General

  • Target

    New folder (8).zip

  • Size

    21.0MB

  • Sample

    240731-my2qnayhnp

  • MD5

    35d55708eef9043a13ee72bef013bee4

  • SHA1

    523c2fd21756859226a5c27192f01a358d351bc9

  • SHA256

    9608129701213f7565040f385e8c263d0daaa01ce31dcc7f95a7584c7bf4ad44

  • SHA512

    d84a1e35e5830dd5bad6213696d868a593e54923234b9145d257863fd984ace92887b557d3e5d3a58cdcad698e2477313a2c80fd46697ec4e8fadd5fa6c7217a

  • SSDEEP

    393216:J0DMSfJRrD+sKqId0lWebF57QQ+u+FP8g8iO0BkE9UK/WpCvEuTX:aMe1+rqzPx+VFniK/WpCvESX

Malware Config

Extracted

Family

djvu

C2

http://jfus.top/nddddhsspen6/get.php

http://astdg.top/nddddhsspen6/get.php

http://jfes.top/nddddhsspen6/get.php

Attributes
  • extension

    .rejg

  • offline_id

    ffMYeEIl8VXTNtDFDB8XTask2PZgkOrOTmhHKet1

  • payload_url

    http://jfus.top/files/penelop/updatewin1.exe

    http://jfus.top/files/penelop/updatewin2.exe

    http://jfus.top/files/penelop/updatewin.exe

    http://jfus.top/files/penelop/3.exe

    http://jfus.top/files/penelop/4.exe

    http://jfus.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-t9u4WFnEtN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0295Sirj

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2


Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

23.106.122.139:443

Attributes
  • embedded_hash

    0FA95F120D6EB149A5D48E36BC76879D

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

trickbot

Version

100019

Botnet

rob129

C2


Attributes
  • autorun
    Name: pwgrabb
    Name: pwgrabc
ecc_pubkey.base64

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

icedid

Campaign

2539295706

C2

endofyour.ink

Extracted

Family

lokibot

C2

http://bouquetltd.xyz/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://kovachevpress.com/docsx/five/fre.php

Targets

    • Target

      3763170476b8a4c3cb592cbea6c4471ba2ea2463db9f7839fda502ef0a06b092.exe

    • Size

      831KB

    • MD5

      06cc2c58b35393afd830c6d37d22f4e2

    • SHA1

      f4abeeb4441b7842101c5f907881179cc938f9c7

    • SHA256

      3763170476b8a4c3cb592cbea6c4471ba2ea2463db9f7839fda502ef0a06b092

    • SHA512

      fc866e39af2d7ddde6e3d6ffd2935077ae20d407aea84ec2e3cfd80f4974719b042408bbc6b1a33b7ab25967119d482098c88f03e867cf9afc61e31d94d03f4c

    • SSDEEP

      12288:aw1CY4ZqwXfGMjsuTVr4Tyj0j2tVTmK0biPL5Gl4UoxLlmMCvbGu3XHMPm:CYuqwXTj/rky1tCiPL5GElmMwHsu

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      a00f9938052cd7987d8740671ba12f61cde995601edb75b63d7347e48b552bf5.exe

    • Size

      4.8MB

    • MD5

      1465bc7865deeee6741356446d2c0f20

    • SHA1

      cadc620129f0f6759fc683972030f927e622e6aa

    • SHA256

      a00f9938052cd7987d8740671ba12f61cde995601edb75b63d7347e48b552bf5

    • SHA512

      01133cd5397cfb54b242136d74e1fa37d51401c062d0b266162c27d4e3e10d7dcbabd53ff3c96984655185608b734d863803b00b821c58b7450858db2ad790b0

    • SSDEEP

      49152:9Khi5Oz2EvGudLBfcjaGmNKBx2DDPScALwzt8ngBBas20nRdXuS5g+Au8P:GyEvGudN2mNwd6baZMS+A/

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      a27aa292f9978f85dd0fcf599491efea6abf80223d4ce4baaf56789f870c9196.exe

