Static task
static1
Behavioral task
behavioral1
Sample
Windows 7 x64-000008.vmdk
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Windows 7 x64-000008.vmdk
Resource
win10v2004-20240611-en
General
-
Target
Windows 7 x64-000008.vmdk
-
Size
387.1MB
-
MD5
3a620b8bf0012bb9903129b83ea86bd2
-
SHA1
e4ec9d6fcdcca77ff5dbb0c8e5983da73788a9a2
-
SHA256
e1d963b95b58056f2bc2ccddad4482df16c8a147f8a2bcbcc104d672fe104886
-
SHA512
21275ffad6c86c8bb68bac19ab7ed9e0b3653d479a9ebd775bf2efa04e9799ec8a8fc4a59cb0c63fd796dfe754ed2387fd152bb984aa30d5fccaa6b24b64c2ee
-
SSDEEP
3145728:tDFaInFN9a31Cs/rJdmcrfKJd8vxdOxzZIV5VUnXAY:LzsR/rJdvQd8vXMZIzynF
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
-
888rat family
-
Android 888 RAT payload 1 IoCs
Processes:
resource yara_rule sample family_888rat -
Ardamax family
-
Ardamax main executable 1 IoCs
Processes:
resource yara_rule sample family_ardamax -
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule sample disable_win_def -
Detected SUNBURST backdoor 1 IoCs
SUNBURST is a backdoor for the SolarWinds Orion platform with extensive capabilities.
Processes:
resource yara_rule sample family_sunburst -
GoldBackdoor payload 1 IoCs
Processes:
resource yara_rule sample family_goldbackdoor -
Goldbackdoor family
-
Guloader family
-
Guloader payload 1 IoCs
Processes:
resource yara_rule sample family_guloader -
Processes:
resource yara_rule sample m00nd3v_logger -
M00nd3v_logger family
-
Matiex Main payload 1 IoCs
Processes:
resource yara_rule sample family_matiex -
Matiex family
-
Metasploit family
-
NetFilter Dropper 1 IoCs
Processes:
resource yara_rule sample netfilter_dropper -
Netfilter family
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule sample family_snakekeylogger -
Snakekeylogger family
-
Sunburst family
-
XMRig Miner payload 1 IoCs
Processes:
resource yara_rule sample xmrig -
Xmrig family
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule sample agile_net -
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource yara_rule sample pdf_with_link_action -
Office document contains embedded OLE objects 1 IoCs
Detected embedded OLE objects in Office documents.
Processes:
resource yara_rule sample office_ole_embedded
Files
-
Windows 7 x64-000008.vmdk