Overview

overview

10

Static

static

10

[DemonArch...fb.exe

windows7-x64

1

[DemonArch...4e.exe

windows7-x64

7

[DemonArch...86.exe

windows7-x64

[DemonArch...1e.exe

windows7-x64

10

[DemonArch...a6.exe

windows7-x64

7

[DemonArch...a8.exe

windows7-x64

1

[DemonArch...4b.exe

windows7-x64

3

[DemonArch...6b.dll

windows7-x64

1

[DemonArch...23.exe

windows7-x64

8

[DemonArch...38.exe

windows7-x64

10

[DemonArch...94.exe

windows7-x64

10

[DemonArch...03.exe

windows7-x64

5

[DemonArch...96.exe

windows7-x64

10

[DemonArch...f0.dll

windows7-x64

3

[DemonArch...4c.exe

windows7-x64

10

[DemonArch...b3.exe

windows7-x64

1

[DemonArch...44.exe

windows7-x64

[DemonArch...13.exe

windows7-x64

1

[DemonArch...22.exe

windows7-x64

10

[DemonArch...7e.exe

windows7-x64

1

[DemonArch...73.exe

windows7-x64

10

[DemonArch...94.exe

windows7-x64

10

[DemonArch...f6.exe

windows7-x64

[DemonArch...b6.exe

windows7-x64

1

[DemonArch...84.exe

windows7-x64

1

[DemonArch...a0.exe

windows7-x64

10

[DemonArch...9e.exe

windows7-x64

[DemonArch...f2.exe

windows7-x64

[DemonArch...f4.exe

windows7-x64

3

[DemonArch...c8.dll

windows7-x64

1

[DemonArch...85.dll

windows7-x64

10

[DemonArch...71.exe

windows7-x64

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pepsi (5).rar

  • Size

    71.8MB

  • Sample

    240704-vv7rhazenr

  • MD5

    f5f163cbcc1e6c5dc86e9df0daa0f200

  • SHA1

    2dfdfabd15e90a09e64dedce5fdea5f3529cbbfb

  • SHA256

    e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

  • SHA512

    895048370d6fa90f1b842e1fd087d26f58da81d288ef344a5a412409c394222a3da9f89e19260b83a7634dd7c923ffd0bd339e4cff6da5a8ef4786ace6719e1d

  • SSDEEP

    1572864:4eXLeXak7DEoGipeXAeXUdeXoJAku3eXgb/BJ3/8XZPawDyXt3FYH:4eber7DEodewekdeFku3eQb/H+Zyx3Fu

Score
10/10
blackmoonfloxifprivateloaderramnitriseprosalitybackdoorbankercollectiondiscoveryevasionloaderpersistenceprivilege_escalationspywarestealerthemidatrojanupxvmprotectworm

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.me.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    RICHARD205lord

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      [DemonArchives]560184b003e9c461fdfa4ab15cd3b6fb.exe

    • Size

      2.7MB

    • MD5

      560184b003e9c461fdfa4ab15cd3b6fb

    • SHA1

      d5942a70638c8be40a102040cfff3e4c5876cc39

    • SHA256

      8e88627b7d4c51579375158edddee346226753522d4c5019a3ad60601f1b2029

    • SHA512

      e368a0a56795b9904911a277ce54565232a6fc469a3972e0f9a94475408bbd737d17e561e4cdb94fab42680fae3b33827e3c2173066418f2075f6fecf98a1705

    • SSDEEP

      49152:/78tM7axvZ28c9EPqLBYSVkwiwm79m0EJ:/kM7ahZ29ESNt

    Score
    1/10
    behavioral1

    • Target

      [DemonArchives]58b00f133ec3b7efa68faf94233d594e.exe

    • Size

      3.6MB

    • MD5

      58b00f133ec3b7efa68faf94233d594e

    • SHA1

      b4d6b9e52f3da97420e8ce576a741156b34d540c

    • SHA256

      1657edd67f181f75fe6a5f29c2cbdb7a617a8cb0e30b16ca2ed5bff7c7e22e0f

    • SHA512

      2ebc0af6e7858eeccd33e78193cdaf3bab173b8e5f29ce975ce4f25baafe23d0b0de561bfdbfa330f590935eaedc2aa5dadbd66dbe2df82b0f945352e0d4150d

