Overview

overview

10

Static

static

10

0297bbb0f0...ee.exe

windows10-1703-x64

3

15aeb8380c...71.exe

windows10-1703-x64

10

1820a0542f...34.dll

windows10-1703-x64

10

1df11bc19a...ad.exe

windows10-1703-x64

7

22934e006b...e7.exe

windows10-1703-x64

3

24989d884f...b7.exe

windows10-1703-x64

10

2828fabf39...65.dll

windows10-1703-x64

1

32b0fbaf95...08.exe

windows10-1703-x64

10

4bf2dace8a...d7.exe

windows10-1703-x64

10

55d03f9954...44.dll

windows10-1703-x64

10

5e58e3818a...cb.exe

windows10-1703-x64

10

611cf2be67...47.exe

windows10-1703-x64

10

654e574fb4...01.exe

windows10-1703-x64

3

6f4ac0da34...a5.exe

windows10-1703-x64

9

$PLUGINSDI...em.dll

windows10-1703-x64

3

$PLUGINSDIR/UAC.dll

windows10-1703-x64

3

$PLUGINSDI...fo.dll

windows10-1703-x64

3

$PLUGINSDI...gs.dll

windows10-1703-x64

3

$PROGRAMFI...it.dll

windows10-1703-x64

3

$PROGRAMFI...ge.dll

windows10-1703-x64

3

$PROGRAMFI...er.dll

windows10-1703-x64

3

7109e67cf6...58.exe

windows10-1703-x64

10

71e2483b2d...4e.dll

windows10-1703-x64

10

79fb1d00ef...00.exe

windows10-1703-x64

1

7ef9667e73...98.exe

windows10-1703-x64

1

8264e723a4...9d.exe

windows10-1703-x64

3

8427f4aaf2...96.exe

windows10-1703-x64

6

863c612734...af.exe

windows10-1703-x64

3

91eab57eaf...d8.exe

windows10-1703-x64

10

942263c895...38.exe

windows10-1703-x64

10

95193266e3...fc.exe

windows10-1703-x64

1

99db2e7287...4e.exe

windows10-1703-x64

10

Resubmissions

04-10-2024 16:44

241004-t8yv3syhpd 10

27-09-2024 16:54

240927-vepkzsvbre 10

27-09-2024 16:44

240927-t86wpavard 10

04-08-2024 18:04

240804-wnq1vawbpg 10

03-08-2024 17:26

240803-vzvbzazekn 10

03-08-2024 16:14

240803-tpp4tsshqa 10

03-08-2024 15:52

240803-tbarzsseqc 10

31-07-2024 19:40

240731-ydk3yszdpq 10

31-07-2024 10:53

240731-my145atfmf 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder (8).7z

  • Size

    17.6MB

  • Sample

    240731-ydk3yszdpq

  • MD5

    be23bf21f50efe03646c00428769da08

  • SHA1

    588f68a1f66ee0c689104d9096415b9070838827

  • SHA256

    0e06e9585cc9db33ee999ca4de668ab64ef6e9fa928ae6541b2f1ec68ff09da8

  • SHA512

    b3850d8b79c88e5a1ac7d2855f5b03b08c3392629f041474a997f4c9d71e321c24b9a2c5dad79e8fa6a1bb94648a30808dfa37dbb61e1348fd221594beeda8aa

  • SSDEEP

    393216:gTZqJOaXIZoQGPISZpx/0iw+lT+6uxC2JxpG25Bbm:gsJd7ISLW+t+6mCOTdm

Score
10/10
danabotdjvuicedidlokibotqakbotsmokeloaderstormkittytrickbotwellmess26833085704top148tr02160742751216777478881910897067backdoorbankercollectioncredential_accessdiscoveryevasionloaderpersistenceprivilege_escalationransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

icedid

Botnet

2683308570

C2

funnymemos.shop

trythisshop.club

shopoholics.best

buytheone.best
Attributes
  • auth_var

    1

  • url_path

    /audio/

Extracted

Family

wellmess

C2

http://178.211.39.6:80

https://141.98.212.55:121
rsa_privkey.plain
rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

