General
-
Target
32x (2024-07-15).zip
-
Size
20.2MB
-
Sample
240715-kmwn6axfpr
-
MD5
05543d62dd8e652936165c212ca0980a
-
SHA1
f0c13e272c06cc945891d3508e341c1b5550a8e9
-
SHA256
bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf
-
SHA512
3cae5f69d3a7beffcb357b668b00a2223d3e616eb29564ed978138c80d9245af3ef77d78a86365039e745d430dac6d8e0a75d683c38f45024a6c9193bebc70ee
-
SSDEEP
393216:8rniuKDJ1KA/oaXpBbD3QRDqeyNrQ/MR50eaJ92Bc0bU4BVzjfBzGct9/ug5Hd3w:8rOJsA/dBb7Qg3rQ0Q0TUcBzj/ugNd3w
Malware Config
Extracted
stealc
hello
http://85.28.47.70
-
url_path
/570d5d5e8678366c.php
Extracted
xworm
schools-copper.gl.at.ply.gg:14154
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276
Extracted
redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi*https://steamcommunity.com/profiles/76561199038841443
Extracted
asyncrat
0.5.7B
Default
82.65.19.134:4443
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
remcos
RemoteHost
192.3.64.149:2888
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7Q1GRN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
Protocol: ftp- Host:
ftp.libreriagandhi.cl - Port:
21 - Username:
[email protected] - Password:
x6p2^m#1#~+O
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.libreriagandhi.cl - Port:
21 - Username:
[email protected] - Password:
x6p2^m#1#~+O
Extracted
smokeloader
pub1
Extracted
formbook
4.1
45er
depotpulsa.com
k2bilbao.online
bb4uoficial.com
rwc666.club
us-pservice.cyou
tricegottreats.com
zsystems.pro
qudouyin6.com
sfumaturedamore.net
pcetyy.icu
notbokin.online
beqprod.tech
flipbuilding.com
errormitigationzoo.com
zj5u603.xyz
jezzatravel.com
zmdniavysyi.shop
quinnsteele.com
522334.com
outdoorshopping.net
Extracted
stealc
default
http://85.28.47.101
-
url_path
/f3ee98d7eec07fb9.php
Targets
-
-
Target
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
-
Size
1.3MB
-
MD5
73d006e33d8eda033e684c07b15c53ad
-
SHA1
e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
-
SHA256
0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
-
SHA512
1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
-
SSDEEP
24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
-
Size
161KB
-
MD5
855da30648c0d4f4e2497470ece750bf
-
SHA1
4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a
-
SHA256
08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65
-
SHA512
948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393
-
SSDEEP
3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
-
Size
389KB
-
MD5
35a50d146a389289bf8cf8ae60c9e785
-
SHA1
eb94502d25789eb86dc160c2bc9be4b4a64131bd
-
SHA256
0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791
-
SHA512
9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada
-
SSDEEP
6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
-
Size
146KB
-
MD5
2357ecbcf3b566c76c839daf7ecf2681
-
SHA1
89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
-
SHA256
0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
-
SHA512
bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Score10/10-
Renames multiple (648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
-
Size
1.0MB
-
MD5
631e3c5465349fdfd6fc2fbe9c15cf65
-
SHA1
af9e5b3d8ca4b6c64b69876b9cad6a18476f0168
-
SHA256
25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f
-
SHA512
31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93
-
SSDEEP
24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
-
Size
338KB
-
MD5
6f1e400bcf79c773832b3ca2aab94d3d
-
SHA1
8a1724e7f0df1b8bb22413751908b76f72498121
-
SHA256
2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c
-
SHA512
2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a
-
SSDEEP
6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
-
Size
338KB
-
MD5
d5ad720fa67bbce2d11544ad3c211424
-
SHA1
e9f63402b2eaabbdcc6cb5ec95e328f9620cd170
-
SHA256
2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e
-
SHA512
d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6
-
SSDEEP
6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
-
Size
3.3MB
-
MD5
7cdff219ccaaa4c4d67448e9e812f2de
-
SHA1
a063103f177df84c90f0054d0f2adcae6f1885af
-
SHA256
39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82
-
SHA512
5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5
-
SSDEEP
49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T
Score10/10-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
-
Size
487KB
-
MD5
f451292bbe0b4c16d244c251105de16a
-
SHA1
a527d277ccc25ad97ae64fb76767f1e2cda66ff2
-
SHA256
3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a
-
SHA512
d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a
-
SSDEEP
6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
-
Size
731KB
-
MD5
bd1050f3642d22733a30cd101f591713