    • Size

      288KB

    • MD5

      f32cb49ff554b7ef003605ac8b2f0227

    • SHA1

      79d24998d91d215f67552fe100deabbbe47cd59e

    • SHA256

      a27aa292f9978f85dd0fcf599491efea6abf80223d4ce4baaf56789f870c9196

    • SHA512

      c78dc5f89c2b32cb0887b7d55ab07c4f1c275b36f844d38e67abeb1613cddc0bf093d3521e5944aa873d4c20354391623e49226d2d5e729b323942f28677b034

    • SSDEEP

      3072:tJbvlzyr2Pp95wU+3J2foPh64t+daj9+lEjrDgV6Qk99qE7XAy:/v9I2hnw/3J2fEv+AZ+lsX

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

    • Target

      a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe

    • Size

      1.2MB

    • MD5

      351781e9708914f6ad166bb3b932ffe1

    • SHA1

      bce99eb27b677455ba33cd7d9fac544013be4efc

    • SHA256

      a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6

    • SHA512

      459c75ce17b642ad15ebf27378437a2af4318f7c77de92de7b6f9c86c91d842c47e27b29211f43c8fb7833800fd14a5126c40e23678960413da7cc99d1377cda

    • SSDEEP

      24576:ZBT1ZpcNUoktiPzcWgyuhpuwvq8qLduQgfbZi9jnv5Hz:D1ZpTUPohTvq8qLBgjZsjNz

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe

    • Size

      1.3MB

    • MD5

      ab514dc1ce046921ffd95c5c7797b496

    • SHA1

      4899afe80086a97c1825b37ae34e55af0945042b

    • SHA256

      b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4

    • SHA512

      171e9c2c86f3b899547513ce1e6a1aca827158975d587af103262f2610838cf893f7755d14d04b6bbcb17be290273331c35cb285315c224f2a92f9f22e6b9c7c

    • SSDEEP

      24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90I8Yls:OQLy3Z5ecmCMqhnllLNgIHjbiIb9O

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Executes dropped EXE

    • Adds Run key to start application

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Suspicious use of SetThreadContext

    • Target

      b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe

    • Size

      4.5MB

    • MD5

      57afe7c6eae81f93e3e6a085b6bd7961

    • SHA1

      6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6

    • SHA256

      b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

    • SHA512

      ebd7a6029b72385d1667fa1013241dfeac19fedf2ccf1303b22105126e5de490f39af4e5a2f3dbaba462b919560fb8a421f3228c49bfb8bc569d9f8c16c40665

    • SSDEEP

      98304:O/KyGgrf/TiG4GR0msmwCiYZHImJyS5qGWxpPr2C9rPZ:MZGgrf6GRFn3a/Sw7pPnrP

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      c0592acd4714d89c4f9e10ef0b2a9b4a7f0a445f24fb5212781fd47ca7d34dd2.exe

    • Size

      339KB

    • MD5

      2ddfb16e5ef63907a7c210ace44fb975

    • SHA1

      b73a8d82db903d029fbc4e679e5aac06058f88e2

    • SHA256

      c0592acd4714d89c4f9e10ef0b2a9b4a7f0a445f24fb5212781fd47ca7d34dd2

    • SHA512

      f12c43731682129626dcb8e1e2e2dbe05174207ecd1c507839f00bea21d88fbc128989e10c337776cb3527aca6687a78274a02f7581d5b6692f25e73212074f0

    • SSDEEP

      6144:hWG/GM9boN2yLkfhQ2ycl7T4WqClgUJYe1S33JFgqyIef2yhE:/N9kN2y52ycBTHgzR5FgtIC2yhE

    Score
    1/10
    • Target

      c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103.exe

    • Size

      818KB

    • MD5

      ae9a4663030ecd41b764cc839cb1e67f

    • SHA1

      370d203085ef0465a81bfb4c82d4019beecefb13

    • SHA256

      c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103

    • SHA512

      488f9e5146a12768b1b0f3297b5f8b7487d1f1aef2ba6fd9427ba873c7ab39e2ea34495b09bb458d7d395ccdc38d7cb9163740730026d82c7c52290e5007938a