icedid

Campaign

1677747888

C2

jeliskvosh.com

Extracted

Family

lokibot

C2

http://becharnise.ir/fa11/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

trickbot

Version

100019

Botnet

top148

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Extracted

Family

qakbot

Version

401.62

Botnet

tr02

Campaign

1607427512

C2

73.32.115.251:443

161.199.180.159:443

185.163.221.77:2222

197.161.154.132:443

105.198.236.99:443

83.196.50.197:2222

96.225.88.23:443

156.222.27.207:995

81.214.126.173:2222

83.110.13.182:2222

85.121.42.12:443

67.82.244.199:2222

172.87.157.235:3389

86.176.133.145:2222

72.186.1.237:443

80.11.5.65:2222

94.59.236.155:995

81.150.181.168:2222

184.98.97.227:995

149.28.101.90:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

icedid

Campaign

1910897067

C2

epicprotovir.download

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

http://asvb.top/nddddhsspen6/get.php
Attributes
  • extension

    .gujd

  • offline_id

    NcBG8wI6Q1WFhUNlCRyjmrWGeGew2vvCKtJgKot1

  • payload_url

    http://securebiz.org/dl/build2.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0316ewgfDd

rsa_pubkey.plain
rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.119.110.73:443

192.236.192.201:443
Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain
rsa_privkey.plain

Targets

    • Target

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee.exe

    • Size

      2KB

    • MD5

      4a6ac8d48c9793c0c852a6ac93ba2002

    • SHA1

      cdc7a9cf8ee36099c823779ac2dd8ffe3a84d723

    • SHA256

      0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee

    • SHA512

      3aacced9817519ae31ed2bc4cf4063b2eb0a1c9e9addbcb9e08b3431f519ca0a8a6a8962e1039835a48e50cb52cd08d21cad642a66822c288d2b0a88541c361e

    Score
    3/10
    discovery
    behavioral1

    • Target

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe

    • Size

      150KB

    • MD5

      022f5345cfab4ef75476ffc7f708fcfe

    • SHA1

      81802b0a5f738b7333a60eece96441c1bca19792

    • SHA256

      15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71

    • SHA512

      6595ef6e3e0b65afd0a4f7d5bd5650466a4299df8284180b48ff0e30a537a42616a98c530fa4d39fdbe30eb1cc6c72fd749a98551890a0b488f04fd164b49f53

    • SSDEEP

      1536:YyuipsAiJm4cJI7CweL+eX9kEnOCGzJoQL2VwEeYIsUE4KvVf+boJPtgm4qeYwqN:FlpYU6vqXRPE2VyYIsf4K9ffFSqe72

    Score
    10/10
    smokeloaderbackdoordiscoverytrojan
    behavioral2

    • Target

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34.exe

    • Size

      38KB

    • MD5

      a4017c06209e16b8f47fcf6e5845aba9

    • SHA1

      66d99a1cc92ed316e0d7a2ab6df466c289154ec3

    • SHA256

      1820a0542f5950fd92ffa787cf09377a14d0fb42f0fa7419366090a5771a5f34

    • SHA512

      52e4df915b3cb6eb60a3f37874b0d8a14646ffadb9aa621cf8ea3fb04b5cbb4250fb9cec3a2ed8722a7eae4b600836b5b7bf72e53e297e464fb844096a9b2f5e

    • SSDEEP

      768:tojIJWP0znqX60+KU6nCVUO2gTjZSXulSJ474fLv/zkSf2Vz:NnqXn+YoQ+lu474zo

    Score
    10/10
    icedid1910897067bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral3

    • Target

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad.exe

    • Size

      1.3MB

    • MD5

      9344afc63753cd5e2ee0ff9aed43dc56

    • SHA1

      ee1fa399ace734c33b77c62b6fb010219580448f

    • SHA256

      1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

    • SHA512

      6434c212a85180c1af00f5c5fa081a6a6ab66f5633edb74e130a7b9d754a6a65dc973f5e820f6f57a43956c276dbf3721021d1e9bb53fa79ac51ed8cb23f4090

    • SSDEEP

      24576:/U1v3pE+zO9mBt2bdm3EHVXkNA80Jl5IzCxWWDrSBkian7X5:/Qv74bdm3EHEA8UIzm8aj5

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral4

    • Target

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7.exe

    • Size

      2KB

    • MD5

      af8ae6c1f2859cc139cd176a6656a855

    • SHA1

      161e2d577b418eaa94bf1959a634956b75d7922b

    • SHA256

      22934e006b3f1b8225c51a93ce0acaa1874c4f1dc895fa1664bdf16b0065d2e7

    • SHA512

      a80672ea1f49ebaeaf5b850377ee346e7953bf6379a79db91b826ba2249a66424b0f1be189351dc86088ff9efd72142a46f6d4bff2c5dc7271a4db22c10bcd1e

