Overview

overview

10

Static

static

10

0297bbb0f0...ee.exe

windows10-2004-x64

3

15aeb8380c...71.exe

windows10-2004-x64

10

1820a0542f...34.dll

windows10-2004-x64

10

1df11bc19a...ad.exe

windows10-2004-x64

7

22934e006b...e7.exe

windows10-2004-x64

3

24989d884f...b7.exe

windows10-2004-x64

10

2828fabf39...65.dll

windows10-2004-x64

1

32b0fbaf95...08.exe

windows10-2004-x64

10

4bf2dace8a...d7.exe

windows10-2004-x64

10

55d03f9954...44.dll

windows10-2004-x64

10

5e58e3818a...cb.exe

windows10-2004-x64

10

611cf2be67...47.exe

windows10-2004-x64

10

654e574fb4...01.exe

windows10-2004-x64

3

6f4ac0da34...a5.exe

windows10-2004-x64

9

7109e67cf6...58.exe

windows10-2004-x64

10

71e2483b2d...4e.dll

windows10-2004-x64

3

79fb1d00ef...00.exe

windows10-2004-x64

1

7ef9667e73...98.exe

windows10-2004-x64

1

8264e723a4...9d.exe

windows10-2004-x64

3

8427f4aaf2...96.exe

windows10-2004-x64

6

863c612734...af.exe

windows10-2004-x64

3

91eab57eaf...d8.exe

windows10-2004-x64

10

942263c895...38.exe

windows10-2004-x64

10

95193266e3...fc.exe

windows10-2004-x64

1

99db2e7287...4e.exe

windows10-2004-x64

10

Resubmissions

04-10-2024 16:44

241004-t8yv3syhpd 10

27-09-2024 16:54

240927-vepkzsvbre 10

27-09-2024 16:44

240927-t86wpavard 10

04-08-2024 18:04

240804-wnq1vawbpg 10

03-08-2024 17:26

240803-vzvbzazekn 10

03-08-2024 16:14

240803-tpp4tsshqa 10

03-08-2024 15:52

240803-tbarzsseqc 10

31-07-2024 19:40

240731-ydk3yszdpq 10

31-07-2024 10:53

240731-my145atfmf 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder (8).7z

  • Size

    17.6MB

  • Sample

    240731-my145atfmf

  • MD5

    be23bf21f50efe03646c00428769da08

  • SHA1

    588f68a1f66ee0c689104d9096415b9070838827

  • SHA256

    0e06e9585cc9db33ee999ca4de668ab64ef6e9fa928ae6541b2f1ec68ff09da8

  • SHA512

    b3850d8b79c88e5a1ac7d2855f5b03b08c3392629f041474a997f4c9d71e321c24b9a2c5dad79e8fa6a1bb94648a30808dfa37dbb61e1348fd221594beeda8aa

  • SSDEEP

    393216:gTZqJOaXIZoQGPISZpx/0iw+lT+6uxC2JxpG25Bbm:gsJd7ISLW+t+6mCOTdm

Score
10/10
danabotdjvuicedidlokibotsmokeloaderstormkittytrickbotwellmess26833085704top14816777478881910897067backdoorbankercollectioncredential_accessdiscoveryevasionloaderpersistenceprivilege_escalationransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

icedid

Botnet

2683308570

C2

funnymemos.shop

trythisshop.club

shopoholics.best

buytheone.best
Attributes
  • auth_var

    1

  • url_path

    /audio/

Extracted

Family

wellmess

C2

http://178.211.39.6:80

https://141.98.212.55:121
rsa_privkey.plain
rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

icedid

Campaign

1677747888

C2

jeliskvosh.com

Extracted

Family

lokibot

C2

http://becharnise.ir/fa11/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

trickbot

Version

100019

Botnet

top148

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Extracted

Family

icedid

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

http://asvb.top/nddddhsspen6/get.php
Attributes
  • extension

    .gujd

  • offline_id

    NcBG8wI6Q1WFhUNlCRyjmrWGeGew2vvCKtJgKot1

  • payload_url

    http://securebiz.org/dl/build2.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0316ewgfDd

rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.119.110.73:443

192.236.192.201:443
Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain
rsa_privkey.plain