    • SSDEEP

      12288:fl2fjVNefHfMxT3J6uUA0HdQrXZo3zJA0adehtX24kJwdoXhHNswzAHnFw7w/QnO:Yb8/fJAKkX6jJFa8tXTkJbSrFbEiR

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      c203192bf329f099fddebfc57a7a258b974550e0b51a81115c9980aff02fe6c1.exe

    • Size

      709KB

    • MD5

      ae6c8780931b088abe4f6a1fcd0c5510

    • SHA1

      fb349392eb590424bb48e5279bca264ea007312e

    • SHA256

      c203192bf329f099fddebfc57a7a258b974550e0b51a81115c9980aff02fe6c1

    • SHA512

      9752204938ad009ead5f0d9fd4a30145de0a997607c838cef2bb9df9cb9f614d0fd7ef39b7714ca0790ed1bec61b616c34f27723ce79a06c63839115549eb030

    • SSDEEP

      12288:tYv3bkaNR1J9ybToLdkMjJnL/MAp2k9U0mYZJH/C:S/guR1JYSvNLUtk9UpmY

    Score
    3/10
    • Target

      cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4.exe

    • Size

      327KB

    • MD5

      296474dfc42b6c053f354be7e1be151e

    • SHA1

      138ad810a0dfc8216ea5f71b1d2e00f667dc3b16

    • SHA256

      cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

    • SHA512

      d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

    • SSDEEP

      6144:R60vBQcV0PPspp3Ke/QVCY9/Ob9ho+JVxfTPAKxu9755fu2v4ibqXtWXC1:R7A8TJPNPp84NibIt1

    • Target

      d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17.exe

    • Size

      5.9MB

    • MD5

      de84d306ca9d35321f98a6d26fc35275

    • SHA1

      195fbff2221ada0100e794edfd9b93ad0c11ff59

    • SHA256

      d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17

    • SHA512

      ee500b459a0a15dad50e6c5d52854dffe79aac1c3da1dc504639fefc5c5b7005b9cd47422a3b16c20bf06a40619ff8cb883995e23d77b902dc242fc69d588c96

    • SSDEEP

      98304:IISMexDp8w3R+loGKSybggVzJwSvpHXMn4Wgi1I0y2qQ1:KHCy0IbvpH8nd91Xy2qU

    Score
    3/10
    • Target

      d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe

    • Size

      1.1MB

    • MD5

      5a4f537ffd75be93484d34543127898c

    • SHA1

      3b70254cce9cfcae221637c00610c6a7543f0272

    • SHA256

      d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74

    • SHA512

      871b2c0ab547ac8e8dd38f6500fd59a190cc04f53282a2eee77641d2e5139c9788aa40cd9dc4ae8bccfc2be04fadb7ce20f3f36592b660a404d93972d90c1a87

    • SSDEEP

      24576:wx4tQdKLXCSDZGQQi8h+GT7cVhn6hxEx1FATbticaqKd:wx4tx1oh+G7cv6hOSicaqe

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe

    • Size

      3KB

    • MD5

      172da997f8be4c8d0318a322c8ee806e

    • SHA1

      224d3e925800815e792af3a28f8d2dffb9c21e70

    • SHA256

      db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0

    • SHA512

      75e85d44f076dee7505389284609ab4b138d676d777e3ebfe37e11053b293b7f5d91cfb66a4304539fb41c91db74c79ec93d262cbe1e908ffd5f530be4475ca4

    Score
    3/10
    • Target

      df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0.exe

    • Size

      1.7MB

    • MD5

      5fc6c8be8a7b7e71f529c1cc118de457

    • SHA1

      7187578b50928cf0abfe29ba5d6046dbf784f23e

    • SHA256

      df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0

    • SHA512

      25be5dce7f39f4067e4ba20ff5f10462dd24baba60e76c764a0d5e69665d307f310d9b6c07e9c8046523979b6fbd55464497019522179c33ea2457f64d420569

