Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

General

  • Target

    pepsi (5).rar

  • Size

    71.8MB

  • Sample

    240704-vxyavazeql

  • MD5

    f5f163cbcc1e6c5dc86e9df0daa0f200

  • SHA1

    2dfdfabd15e90a09e64dedce5fdea5f3529cbbfb

  • SHA256

    e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

  • SHA512

    895048370d6fa90f1b842e1fd087d26f58da81d288ef344a5a412409c394222a3da9f89e19260b83a7634dd7c923ffd0bd339e4cff6da5a8ef4786ace6719e1d

  • SSDEEP

    1572864:4eXLeXak7DEoGipeXAeXUdeXoJAku3eXgb/BJ3/8XZPawDyXt3FYH:4eber7DEodewekdeFku3eQb/H+Zyx3Fu

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.me.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    RICHARD205lord

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Targets

    • Target

      [DemonArchives]01be7be288126004a6b6013cfa9630f3.exe

    • Size

      2.0MB

    • MD5

      01be7be288126004a6b6013cfa9630f3

    • SHA1

      3deb89a1e4a358eb0fd221eb5cbe8ed85704e7ec

    • SHA256

      6284a2f1d801c9d5c426b98da1c753b49eb8ce2baba7e94131f2f6d8fcdba629

    • SHA512

      cffc1d1accdcebb48385f0caac440fbe243b9eb96a090c994e8f198b6d7c66845e59b7b0278b9bddad724749e5ea4868ac255a8d5cd240118b270490d39d6938

    • SSDEEP

      24576:woQDcLfDdGsJm1OVmfihmevP3r9jKB3nwPg:woQDcLPmA

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe

    • Size

      2.3MB

    • MD5

      02352cbf001e9c8176a5b7d381ef9b5e

    • SHA1

      c075327a3aa7034d18dd06076189940f62eb56de

    • SHA256

      d7af9b28e9e01df60dac5c4f9f952a569ec8a358a1c5787b48a810fc20aae9a4

    • SHA512

      eaf18b5b9d849cd230e2ab11da3decdc65ada315e65037db605bdd7d2ffb3f588a18215efd3c95ae3abef4a60afe29f0d153d3f6a326413503d4f77117dc9b0b

    • SSDEEP

      49152:7igTG+g+h6dvrBV1gerPxHxmbuio8g3Qy0HyNtK35KOdSTG+g+h6dvrBV1gerPxe:ugk7k4k

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe

    • Size

      3.2MB

    • MD5

      02fa60c2391dc09e9a0b748a9d89c6a8

    • SHA1

      fc1526f8934529b2fe696285c7316c154531f59c

    • SHA256

      baf667a97bb14317f4410d6975849300190949707f7a4878aeb6fdb0a821e422

    • SHA512

      ba058d15bea9be683a4f0baebca181e6271c4b056ff5aa84ed076e8689fef115c0c34f4b51cb5e3a33f8c0f92c277c77fe3e94bc625e1d4f24188c4089029fed

    • SSDEEP

      98304:8LmuHlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NTPKnllYUugy:kHlBFLPj3JStuv40ar7zrbDlsa2VIlPH

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe

    • Size

      3.6MB

    • MD5

      04a8e202d70a574213680cdb7c82fb55

    • SHA1

      2bd25a97f9f42d65d9a8ed877f3b81498b2803dc

    • SHA256

      7c2f549e6bef7b3b2132fc94b9e7831aa19cbda9b050440ab22ae20cb3e0f487

    • SHA512

      42e18de9c0295eec8a4ef45c0480bb43a2dfb1f7613323afd01ecef6e18c7ff66c48a4baeb08b12bc1c077f42abf70b33b10383674b148b4f384aefb495749d0

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2SfcjkQ:r56utgpPFotBER/mQl

    Score
    1/10
    • Target

      [DemonArchives]05e82b287218043df6c8560cd0e2719c.exe

    • Size

      3.7MB

    • MD5

      05e82b287218043df6c8560cd0e2719c

    • SHA1

      518aa65ddc31221ffb86c08284cc09cce822ca61

    • SHA256

      6f69f5987484255099267987682ef6a3c38d58bdb835f259e0752c326ccde922

    • SHA512

      255b3b1d65131a1ae6c05f0fd1b028a91b1ac8dbad2a9714af64dcb2568342b1fc9a0e9e6fc939b63cd43c3527658d411c64f49be740e092134639b01f0d5746