    • SSDEEP

      98304:QmsibDMe6xxPjY/3zLiVOgyZbfMVjOuF5wdxo:QmDELPjY/0CfGjBGU

    Score
    7/10

    • Loads dropped DLL

    behavioral2

    • Target

      [DemonArchives]627ba000cff6d43aa031da4020d15186.exe

    • Size

      3.2MB

    • MD5

      627ba000cff6d43aa031da4020d15186

    • SHA1

      c684318ec6ca4eee71611a521d16ec0ad908c4c7

    • SHA256

      cf60af57de06e340faf7c53c4a74dc239d276a6424729d112f467e90419eed7a

    • SHA512

      b23b635a22e4fc8d1f7ec37165ff93d80d7f42c65becf260065ab82960dffc3afe5a0ae2e16ce2172902b0a3d577b29cf16977a4de561c51550e41029ebab271

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQt:r56utgpPFotBER/mQt

    Score
    1/10
    behavioral3

    • Target

      [DemonArchives]68d0fb679004d3c27c9efa840010881e.exe

    • Size

      1.9MB

    • MD5

      68d0fb679004d3c27c9efa840010881e

    • SHA1

      02afd4c3b8699c5108b95bcb6eb5dd2293dce4a9

    • SHA256

      4115fafda97c7ca9ecb38c57231bc0fda1c78bdd9eec797fe7bb9b76e7071bc2

    • SHA512

      68353560b414e798775c0d2df9fbf84b6ffad75a84c7805217c8304351cd99dd20e8a2a5c795662dd8b6ce8f6971d3d85948331bf659ab4e3a67789b49079a5c

    • SSDEEP

      24576:jNIVyeNIVy2jU3NIVyeNIVy2jUQNIVyeNIVy2jU3NIVyeNIVy2jUO:6yjByjUyjByjH

    Score
    10/10
    persistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral4

    • Target

      [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe

    • Size

      2.6MB

    • MD5

      6a1fe8f4fbbc726b6ee093b2688a33a6

    • SHA1

      90259529d74b39d95a10c57d175622662f880295

    • SHA256

      4b48bb56e58eb299e508228e91dbc466ac1fc5948e5975d400b89dca0e1c334b

    • SHA512

      3a478f2d252f1203e173f0e5ff138ad1efd10b01cac22f3fab8d38895d4c767fd57f6fa9443f254e362e636f2ea12d914fbcb2db0f4b54f3e89ca58bc45720eb

    • SSDEEP

      49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBZ9w4Se:+R0pI/IQlUoMPdmpSpR4

    Score
    7/10
    persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      [DemonArchives]6bc2fcef470b064c9bd339c7e2553ea8.exe

    • Size

      1.9MB

    • MD5

      6bc2fcef470b064c9bd339c7e2553ea8

    • SHA1

      a3ed1cd3a4049d0a5ec507b2ffc3b55b0fd174cd

    • SHA256

      721424782041dcb5ce0d561a08c0b4c5f831576be1d881633b94ba2c35374b89

    • SHA512

      ba7e46fd5b267b76c8f16e5414c59fcb6ed771476b574b7c698f723846c19b5f11abe90270f85ca72b89d06a41caf762b3a4ab3fed913cd9d6ad7298902609de

    • SSDEEP

      24576:QaXSBBIz25q9T2QKxDFkJHT6yfmBwS4DBgsDL3fGQNc0yYdErPnAQ59FIny:nYqgaSsgsfE7nAQ59FIn