    • SSDEEP

      49152:YzSJz8xNeu3kIamNwIIos8/OtH+b/pZb3:Ea4xAu0IaM5s8sH+b/

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Loads dropped DLL

    • Target

      e39833949c41ebb2bcc53a374f17491536b1dda70e53700b19fa53f04bf695ab.exe

    • Size

      364KB

    • MD5

      03328209b7e90eb369be9ea61e397fce

    • SHA1

      fb7832147581b7a0edd01db88bb381b028802eab

    • SHA256

      e39833949c41ebb2bcc53a374f17491536b1dda70e53700b19fa53f04bf695ab

    • SHA512

      560ecdedc039d4f261323f9985b49374075b065aa0448047c96fc59b0195b0a65ac3a008f21c3ec3c31c175de249ffa19d59f762264a9272eab3486e9bd874dd

    • SSDEEP

      6144:CB8ByNfLHaa7hrsFVgbtpGVeUQJIjuixao4JSNnSHC0GC:CB8sLzhOVgbtpCxuQJ6S6C0G

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Target

      e98170984c87aa1b92df230ef020557cad5afa4cf6815f7cbd764a70a1323b66.exe

    • Size

      179KB

    • MD5

      406c7180fdf423c0e99b72c45f175bf0

    • SHA1

      231c198e62a71120104351a7a18268f65c75ff3b

    • SHA256

      e98170984c87aa1b92df230ef020557cad5afa4cf6815f7cbd764a70a1323b66

    • SHA512

      12f0bd2f24c867c9af1a037349e40e59714e2f079d62d859930d7cbb64853f27e65026fff8ab129730f0834e1f707bdc8ed4fbe510fd2be11104e5866b6bfa95

    • SSDEEP

      3072:uq3W3hXSPA5aodE8pn6kTDnlBtx6Qg9+Fh3SslsR/dLcEZD6zi:uIuXSPA5aWpn6kTDnjzjFm/1Z+e

    Score
    1/10
    • Target

      ea2a2d0b594f527f391abdf595d5f93424d9121dc292ff458362bff765bff2cd.exe

    • Size

      244KB

    • MD5

      1f45148595dd5c401bc8c0d150a74cbc

    • SHA1

      a53b57b67512d4151c4a5d06dac512643da21be7

    • SHA256

      ea2a2d0b594f527f391abdf595d5f93424d9121dc292ff458362bff765bff2cd

    • SHA512

      c810db3b5dfa70f14425fb411c3bd35ad6c23d3fe3bcf03b604bf51033bf22aecba6bc61bd0ade06228b8b4c82d0a595e105a3ff3a3c2399a741c21c4c14906a

    • SSDEEP

      3072:/dTQbbg5wTza51NrtMTVG6WTvPhsZVggjcGkNIVqI/sxkgaBCh0pZa9uD6VdyhkZ:/hwT0jUVPVb7ITsqXigaXwVfZ

    • Target

      eaffdf51b17ef1b7b7bf01ab6e8c2dce61a3dbd875b368e06a6d3b95e100c6f1.exe

    • Size

      741KB

    • MD5

      ff37dbded7b1aca2b45edefa43c3a118

    • SHA1

      4d6134569c11ee02713d1b6cbb480951063c26d1

    • SHA256

      eaffdf51b17ef1b7b7bf01ab6e8c2dce61a3dbd875b368e06a6d3b95e100c6f1

    • SHA512

      71d7ba2a15196abc3ca0e6dfe088e4f921ef2b91f390042c2ac17fbbf817403160ae0c4e199ca829dc335c49dc2b9907ee10656f18a1c1c8e4acc0c541787160

    • SSDEEP

      12288:OYVkl4tUskGpkAQwC5ewwHnbb9gTn0RWNJ73rJVDkeKZm:OY64W9GpklwJbb+0RWNR7mZm

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      eda6bb813cee36866a58cc01b6c928484e8751e3c442ec9739f798aeb8e453f9.exe