    • SSDEEP

      98304:ypuxOhnkR+NK/jlEGsfVN6O4I0eD3t29t4qIYmcArc:ypuxqxNK5EG2VN6NI0eDdgtjnArc

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      [DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe

    • Size

      1.9MB

    • MD5

      07fe5f7c673e5faa200611f9cb716aac

    • SHA1

      1648f68c3312ce8111b923eb4b63837e474c2119

    • SHA256

      654a3f684bcaa6fc2675881f44fd995d3e10b9ebcc4c6e695d0286b343e0ec02

    • SHA512

      fa1106986aa2b655391321c6fdc2766daa1df4b1f1a3c34727cc9b23a7d77b2c58e0a8da4e10498c7e591e7db000e1fa2d23823c64a93314503f48b1166c089e

    • SSDEEP

      12288:XDMkrQ/Ng1/Nmr/Ng1/Nblt01PBExKN4P6IfKTLR+6CwUkEoILClt01PBExKN4PN:XDMElks/6HnEpelks/6HnEpnAc

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]086b605fada00eaa39fca0581712f10f.exe

    • Size

      1.9MB

    • MD5

      086b605fada00eaa39fca0581712f10f

    • SHA1

      d328e557965072baf7586a9d8aaad36f84666398

    • SHA256

      4a52d88f2072ec553b00dd8def3089c4df2c320b502907b7c4e6fffed30e9786

    • SHA512

      1217e2fcce016667af561e9b753d96df41e007de1c22994887d81827dc801a4521f3fbb1d6198deb5ed4b39b7e9a104e239dcf36e4e76e9c2728447e79deb948

    • SSDEEP

      24576:vsxNIVyeNIVy2jU3NIVyeNIVy2jUQNIVyeNIVy2jU3NIVyeNIVy2jUO:vs0yjByjUyjByjH

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe

    • Size

      1.9MB

    • MD5

      09f326448c37d99a61bb064e68ac6b94

    • SHA1

      bf9a4dd86d4dde46adf3cc5f24465d83ae13830a

    • SHA256

      76e2ce48705ffc8abf38619d1ecaddbcb3ff580ce829b7a472359651461312fb

    • SHA512

      859934c79cdfdaecffb60f51f64b95e6c674fb4fa970629455e6747777dc0ead612a43041fb6b11b4493dc920e609acfdf440fdde4a8e892c7ab4466b5eb3d17

    • SSDEEP

      24576:xQXTNIVyeNIVy2jU3NIVyeNIVy2jUQNIVyeNIVy2jU3NIVyeNIVy2jUO:sqyjByjUyjByjH

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe

    • Size

      2.1MB

    • MD5

      0a47e2885329b83d82525cb438e57f7e

    • SHA1

      29346b4b5fc87c307001673061149a0b87b56c5b

    • SHA256

      5d5e1582ff73932226faa633ebe171284d7f8ceef6642862e118ff377bd41b78

    • SHA512

      99dbf4cdb706849cafb7f30016ea0a3f9fff85b20e4813e92bad63d369d66231d59d7ca8220d361cf71baf1f22a2e67d09e442ee27627f30d80818d00cc6f595

    • SSDEEP

      49152:JEVUcGNLJpVCsGltfDZXUeSIo40DfOgBqT8kbrb41YM3wWOOEh/nFb:JE3GNmltKX4Of9BqT8Ob41YZW8/nFb

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      [DemonArchives]0d061414e840b27ea6109e573bd2165a.exe

    • Size

      3.6MB

    • MD5

      0d061414e840b27ea6109e573bd2165a

    • SHA1

      d6a3fe15975ae00c098cb8b68d17a9cc60cebbc3

    • SHA256

      8524bc4dd0f0c96a54ecd385715302cc4b96db96092321a568805728042368c1

    • SHA512

      34dec7f741fe2c75195660a0bd8f3d85dd62635e8176485bf909fb4b30452e79ab4da526aff09ed2f7738b94245b8c522e3132f8da7354c20aa33a22e5d67311

    • SSDEEP

      98304:QTdv1wdCKX41Kux8jFhUQcO5RfiEtybCFdgWRvjSP:QTdtwTIKuxAjf5Rf9tybCjXxQ

    Score
    1/10
    • Target

      [DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe

    • Size

      3.2MB

    • MD5

      1192a915b81f1f7878472391f42cb6c4

    • SHA1

      10f2bb56774a51fbfa63a41497757701690d2f2b

    • SHA256

      729b0354066516165ab1ca6e66e482e51dbbaa742ef22de1cadb2c32c6489249

    • SHA512

      aee8bf52fff61f4321fe3418ab3e36f52a51dee4fb52571eae2e7ae1ce35445e4d9c3dabb4859df20e007df556ccb0a4325705e40f166a176268debef1e6eda4