    Score
    1/10
    behavioral6

    • Target

      [DemonArchives]6bf80d8b5b235df5efb621da1dd61b4b.exe

    • Size

      3.1MB

    • MD5

      6bf80d8b5b235df5efb621da1dd61b4b

    • SHA1

      31bb07c8ae91192c8dd8043fb33904487960ac79

    • SHA256

      6e345caf993ad3a5669fbf61e8cc89f171e4042e63669a1c2a224580fa0d3c5d

    • SHA512

      ee67391300302429c1875d2e9334e363e65b2b06a97e7e041b8bbc4fd28ee7b99f2ce68541b8f51037a2cd5a98b14a50c46765083c2715ae9a39447ba496d9a9

    • SSDEEP

      24576:3P1USAnbTVavm6UUsDX+a0YLkvuNdolPpNI:3Je6UUsDv9dGI

    Score
    3/10
    behavioral7

    • Target

      [DemonArchives]6e102d15d6af7c43d43141e9d2a1206b.exe

    • Size

      2.1MB

    • MD5

      6e102d15d6af7c43d43141e9d2a1206b

    • SHA1

      a2c8da5e6f961860543edcc83525039412b751e0

    • SHA256

      2c9aca84ed7396d9e0d9bdd7cf3c474a4f92439c407b1da7a5f836f79e77a965

    • SHA512

      234fb605e3fbe7eaf32ea3b807364a080f064cf7be2e56e9c4999380f7b617f7847430e5895e158c3f7e64e446acef6aa5e142bf288a4ba43b6fb498bbc91660

    • SSDEEP

      49152:zHLIQgREe4/q7cpao9/PRyBzMS4nd89ZcmO2:zrI9RE5cO/P2zMSp9LO

    Score
    1/10
    behavioral8

    • Target

      [DemonArchives]6e4f9763c17ea31c3d1406eabd7db423.exe

    • Size

      2.3MB

    • MD5

      6e4f9763c17ea31c3d1406eabd7db423

    • SHA1

      caf959265772132720570fba49b4c40e29a29db3

    • SHA256

      f71bf8405ccbdf8b1e8e0b2ef50ec7b71675dc452ad942f578503e11a58089df

    • SHA512

      018d53cb8c0c56da2cdd6a0f2c3bb5ab786e51a6171f1739234474e8f42f0b52e608c949198ad68bdee21f4d6060c28f6b91a464674d42f0dabc5d1e893c7c7a

    • SSDEEP

      49152:AE13D8c4GG/jfKCfGgc1LCfm7BI/3NtTS/:JHo/OKGF1j7BIPNtT2

    Score
    8/10
    persistenceupx

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral9

    • Target

      [DemonArchives]720d7d1deff763aee99bcc266f96b238.exe

    • Size

      1.9MB

    • MD5

      720d7d1deff763aee99bcc266f96b238

    • SHA1

      a7e29f0ef19512ad914ba5b8c5ab4a40ba65e17a

    • SHA256

      2ace67a29cd7b627181c58874b33459ccb2a2bb543492c46ef34c74905953057

    • SHA512

      b18391970db917f1d586098aa60b55e942e630cf144b2f153989c654b41f9609257fcf5e1c6320d13de4a9df03dd43c6d7a2cdaeef55c922333a840e5583b75b

    • SSDEEP

      24576:yNIVyeNIVy2jUpsQUNIVyeNIVy2jU0qNIVyeNIVy2jUpsQUNIVyeNIVy2jUO:NyjcbLyjRyjcbLyjH

    Score
    10/10
    persistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral10

    • Target

      [DemonArchives]7a8bde6d1942443bdbf09e610eb1b794.exe

    • Size

      2.5MB

    • MD5

      7a8bde6d1942443bdbf09e610eb1b794

    • SHA1

      a8df45ba7bd1e298d3316f835f2ab0ce7bc25777

    • SHA256

      77658f9e6d7b6d68c1bfc54bd4a11e1342667703c10e2154112713e25d987bc0

    • SHA512

      dcc60d789fcf4ac36be5d5d3f6d4df71cbe722f6f846023692e2c09d970e248598b751f5ffc933d87ad9fbdb31cd2bef4fb19894ea9d3a839bb6dd6211ed02f7

