Extracted

Extracted

• • Target

    14052163e50c197697c64b143.exe

  • Size

    17.6MB

  • MD5

    14052163e50c197697c64b1431b42271

  • SHA1

    df301332faa73c3d5f915fde61df2fc9de21a61a

  • SHA256

    4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

  • SHA512

    124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab

  • SSDEEP

    393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

  Score

  10^/10

  strratevasionpersistencestealertrojandiscoveryxmrigminer

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • XMRig Miner payload

    miner

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2behavioral3behavioral4

• • Target

    Antimalware Service Executable.JS

  • Size

    713KB

  • MD5

    c958a31d5e439d5b0d01900e5a85992a

  • SHA1

    fc40d0ef637fe55fbaf83e8f4891e008ac736df6

  • SHA256

    e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

  • SHA512

    2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

  • SSDEEP

    12288:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBO0Xzaj1B+UquKbLZaQlx+2CRQlD+EhajH:KOmMdaDXBuOdAAxcHaMp7yk0AaDhlLBc

  Score

  8^/10

  persistence

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral5behavioral6behavioral7behavioral8

• • Target

    EmbraTor Mac Smash Bullet.exe

  • Size

    1012KB

  • MD5

    5d57e6b8aff1ec900f553789f6796648

  • SHA1

    f9a953cfe6decb237ed98c30faabec8654d99171

  • SHA256

    3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

  • SHA512

    d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

  • SSDEEP

    12288:GgOVcYdHbAQkn+DXp79oN/LrveBU2vvFk/hHVEStxJX:GgOnDXToN/LreBU2vvaNtz

  Score

  1^/10
  behavioral10behavioral11behavioral12behavioral9

• • Target

    Java Install.jar

  • Size

    92KB

  • MD5

    c55f9247eb8ea19af96292f0893f86b5

  • SHA1

    bd5e6884b8151114af7e45a92525893f4d2aaabd

  • SHA256

    16ed7004aa68efab0eda75b3f9bff11508365a4224ef859c91f93029bc441284

  • SHA512

    3efab4ee9e3c9d81efd4e2f164c0a2ae72f688cbd0068cc44a063bf4787ba65b8d2a644ac2f7704fbd059d0ba96665aeff46c2bfba820fb42df06eea7e87ccdb

  • SSDEEP

    1536:QL/61A/qP1+9Qc1+jxjciQnGSzPsRBo0fpL9mjMT8mMhe3gnHGvPvxKpjHr9Uy:QLn/qP1CQpjEGyP0Bxf99mYTX3gmvKLn

  Score

  7^/10

  discovery

  • Modifies file permissions

    discovery
  behavioral13behavioral14behavioral15behavioral16

• • Target

    MsMpEng.js

  • Size

    24.2MB

  • MD5

    690d57b0d8670391bad0876cae078bab

  • SHA1

    32bea01d606128c606b71e19920099c6cb15030f

  • SHA256

    b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458

  • SHA512

    dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4

  • SSDEEP

    49152:34aSO/UYGzBMZ09d1X5EdS76+B0RX8DQQs8ReDlpgU3HApVeOGMmb5cUNWcGTRPk:H

  Score

  10^/10

  xmrigevasionminer

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • XMRig Miner payload

    miner

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral17behavioral18behavioral19behavioral20

• • Target

    Windows Driver Foundation.vbs

  • Size

    984B

  • MD5

    df00d1e54f85ae90f2f69b73a34c90f4

  • SHA1

    1d3e521a8efc17334f4f578432d5af0bb1ef1951

  • SHA256

    2c5907389d374ed9efb86194a7f0f954349c93a7bc67b99c3d6b59bfc0d8296c

  • SHA512

    5636973f61dd7cce413049f246b5ede00c736f4ac333508a2176b65524327080e17ac97260cbe908fc2d0b18235ee6d7f7a74c808a7ceaddb9ee6518452fa618

  Score

  10^/10

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  behavioral21behavioral22behavioral23behavioral24