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQK:r56utgpPFotBER/mQK

    Score
    1/10
    • Target

      [DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe

    • Size

      3.2MB

    • MD5

      14049d0a3afad0faa21ab1fff2e417f3

    • SHA1

      327110d2fb2d0833ab5723c9b3657615bc39f2a2

    • SHA256

      ccf249dc0e5cb5877a315a8ae80c12f54e6e60fa12b4e4edcb18b290f1e6e116

    • SHA512

      177336d62b91263c93966782992acb96ecd4dd9dfff423a971b76c47c5a215985c73baa7bd0d1bcf8281b16625feabfd5b0e8da72adb0bb38db2b6c6befc051a

    • SSDEEP

      98304:+glBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:NlBFLPj3JStuv40ar7zrbDlsa2VIlPWH

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]149dd5469233f52aa4287362ce85b88f.exe

    • Size

      3.4MB

    • MD5

      149dd5469233f52aa4287362ce85b88f

    • SHA1

      76e400eeadc0a4b9718458c9bfec8c87805e08d6

    • SHA256

      f453ce19f0738e25b443590281a4efc2b7b3aad8d4c6e208cdd5dcde96e48b73

    • SHA512

      8b7b3fbef4fcefd78e501b0aeaee81f4c97958bdf6e25e2d4264cbc3bb95598291cb96cfbb20ce99144cb896233bfdb178d47f2eee9546b2f046a0d9231f52dc

    • SSDEEP

      98304:51g9hwiqxU9N+pPrHf5dqt03USyIFoCKu9gF7G0RPKnllYUugy:51g9hwiqxU9N+pPrHf5dqt03USyIFoCu

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe

    • Size

      3.4MB

    • MD5

      1df7772347bfd34ecb1685a1ba69c285

    • SHA1

      5d1cb39f45e16396c3b1a37689abd0ab05395c19

    • SHA256

      2982676319f7b1823cb9fe19c9092278ca1968d03f1d9002e5a042b3e5ef2d08

    • SHA512

      7a272dc329a5fe7ccb665cc9be8140333b8bf92a20a3615b14bc791edb5c2bbd7a984bb021cb679f857db2461df7579f21603bacc197326dcb699b003c48c6f5

    • SSDEEP

      98304:i0YVP91v92W805IPSOdKgzEoxr157JT6zPKnllYUugy:PQ91v92W805IPSOdKgzEoxr157JT6z6Y

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe

    • Size

      2.9MB

    • MD5

      1e0dc068677f96c9da7f43cf4d4acd92

    • SHA1

      3380fbe838c36e7934c827f5d124d54062d57d2c

    • SHA256

      fe2ee4ca2b7147816a8ff12129d5b57334fa6eb45e545ac6fc2f9bd4b7c618d1

    • SHA512

      a5469ad819002d28d588d1a62f869cefe19590432c7416170a19d5b4ed96b7f7867622d17ad5f31e61e959ea13fa98c4054158f5df9c87144d685e5e3a667ca2

    • SSDEEP

      49152:0R+xVzz7guptUHuMKmSFGUgAI3kgYEL8S28UReDZdUoB/oissH4Rn3r3ZxCgSfZr:/igt2u7FGP7Ic+eD3nBjnYRnnnqES

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Target

      [DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe

    • Size

      3.2MB

    • MD5

      1ee7f65b0c08c4ff7e1047c14851575b

    • SHA1

      4618734882bad9ad327ebd50ced94766714cd627

    • SHA256

      6a564c103937df452db9e5ad9d0b5ac1c6c49040a822e20491d3281fed7c667d

    • SHA512

      a1c750bd3274711d402c6b6ecec4e65ad3745d2487eb96f240b45dda5201bb7f08ca0a3d67ee5eeb20faf31f4c61cb79577074c06e48f9303a0614a7f758a513

    • SSDEEP

      98304:ZlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NTPYnllYUugy:ZlBFLPj3JStuv40ar7zrbDlsa2VIlPWI