    Score
    3/10
    discovery
    behavioral5

    • Target

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

    • Size

      1.2MB

    • MD5

      39ae3110dc8ee4239811f2a1083e675e

    • SHA1

      f235ea35b4a408a052ec5bc93310adb77b52ecbc

    • SHA256

      24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7

    • SHA512

      cee1b9804a3a3d4f033d8076f66ffd6021a0b017a7588b96749d319d382056847d26aedc2f1fa5b7140c01697407da3c2873d59c78044376b083bc8f0c8494ee

    • SSDEEP

      24576:aG4NAckBXt2Uj3WTNWIcXuDTPyYaOnuhZiOASiN0A:O0shOeDjzagumObiN

    Score
    10/10
    danabot4bankerdiscoverytrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot Loader Component

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral6

    • Target

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65.exe

    • Size

      179KB

    • MD5

      69828a3d5c60eb466c3a62f3389f6f87

    • SHA1

      7b9526f82448d0a1fb59a8125d1de55e3a166d72

    • SHA256

      2828fabf3937d88b85183664c9019c4639776ba7c2322f48e4957108ef07ed65

    • SHA512

      ce8818f78b62453fb56fcaf98efa7bc52068f7ddf915e1df6841f33a39aff6bd7c60692af16ea361cdf15b3cc79787e4a39bb6648faffc3eaac10ce886b45d5f

    • SSDEEP

      3072:uq3W3hXSPA5aodE8pn6kTDnlBtx6Qg9+Fh3SslsR/dLcEZD6zs:uIuXSPA5aWpn6kTDnjzjFm/1Z+4

    Score
    1/10
    behavioral7

    • Target

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08.exe

    • Size

      844KB

    • MD5

      a6f049a056e37a65280ddfe17f689b50

    • SHA1

      479e08954d4d58b643ada84da280bd01c71e779a

    • SHA256

      32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08

    • SHA512

      f7effb9a12c0723ed336117e3399940d4fe9e3682eec18cdf19cf074dab27d2ce8b1c14d30f1e3e26b5883732f8b970477a32ca4c12fe36a8fa3bc452586511b

    • SSDEEP

      24576:40bAk9PkFMVNgsbj6d2dXrpcpZBWGyDs1lwBUeF:PEGNgsnHDIZB/yDseB

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Renames multiple (125) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7.exe

    • Size

      787KB

    • MD5

      0b862b9c889d4bdc6f0bac7d702d8753

    • SHA1

      fdc030df123e6e6a712cbc960a2e7c63266bf040

    • SHA256

      4bf2dace8a23551a3cd374a14b68cef6185aa18f9148dac8bf77f19f734d3ad7

    • SHA512

      4f7284a625b4909f9a0d80023c1dbfe3ed2de8a14fdf9a5bd3687d7e2fb21e265ee6cca613e4e6c8cab35f806501b155e6ed70a11530eb1cc78dbc38b22d3e8b

    • SSDEEP

      24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA55fkcJinM0BI

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Renames multiple (141) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344.exe

    • Size

      231KB

    • MD5

      ee28a178e3aacfa1398ca74a9bc1822e

    • SHA1

      193bc249bac79c0a195e736c62de5ec16e5ef38d

    • SHA256

      55d03f9954e35d8bce3fbd084d909744b3719310bac7c359cda87e7831cc1344

    • SHA512

      3f0dbbbda0cba4a32fe49fd7941d3fa640a8b7aeec56a3f584d519593de68e4acf8036c651cd469e386a32c5465521035dccebb6f3732f7893be552803d48353

    • SSDEEP

      3072:ktkuGh43+xNkZ4I0+NFS1I74Y61cyJDz/+6BjbkJuWg349uoZaOG/mf3vfUgrfQj:FMZ4P+NEc4zYgV9QFhP0grf0dd

    Score
    10/10
    icedid1677747888bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral10

    • Target

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb.exe

    • Size

      865KB

    • MD5

      aeccd0447a233ab8f7de5d7df28e9331

    • SHA1

      c9dbaac42e30413f8cdb6ef09cf90ca75d0137a7

    • SHA256

      5e58e3818a1b7a5c46fab0a1400f7ccd88f088a782bb9c9f229f5e835e57aecb

    • SHA512

      44bcb72760eacb7c69b30b2835043f11fa47e3c950afc795286317645d92925cc1c7884bd611b4f0df2b74750949401e377c6d4fe5741926a0f720ddf99ca40e