-
SHA1
5a6553bea21e2df2307ed5c843072bcb023566be
-
SHA256
3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
-
SHA512
6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883
-
SSDEEP
12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
-
Size
109KB
-
MD5
2da5e6b97759d3537cbd23e9fdb2b770
-
SHA1
cabbf38051fa6657e28a12dee92042e44d8b72cb
-
SHA256
4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5
-
SHA512
7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b
-
SSDEEP
1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
-
Size
1.2MB
-
MD5
dd831eb4a822421a497990d84a0fd578
-
SHA1
aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
-
SHA256
4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
-
SHA512
5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
-
SSDEEP
24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
-
Size
719KB
-
MD5
a7d3bd55656bdc04c270315d083b59c1
-
SHA1
a76453791867e4aaf4cd0551b70e52ced80b3fab
-
SHA256
5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33
-
SHA512
9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861
-
SSDEEP
12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
-
Size
765KB
-
MD5
a8e583583122cff4ea57a3062bb4aa3f
-
SHA1
b4a4bee8dbc966624f43273a500aa0ec1bbf1790
-
SHA256
68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
-
SHA512
3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
-
SSDEEP
12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
-
Size
2.1MB
-
MD5
ab6ca8e3d0c7967c6372a96334e6bb19
-
SHA1
58a2142787ffae164d4c78d97102ff652fecfc86
-
SHA256
6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5
-
SHA512
a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445
-
SSDEEP
49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17
Score7/10-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378.exe
-
Size
45KB
-
MD5
40d4750c85941ad0d82953d2804cc44b
-
SHA1
7df06a6ddef2b5a9bf627eec731420f72709d470
-
SHA256
7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378
-
SHA512
1f6206c82c01278a73c34cdb25027a822b4330629b5ff3c6da08b1102881a5adae99fd06aa1c3963a7c3a7a9321e450f57b3f789b023d9bb296005ef79315f98
-
SSDEEP
768:0uwCfTg46YbWUn8jjmo2qrrO5QyJ4PiNjPISzjbwgX3iRFwP+01tUbcRBDZqx:0uwCfTgp/2AO52iKS3b3XSRFwP+012bn
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
-
-
Target
1/752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe
-
Size
2.2MB
-
MD5
d35a5aff7f4b4a1d20e1495732c5ca6d
-
SHA1
0573b56a43102c893a2a6c0ef61b870b575aeb97
-
SHA256
752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060
-
SHA512
c49d69553aa6287cc50b2d1e94b2a56cddc8882a44dcf832ae9f93e2972d44908141da776b44569f84ed85aee187ad06fe19a0a2af8c2bc425d6146e75816f4e
-
SSDEEP
12288:In7kekBhy2rOJFoqTrlSwkm9mQ90zsx2Hgum4Ff8jbvTfI3:FU2cTTX9990Qx2bFFfGbvzI3
Score10/10-
UAC bypass
-
Windows security bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c.exe
-
Size
337KB
-
MD5
1aae19c81605bf0a5851e42e3574a83c
-
SHA1
ba91bcc371d24ba57458ba4a2aa82bc83447a129
-
SHA256
7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c
-
SHA512
8bcf76009e5503c598e2080dcfa9fb1e74783786dfc028ee4cbb066d79d2f4b22c9df962b6d89ea4429e23bccb9641574af3b03bc556d250295c236154b9dbc5
-
SSDEEP
3072:3i2YQ2pbPh1mJ8XrMg8Nwrppwbg0z3TH:38Q2pbJcJz/2Mgq3T
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
-
-
Target
1/97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84.exe
-
Size
778KB
-
MD5
2ad173552c56070abfeaf09f29b60269
-
SHA1
5bd937b54ee178da4928d489108dfa5638fd62af
-
SHA256
97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84
-
SHA512
a9cac300ade317a8f7b32c464ad2480fc6310bdc5bfad7d1e39daf959ee5052a6268cac2f1f28b98536146cd616a4b9d18225ab57fad18042f15be10a33c8a29
-
SSDEEP
12288:oLDlvpu2GkClIuRj26OQ4qAwWAMxB6PzNm0E7UHPkRdDTVVZ+ApP4C:EGkCxg6ONqvfzNm0EG8BxF4C
Score7/10-
Drops startup file
-
Executes dropped EXE
-
-
-
Target
1/a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
-
Size
1.2MB
-
MD5
81d3df03a7bfb9112626bdcedae6df90
-
SHA1
ba206887aa11de8e1b405e5a18bd04568e2b5693
-
SHA256
a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03
-
SHA512
7580b5dd5452afba147417685bf9d42816c7f32af9496e4f8dec519c0abbb9578206a5e432c1b884abaa0b9870c198b8d0c7d109b43590d95ea855bff6a59a13
-
SSDEEP
24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aLS2Sbly7TWEPje:ETvC/MTQYxsWR7aLS2dW
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
-
Size
5.7MB
-
MD5
40a22356fd06bc9a4fd4ddedf5286666
-
SHA1
32ee28a964557f6e1effd28ed8c91328e7698e23
-
SHA256
ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474
-
SHA512
d67256c51af065f58e7d037387cba7fdde6b55b0e10f24572bb039033a406450b079d32e62450570202305ffee2991b9c6fc74ce72bae48217c984c9cbcfeb97
-
SSDEEP
