Extracted

• • Target

    .

  • Size

    146KB

  • MD5

    199f2cb418b3bbb67af234b8499c2577

  • SHA1

    8e1d482fc76fe9cfd5f3bc03020ddd234b6403b0

  • SHA256

    801f39a832a874089683a32d34b75d834147658644608cf3fa899f350dad026e

  • SHA512

    996481a21ac91d3c005dfd56074cb67455362586b57a2dbc60d71dbea76a0a75a864e7ca583c9f06b45ac3f27b3f1018284c7577408bf183cff333c5cbeeac7e

  • SSDEEP

    1536:oWkud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DvHhqiS:pkPLFoVsllXmxBHhqiS

  Score

  10^/10

  dharmalokibotagilenetcollectiondiscoveryevasionmacromacro_on_actionpersistenceransomwarespywarestealertrojanupx

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (650) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Office macro that triggers on suspicious action

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action

  • Stops running service(s)

    evasion

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Registers COM server for autorun

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1