General

  • Target

    CollabVM (FTP Partial).rar

  • Size

    78.8MB

  • Sample

    240704-wkvjvstcnc

  • MD5

    96d1b4d815e96b67b29d157715b3c074

  • SHA1

    ae3f969933414b5e901d1df5576c51ae47dc1af4

  • SHA256

    c8a496dcf94d5d246dec0747f139957709b63412f48d9a1591ca5e771a988636

  • SHA512

    ed5ce8952830e696a76583af4e4b5b685656fb13384b9e73774756774d08c1cb054a427cf6ce954cf28fb04ddf07279e95a22c9e37bb31ff7d12a703238ad4d5

  • SSDEEP

    1572864:po7MwiiwnO+khwOPqPACWqc+ZmdClkU6gyxXFaDrOegXCkgO/k/+WwOg:YMXZNOPqPQlCGnx1qrOegXdpk/+TOg

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

70.177.68.141:30005

127.0.0.1:30005

Mutex

6d38efcc-c3ca-4519-9a65-962ebb7a84ff

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2017-09-02T04:47:37.850801436Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data


  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    30005

  • default_group

    iC Scammer Baited

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6d38efcc-c3ca-4519-9a65-962ebb7a84ff

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    70.177.68.141

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.75.128:4444

Targets

    • Target

      7_zip_installer.exe

    • Size

      120KB

    • MD5

      6500ecbc6246ef726e41a910226eeb70

    • SHA1

      63a0db918620989f0520cdaca658c842d3449d4a

    • SHA256

      a95da033c563c411be8f49f91584e111e702d1221fdfc22d44dd12d5fe0ef934

    • SHA512

      4e5e1b20c8f62304816bf86c53568d0b97e06f82143e8b1020a404c4f2b46026894946b5075aa1b21dd124b96be692a2b0053229688ca2b1d7ac83acd2e1f65b

    • SSDEEP

      1536:j8mBfI1/Rx3iQDiA1lKFPqmg368mVFIN2CfLMERcu4CX/BSmnnnnnZ/ihnPOLvOV:jE70aPKY1ga2CfApEkmnnnnnZ/iUvV8

    Score
    8/10
    • Disables Task Manager via registry modification

    • Target

      CHOCORAT.exe

    • Size

      690KB

    • MD5

      01eb0af08528a0ea0e9497a3b6152e06

    • SHA1

      0ccc8c1d222c5b3975844155edebc34136704dbe

    • SHA256

      576e11eee6d61199ea29fbb0106867913c2e4f22822eb3806df3076ebd15f7d6

    • SHA512

      e30511c2c8fad9cb39ff43c6021ca8b0136c27bf1b0c08d5dad2b37e5268373b371a2965cab9cd86530a41862988b21aa28fc28ed201bf07c95012c5121f976c

    • SSDEEP

      6144:CaaXMzUmOZoq2ZeiOwAbPQiMtCNeI8MyllmjbO:Rachq1wcQPtzM6snO

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ChrisMessage.exe

    • Size

      522KB

    • MD5

      93d9cb69f5aa657a50540a188af1df96

    • SHA1

      52e91f10558fca335e36cf4495cbac9be4cc8723

    • SHA256

      754634f783c063e33abefeb2c231bd1450d853dbddc918f54946341ca56a8d8e

    • SHA512

      d7a02562a26529d53cd7b1b3610fb36bbd210fda429b3e601fb1cec62a490d1a76fc511292f4368f8e437776006f2e693b64ae80d09b164fb6ed0982038c77f2

    • SSDEEP

      12288:rbK/wwCN1SYuDyPPhwvowtQjhdOcOSqo2NxNA9K:rAwtDSTahwgwtLcO7o8xNA9K

    Score
    1/10
    • Target

      Free Porn.exe

    • Size

      12KB

    • MD5

      137860d1b5feb9398ab44431f89d91cb

    • SHA1

      456279aefa02cc3eaac1e2bd6534e86742608da5

    • SHA256

      fe625188da34d9b6551ce1c34627cefd1a3e4da78f1dacc9442d04bd0ea944b0

    • SHA512

      058466f7d3604df1e01f5a4e89402582091fb30225bb7a004b8bd1b89adcc17d3321be273378aba8fe44faf09b7846706ff6be9de635c95b3db4f85934e812eb