    • SSDEEP

      24576:EejP2Qq5NJf5osyeT2DiqkRD73mOcohh:/jYNp5PTZqkRn3mz

    Score
    10/10
    lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47.exe

    • Size

      280KB

    • MD5

      284b061036a1e367e41c00235d1b5e6f

    • SHA1

      f6277c4d7a39427e7c86a3f9040729d6b17aff65

    • SHA256

      611cf2be6752c173be1328ea47cc8ea736bc3bda9030da617390b23afa955b47

    • SHA512

      21733f5d5953a07021536928842bce4be637235b7c1578fa0096c53a546614ecbc172f0e500fddf2611acd2dba94b13152fb1eff75efb0666342183c0f6627c6

    • SSDEEP

      6144:x6DKNllJ4Uc/gqXKq8+RigIWU+Ydm0UAtXbe9bu:sDKNlAUcBaq8+RnWm0UA9b

    Score
    10/10
    stormkittycredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral12

    • Target

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801.exe

    • Size

      8KB

    • MD5

      096a19cd1460c87f343444a4740327c2

    • SHA1

      0f55409dbc70927548c2d351185408f7615ee47c

    • SHA256

      654e574fb479af0a9f8d277ed12f2d86681b76b4cfe63d7c9e774f5144be8801

    • SHA512

      259552c2bd72062aa531ea9dac59b6411b64d735c01197dbf0e2943cc8a9ddc37eb1e0be9f22118a48bead99f57a237f9bb986f8ceafc67ed463f9c00a6587bf

    • SSDEEP

      192:/G6OThBwj6k8TqLUh5wCb3py+g2O9Cung9C:/G9hNxh5Zp1i9Cun

    Score
    3/10
    discovery
    behavioral13

    • Target

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5.exe

    • Size

      3.0MB

    • MD5

      07ab47ba492cb4ce3b9255ecbfb543f7

    • SHA1

      b86f8aeddddd245f0198ad92ff6cee605cbe1d4e

    • SHA256

      6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5

    • SHA512

      0f161c751011070eca63baf0d544e35adfb7ae23c7bef6ef21684d93ee81d88fa0a83f5f1cc7be10e5a31c2012711298e599e4264d13f6607c9ce7abc8c5ad3a

    • SSDEEP

      49152:fb1ZTEb66GZQJAaYqh3owdV+xYtb/Khu0Ar51hRzEHgR8wfXhxld4sl9O3/TvHv0:5ZQ+6uQhYEom+mtkQ1hRwH2X9i/vFO

    Score
    9/10
    discoveryevasionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral14

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    discovery
    behavioral15

    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    discovery
    behavioral16

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    discovery
    behavioral17

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

    • SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

    • SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    • SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    • SSDEEP

      192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

    Score
    3/10
    discovery
    behavioral18

    • Target

      $PROGRAMFILES/foler/olader/acledit.dll

    • Size

      8KB

    • MD5

      8d96cb171b4138f43a754317be9e982c

    • SHA1

      3c2975e7904486f39be0455a63afaa063064a93e

    • SHA256

      727b96dca0363f7cd5767f94bf72e0655ef1d00f44b27d496deb733eb32be12b

    • SHA512

      ab58bd28169042d9502f64410e78aa41d219753d998ad5309699c57b50ce343b50aeb42dda8ef6a52f8057dcd1bc2b4b6e0de52819285dd3517ba3fa032e6ee3

    • SSDEEP

      192:peH8gcV+GQqYTBBBAkvyMQ0F3OWYTWPGP:YH8gcV+GQqyAMD0WYTWPq

    Score
    3/10
    discovery
    behavioral19

    • Target

      $PROGRAMFILES/foler/olader/acppage.dll

    • Size

      45KB

    • MD5

      290075961dd4856211078377d14942c8

    • SHA1

      ad7f6dfd89a253daa70d5bbb46e819dae7eb3f61

    • SHA256

      949fd56c5a63d3f1c20769bc2285ac5517c4ca84250c807f18247a2d93efc1a4

    • SHA512

      b431198324315e172fafb062fce93c5d5b18e691150e5e26dec30f150622c38ce4342b9e9f5d4d847860a55e7fb75411bb8765a0f0ae87c99e0dc30f1bc42854

