General

  • Target

    Windows 7 x64-000008.vmdk

  • Size

    387.1MB

  • MD5

    3a620b8bf0012bb9903129b83ea86bd2

  • SHA1

    e4ec9d6fcdcca77ff5dbb0c8e5983da73788a9a2

  • SHA256

    e1d963b95b58056f2bc2ccddad4482df16c8a147f8a2bcbcc104d672fe104886

  • SHA512

    21275ffad6c86c8bb68bac19ab7ed9e0b3653d479a9ebd775bf2efa04e9799ec8a8fc4a59cb0c63fd796dfe754ed2387fd152bb984aa30d5fccaa6b24b64c2ee

  • SSDEEP

    3145728:tDFaInFN9a31Cs/rJdmcrfKJd8vxdOxzZIV5VUnXAY:LzsR/rJdvQd8vXMZIzynF

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/shikata_ga_nai

Signatures

  • 888rat family
  • Android 888 RAT payload 1 IoCs
  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

  • Detected SUNBURST backdoor 1 IoCs

    SUNBURST is a backdoor for the SolarWinds Orion platform with extensive capabilities.

  • GoldBackdoor payload 1 IoCs
  • Goldbackdoor family
  • Guloader family
  • Guloader payload 1 IoCs
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • M00nd3v_logger family
  • Matiex Main payload 1 IoCs
  • Matiex family
  • Metasploit family
  • NetFilter Dropper 1 IoCs
  • Netfilter family
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Sunburst family
  • XMRig Miner payload 1 IoCs
  • Xmrig family
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Office document contains embedded OLE objects 1 IoCs

    Detected embedded OLE objects in Office documents.

Files

  • Windows 7 x64-000008.vmdk