 behavioral32