    • SSDEEP

      768:ppb1tuabwj1WVIlaFKuIJJPclXkxAc5J9UaXotuM5Uqw2mom:Uj1WelaFczPclwYtuM6qw2

    Score
    3/10
    discovery
    behavioral20

    • Target

      $PROGRAMFILES/foler/olader/adprovider.dll

    • Size

      48KB

    • MD5

      f981199c82a40cf638d313c4498ecab9

    • SHA1

      9f2ba1092a90b048aaf51304d139018e13144f3b

    • SHA256

      338287ddb5fdbf0f7540dac8ae8a3f02643f7b45f3b401a9dfa6447e39043049

    • SHA512

      09b33588e58c50036614e0fa26ccd8d94ae810f63d95c8464ae74cb9169f4ddcbcd8c019d656cd313ed65f8bb92b9782cf319866ce2a9ba1c003bd62a1bed171

    • SSDEEP

      768:Amge8Q4UsMhIrA1pifdlIGHmizKO6EjjKRyGlqesRtgjEDy:AG548IrA1pifdRHmizKiWRPlqPjy

    Score
    3/10
    discovery
    behavioral21

    • Target

      7109e67cf655b41ff88903bf1e70cc4efa3e537a38df7df90d8a3ff95c4cab58.exe

    • Size

      708KB

    • MD5

      6e9fa4e2f22ce3d1a0484820964ca208

    • SHA1

      6c5434cd4cc9305cdba85999f57df405d5a1dfa1

    • SHA256

      7109e67cf655b41ff88903bf1e70cc4efa3e537a38df7df90d8a3ff95c4cab58

    • SHA512

      5d0516f13c317290e94065da227a8fe93ddb79b7eb89a10e1515259dd48dc8736333ffc93fd458dfd96ef29ddf41a81dd1b135bdd313a41da3d43504b9b0c000

    • SSDEEP

      12288:VE3SNI+zn1K4hsDMsaoUqZQdfcYKKhTXYcGK:NNI+g4ZPWQCxKhTIC

    Score
    10/10
    trickbottop148bankerdiscoverytrojan

    • Contacts Bazar domain

      Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot
    behavioral22

    • Target

      71e2483b2d36765651132c9c1f935784a2008a91159b0ee3bbfb94193d0d644e.exe

    • Size

      402KB

    • MD5

      74d8ec87fcc6d4fb65dea95cbf0b7ed0

    • SHA1

      0907206e93cbf8492e673c59855965bb6bd9d6aa

    • SHA256

      71e2483b2d36765651132c9c1f935784a2008a91159b0ee3bbfb94193d0d644e

    • SHA512

      5fff54384cf81a4fb2b27b25bd574630b85dbf8d1b9a9f94188720e92ee3ba8e9ed0e921922e2bba29748a2d5892330faa3780595c6977ae645170e94fb5438b

    • SSDEEP

      6144:jI80K7rRaixyrkYTj4tO8eptRnyFWo2NZTLmdJdWqF83kdE0WPQ2:N0K7rRaUuTj/8eC6H8JZZdE3

    Score
    10/10
    qakbottr021607427512bankerdiscoverystealertrojan
    behavioral23

    • Target

      79fb1d00ef9d85e958a17fd331b23dec507e4f2e2c150fd580d0668b84d29d00.exe

    • Size

      5.9MB

    • MD5

      f97d9e4da358b905fb068bcc044573be

    • SHA1

      00905551c0db6102a02ae65c7e202b94e987cb86

    • SHA256

      79fb1d00ef9d85e958a17fd331b23dec507e4f2e2c150fd580d0668b84d29d00

    • SHA512

      4936ca488024d81f84192b8ab7bec4500eb4ef71d61d3e4862e8b140f9e887120c9d671882ed442cd1d7699fe4c1235ef90172c0d619be720ef24e842fa3cdc8

    • SSDEEP

      49152:7raLTtbKnm4Rqa1Dy1J9EJIaGNxRHxIZuDufzGo4Mrbf460DHVwggVJm4I6pMT63:Pal+FYa1KyJIaGNPRauDo5PA60tA6/i

    Score
    1/10
    behavioral24

    • Target

      7ef9667e73b84b6a031e28b6279e04cd8abe82d69cd836043a7cfe0978cb8a98.exe

    • Size

      2.3MB

    • MD5

      bd12b3601bd72416d9520e41963125ea

    • SHA1

      de0ce050117639effbce198f6e3d5f72c1978352

    • SHA256

      7ef9667e73b84b6a031e28b6279e04cd8abe82d69cd836043a7cfe0978cb8a98

    • SHA512

      999dafe0d27d36ddb36591563769a6ae0f7c17c4f1bb25bbe448e6c675639ecd67a3822c206e121bd552a90342e5d2c694a1548e8da840a8f27052e347816336