Extracted

Family

icedid

Campaign

1910897067

C2

epicprotovir.download

Targets

    • Target

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee.exe

    • Size

      2KB

    • MD5

      4a6ac8d48c9793c0c852a6ac93ba2002

    • SHA1

      cdc7a9cf8ee36099c823779ac2dd8ffe3a84d723

    • SHA256

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee

    • SHA512

      3aacced9817519ae31ed2bc4cf4063b2eb0a1c9e9addbcb9e08b3431f519ca0a8a6a8962e1039835a48e50cb52cd08d21cad642a66822c288d2b0a88541c361e

    Score
    3/10
    discovery
    behavioral1

    • Target

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe

    • Size

      150KB

    • MD5

      022f5345cfab4ef75476ffc7f708fcfe

    • SHA1

      81802b0a5f738b7333a60eece96441c1bca19792

    • SHA256

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71

    • SHA512

      6595ef6e3e0b65afd0a4f7d5bd5650466a4299df8284180b48ff0e30a537a42616a98c530fa4d39fdbe30eb1cc6c72fd749a98551890a0b488f04fd164b49f53

    • SSDEEP

      1536:YyuipsAiJm4cJI7CweL+eX9kEnOCGzJoQL2VwEeYIsUE4KvVf+boJPtgm4qeYwqN:FlpYU6vqXRPE2VyYIsf4K9ffFSqe72

    Score
    10/10
    smokeloaderbackdoordiscoverytrojan
    behavioral2

    • Target

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34.exe

    • Size

      38KB

    • MD5

      a4017c06209e16b8f47fcf6e5845aba9

    • SHA1

      66d99a1cc92ed316e0d7a2ab6df466c289154ec3

    • SHA256

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34

    • SHA512

      52e4df915b3cb6eb60a3f37874b0d8a14646ffadb9aa621cf8ea3fb04b5cbb4250fb9cec3a2ed8722a7eae4b600836b5b7bf72e53e297e464fb844096a9b2f5e

    • SSDEEP

      768:tojIJWP0znqX60+KU6nCVUO2gTjZSXulSJ474fLv/zkSf2Vz:NnqXn+YoQ+lu474zo

    Score
    10/10
    icedid1910897067bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral3

    • Target

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad.exe

    • Size

      1.3MB

    • MD5

      9344afc63753cd5e2ee0ff9aed43dc56

    • SHA1

      ee1fa399ace734c33b77c62b6fb010219580448f

    • SHA256

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

    • SHA512

      6434c212a85180c1af00f5c5fa081a6a6ab66f5633edb74e130a7b9d754a6a65dc973f5e820f6f57a43956c276dbf3721021d1e9bb53fa79ac51ed8cb23f4090

    • SSDEEP

      24576:/U1v3pE+zO9mBt2bdm3EHVXkNA80Jl5IzCxWWDrSBkian7X5:/Qv74bdm3EHEA8UIzm8aj5

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral4

    • Target

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7.exe

    • Size

      2KB

    • MD5

      af8ae6c1f2859cc139cd176a6656a855

    • SHA1

      161e2d577b418eaa94bf1959a634956b75d7922b

    • SHA256

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7

    • SHA512

      a80672ea1f49ebaeaf5b850377ee346e7953bf6379a79db91b826ba2249a66424b0f1be189351dc86088ff9efd72142a46f6d4bff2c5dc7271a4db22c10bcd1e

    Score
    3/10
    discovery
    behavioral5

    • Target

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

    • Size

      1.2MB

    • MD5

      39ae3110dc8ee4239811f2a1083e675e

    • SHA1

      f235ea35b4a408a052ec5bc93310adb77b52ecbc

    • SHA256

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7

    • SHA512

      cee1b9804a3a3d4f033d8076f66ffd6021a0b017a7588b96749d319d382056847d26aedc2f1fa5b7140c01697407da3c2873d59c78044376b083bc8f0c8494ee