98304:NLIAMmuuNkfUo2EwVPBh4i02bt+xznOywv+r4oYIxu1i2e56SM2F9jE37HethOKd:WyNkfr29VPBhh0p5ngve4lIQe5UM9jqK
Score7/10-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
1/b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6.exe
-
Size
808KB
-
MD5
4ac882ebdbc1431cdd3ab45e1712ada1
-
SHA1
b871304fd060b700fd66ce0c87014ec955d12979
-
SHA256
b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
-
SHA512
f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98
-
SSDEEP
24576:65MOrT+F0sIE9JqsC6mVFyCsffzMS6pcsP9Qtce0TBs/lPsoCyEbDb7Br5oANn90:+bjnS
Score8/10-
Sets service image path in registry
-
-
-
Target
1/b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d.bat
-
Size
2KB
-
MD5
1f6a683461594803fd6dc17f376ca209
-
SHA1
82d0627379b0ff73279122bcf2d40db15eb83483
-
SHA256
b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d
-
SHA512
ceb192ba7afbd9c7308098abff5f83e824ca0d28c9077271abf6e048cc0f161d0db798fba5463d5598f1428e0505fa1a9dd0ae81e74f91abb8873c7693a7cc49
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd.exe
-
Size
759KB
-
MD5
3da3fb16927c47114ad0bb865c08467c
-
SHA1
b1d7037b0347bd9c8c215270166b0bcd46b8f8eb
-
SHA256
bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd
-
SHA512
7aa677f24ef99ca32ad114fe8b95a444716b37a27f40e67b76abeb124d6e0364206a1e2fa373f3792b4684fae479a66d9653d30e5bdfecf8889cbf70aa6e71ab
-
SSDEEP
12288:reUDWx2PQf9TtNBY2JgD9WFtJ0m1+Xeb4/E5xdHKcWA6H4J2jqo/ZoM7+SdvKWny:rzawM9TJY3MbJ1gXRUzHKJNH4wnxotc4
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
1/c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5.bat
-
Size
2KB
-
MD5
5617370486b7ded0ad8cf5ca9fc69e06
-
SHA1
3baa1dab061a9cb6a329dc72e3e35fa3829341fa
-
SHA256
c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5
-
SHA512
a4a5d99cf5d1b3bed3819f24d297f5283107880d5c51010a11aed2d5f4545d9f52c648fcbc3f6d884f71d1cc1217a67dbae722cfc36baa65d4ca0e0948163772
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97.exe
-
Size
541KB
-
MD5
fc55407cc82612103c5971dca1837d6b
-
SHA1
01efa90009900c64c846b7ac716dea3c5f97c4e8
-
SHA256
c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97
-
SHA512
08edfa8f06459ae170ea444664776e57836bd6142721d8df663776051c8c6dab98f7c8902848ed08e4311a858d95eb38d0df13208f8e0144a2fa9fa1a90c0240
-
SSDEEP
12288:WDkS/CNT9fM913qbLd+cUQj5X7JPKmdE9s4Jr:WDEc9tqb5akVPHE93N
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
-
-
Target
1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe
-
Size
691KB
-
MD5
c2ae4fdb661a151be4876289ed7f8261
-
SHA1
f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa
-
SHA256
d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0
-
SHA512
2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89
-
SSDEEP
12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0.exe
-
Size
34KB
-
MD5
19aff0a43f80919a6113020d3ff38300
-
SHA1
f0db6e0967c534fa0326c9db009d0f22e0112a6b
-
SHA256
de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0
-
SHA512
bbd6b4fdf3aea24aa66b6e17b778596c86260f76b7d0502fe5339dc198d30c4314d18eb8121ec07995ea86d461c9bf0985c436b3c65b0001b357305a1e457e27
-
SSDEEP
768:TLlw6CpA/0H9QoiMLD7aBzE/BMR35hUJtwjxI1VFA:TZMgu9QFM7x/BOpCExI7FA
Score1/10 -
-
-
Target
1/e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451.exe
-
Size
338KB
-
MD5
f5607d12bfd66fa6205cfd6b078e8080
-
SHA1
2c4f15f916b1dea8b76ebb06468e1700a2122b78
-
SHA256
e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451
-
SHA512
74df2af255a0d0e6802ab13ffa2f44b26ed11d2bd4388d7659214ab42c5daa2319e1a924af4e8418e294678ee27508e908ac43becc544a8a7fa05cfccb230e94
-
SSDEEP
6144:uwTSx/BpP+AegMMtRvu3LqBOkQWr3Yf0aldxZsakM2di8MEO:uJpP6gMEhEfjldxZei8MEO
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
1/f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4.bat
-
Size
2KB
-
MD5
e86739a5ddb407e0c60f9521728cf418
-
SHA1
b6e2b6c70f3b09f7c12b4d8a83563e79a1745a23
-
SHA256
f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4
-
SHA512
7d64d83aea215f0a0321d9d938c17bfcdcfa6d8f9c3aabce69067cdfffe1dbae0cc7da4425d5abfeee24cdf3efe0320df132a2c7564be80d30fc85eabad7434f
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
1/f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe
-
Size
146KB
-
MD5
314275168bf7958219662a242dbfe8a7
-
SHA1
d629032d9d8f491d133ee26a230c393335d7ad74
-
SHA256
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
-
SHA512
b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA
Score10/10-
Renames multiple (636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Scripting
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Accessibility Features
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Accessibility Features
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
8Scripting
1