    • SSDEEP

      49152:CYhLIsUWnzD6H4to9mVefnCQ8wGVy6H2FXa2kjcCHJ3:zhI/WnzDlo9e6n0rCq2EJ3

    Score
    10/10
    discoveryevasionpersistence

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral11

    • Target

      [DemonArchives]7da028810a703bb926d39a9b4ba50703.exe

    • Size

      2.0MB

    • MD5

      7da028810a703bb926d39a9b4ba50703

    • SHA1

      ebc3de3c3bed8dcc0a0de4266f0c8a2cb8c6e068

    • SHA256

      d67fa434ccc64c56a6b24405a105a93cba65b9c67dbb6f2eb1227f702d9f4a56

    • SHA512

      4cd53c53297502678c668a58b48f9abce5a52ee0f0202f5dbdb81eae22b8e14107c02a8a4701af8ed22cdd841a7049c6a6a6f218e1e633af830f626a7a7bd71f

    • SSDEEP

      24576:1c/8X0MLRBKQq44gNC2chI9YzHnOQDFC1ivbMcB9S9ADQDdUtP1gf8g3By9R7dUU:MMLRBQ49NCtuYzH7ZHu8Qqtaf8gu

    Score
    5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral12

    • Target

      [DemonArchives]7e020e96f43c40b26aa7f880ad0f8a96.exe

    • Size

      3.0MB

    • MD5

      7e020e96f43c40b26aa7f880ad0f8a96

    • SHA1

      aa5b15e6fefc819a061b27be11002eecf4d2e018

    • SHA256

      6ce3e78e052fea66207749cf98376e2ff2ba7e8191a2efbdde6a9614722bda6f

    • SHA512

      efa3ff506eea68013933164d977b3e6836a6983dbda8c742e96c6379b96d4af05f38c45d01ffd4f817c7b7d010ac8eb42794a574d4128478811072a553e0c17a

    • SSDEEP

      49152:SANMxixIxIxIxixIxsxIxixIxlHxIxixIxsxIxixIxIxIxixIxsxIxixIx:HMxixIxIxIxixIxsxIxixIxlHxIxixIT

    Score
    10/10
    persistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral13

    • Target

      [DemonArchives]81759dd56bd4387d02cb20d44422c8f0.exe

    • Size

      3.4MB

    • MD5

      81759dd56bd4387d02cb20d44422c8f0

    • SHA1

      c5370c67c62235633099f6d03e6dcd8ffeffb1c9

    • SHA256

      0e05ade34195343acbdaeb531023395f2368d203bcf208ee9b5f65f82cde147c

    • SHA512

      43adc5f0b7c48ba5df025a77de3a70425c2ca0cf7f3048b8924523c5dace9b25bedd06f4deee9b4b0cb0d1a9c01e1e55addf2f77bd118bafcd1161bb0d2e03d7

    • SSDEEP

      49152:uUGZZ+sHaEJvMK797dcpzs/OfNkZMDgCctUZ1Q9yQkxYf64ACwT/MJh8lmgDDejb:6Z+sHFEKwpI/e6MDEt197hMwsMgbOS

    Score
    3/10
    behavioral14

    • Target

      [DemonArchives]853a559e0dcb25ab9605685ec776224c.exe

    • Size

      1.9MB

    • MD5

      853a559e0dcb25ab9605685ec776224c

    • SHA1

      c2547e02024a59dbf726bf6bc03b1cd29c7565c9

    • SHA256

      1d63f406d5735152484a975a6aa536758f0cca2f890c04db8bc2cd2c372393fd

    • SHA512

      c1b5617e56ce8683a5bc70103af3eba0eef29bda57e0393944bfb25ae392bf401789d95b7071be2880ede13955f4560ab082ed7406f601bf65be99e1220e1c8a

    • SSDEEP

      49152:93mTOafM0CwkXdPY/eTwTvSYRvMpZwCBtqtMibzqarNS+qn3:duLfM0C9CKYG7wCBtqtZbear0j