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe

    • Size

      2.6MB

    • MD5

      1fa9dbcc19fb2ae5cd344f559e95b759

    • SHA1

      f13b4f9508a41bfb44e8df8cf1e5ad43b2df36cf

    • SHA256

      4ddb27297b45d0195877d13b68bbd36471be74f72e93fcddd7f92c9fba9e94c2

    • SHA512

      0fd4ce9f507cf431fc579c33c88a1779f2b2df7bb78781ac0282a9fab7313972af3f8991b69f753d232143a2cda81ff8aec3ba533c7e59b8a856b2c3b2079595

    • SSDEEP

      24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6L/:tl1vqjdPQRw/D4mizA0dizLrB51v6

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      [DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

    • Size

      2.5MB

    • MD5

      227f3ff19943a0e8c1b26a563246280f

    • SHA1

      fe1ac18c76386fc9ce0a6ff7e6514f1d03848d1b

    • SHA256

      7d10721692eb8300431b9c707bca16cf2de75990a6714172f7be096e5ebc666f

    • SHA512

      f359bbbb6c6a5dbeea4d871c446507775a94d11e00011cf240fbcb09966215e853ce655db25a188d3c790dc34c3b847c45df76e666083d35390be0f73561725f

    • SSDEEP

      24576:UVgsaDZgQjGkwlks/6HnEpFsaK2cWfVaw0HBFhWof/0o8:UVnaDZvjG0DnNaK2SQU0o

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe

    • Size

      3.2MB

    • MD5

      2353c3f467be78e36e934caf5f3c3b61

    • SHA1

      a70e019d5d6ff33803f313a057163f08a4aa6d80

    • SHA256

      c193a4570ffc3edd6762764d06225d56268367aa8ff0feb2f8d0f17f4ee16195

    • SHA512

      078a9b68dea33fe3848ad39a38b07f0a94a455add594ad615eee20270a862dae451073e724245d302f33e55675e5f81a439d2df2c7ee3120ac75be905d8ad9e2

    • SSDEEP

      98304:6lBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NTPKnllYUugy:6lBFLPj3JStuv40ar7zrbDlsa2VIlPW+

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]26add802e0e75416385317658b116216.exe

    • Size

      1.9MB

    • MD5

      26add802e0e75416385317658b116216

    • SHA1

      7d999a17e92439d8e73430ad6dc6ac0960f209b8

    • SHA256

      46ba5c1be77bbcaa2db4c6f43d62ed72ec6f122c109ae927632a7051751ec263

    • SHA512

      d0dc67d179f02b3cd133adf84ca560a3f2420f9303d5a60dcdb1028f101dca04408969eb36824b2f68fcd0b41b723f55849846473b98bdbaf06426b3e103e3f8

    • SSDEEP

      49152:paSHFaZRBEYyqmS2DiHPKQgmZUnaUgpC7jvha51N:paSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjY

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]2bf9e607accd325cfb734cd594b00723.exe

    • Size

      3.7MB

    • MD5

      2bf9e607accd325cfb734cd594b00723

    • SHA1

      e87b5b46ec69b4e69247d8a76216a5586e402dee

    • SHA256

      513a3fcd8bad4ba8d24ffcc09b97f3635c77cc02d6de8a0171a1cc51e5332942

    • SHA512

      b6b44019e354fb28e32a2609219d61d3870f6e86fb0eafc433a93f21bfc24a4314eb28e5c8391223641cf2c0a18f88045c55747147a7e359eaf009e34e4dcb5c

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2w:r56utgpPFotBER/mQ32w

    Score
    1/10
    • Target

      [DemonArchives]3825817f6028f26ff0b5cd748559286d.exe

    • Size

      2.5MB

    • MD5

      3825817f6028f26ff0b5cd748559286d

    • SHA1

      b6daaaac0bd28b11a8ff38aa446b131a0e2ec15b

    • SHA256

      570c04532b048842ba34ea751b9e584464103b77cf9fe3b9c4306477629e464a

    • SHA512

      1cc30a7e5add9ef0ac54ff6fc0847b79fcbc6e8b7e94540e10c4167ba05cf08b9e99f7c79794a9c6b803c8d8ce54246c60f976b103d94a105c0594c97eb200d7

    • SSDEEP

      49152:brhD5QMFJoa/PMG171WCwYU1tHbevvZ2P/huOiQ4LjwOb3dJSd8vr06:b55QTEPMGp0/huOiRLjwOb3dBb

    Score
    10/10
    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      [DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe

