Extracted

Extracted

• • Target

    file.rar

  • Size

    8.8MB

  • MD5

    3443deb58509fdef6b491faecb2af7c3

  • SHA1

    06a8d45a279f1b5bccb37f20f1d0551860aa1849

  • SHA256

    0e1dc7a84177af8d5ce9df7049e6fbd7ee7c4acf65e4e882383baa343700a85b

  • SHA512

    d5a43c37257c045b69c4316cced0a50b32386560851710c82549b3e5b342db090168d4563a5272814e5a1399486b74f4bc3fc2723ec553577cb34fdf3bd981fa

  • SSDEEP

    196608:ulofIzfDC8WqVrQT4tzXXg83wb0MCKFu46X9PckOeIXhGQN:u3TN3A83gKK84OHOeEN

  Score

  10^/10

  privateloaderriseprosocks5systemztofseebootkitbotnetcollectiondiscoveryevasionexecutionloaderpersistencespywarestealertrojan

  • Modifies firewall policy service

    evasion

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

    botnetsocks5systemz

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks for any installed AV software in registry

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops Chrome extension

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1

• • Target

    amdhip64.dll

  • Size

    10.1MB

  • MD5

    da6bba744ffe35bd63e61ef2824ff15d

  • SHA1

    54f12b2bc458c72e071cdff727c4a2f7a33d0ab5

  • SHA256

    66d5725519eec9f0c16696c9bcf32ba3442551f36ec4bdb17e12f6e0d24027c7

  • SHA512

    74ba3f3c817fb0519b42e7f68ac8d87692e461c1a8529ae86051bbf891350bab05023046da6b69648681e26656624c97bac9707938511190e1dab8afd45ded4a

  • SSDEEP

    98304:FqFhXse/Y7jUHRRFcwETkorMg/696ffjZMXNDVjCXN2MX2:AXs37juRTcwETkGMUjZMXNDVjCXN2V

  Score

  1^/10
  behavioral2

• • Target

    concrt140.dll

  • Size

    309KB

  • MD5

    31f210ed5c6f2d8faa1d896cda18584b

  • SHA1

    5444d919f5014fb6bf58cefc6f01088c32a24a00

  • SHA256

    5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41

  • SHA512

    d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6

  • SSDEEP

    6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g

  Score

  1^/10
  behavioral3

• • Target

    msvcp140.dll

  • Size

    576KB

  • MD5

    a11a1d761d757d367146f0f772632d8c

  • SHA1

    9fd3eee4c4111dc386510a930192d56a2e938dfe

  • SHA256

    2cc02c5e6654aa9175d5963f811cac222f4a2604dc28553139c675b1a78995a7

  • SHA512

    6fbbb77766ee9846d6d3bde2ced5eeaafe721de5524a410a4821dfa6c08edbd00905bec2b9237b8f7986d6d06dbe444c5845130193da537cadaf29ea784c48e1

  • SSDEEP

    12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+

  Score

  1^/10
  behavioral4

• • Target

    res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc

  • Size

    114KB

  • MD5

    a2f3ded45da8870e93e5d2186dab27e8

  • SHA1

    3f8e0cddecc3827b33ec02cd78d192c18f1ddf82

  • SHA256

    fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742

  • SHA512

    438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c

  • SSDEEP

    3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh

  Score

  3^/10
  behavioral5

• • Target

    setup.exe

  • Size

    785.0MB

  • MD5

    640e910d06ebab4b066a696ba0e78b55

  • SHA1

    534e97d66e68eab6fa916fabe05beaef822b56e8

  • SHA256

    9b5e9a1b37be8612f14d52bd6a1bfbb850a05164d677738bcf6ea41c1a1c97a6

  • SHA512

    9dd5f8b06e675912e53833e4cc7a77ab06a3e25d7e23c907f351e715011c1096baaed0e8a1dd5ec56d69124988fb1bce082ee3cda3b5b70ee301fedb56b01177

  • SSDEEP

    98304:rO0hNxrp27xGHwGZpRiE5ygmAfrjQxuN7:rOUnQAHwipRtw1ol

  Score

  10^/10

  privateloaderevasionloader

  • Modifies firewall policy service

    evasion

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Drops file in System32 directory

  behavioral6