    • SSDEEP

      48:KrMqTVH79ACs5jJLIb3zPlRVCyXLhG7erSRycGaPqw0+EvWK2:kMGVw3eD1EeGRBDE92

    Score
    1/10
    • Target

      Gay Porn Mailer.exe

    • Size

      20KB

    • MD5

      4b3bf38438172474c9b3e3096d572282

    • SHA1

      e127f1217d0fd39ee1c6f8d40aa6a3fb480a4845

    • SHA256

      ae23c8ef1b6f0106c344867ca48101e1c94834e4e2b667879eb99aef0e4cbcf1

    • SHA512

      37f31c756ecaf70fb3a8a82ed7bb5e6779534e4003c6c30d93efcc33fd3d2d5c9085c0741ce6e63249029b8b7923ca490507ae881afa9e1d975af781485c1d2b

    • SSDEEP

      192:lS7AyNUDyW/MyTqVLEBFvchOIPxlflID94/mZEE:UNTSRaL6vcPPxlflID94/yP

    Score
    1/10
    • Target

      GottaWork.exe

    • Size

      768KB

    • MD5

      cf82dbe41481472594ae9420f622cc0f

    • SHA1

      9e98c8ad6d5d7a804cec2a15a8c9b4a830d59e90

    • SHA256

      f511e2862b0aa03dc74abd4babdb7b17ed0c447e8d8e249b8d1a48db27dbbea7

    • SHA512

      2fdd1b47329a7c63a6f6b75c98227bb7d6226fe3959179a1dd474c960fee3de9c2361ddf82b412ef01b5cb63e26796dc7e3db95ae6d44a853f302209bb6582fa

    • SSDEEP

      12288:AfAVutoEzPRxyjqu7dG1lFlWcYT70pxnnaaoawG3ssPeOCPrZNrI0AilFEvxHvB4:cfM4MROxnFl3ssPeXrZlI0AilFEvxHK

    Score
    1/10
    • Target

      PleaseWork.exe

    • Size

      768KB

    • MD5

      7ecfc33112992eed678a27c38ea2d6c2

    • SHA1

      85e3668a1e4ca0497d97344a10eeefad59e45a20

    • SHA256

      07df9e00f1228a1c7dc61ba6767fb7e04ed21242e6fd9690c7cb268bff22c162

    • SHA512

      6e75f687cae62a0c52352570e3ca401398e28b127190734ca3befecf62cde468bfe969ebfc6e8d5b29d8d35abad5d7123679fc4305c1d78badc4c9c302e9a765

    • SSDEEP

      12288:pfAVutoEzPRxyjqu7dG1lFlWcYT70pxnnaaoawG3ssPeOC2rZNrI0AilFEvxHvB4:zfM4MROxnFl3ssPe+rZlI0AilFEvxHK

    Score
    1/10
    • Target

      THING.EXE

    • Size

      58.9MB

    • MD5

      0f7b5b1d8676a68d60371c9c79f5e8de

    • SHA1

      a07aa8146600e092c9cf90dba10e3ad822689329

    • SHA256

      2b8024b6eb8f088dd539b4cea48765e5efb7a7f70708334b3172e54359c28437

    • SHA512

      49d56ec265980728583813f641b1b3bdc2efa60060011348cf0e7942a4e1e2ac3006ecaf82e755ac3960275d767a53a3e01d9521bafc979c8caaa47db5ecea37

    • SSDEEP

      1572864:R4AVBjIQSzQe3cf7xOCHKYrLn+XxdjrALIjOqWY99n5o+tEeE:RJVBIbzQe3u7KYrCDS9299n573E