    • Size

      3.4MB

    • MD5

      3e70eabf850c2134ac1acd815a2a90af

    • SHA1

      d8f3401effa025db6c7e3851273f5ba22318fc06

    • SHA256

      eb9bd6bfab84ddc9a5bc60cd425608c2b8643895b5d5c033b94ab5082f94e4e7

    • SHA512

      70625fc637fd3e966a0b0de5c563d356e3bdf11f6af68d9574a7ac915450881bad50112e5a592d46e6aef7351258a75149e5a57145d0e48fb1e59a0571973048

    • SSDEEP

      98304:tVP91v92W805IPSOdKgzEoxr157JT6zPKnllYUugy:D91v92W805IPSOdKgzEoxr157JT6z6Y

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe

    • Size

      2.6MB

    • MD5

      41637d74a16e50cafe6cb72974a1cf5c

    • SHA1

      95b4811b5736d7cfba9c71936ecd300ac01336a2

    • SHA256

      9699dda8767ce5afbe2f0130b816b99cb3a35eb6654ab08af65c4c48d95a60c0

    • SHA512

      e6506e549d00cfcbc08e0625b22f3cfe4cd906b5a3750a45cc452918d8494909064534a796f9ff16ea892b6f45224fa50891709c81efc1a33ebe2ca1f0067885

    • SSDEEP

      24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ea:ObCjPKNqQEfsw43qtmVfq4r

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      [DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe

    • Size

      2.3MB

    • MD5

      42971155e95ad8ace7b6fc53d70fb952

    • SHA1

      ce4b54b604f7bbae2524bf53fef92c2f60f82656

    • SHA256

      e11d599fd72ad8e339c517202d97986b1c07af6444e1b4a0c7d89b7bbda937a1

    • SHA512

      8924d5a1fbbb364eaa39817250257ae71ad827d9995d49085e35140ab2346b8098db0e77163cc50a4946128351b32dd202881f55cb552985bc1c56f5082644cd

    • SSDEEP

      49152:icjGiCymFeMBTyRF2dEKsLkGrRsIKoeu8iKEZU+ToWdHK+jUdIGKuYzKZ:fjGi4EYVdyzuowSZjTo+HrLt

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      [DemonArchives]47522f57257b441811cf5f87c9118faf.exe

    • Size

      2.0MB

    • MD5

      47522f57257b441811cf5f87c9118faf

    • SHA1

      297ae8c514806fc2fcf3426a6d7070f90ea202b7

    • SHA256

      b71f4a6acf933f897aea0d03b7b65993cecc51bea0a4b1b199a3300cf6a043a4

    • SHA512

      8e27673a3e6541f3baa70bd619082dad99435c12519ce4ca9aee38a5b1eb7632d50d180bbdffd6b4f2830c323e454a069c31e244e193465405fbb3554e147d3e

    • SSDEEP

      24576:FatQDcLfDdGsJm1OVmfihmevP3r9jKB3nwPg:+QDcLPmA

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]4782545d269557614be88caef0383cfa.exe

    • Size

      3.6MB

    • MD5

      4782545d269557614be88caef0383cfa

    • SHA1

      10479d9441844be18d8245f263d2ab378ffc0ea5

    • SHA256

      2ccd6c32ea649fa786fa587381b5931e022b473e80612a675cdf716e517ddc23

    • SHA512

      85190663d6cf823bb3b1a01ba0bcbe71d349ee116e6dd3c858b18ba13272c8c86b113760fc6cfeb70509f16ad4447e1431aa021de19626eae6d927c7c0aa3fbf

    • SSDEEP

      24576:C66X1q5h3q5hkntq5hU6X1q5h3q5h52q5h3q5hL6X1q5h3q5hM5Dgq5h3q5hL6X3:P6Gn9646KI6BbazR0vD

    Score
    10/10
    • Adds autorun key to be loaded by Explorer.exe on startup

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe

    • Size

      3.7MB

    • MD5

      4bed82d2182d95951a4dd3b090868cf1

    • SHA1

      0f72d100c5030fae1258c9cde8a2b447dac50030

    • SHA256

      f92f9a9950c0af5708121ca2ae9f029844ca129ada544fb592cee918dea8a209

    • SHA512

      cedff70bbee2fc1f428f74676cde80e0b5b1846bfd19f9e411e10507c1f1b31458541fc1fea8cc631d716fdeaf7528158613f4a31c8b1b18a512b25d6b3966ad

