agenttesla

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Sharing

Copy URL

Twitter E-mail

General

Target

Malware.zip
Size

29.6MB
Sample

240510-vrrk4sgd7t
MD5

a183e3b120b7ca0a5db957a18a8c8845
SHA1

4936d61e6925e48b4f9d9db46183ecc4959a5758
SHA256

64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8
SHA512

3db1ca29268109dd43dae4f5d8e75ae537f5408fc9cf1dc2192eeaf251e5f970d7649cbcbecfac4a9533292164d14965424617a559960280ed0b78ade57ff240
SSDEEP

786432:Xxn+oCm/Da8WA3C5BENmtAWzdVTkqGY8NEXcJap4DFZEwnT:XxH/W8WAS5BENmtZ1kqGYi8pwTnT

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/2jTT3Lnj

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

cobaltstrike

Botnet

305419896

http://47.91.237.42:8443/__utm.gif

Attributes

access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark
305419896

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 23F-00B-36E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes

exe_type
loader

Extracted

Family

gozi

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

formbook

Version

4.1

Campaign

app

Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

Targets

- Target
  
  High Priority/)}ì~)J0ø‰º!Ã²@x&ÚâØaßHÍôõ.exe
- Size
  
  609KB
- MD5
  
  347d7700eb4a4537df6bb7492ca21702
- SHA1
  
  983189dab4b523e19f8efd35eee4d7d43d84aca2
- SHA256
  
  a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
- SHA512
  
  5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
- SSDEEP
  
  12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Score

10^/10

betabot modiloader backdoor botnet evasion persistence trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies firewall policy service
  evasion
- ModiLoader Second Stage
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  High Priority/2019-09-02_22-41-10.exe
- Size
  
  251KB
- MD5
  
  924aa6c26f6f43e0893a40728eac3b32
- SHA1
  
  baa9b4c895b09d315ed747b3bd087f4583aa84fc
- SHA256
  
  30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
- SHA512
  
  3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
- SSDEEP
  
  6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  High Priority/31.exe
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
- SSDEEP
  
  393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score

10^/10

agenttesla danabot formbook gozi 86920224 app i0qi w9z agilenet banker botnet cryptone defense_evasion discovery execution impact keylogger packer ransomware rat rezer0 rm3 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- AgentTesla payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Formbook payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  High Priority/5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
- Size
  
  669KB
- MD5
  
  ead18f3a909685922d7213714ea9a183
- SHA1
  
  1270bd7fd62acc00447b30f066bb23f4745869bf
- SHA256
  
  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
- SHA512
  
  6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
- SSDEEP
  
  6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Score

7^/10

discovery persistence upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral4
- Target
  
  High Priority/Client-2.exe
- Size
  
  80KB
- MD5
  
  8152a3d0d76f7e968597f4f834fdfa9d
- SHA1
  
  c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
- SHA256
  
  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
- SHA512
  
  eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
- SSDEEP
  
  1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Score

10^/10

hakbit evasion execution ransomware spyware stealer
- Disables service(s)
  evasion execution
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5
- Target
  
  High Priority/ComparevalidatorIgamerefreshable.exe
- Size
  
  898KB
- MD5
  
  cb2b4cd74c7b57a12bd822a168e4e608
- SHA1
  
  f2182062719f0537071545b77ca75f39c2922bf5
- SHA256
  
  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
- SHA512
  
  7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
- SSDEEP
  
  12288:vI3h+hoVEZnvy/hF4CMWZrU7S/iAfMIItotPP2rbPCrF7:vu+hIE9BYO7S/iAOtc4be
Score

3^/10
behavioral6
- Target
  
  High Priority/OnlineInstaller.exe
- Size
  
  3.6MB
- MD5
  
  4b042bfd9c11ab6a3fb78fa5c34f55d0
- SHA1
  
  b0f506640c205d3fbcfe90bde81e49934b870eab
- SHA256
  
  59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
- SHA512
  
  dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3
- SSDEEP
  
  98304:ghXqJiXwwhwvxR7FI6wYroMUQrYeoFj6bjsKzZx7T7:ghXqsX3hs79bxiEbgKX7
Score

8^/10
- Drops file in Drivers directory
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in System32 directory
behavioral7
- Target
  