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Technoturnover's RAT.exe

    • Size

      6.5MB

    • MD5

      ab8dd193d1279b0e39abc21a372c475b

    • SHA1

      b465fcd3c81cd130868b4dda5ea2247306c9fa3b

    • SHA256

      c6e2f465f16efbabd1a78b2b1edcc164e09c24557e25b07975d9da91c2592add

    • SHA512

      dd15bd4f3da2ac6266b3ea8ed866afaf2831cc73c8c56ec0d55c0415d1c6edfb1d8a15e022b902d9ce14df26790bddfb384b5b812e6f67b6ba95d1b0b82722fb

    • SSDEEP

      196608:HW6b7+e6aPh7zSPmU4XpPslhVj7Z5XxHKbwqQ:tb7d57zSPT49slZqE

    Score
    1/10
    • Target

      Verified by Visa.exe

    • Size

      203KB

    • MD5

      317acdfc40a1101e24581e36cbedf08b

    • SHA1

      18a4e6f44f5e40602e9a667ee0563ee344858c16

    • SHA256

      05e59171a19c97bf2fa9dead4de20645fc41cf9fcbd59fc014cdc7a571c185d3

    • SHA512

      5edaa32431dee3dc02c1d3b559ecc6984258876e9307bbaf367c9b1fb80fefee2ba11d46f6f1bedc9aee2481a0d8b904b6e66f909d759b50b94d3a8d05cf4c52

    • SSDEEP

      6144:ULV6Bta6dtJmakIM5+72k3q7jrVGxP23GqRNL:ULV6BtpmkPq7jRKP23XL

    • Target

      abwsx1.exe

    • Size

      2.1MB

    • MD5

      ee2a9d044a6a108da64db29a4056c4fb

    • SHA1

      1da144f56f10697cf258fb1a52cea29e5ccf7c8e

    • SHA256

      349fb7ff31d01e246881dd9b269b54c07ade4fa288b8c29965c5186311a49684

    • SHA512

      f67d973de3224b6319f485db9fe53d2552b9a56b47643dd1d8816fbe2973974f3132210a6c09f880fa444eec28308d8bd0c04c10cbec8d2438438669270165a1

    • SSDEEP

      49152:7PiViEE2f7RtawbEfpzYqCfzfNKoFUP8lDrD3GDUgS5:G8D237SM9eElCDjS5

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      eee.exe

    • Size

      3KB

    • MD5

      7423bea3e3909868bfac4a3470f7b1d0

    • SHA1

      896028e56556dfc44e9acb8a543cbd097afe9c0a

    • SHA256

      cd2ebff97713b069c0c39a5cd482be2d0e4546b68da718000a8353025ffe45e5

    • SHA512

      44578fcc34f0e2fae17aa2b7eb1b37cdd7ce1283dbfbac18061284ea9058d3adf80e754d1644c3ce70371d9dd1e422b4143c467c0ab8b769bc8043e2dd024654

    Score
    1/10
    • Target

      hypno.exe

    • Size

      867KB

    • MD5

      d5b1d3d2b7a94a95ae09f5e25e3fdc28

    • SHA1

      9c6aed952277f1b0d5b8a95233326988442f2ed9

    • SHA256

      9a1cba95c631ba10afe33167928ccdaf2f8cde644d79212d36e63a815d711c8a

    • SHA512

      0a282ed2b893569233f72d93f78168749959df577bb84e326ce3596a87ba25a6107b8c39070699628c7a403a3094daa573d27e9b5dd540db095640b84940dccf

    • SSDEEP

      12288:DMYB9oY6c8IJpFL4KDESOsm0cVIgCJD1rTL:DMYzQczN4KDESPm0gIXDJTL

    Score
    8/10
    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      mbam-setup-1.75.0.1300.exe

    • Size

      9.8MB

    • MD5

      683fdd3d773c58b262dc07cd0c6ce938

    • SHA1

      d0bc40ebc2a60e259aff000acc025f68ef62da7d

    • SHA256

      7efac5a2df9effd2b26de68163ad872d138082512d4403bbf1e1103722bb17bc

    • SHA512

      b608da4e3dd2bc45bcc5ae84b7989e1ca8b7f05262418be1a04d70af5be7561835a3b897e21911678ab4c7e2de88891b235ce163c947ce71f227479539fcd2cf