    • SSDEEP

      98304:+R0pI/IQlUoMPdmpSpt4ADtnkgvNWlw6:+R0pIAQhMPdmC5n9klR

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe

    • Size

      2.3MB

    • MD5

      4c1ca9436c971190f7082f5c108a007b

    • SHA1

      a0470142078e03bf83169e552a64cfab44e78161

    • SHA256

      09e2c5ca4563ed428e6605eb913334e0d6b5d54a71a78430f7e2ab04ee019f18

    • SHA512

      c8cec318444354e8629d605f6848550aeceed2b1c20c5dc7c6dc0d0115b42a5d9925ae970e799c8c383ca48d71f3a7626196c21ed3b211d81a8216d601d58ef4

    • SSDEEP

      49152:VtRTbTA8wMrztXdpuBkGZ+PyZAsQmPrx7tAwi2x8xp:9bTA8wMrz9mBrZ+PxsQmPrx7ty2x8v

    Score
    10/10
    • Modifies WinLogon for persistence

    • Drops file in System32 directory

    • Target

      [DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe

    • Size

      2.6MB

    • MD5

      4fd60e9aed5ab9ed5326da37806b2502

    • SHA1

      bbffbcbceaf31eff56d803039219dd27582b87cc

    • SHA256

      f3815cc44c53d6a66adf4900df0a52cf3a7bbe2eafeb0f54ff2085b4f8705afe

    • SHA512

      00f1f034c709377f79a2940662064721b0f4e608f88bce3fc6b22296fe6ca2ca1b4cf445b98e3ed9ae269a53915e3d114051a4a26a0ddcce546344d37b946092

    • SSDEEP

      24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eu:ObCjPKNqQEfsw43qtmVfq4b

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      [DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe

    • Size

      3.6MB

    • MD5

      550ad0e50316dfca7c0bfd14f9060880

    • SHA1

      94c4c2f6b645b550ef1d2eb389da6dcb8fed3391

    • SHA256

      d7e184ac0de2497ec2cb431efb285fe2f22e5bb53ad18b8b3b267a17fd769104

    • SHA512

      2f6f77dca04efac8b63b3bc3d5c9d7202b43fc47efc7c7c3b0fd414f2f1bc4515c9141e1e3b199263537fc0c14abe070b6f844f124e7bfba06afae6a53795adb

    • SSDEEP

      49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2Sfc4vwEn:r56utgpPFotBER/mQG

    Score
    1/10
    • Target

      [DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe

    • Size

      1.9MB

    • MD5

      55a0c8c7e6c8b2be4ebd164d43e746c8

    • SHA1

      151a6ebb2706eef6cef9fbc51a5d959bb7b14cb0

    • SHA256

      d3bbd8f6427e98b303c5a447acc3a98d6229369d096fbb77609de87cdff88d63

    • SHA512

      db6f6beb20eb74b8da5e36e1758d8dde900eb1ce839ad4769691ef08f2e14b7f678530d306e14e123fa203eef6b373426445162b5c4ccb901dcd1e229ce2f098

    • SSDEEP

      49152:hE13D8c4GG/jfKCfGgv58UunQ7M+lFVhSekhg:0Ho/OKG2un9gFrSeL

    Score
    8/10
    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect upx themida blackmoon
Score
10/10

behavioral1

persistence
Score
10/10

behavioral2

persistence
Score
10/10

behavioral3

persistence
Score
10/10

behavioral4

Score
1/10

behavioral5

persistence privilege_escalation vmprotect
Score
8/10

behavioral6

persistence
Score
10/10

behavioral7

persistence
Score
10/10

behavioral8

persistence
Score
10/10

behavioral9

persistence spyware stealer upx
Score
8/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

persistence
Score
10/10

behavioral13

persistence
Score
10/10

behavioral14

persistence
Score
10/10

behavioral15

evasion persistence privilege_escalation themida trojan
Score
9/10

behavioral16

persistence
Score
10/10

behavioral17

Score
7/10

behavioral18

persistence
Score
10/10

behavioral19

persistence
Score
10/10

behavioral20

persistence
Score
10/10

behavioral21

Score
1/10

behavioral22

sality backdoor upx
Score
10/10

behavioral23

persistence
Score
10/10

behavioral24

collection discovery persistence spyware stealer upx
Score
10/10

behavioral25

privateloader redline risepro smokeloader horda backdoor infostealer loader persistence stealer trojan
Score
10/10

behavioral26

persistence
Score
10/10

behavioral27

persistence
Score
10/10

behavioral28

persistence
Score
7/10

behavioral29

persistence
Score
10/10

behavioral30

collection discovery persistence spyware stealer upx
Score
10/10

behavioral31

Score
1/10

behavioral32

persistence upx
Score
8/10