67a0d78569f6f02ec5062d9bbf5d995027e57445613b163b5511eae2d8bc6773

Sharing

Copy URL

Twitter E-mail

General

Target

SAMWARE[1].rar
Size

19.8MB
Sample

240502-bz5yxsdc6y
MD5

d35ba3860b635c2a2c9511c92e06a0ed
SHA1

72bbb05829c4dd21570a1f75111bf5bebba6211c
SHA256

67a0d78569f6f02ec5062d9bbf5d995027e57445613b163b5511eae2d8bc6773
SHA512

31eed83ff0174c7cbf8ad1157b5a832f9f4caa6ac8eb6ca584ac9f280fb79f011581a3b5b8118bd2c44567b0bc840af2be3f06e48188d957b80a538447b201f5
SSDEEP

393216:JzgkHeDViyKeLzCqo2Ciu8n/qr7XsyzxVKWSSjh8zPNdmslqaAdC90R9jfVp2Kw5:aweDVic+T8n/qfXDzxYY2dlq7C90Rlf4

Score

10^/10

Malware Config

Targets

- Target
  
  SAMWARE/SAMWARE/SAMWARE/SAMWARE-Free.exe
- Size
  
  7.2MB
- MD5
  
  6ec04fa24f0695f286801366108942f3
- SHA1
  
  309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04
- SHA256
  
  ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78
- SHA512
  
  d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5
- SSDEEP
  
  98304:cMYzS+CQQ4vBmVK0Psj6+qU483Aj9urJBSzrAhzZVT6e3JKPfjV4ZTNy6oeZ2gCc:KS4qKsW80FIryV4fZo0/
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  SAMWARE/SAMWARE/SAMWARE/Serials_Checker.bat
- Size
  
  862B
- MD5
  
  70b7863d0ca809751200f9300cd21033
- SHA1
  
  8f9fca90e24ec21c00b539b82256ed6cd9712ea8
- SHA256
  
  ed63d2195825398b5523fcd9cd312b775c0fe3f4cc0472c9f06edeb8f32c325d
- SHA512
  
  d5d7d05d5e1861b88ce660c9a2939a3a7891a1e70d65171b347908b8e1c9ece9223b487fddc34a1f100e8401d2d441b1488bb7728caab47075c90fc0448041b6
Score

1^/10
behavioral2
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/AppleCleaner.exe
- Size
  
  3.6MB
- MD5
  
  da2176757b2fead6539243b42057cb3c
- SHA1
  
  e14195bd4066e90c821caabd6ca63a173c1ca802
- SHA256
  
  1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
- SHA512
  
  b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
- SSDEEP
  
  98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/AppleS5-DEL.exe
- Size
  
  3.1MB
- MD5
  
  6af7ea6d60309e7a05339a72accc2074
- SHA1
  
  1ccfcccae4a481c29c8b142715a9dee070918df9
- SHA256
  
  eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63
- SHA512
  
  bd5e87af04689d7ba11f4d08dae3396de3260d0af8d5813a664bce4b4105f1721b2cbddfc3c8bfb1013f357581b2841790ae523213fa5487c9b39b12198bdc2d
- SSDEEP
  
  49152:WMn54uFpQJqpleSBtthqtwRTJP8fOa9pu75KEpIj4ZVCbshPW6G9VSpnZ:AJmeqt31qOaPIUEnbOePWv3gZ
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral4
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/EventCleaner.exe
- Size
  
  219KB
- MD5
  
  9353ed7c3ba8e2417ce2664ae7afac16
- SHA1
  
  05699a2a2792795db1d8f59273172ad80bdc8b06
- SHA256
  
  069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628
- SHA512
  
  cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262
- SSDEEP
  
  6144:Qtzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SmDqzW:QtzE5elwLz9TrVeW
Score

9^/10

evasion ransomware
- Clears Windows event logs
  evasion ransomware
behavioral5
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/Fivem-Cleaner.bat
- Size
  