    Score
    10/10
    privateloaderriseproloaderpersistencestealer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      [DemonArchives]887a4917f4af1126d489a4f4d56b2eb3.exe

    • Size

      3.1MB

    • MD5

      887a4917f4af1126d489a4f4d56b2eb3

    • SHA1

      454acac39210a764ebabb7bc4f8a262a94845bd5

    • SHA256

      68ccd579def495ebb77665b750e2dd67e91b977b563de5cfb0a0146327eae4a4

    • SHA512

      9e1fd80862f64024e59ac17fc90b8c337c292ff081c6779da0065cedaf49e0bd9fb432150dafa484fbb13b2b0f817330169774c078eb02f9ce08d084c2d06f83

    • SSDEEP

      49152:hP2p9uSRk7tZgdF0V1JzbWTAMccKBwcjJO2Wufe:hP2pgSR89zbWTAMvYwcjJO2x

    Score
    1/10
    behavioral16

    • Target

      [DemonArchives]8edcc9bf66c21c55cf482dcac1c18c44.exe

    • Size

      2.7MB

    • MD5

      8edcc9bf66c21c55cf482dcac1c18c44

    • SHA1

      22da0d47b55d53b5ffccf193a5c3050dabd23a4a

    • SHA256

      44031e3d2381522afb6b04c95e29483a6e7c6edea4f4d75421558e192a311940

    • SHA512

      40c6a5a2967211de427f816e5b0e31f47ec78925f74835dafbf9b3c72f41059a3087014a56ac5d99b91ac49f084a0951deb59d620f7668849f65629df2f4e0ae

    • SSDEEP

      49152:gjVgiG1hT8cm8U2zkpdt0n/s0YRZHPm4poP2UkCsPtcBI:gji7F84UJoE0YRZvm4pk2U/AmB

    Score
    1/10
    behavioral17

    • Target

      [DemonArchives]973465ab358797d8d056e4f04bda2513.exe

    • Size

      1.9MB

    • MD5

      973465ab358797d8d056e4f04bda2513

    • SHA1

      8d84cdebefd5cd9558950ee7c1283cdf4e1e1fb7

    • SHA256

      b0ee7f3c056cdf04e7a34ba7d969d9b2d6bf8f67a45901421ad9aafd71ed4a98

    • SHA512

      8384400cc19359599c10aad4d8e699880e30676101d063ed575fd100852a6967cf8adc8a7bffc173b8efa9532affff3fb22a470832a4beb0bf15ef53e0a38ba2

    • SSDEEP

      24576:NM66Tozerl1AjOdAxF5gHJkJ7FLxKjrhrhDAWKjDT5QkGHu2:N9zeoj7v5gHJk9F9q1DAWUuH

    Score
    1/10
    behavioral18

    • Target

      [DemonArchives]9a6f31f789128531e4c714e44915f822.exe

    • Size

      2.8MB

    • MD5

      9a6f31f789128531e4c714e44915f822

    • SHA1

      66f88cff672e3a720d26e2ca13716dddc3b4c30b

    • SHA256

      65b564b0afae6e283219303cc36a79d3d80118b238d17160de9b06e28b30527c

    • SHA512

      bea3af414c9ab1260497a48f5655c9a6213ce0d60d81db466684ed1e72c10e8813382a441518641283bd3cb10498983eacf72ec8874fc5ed4fce4607fe4ed37a

    • SSDEEP

      49152:t3A6snvQs0c3h8an7Ut3gmpDoIDOnLdqj8ZORR7cEiFBC81poNeaMRe6fTDArzW6:tc90UmpjDOnYj8ZeR7cEiFBCCpowfTDE