    • SSDEEP

      196608:5q5r20GmfsK9aoDKlE5xiKEsP/GfvUhWhyyvJ9ryBvX5NV3:52TGmxIKKKjivjv/hlh8vpP

    • Drops file in Drivers directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      molesto.exe

    • Size

      253KB

    • MD5

      8b212a3d1b33635777e14cfb64f9707a

    • SHA1

      40607d6a34a4c99f907c3f0823fb08b103dd49ae

    • SHA256

      ae02f370c8fea8bf69779fc3fe485a3286e0596c0a92ca2ce7839cfd84fcd7c0

    • SHA512

      d62470ca0be97e19cba79464ae6adff957665823f05991e5df41bc753db104a607a22d61d5c70d784f4308c6e4803470e755f8630a052d82d5a7e9105547dea8

    • SSDEEP

      6144:wOpE+siBjkvY1Vs09SV2vnX14RaIH+v547IUBU93u1eiqe:wOkiBjkA1VsyRvnXMHoS7Ifedl

    Score
    1/10
    • Target

      runme.exe

    • Size

      100KB

    • MD5

      b0feccddd78039aed7f1d68dae4d73d3

    • SHA1

      8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

    • SHA256

      5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

    • SHA512

      b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

    • SSDEEP

      1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g

    Score
    7/10
    • Modifies system executable filetype association

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      setup.exe

    • Size

      7KB

    • MD5

      0b2808cbee4dc69262d8f665c03ad4c3

    • SHA1

      3db12c02b5ed3feaa0cae60189bad7d41f463c60

    • SHA256

      a7b8028746ec3702a243c8d11a227f22c57b113efe26e735558ad510ed1feb7f

    • SHA512

      87eb12c4b7e3428a9f51b79db89b5553a05dd51886d634d32d031f31208fef81a39de5419b42362a8c229da082088996b2ad7323508039160fb72fab80b2e969

    • SSDEEP

      192:ILjeoldaLiN+pSiSSa/VunlYJLLLTeHEdqHJ:ILjFdaLiwSSChPLTeHzH

    Score
    3/10
    • Target

      sevgi.exe

    • Size

      389KB

    • MD5

      fee5f4cdd13ee7de37c507dc91c9e5bd

    • SHA1

      2b467b9b303a3de6eca5d8c74eb98eed23005b3a

    • SHA256

      d3d104146925611647eacccfc47196c953847c094541db268bde078dba063dd6

    • SHA512

      2098edca042403cfa849c45233f868470cfc90fe84f563ff2ac8853a3d763680798c4d4229594b97febcc415162bd29be5bdfb1a4e72a0e057d11ca3946fe02e

    • SSDEEP

      6144:NSxmRtRSaY4CHNRnjzyy/hzRMfa2sjQrFJMUOfwJSB9qbhWh:NSxmRthTwn1vMjZrFWtwJSca

    Score
    6/10
    • Target

      shrek.exe

    • Size

      1.3MB

    • MD5

      95462c3241a0da037ed1dddfbefb3212

    • SHA1

      2fc2bdbb697e8738fd8e310868fc7f10efcadd31

    • SHA256

      24cb8619b1e699e2a85aba8d2690e5649e9de525f7967676823f397c9c8e5da8

    • SHA512

      8deafbce2397061abfa73c70b4be0c96d5cddf7d43cfedd86f6a3539d260548207db21b9b55c6bbdce9fc4902e8ab5e1f383f0285b0a66fb7360d6d5adf9e1d7