  1KB
- MD5
  
  74e7b9574aea7d121519ceaa8f5cb522
- SHA1
  
  97b634ef75ce87383ec4d5344e84e7abda65a523
- SHA256
  
  2e4462f3d686ccfff602b779941ff385144ed683d638b2ed49d552f88df88639
- SHA512
  
  a7dec954de38bb44478c0cec51fdb111f98ecd02587dd25dfb46a641cdc3c95554985216d5dff8cc81a077c2d1808061e033a4a30084d948226917c4ed98913a
Score

8^/10

evasion
- Drops file in Drivers directory
- Stops running service(s)
  evasion
behavioral6
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/FortniteCleaner.bat
- Size
  
  1.5MB
- MD5
  
  2429db21a224c48fa6b17e55a6762328
- SHA1
  
  f86eb0c2de25e8970add83b66253d3f18b0994e1
- SHA256
  
  365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778
- SHA512
  
  0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23
- SSDEEP
  
  49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b
Score

1^/10
behavioral7
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/NXTcleaner.exe
- Size
  
  3.2MB
- MD5
  
  644399a0aff07bd4f7dc1eb5aa5c0236
- SHA1
  
  243f1f7bb95af8d3c44a270772f408c6febb06af
- SHA256
  
  5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758
- SHA512
  
  73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508
- SSDEEP
  
  49152:MVmDUcyg2ImpoHJSt6Ia+CZEV2o8vMT3/nwlU5igpWV7JEW8np2Klad4j0Vs:MsgcypOSUI+qmJo+QZladTV
Score

10^/10

ransomware spyware stealer
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral8
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/SAMEWARECleaner.exe
- Size
  
  3.3MB
- MD5
  
  5f876b340b56f98e820816ec05e56d34
- SHA1
  
  3bcdb73f1672e21776cf0ce0c96c8d5496f91586
- SHA256
  
  08cf4a012c0aab62dc068e7a20fd1582f215f927c4185481da60ada9b636d282
- SHA512
  
  52497f6e6235da94dcfd84570df876905102e60b5ef030a6f445649c7b789574b09794a47640c27dc4d78fea0efd67cf1578532c8112ae24057da06091901cb9
- SSDEEP
  
  49152:kKtU2HL/scLu2asJ5RGCBF1hdgKtS5jwiCmNAlNsYmYmWA5IxfRU2Sph0afojHBX:BtqfsrgqSKA5jJCuAluvWA6fUD+0oB
Score

10^/10

evasion ransomware spyware stealer themida trojan
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral9
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/SAMWAREDeepCleaner.exe
- Size
  
  771KB
- MD5
  
  344806d69d5895c4a178cb32278ca18f
- SHA1
  
  dac2dee6f31fe824cc639ccde87be0c83687e1a3
- SHA256
  
  5e7647b583e649e29af7662c858cac16041a8088e6f5deffa6f1d0148f460476
- SHA512
  
  2377db2048e1aeaea71b79d2fdf2090789c7c5d73cf0e02727e7c7ac6d9b024e6bcb4b40744bb5dd8166620e6a735b60c6cf7f3fccb39e27c309f988351c71fd
- SSDEEP
  
  24576:PP+pvZyI9oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JPQIFfUnI8M:X+pxNoxlj1CBMeIFjKuQdGhSaApNrWS0
Score

8^/10

evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
behavioral10
- Target
  
  SAMWARE/SAMWARE/SAMWARE/cleaners/full deep cleaner by nigga mhatt lol.bat
- Size
  
  902KB
- MD5
  
  602ac0bd731b2615933dde1442e96ff7
- SHA1
  
  586be9b5bb086aa301eea7df5ee998390756b912
- SHA256
  
  97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07
- SHA512
  
  d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb
- SSDEEP
  
  3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn
Score

8^/10

evasion
- Stops running service(s)
  evasion
behavioral11