    Score
    10/10
    floxifbackdoorpersistenceprivilege_escalationtrojanupx

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • Detects Floxif payload

      backdoor

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral19

    • Target

      [DemonArchives]9afac07fd6517652d6e659963db8b87e.exe

    • Size

      2.0MB

    • MD5

      9afac07fd6517652d6e659963db8b87e

    • SHA1

      096f2feaca7627048b901f8a376bb2b01b058971

    • SHA256

      cbda206fee3eef2681a1bbfc7d8fe2ca969a45a0659913e6c5c58c3786467d11

    • SHA512

      bd6cf83768c63ec4eb100a631b8a4717d303531e77d9638d2b16886793c25dd706983b1d146ceae41c66f48af35d4d3eb59d988450ee2bd8266f74cc3cf94bd3

    • SSDEEP

      24576:b1+sVkv7R7As9Fcm9KKjm/kexgSIWnJKD+XgzDyDWK/DcgwkbY5At6duBB88FRvM:h+s4RhFcrgBHD+XgPExNbY8BRFx9i

    Score
    1/10
    behavioral20

    • Target

      [DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe

    • Size

      2.6MB

    • MD5

      a367e7069b0df249dbcd93f02f05a573

    • SHA1

      bb9ae315e19ce9dce6cede2268c25c78d01c178a

    • SHA256

      3b2b8b58a5a92c1a6d3a7d68d06661f39757cda0337d46164dc77aeace68adba

    • SHA512

      9427c4cd8d705cae43389f36fa90526c6df7805dc2a718c6d009769948cea7ce728c5ca2efd49a47d1ad2308fd4bb3c3c1ebad64c03e0e3206dd1b36c59ef5c2

    • SSDEEP

      24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eS:ObCjPKNqQEfsw43qtmVfq47

    Score
    10/10
    collectiondiscoverypersistencespywarestealerupx

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral21

    • Target

      [DemonArchives]a410ac0c141ebeb019661a692020fb94.exe

    • Size

      2.0MB

    • MD5

      a410ac0c141ebeb019661a692020fb94

    • SHA1

      c1a15b45965cec3af05f293732dd1e17e8019fd6

    • SHA256

      e8bebdfd7ed37e122a12b9f3181a368c6836326bbcd14491359ed1f4d4532077

    • SHA512

      789f080f3dd5660bda645bdec52b57552e97737b9c33618f8881835a827ac3217e176c63acd44f35196639904dd03b1a6da39eeb7f7a0ddb6b7ae29dbf59add8

    • SSDEEP

      12288:KhtQBpnchWcZoObfOS+9YGc3l1+RobUCmf2bx3zBX3yF+EKFhDzP3UZ9xE9jKB3y:2QDcLfDdGOVmfihmevP3r9jKB3nwPg

    Score
    10/10
    persistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral22

    • Target

      [DemonArchives]a62aacc19cac89138571eec242bcd4f6.exe

    • Size

      2.5MB

    • MD5

      a62aacc19cac89138571eec242bcd4f6

    • SHA1

      dd5da6366f12f89aa1f9a8002a70f4e4fefb077a

    • SHA256

      4d42d8e1ffbd0a4acf7599209f8ea96d23610909ee1c68539e6c8eac33f9f810

    • SHA512

      f06fa15fdd608028794aad8bfad9c3869f797278553034324b14cfd32db0bd5470433e0ef754fc6a783118d5c001f1f0757035faa88af1f23376dc67cd432f46

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+9pW:r56utgpPFotBER/u

    Score
    1/10
    behavioral23

    • Target

      [DemonArchives]a7f2bf63baba5ffe2b5e76ab67d25bb6.exe

    • Size

      3.6MB

    • MD5

      a7f2bf63baba5ffe2b5e76ab67d25bb6

    • SHA1

      f5c123658b3a1cec2a8296e1d1cd27578d2ea300

    • SHA256

      2666d4bdbffeb02c6a9fb0772d88434fa8bae1ea0e4c5dffde4f18cd97521855

    • SHA512

      7f4d1583118b076955e741e15ceb8e449aabd59bb8c56060cc4170579c6be9560c39c946c60af7caaae37b4d030963aade929f4c175e1682adc075da125b7d55

    • SSDEEP

      24576:MsSj+tScZdWS3sVGVyWj4XAB1gGxLKbSe5H27gUX9byX5v1xyZUJyWqsmsWSgfbU:JS6shQ19y3C+oW+RljsRl