    • SSDEEP

      24576:aG4NAckBXt2Uj3WTNWIcXuDTPyYaOnuhZiOASiN0A:O0shOeDjzagumObiN

    Score
    10/10
    danabot4bankerdiscoverytrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot Loader Component

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral6

    • Target

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65.exe

    • Size

      179KB

    • MD5

      69828a3d5c60eb466c3a62f3389f6f87

    • SHA1

      7b9526f82448d0a1fb59a8125d1de55e3a166d72

    • SHA256

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65

    • SHA512

      ce8818f78b62453fb56fcaf98efa7bc52068f7ddf915e1df6841f33a39aff6bd7c60692af16ea361cdf15b3cc79787e4a39bb6648faffc3eaac10ce886b45d5f

    • SSDEEP

      3072:uq3W3hXSPA5aodE8pn6kTDnlBtx6Qg9+Fh3SslsR/dLcEZD6zs:uIuXSPA5aWpn6kTDnjzjFm/1Z+4

    Score
    1/10
    behavioral7

    • Target

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08.exe

    • Size

      844KB

    • MD5

      a6f049a056e37a65280ddfe17f689b50

    • SHA1

      479e08954d4d58b643ada84da280bd01c71e779a

    • SHA256

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08

    • SHA512

      f7effb9a12c0723ed336117e3399940d4fe9e3682eec18cdf19cf074dab27d2ce8b1c14d30f1e3e26b5883732f8b970477a32ca4c12fe36a8fa3bc452586511b

    • SSDEEP

      24576:40bAk9PkFMVNgsbj6d2dXrpcpZBWGyDs1lwBUeF:PEGNgsnHDIZB/yDseB

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7.exe

    • Size

      787KB

    • MD5

      0b862b9c889d4bdc6f0bac7d702d8753

    • SHA1

      fdc030df123e6e6a712cbc960a2e7c63266bf040

    • SHA256

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7

    • SHA512

      4f7284a625b4909f9a0d80023c1dbfe3ed2de8a14fdf9a5bd3687d7e2fb21e265ee6cca613e4e6c8cab35f806501b155e6ed70a11530eb1cc78dbc38b22d3e8b

    • SSDEEP

      24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA55fkcJinM0BI

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344.exe

    • Size

      231KB

    • MD5

      ee28a178e3aacfa1398ca74a9bc1822e

    • SHA1

      193bc249bac79c0a195e736c62de5ec16e5ef38d

    • SHA256

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344

    • SHA512

      3f0dbbbda0cba4a32fe49fd7941d3fa640a8b7aeec56a3f584d519593de68e4acf8036c651cd469e386a32c5465521035dccebb6f3732f7893be552803d48353

    • SSDEEP

      3072:ktkuGh43+xNkZ4I0+NFS1I74Y61cyJDz/+6BjbkJuWg349uoZaOG/mf3vfUgrfQj:FMZ4P+NEc4zYgV9QFhP0grf0dd

    Score
    10/10
    icedid1677747888bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral10

    • Target

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb.exe

    • Size

      865KB

    • MD5

      aeccd0447a233ab8f7de5d7df28e9331

    • SHA1

      c9dbaac42e30413f8cdb6ef09cf90ca75d0137a7

    • SHA256

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb

    • SHA512

      44bcb72760eacb7c69b30b2835043f11fa47e3c950afc795286317645d92925cc1c7884bd611b4f0df2b74750949401e377c6d4fe5741926a0f720ddf99ca40e

    • SSDEEP

      24576:EejP2Qq5NJf5osyeT2DiqkRD73mOcohh:/jYNp5PTZqkRn3mz

    Score
    10/10
    lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47.exe

    • Size

      280KB

    • MD5

      284b061036a1e367e41c00235d1b5e6f

    • SHA1

      f6277c4d7a39427e7c86a3f9040729d6b17aff65

    • SHA256

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47

    • SHA512

      21733f5d5953a07021536928842bce4be637235b7c1578fa0096c53a546614ecbc172f0e500fddf2611acd2dba94b13152fb1eff75efb0666342183c0f6627c6

    • SSDEEP

      6144:x6DKNllJ4Uc/gqXKq8+RigIWU+Ydm0UAtXbe9bu:sDKNlAUcBaq8+RnWm0UA9b

    Score
    10/10
    stormkittycredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral12