  High Priority/XClient.exe
- Size
  
  172KB
- MD5
  
  75ba783757c5b61bd841afa136fc3eda
- SHA1
  
  8db9cda9508471a23f9b743027fa115e01bc1fe1
- SHA256
  
  75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
- SHA512
  
  9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
- SSDEEP
  
  1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral8
- Target
  
  High Priority/criticalupdate01.exe
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom evasion ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Renames multiple (1352) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral9
- Target
  
  High Priority/file.exe
- Size
  
  101KB
- MD5
  
  88dbffbc0062b913cbddfde8249ef2f3
- SHA1
  
  e2534efda3080e7e5f3419c24ea663fe9d35b4cc
- SHA256
  
  275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
- SHA512
  
  036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
- SSDEEP
  
  1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS
Score

7^/10

persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  High Priority/good.exe
- Size
  
  143KB
- MD5
  
  b034e2a7cd76b757b7c62ce514b378b4
- SHA1
  
  27d15f36cb5e3338a19a7f6441ece58439f830f2
- SHA256
  
  90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
- SHA512
  
  1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
- SSDEEP
  
  3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
Score

10^/10

phorphiex evasion loader persistence trojan upx worm
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  High Priority/temp5.exe
- Size
  
  10.6MB
- MD5
  
  5e25abc3a3ad181d2213e47fa36c4a37
- SHA1
  
  ba365097003860c8fb9d332f377e2f8103d220e0
- SHA256
  
  3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
- SHA512
  
  676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
- SSDEEP
  
  196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK
Score

10^/10

azorult rms xmrig aspackv2 discovery evasion execution infostealer miner persistence rat trojan upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- XMRig Miner payload
  miner
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral12
- Target
  
  cobaltstrike_shellcode.exe
- Size
  
  219KB
- MD5
  
  8e4d8b8796d2188324a0cfd6fdc8de92
- SHA1
  
  9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
- SHA256
  
  1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
- SHA512
  
  db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3
- SSDEEP
  
  6144:b5E/nRS7UwaWiVDSYOY0iZ4i1GrTxI43ZB:b5lUpDSCFfApP
Score

10^/10

cobaltstrike 305419896 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral13
- Target
  
  default.exe
- Size
  
  211KB
- MD5
  
  f42abb7569dbc2ff5faa7e078cb71476
- SHA1
  
  04530a6165fc29ab536bab1be16f6b87c46288e6
- SHA256
  
  516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
- SHA512
  
  3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
- SSDEEP
  
  6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (6101) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral14
- Target
  
  file.exe
- Size
  
  2.7MB
- MD5
  
  731ff38afbc5a664f5a458e222d91f84
- SHA1
  
  5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
- SHA256
  
  a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
- SHA512
  
  910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
- SSDEEP
  
  24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3
Score

10^/10

glupteba stealc zgrat discovery dropper execution loader rat spyware stealer
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  mouse_2.exe
- Size
  
  984KB
- MD5
  
  af8ab92992ccc4cc6a637953836edf93
- SHA1
  
  ac17c77cae31fdfeb618b0083285ba869baf29fc
- SHA256
  
  03968a3a5a7a880feefca31686fcfbed445080a0c06eda2b6d623757179b782c
- SHA512
  
  9dc3bdfe45f9333d62ef3b0aaf3860a9ef1e94ced02ed0437d3ac2f96b3b9aacf6e621703f13d62f356bd50dec84cc3a3dc787a8a14c9ce0ceeed9ff63c45ad2
- SSDEEP
  
  24576:iNg+tKkEYA7Gmvv/HGsvPw9vz/DrELE7VUH:0g4K7YA7vvRMbcLa
Score

10^/10

masslogger zgrat collection rat rezer0 spyware stealer
- Detect ZGRat V1
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  oof.exe
- Size
  
  662KB
- MD5
  
  0760d43d4adebe20fa0b5e5a7bca1714
- SHA1
  
  a0a9dae5e9be39bca31021dd9cf565fcdefb8474
- SHA256
  
  8f9067f2bd4a374539a40fddb8915600c9fd6ba3e5db20cbddcb3c5f22d9da44
- SHA512
  
  7e60c2726711bb8e822375f93cfb9ced7d172f3f0ae07041cbeea8c4cdb45488d1de90ee77dfef52aa86722a5dcbe521d1affeace3aec8811e851f693d74ef77
- SSDEEP
  
  12288:9TEUsvsVEcwaFNaxr7IwFnm1p7BmC10sHo0AhHL:9oBvRcxuxrksqRNI0i
Score

1^/10
behavioral17