    • SSDEEP

      24576:ICdxte/80jYLT3U1jfsWarVlDuNb+5KpcFaQ:Bw80cTsjkWarXuNbKD

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      upnp.exe

    • Size

      12KB

    • MD5

      13804f8dc4e72ba103d5e34de895c9db

    • SHA1

      03d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5

    • SHA256

      da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6

    • SHA512

      9abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652

    • SSDEEP

      192:NfPZyzqwizgU1sxCa49gqiVpEu6Tg/g7mj2D4VClx1RZ2UHnpoDkBTVh:N3Zyz8gCda49gTFJ/g7mY2CLtHnCDk/

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      virus.exe

    • Size

      72KB

    • MD5

      f6059fd02286a28725bbf32da112096c

    • SHA1

      9b7d4c3ef9d2a0feb11ad6389000fee0eecd5275

    • SHA256

      628271669a0d2d8579cbe23128e1df7bcfa52f791f8caa597236a6bb031a6233

    • SHA512

      0f5d3307a7122a345a5e4fc1e386523bb4b9a348cf39f28942bcbb1a9765847ddc9ff6dd54c8c3e5852314f9dfd02b199115511e7a310dd79c1811651fd348f8

    • SSDEEP

      1536:IteXQFYyXi4XYcFyaV8bK+vmO6V1eVOMb+KR0Nc8QsJq39:AeAnXXY28bCJwOe0Nc8QsC9

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Target

      vmdestroyer.exe

    • Size

      723KB

    • MD5

      de7a4bbcaa7cfd08acc6868c59a11577

    • SHA1

      ef84be5b53a77fd9bb8ab5d000f72f8c9c0a7291

    • SHA256

      16636e50367a0ec90607ba0d1bccc31c08b9dc4cd104c1a77982a201b4d135e7

    • SHA512

      e7272017c817ac8aa1c6aa87261d571ded274aea4f0550264eda7f10a1681a0300b61420f3c3b549fec564b707f3a86122e38941690d99fa26c16c6e351ed00b

    • SSDEEP

      12288:JozGdX0M4ornOmZIzfMwHHQmRROXKTHVVlXPmu5OA4Kp:J4GHnhIzOaZVloA4Kp

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scheduled Task/Job (1) T1053

    • Scheduled Task (1) T1053.005

Persistence

  • Boot or Logon Autostart Execution (6) T1547

    • Registry Run Keys / Startup Folder (6) T1547.001

  • Scheduled Task/Job (1) T1053

    • Scheduled Task (1) T1053.005

  • Event Triggered Execution (2) T1546

    • Change Default File Association (1) T1546.001

    • Component Object Model Hijacking (1) T1546.015

Privilege Escalation

  • Boot or Logon Autostart Execution (6) T1547

    • Registry Run Keys / Startup Folder (6) T1547.001

  • Scheduled Task/Job (1) T1053

    • Scheduled Task (1) T1053.005

  • Event Triggered Execution (2) T1546

    • Change Default File Association (1) T1546.001

    • Component Object Model Hijacking (1) T1546.015

Defense Evasion

  • Modify Registry (10) T1112

Credential Access

  • Unsecured Credentials (1) T1552

    • Credentials In Files (1) T1552.001

Discovery

  • System Information Discovery (11) T1082

  • Query Registry (5) T1012

  • Peripheral Device Discovery (2) T1120

Collection

  • Data from Local System (1) T1005

Tasks

static1

upx, quasar, orcus, nanocore, metasploit
Score
10/10

behavioral1

evasion
Score
8/10

behavioral2

quasar, persistence, spyware, trojan
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
7/10

behavioral9

Score
1/10

behavioral10

nanocore, evasion, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral11

discovery, persistence
Score
7/10

behavioral12

Score
1/10

behavioral13

Score
8/10

behavioral14

discovery, persistence, privilege_escalation, spyware, stealer
Score
8/10

behavioral15

Score
1/10

behavioral16

persistence
Score
7/10

behavioral17

Score
3/10

behavioral18

persistence
Score
6/10

behavioral19

Score
8/10

behavioral20

upx
Score
7/10

behavioral21

metasploit, backdoor, trojan
Score
10/10

behavioral22

upx
Score
7/10