    • Target

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801.exe

    • Size

      8KB

    • MD5

      096a19cd1460c87f343444a4740327c2

    • SHA1

      0f55409dbc70927548c2d351185408f7615ee47c

    • SHA256

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801

    • SHA512

      259552c2bd72062aa531ea9dac59b6411b64d735c01197dbf0e2943cc8a9ddc37eb1e0be9f22118a48bead99f57a237f9bb986f8ceafc67ed463f9c00a6587bf

    • SSDEEP

      192:/G6OThBwj6k8TqLUh5wCb3py+g2O9Cung9C:/G9hNxh5Zp1i9Cun

    Score
    3/10
    discovery
    behavioral13

    • Target

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5.exe

    • Size

      3.0MB

    • MD5

      07ab47ba492cb4ce3b9255ecbfb543f7

    • SHA1

      b86f8aeddddd245f0198ad92ff6cee605cbe1d4e

    • SHA256

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5

    • SHA512

      0f161c751011070eca63baf0d544e35adfb7ae23c7bef6ef21684d93ee81d88fa0a83f5f1cc7be10e5a31c2012711298e599e4264d13f6607c9ce7abc8c5ad3a

    • SSDEEP

      49152:fb1ZTEb66GZQJAaYqh3owdV+xYtb/Khu0Ar51hRzEHgR8wfXhxld4sl9O3/TvHv0:5ZQ+6uQhYEom+mtkQ1hRwH2X9i/vFO

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral14

    • Target

      7109e67cf655b41ff88903bf1e70cc4efa3e537a38df7df90d8a3ff95c4cab58.exe

    • Size

      708KB

    • MD5

      6e9fa4e2f22ce3d1a0484820964ca208

    • SHA1

      6c5434cd4cc9305cdba85999f57df405d5a1dfa1

    • SHA256

      7109e67cf655b41ff88903bf1e70cc4efa3e537a38df7df90d8a3ff95c4cab58

    • SHA512

      5d0516f13c317290e94065da227a8fe93ddb79b7eb89a10e1515259dd48dc8736333ffc93fd458dfd96ef29ddf41a81dd1b135bdd313a41da3d43504b9b0c000

    • SSDEEP

      12288:VE3SNI+zn1K4hsDMsaoUqZQdfcYKKhTXYcGK:NNI+g4ZPWQCxKhTIC

    Score
    10/10
    trickbottop148bankerdiscoverytrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot
    behavioral15

    • Target

      71e2483b2d36765651132c9c1f935784a2008a91159b0ee3bbfb94193d0d644e.exe

    • Size

      402KB

    • MD5

      74d8ec87fcc6d4fb65dea95cbf0b7ed0

    • SHA1

      0907206e93cbf8492e673c59855965bb6bd9d6aa

    • SHA256

      71e2483b2d36765651132c9c1f935784a2008a91159b0ee3bbfb94193d0d644e

    • SHA512

      5fff54384cf81a4fb2b27b25bd574630b85dbf8d1b9a9f94188720e92ee3ba8e9ed0e921922e2bba29748a2d5892330faa3780595c6977ae645170e94fb5438b

    • SSDEEP

      6144:jI80K7rRaixyrkYTj4tO8eptRnyFWo2NZTLmdJdWqF83kdE0WPQ2:N0K7rRaUuTj/8eC6H8JZZdE3

    Score
    3/10
    discovery
    behavioral16

    • Target

      79fb1d00ef9d85e958a17fd331b23dec507e4f2e2c150fd580d0668b84d29d00.exe

    • Size

      5.9MB

    • MD5

      f97d9e4da358b905fb068bcc044573be

    • SHA1

      00905551c0db6102a02ae65c7e202b94e987cb86

    • SHA256

      79fb1d00ef9d85e958a17fd331b23dec507e4f2e2c150fd580d0668b84d29d00

    • SHA512

      4936ca488024d81f84192b8ab7bec4500eb4ef71d61d3e4862e8b140f9e887120c9d671882ed442cd1d7699fe4c1235ef90172c0d619be720ef24e842fa3cdc8