    Score
    1/10
    behavioral24

    • Target

      [DemonArchives]a9ea383aca2b60aece3a27c899e3f784.exe

    • Size

      2.9MB

    • MD5

      a9ea383aca2b60aece3a27c899e3f784

    • SHA1

      c4dab4fe9fb74be994569e41e70ce41c5d4236f4

    • SHA256

      2b63d5b2cb8c4bfcfe0d4f9eecafc18273f9d1c9c01fbfe07ac564401c25e262

    • SHA512

      e785e4e9af0c92acfbd132ba68efa2045a9b9b838d6325382e252ff9d9c33aaf663f3310099762e807a46c873ed01a543ab8c027818f71532e3ddba7aaf29cb5

    • SSDEEP

      49152:6jqYAIus5fqghJoaP6DaZaI0F/sjzXNYd/SD4HVlhX6QzTKHYZ5+:6j2s91oaP6DaQI2/sjzXadKD4hX6gTKS

    Score
    1/10
    behavioral25

    • Target

      [DemonArchives]ad9972de71fbca864e9303a043d203a0.exe

    • Size

      3.2MB

    • MD5

      ad9972de71fbca864e9303a043d203a0

    • SHA1

      924980e5c246e20c221362a4618124fc32022cc4

    • SHA256

      d3195d37f49af72c44a4a5806aebf555ed972581f1453be49a03e17efc5e703a

    • SHA512

      18ee630eafed111852e199982d2da2cf40cc4f3b30b8b054f733f4635079be5063bbc3efd97dc261618e4b07350e0568d8e049e2b9fd728723d2f1dd87ac7c5d

    • SSDEEP

      98304:SlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:SlBFLPj3JStuv40ar7zrbDlsa2VIlPWH

    Score
    10/10
    persistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral26

    • Target

      [DemonArchives]adefb3d586e8f74af30155d21ac5fc9e.exe

    • Size

      3.6MB

    • MD5

      adefb3d586e8f74af30155d21ac5fc9e

    • SHA1

      ca477d84215e4219209f4028cddd191a305d9d60

    • SHA256

      1f80df1bf715c8f045f4bda81e8956cc756bb65e48677dd9d36e288c1bc76856

    • SHA512

      610b2360f5f2c95bc5e19cfd8a9e5576db1c1c772a05b8f06d57e822d39d03a19f3629be52fa9852df304acb6594664d90362e259daee762891c17528c82784e

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2SfcVB7:r56utgpPFotBER/mQh

    Score
    1/10
    behavioral27

    • Target

      [DemonArchives]b00c6b1b2a79fc9c57f97d16d58d00f2.exe

    • Size

      3.6MB

    • MD5

      b00c6b1b2a79fc9c57f97d16d58d00f2

    • SHA1

      e864646d29557454eef8b7b01449a0b499dfe9e4

    • SHA256

      11874a4c4f42d0310e7df053ee5b8c007d91fdf4a62d164aa4759043d4a845e4

    • SHA512

      fbb3e8c44163337f8fe45e18637ac70edd377041f7f2a7960029a7ae57325bbd817e86111d7b79e585a3ee1406d56e6c56c89ef916978b319cb307365152ab4a

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2Sfc34:r56utgpPFotBER/mQO

    Score
    1/10
    behavioral28

    • Target

      [DemonArchives]b2d7c4f62aa3abc7e398981d5c280af4.exe

    • Size

      2.0MB

    • MD5

      b2d7c4f62aa3abc7e398981d5c280af4

    • SHA1

      40bd1c5946f16366ab8c62f4cd6f2a055c7345e5

    • SHA256

      42c5ef415e8ec3092b5fda2b3b3b26d79570e6b8615ca1cc2dc36c5b726eba5f

    • SHA512

      b17c217d26b9e0417b2c267cc8237e9d397cf28063e0718b5f0555f5d17b6fe25132e0afa646d4ba627c9f6413981ec7bd11270af0b5dc81eb95def53f4a0a3e