    • Size

      1.2MB

    • MD5

      4526907573a050a8585a1cb03e926e81

    • SHA1

      e8992a283f9f37dec617b305db2790d9112d3a20

    • SHA256

      eda6bb813cee36866a58cc01b6c928484e8751e3c442ec9739f798aeb8e453f9

    • SHA512

      b359d4d4e2406f708ab728807e1f6ef2bfa1011a88c8878e67ccbd17f85a5e06c4db831c2d066dce51ab265ed15c9ad2461bfad17d7f60a25dc9dd818daa1d45

    • SSDEEP

      24576:ZD0Ejqw95oEKe3UyVlViimjKaH1S2uK7SPFL3EOGTWqG5QVEzAJ24GOy2i5b8+Dq:d0be3UyVlVFmjKaH1S237SPFL3EOGTWi

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Target

      f4f625c6ec130389122077c9650b1c195a7793a173a621416cea8622c14405fc.exe

    • Size

      232KB

    • MD5

      37b6a0a0b3ee21d33fcdd3cea388e67f

    • SHA1

      236eb8ab28cce563bcb05c38e051d418f237a725

    • SHA256

      f4f625c6ec130389122077c9650b1c195a7793a173a621416cea8622c14405fc

    • SHA512

      d3f087a9a1101d1450fc037be5debd9ef679ee8c3e93749e1d4b7dcba4a306bcf4e9c9a7dea7a3768f07f7b3534e84a5ccb9ed9bc13136370391859c26877447

    • SSDEEP

      3072:HGxKfv13piX2VAFNMxJcm9HqzniJNbIseUs/G5H+CNf4/AWaSkSJu98vd:Zv13pi0AFN0rEniJNbIseUsSIADG8el

    • Target

      f72762cd37962e6fc7a65ae4c414589694aef8794e6d1fa8060f270f069bf1ac.exe

    • Size

      361KB

    • MD5

      676eaaeafc78460c8df4076a0fa0ecca

    • SHA1

      0044164a395dc98db4f84b8b4dddd09523d6e3cb

    • SHA256

      f72762cd37962e6fc7a65ae4c414589694aef8794e6d1fa8060f270f069bf1ac

    • SHA512

      30ccd6e4907437d753bfbf69009103d213e18b34e082e48e16a1b202e6f8347e7b53d34ff66d432b8b17df04a249807bdd133fc935ad78ab5c26fda2dd3a2b03

    • SSDEEP

      6144:Q3R8WqcFhifodXpk5wkmyNkjsM5PRwQlRlZDYTVFEeBGtrDn0OH:Q3R8Wqczjk5aJ6ZBGtD00

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe

    • Size

      2KB

    • MD5

      0fd2355a4674cd4a70f9b1f422ab984c

    • SHA1

      d41bdbf1a226c4c9be075ae02f138de257a89d5b

    • SHA256

      fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2

    • SHA512

      69c87b9f0235f6850ff7463674fdeff0c7d20075e33efe3e6d960606d199ff3d6696e4523e658e003ecf80731d82b91d3264a7225ce59ef45cbc3476e46a89c6

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

djvu discovery persistence ransomware
Score
10/10

behavioral2

Score
6/10

behavioral3

lokibot agilenet discovery spyware stealer trojan
Score
10/10

behavioral4

discovery persistence
Score
8/10

behavioral5

trickbot banker defense_evasion discovery persistence trojan
Score
10/10

behavioral6

cryptbot credential_access discovery evasion spyware stealer
Score
10/10

behavioral7

Score
1/10

behavioral8

djvu discovery persistence ransomware
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

qakbot tr 1632730751 banker discovery evasion stealer trojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
8/10

behavioral13

discovery
Score
3/10

behavioral14

danabot 4 banker discovery trojan
Score
10/10

behavioral15

trickbot rob129 banker discovery trojan
Score
10/10

behavioral16

Score
1/10

behavioral17

smokeloader pub2 backdoor discovery trojan
Score
10/10

behavioral18

djvu discovery persistence ransomware
Score
10/10

behavioral19

icedid 2539295706 banker loader trojan
Score
10/10

behavioral20

smokeloader backdoor discovery trojan
Score
10/10

behavioral21

lokibot collection credential_access discovery spyware stealer trojan
Score
10/10

behavioral22

discovery
Score
3/10