    • SSDEEP

      49152:7raLTtbKnm4Rqa1Dy1J9EJIaGNxRHxIZuDufzGo4Mrbf460DHVwggVJm4I6pMT63:Pal+FYa1KyJIaGNPRauDo5PA60tA6/i

    Score
    1/10
    behavioral17

    • Target

      7ef9667e73b84b6a031e28b6279e04cd8abe82d69cd836043a7cfe0978cb8a98.exe

    • Size

      2.3MB

    • MD5

      bd12b3601bd72416d9520e41963125ea

    • SHA1

      de0ce050117639effbce198f6e3d5f72c1978352

    • SHA256

      7ef9667e73b84b6a031e28b6279e04cd8abe82d69cd836043a7cfe0978cb8a98

    • SHA512

      999dafe0d27d36ddb36591563769a6ae0f7c17c4f1bb25bbe448e6c675639ecd67a3822c206e121bd552a90342e5d2c694a1548e8da840a8f27052e347816336

    • SSDEEP

      49152:kfn0QZ9e7GSUYBGE1siw4y9fvBfQZTowhO+8L0N:uHe7GH54yQVowh8L

    Score
    1/10
    behavioral18

    • Target

      8264e723a411381a9d837458ec39cbb36c8d582bcba14f7ed7fc45f8154c479d.exe

    • Size

      2KB

    • MD5

      6adff744d8522b6663dd71dcebc7f43e

    • SHA1

      8ebaedcd7e1b433bc1202ab6aafa5d1c9e7e492d

    • SHA256

      8264e723a411381a9d837458ec39cbb36c8d582bcba14f7ed7fc45f8154c479d

    • SHA512

      af43e11e159c0b34a61eed0f2b33c77974967a8c4237b935c19ea3b8286fdebfdf27f0b0f1ea1e64a835b753ed43e888b870c2f3c2352802486f7f4817f8f42c

    Score
    3/10
    discovery
    behavioral19

    • Target

      8427f4aaf255d36cf523ecd34f3023e23cb0ad1d5edacc5c96d1f70ff6b1b496.exe

    • Size

      856KB

    • MD5

      20bbb20ab9a373eb5134c977c7ffc05e

    • SHA1

      cff7c57d1eaf0730fd945501dd332dd8693605bb

    • SHA256

      8427f4aaf255d36cf523ecd34f3023e23cb0ad1d5edacc5c96d1f70ff6b1b496

    • SHA512

      fadd51df5524bc97e90e592107fa3a1d6f578e5534f9cf8b70b274651968525ee59b6ac647254c5123497fc889646ec5f228a49bd3e67fd73ecb4e68aabc38ae

    • SSDEEP

      24576:dAHnh+eWsN3skA4RV1Hom2KXMmHa8/bX5:8h+ZkldoPK8Ya81

    Score
    6/10
    discoverypersistence
    behavioral20

    • Target

      863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af.exe

    • Size

      3KB

    • MD5

      463127c9a2b5eb1bca799aced10e4954

    • SHA1

      df78c1cca98d6f260f744a2b0639e1fff1c11a5e

    • SHA256

      863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af

    • SHA512

      86c01a90941ad53e7d5c77b64c249bb0b4a69d9cc0f3e3971813464312a80ef6b06caef24cec9e9e194a25f0e667eafb445acbe9ce220830e4681312b498d9a4

    Score
    3/10
    discovery
    behavioral21

    • Target

      91eab57eaf00089ffd21329eb93e072c8eb7ed79e37c807f6db2859548c8b5d8.exe

    • Size

      3.6MB

    • MD5

      beef5daf51dadc2acdbccc37a73ccfec

    • SHA1

      1a49019a42f0a195828bf2a5e7b41013709cc8c9

    • SHA256

      91eab57eaf00089ffd21329eb93e072c8eb7ed79e37c807f6db2859548c8b5d8

    • SHA512

      f6021d968f28a2dbf25e58c0bd9b474662de542b9cdf9dc3454bc97ee30e23aa2bd754c455e6fc973f7cf4ead9ca5c9f186e0cb3f9f6dec1e2f9aa3b31f64580