    • SSDEEP

      24576:C7zQDcLfDdGOVmfihmevP3r9jKB3nwPg:C7zQDcLZmA

    Score
    3/10
    behavioral29

    • Target

      [DemonArchives]c30111080c9e6acc70dd86ff97188ac8.exe

    • Size

      2.2MB

    • MD5

      c30111080c9e6acc70dd86ff97188ac8

    • SHA1

      5c02b64493debdbf0da3f4c6be86ea5ba46610a4

    • SHA256

      581453bd1c1814aa96e9bab6d447a564ad5bb585ffdf663e9587bb680f594699

    • SHA512

      619ea5ac1ad905f9466cf9c96ac9bf1057dd0499ab4bb17bf9b2d4c249daad2a2d806dc070f4d56bf684c6065a87e8e39f453d2126186aae6d998fa877bce1da

    • SSDEEP

      49152:TJd0OM5Fym/AgJTYM97tQjFozL19wNa/Wgw:VCOM5bJqjFKp9JWgw

    Score
    1/10
    behavioral30

    • Target

      [DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.exe

    • Size

      1.9MB

    • MD5

      ddc0d08019efa4cc5f2a39de99cc0a85

    • SHA1

      2935aa4ad7e2a8c3687659a84f943b27ef9bddb9

    • SHA256

      8db48baa9134fa85bdee0a3786cf27e12a2c031997ae2f19d0e996203a05fb00

    • SHA512

      230d5f8596763f691d8367015f5a2d7ec3b8c5a04167958851bc6b684ff032f784403ea6cd74c2bbfb1b24cb491b2a1fab1ade5a323c43d663c4957d00a03eda

    • SSDEEP

      24576:w7IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQjXYvJ:wIY5RMHMf810Knor5zqo3zNJuQjE

    Score
    10/10
    ramnitsalitybackdoorbankerevasionpersistencespywarestealertrojanupxworm

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

      trojanspywarestealerwormbankerramnit

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral31

    • Target

      [DemonArchives]e28fe1917c5ffe9a3062ee369087f971.exe

    • Size

      2.0MB

    • MD5

      e28fe1917c5ffe9a3062ee369087f971

    • SHA1

      e4a5d0ab1539d0e8f1bbf127bb5aea59ea8186f9

    • SHA256

      b5ebf7c7d8e17217824f0006e60608519c4bf3206d3cf019f354f2600056289d

    • SHA512

      f7d40c29dae506bb42ae194bab1b83a60bdc07a70d153c572f039e7bda0be1465e21188188953a15eee597da92f9cab027a1b6d1c89ea0f9990e344deb16617a

    • SSDEEP

      12288:/DuMGthdz4jySwB7AEd+I9qYFnjOUSmmdcpGEmXbH95YT0vpHB+Jyy9avN:buMCkRw+EnROWk96ypHB+Yp

    Score
    1/10
    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

12
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

vmprotectupxthemidablackmoon
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
7/10

behavioral3

Score
1/10

behavioral4

persistence
Score
10/10

behavioral5

persistence
Score
7/10

behavioral6

Score
1/10

behavioral7

Score
3/10

behavioral8

Score
1/10

behavioral9

persistenceupx
Score
8/10

behavioral10

persistence
Score
10/10

behavioral11

discoveryevasionpersistence
Score
10/10

behavioral12

Score
5/10

behavioral13

persistence
Score
10/10

behavioral14

Score
3/10

behavioral15

privateloaderriseproloaderpersistencestealer
Score
10/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

floxifbackdoorpersistenceprivilege_escalationtrojanupx
Score
10/10

behavioral20

Score
1/10

behavioral21

collectiondiscoverypersistencespywarestealerupx
Score
10/10

behavioral22

persistence
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

persistence
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
3/10

behavioral30

Score
1/10

behavioral31

ramnitsalitybackdoorbankerevasionpersistencespywarestealertrojanupxworm
Score
10/10

behavioral32

Score
1/10