    • SSDEEP

      98304:qbkDpLr5n9Ov7NCnsAAS7QG0owscxF7ZLN:q2pA7NksAASUqwsOLN

    Score
    10/10
    icedidstormkittybankercredential_accessdiscoveryevasionloaderspywarestealerthemidatrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • IcedID Second Stage Loader

      loader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral22

    • Target

      942263c89534d74459991db826caf2e9a187c074730f5c4f0f83f8c91e980e38.exe

    • Size

      732KB

    • MD5

      31b1fe0aacf5fcbced44e89252d1d4b8

    • SHA1

      3d56a02e23bbf2f6b3ac86db262391ccd2d06e5a

    • SHA256

      942263c89534d74459991db826caf2e9a187c074730f5c4f0f83f8c91e980e38

    • SHA512

      1b49741fab83d12bf0082c9ee070d999ab79860744322d755d7b5a53998ad6827d38306bb7d43763ae487ee64d451de5aec5aaab357422250174c4b8920add60

    • SSDEEP

      12288:UhR9WptAc/LnqJc0LYBlaql0OxymXkDptSwUlq1Y4I+hHfyc:u9gtAcWfLYbOcep+Uyc

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral23

    • Target

      95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc.exe

    • Size

      6.5MB

    • MD5

      d7817bc8fc539fba6388907223773546

    • SHA1

      505409528cec20ad4744513d83489b7025d23889

    • SHA256

      95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc

    • SHA512

      3f61fd9b1c534ad5a274d700e5ffcbd4901d1b449a49fb2f0c3b81aa0a997e9b6e2c77fa06470730bad3358f7be896a12dec5b6bab3b3a31e7a1d8907fb5e7eb

    • SSDEEP

      49152:D3/n2UcyKARqqRp+KrZs12ai17PgRNWPmfQpPmoFjPnMBFdk3Vk9WqWLNlBDszU:Lf2GTrRE4hPMopfMdk

    Score
    1/10
    behavioral24

    • Target

      99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e.exe

    • Size

      1.1MB

    • MD5

      18e0d922bead757af754e54cc744eaa0

    • SHA1

      22a03fbc28e0dadf13e1ace67109b1dc3e91d0f5

    • SHA256

      99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e

    • SHA512

      3f9d6ef04fbd56b1b26169c04f754ddca50f802e2dfbaa4344a82f6b724673de36c5b645ce97241eed35d5557ddaf27e20a7c699dfe1f3540010fe207df00f4f

    • SSDEEP

      24576:gQ8nt67av7QEet8tYFKOYZDcdW1PIe+W15X1d:4nt6+vUEetcC7Y5cdW1PIe+GZ

    Score
    10/10
    danabot4bankerdiscoverytrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot Loader Component

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

upxloader2683308570themidastormkittyicedidwellmess
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral3

icedid1910897067bankerloadertrojan
Score
10/10

behavioral4

upx
Score
7/10

behavioral5

discovery
Score
3/10

behavioral6

danabot4bankerdiscoverytrojan
Score
10/10

behavioral7

Score
1/10

behavioral8

djvudiscoverypersistenceransomware
Score
10/10

behavioral9

djvudiscoverypersistenceransomware
Score
10/10

behavioral10

icedid1677747888bankerloadertrojan
Score
10/10

behavioral11

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan
Score
10/10

behavioral12

stormkittycredential_accessdiscoverypersistenceprivilege_escalationspywarestealer
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discoveryevasionthemidatrojan
Score
9/10

behavioral15

trickbottop148bankerdiscoverytrojan
Score
10/10

behavioral16

discovery
Score
3/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

discovery
Score
3/10

behavioral20

discoverypersistence
Score
6/10

behavioral21

discovery
Score
3/10

behavioral22

icedidstormkittybankercredential_accessdiscoveryevasionloaderspywarestealerthemidatrojan
Score
10/10

behavioral23

djvudiscoverypersistenceransomware
Score
10/10

behavioral24

Score
1/10

behavioral25

danabot4bankerdiscoverytrojan
Score
10/10