    • SSDEEP

      49152:kfn0QZ9e7GSUYBGE1siw4y9fvBfQZTowhO+8L0N:uHe7GH54yQVowh8L

    Score
    1/10
    behavioral25

    • Target

      8264e723a411381a9d837458ec39cbb36c8d582bcba14f7ed7fc45f8154c479d.exe

    • Size

      2KB

    • MD5

      6adff744d8522b6663dd71dcebc7f43e

    • SHA1

      8ebaedcd7e1b433bc1202ab6aafa5d1c9e7e492d

    • SHA256

      8264e723a411381a9d837458ec39cbb36c8d582bcba14f7ed7fc45f8154c479d

    • SHA512

      af43e11e159c0b34a61eed0f2b33c77974967a8c4237b935c19ea3b8286fdebfdf27f0b0f1ea1e64a835b753ed43e888b870c2f3c2352802486f7f4817f8f42c

    Score
    3/10
    discovery
    behavioral26

    • Target

      8427f4aaf255d36cf523ecd34f3023e23cb0ad1d5edacc5c96d1f70ff6b1b496.exe

    • Size

      856KB

    • MD5

      20bbb20ab9a373eb5134c977c7ffc05e

    • SHA1

      cff7c57d1eaf0730fd945501dd332dd8693605bb

    • SHA256

      8427f4aaf255d36cf523ecd34f3023e23cb0ad1d5edacc5c96d1f70ff6b1b496

    • SHA512

      fadd51df5524bc97e90e592107fa3a1d6f578e5534f9cf8b70b274651968525ee59b6ac647254c5123497fc889646ec5f228a49bd3e67fd73ecb4e68aabc38ae

    • SSDEEP

      24576:dAHnh+eWsN3skA4RV1Hom2KXMmHa8/bX5:8h+ZkldoPK8Ya81

    Score
    6/10
    discoverypersistence
    behavioral27

    • Target

      863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af.exe

    • Size

      3KB

    • MD5

      463127c9a2b5eb1bca799aced10e4954

    • SHA1

      df78c1cca98d6f260f744a2b0639e1fff1c11a5e

    • SHA256

      863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af

    • SHA512

      86c01a90941ad53e7d5c77b64c249bb0b4a69d9cc0f3e3971813464312a80ef6b06caef24cec9e9e194a25f0e667eafb445acbe9ce220830e4681312b498d9a4

    Score
    3/10
    discovery
    behavioral28

    • Target

      91eab57eaf00089ffd21329eb93e072c8eb7ed79e37c807f6db2859548c8b5d8.exe

    • Size

      3.6MB

    • MD5

      beef5daf51dadc2acdbccc37a73ccfec

    • SHA1

      1a49019a42f0a195828bf2a5e7b41013709cc8c9

    • SHA256

      91eab57eaf00089ffd21329eb93e072c8eb7ed79e37c807f6db2859548c8b5d8

    • SHA512

      f6021d968f28a2dbf25e58c0bd9b474662de542b9cdf9dc3454bc97ee30e23aa2bd754c455e6fc973f7cf4ead9ca5c9f186e0cb3f9f6dec1e2f9aa3b31f64580

    • SSDEEP

      98304:qbkDpLr5n9Ov7NCnsAAS7QG0owscxF7ZLN:q2pA7NksAASUqwsOLN

    Score
    10/10
    stormkittycredential_accessdiscoveryevasionspywarestealerthemidatrojan

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral29

    • Target

      942263c89534d74459991db826caf2e9a187c074730f5c4f0f83f8c91e980e38.exe

    • Size

      732KB

    • MD5

      31b1fe0aacf5fcbced44e89252d1d4b8

    • SHA1

      3d56a02e23bbf2f6b3ac86db262391ccd2d06e5a

    • SHA256

      942263c89534d74459991db826caf2e9a187c074730f5c4f0f83f8c91e980e38

    • SHA512

      1b49741fab83d12bf0082c9ee070d999ab79860744322d755d7b5a53998ad6827d38306bb7d43763ae487ee64d451de5aec5aaab357422250174c4b8920add60

    • SSDEEP

      12288:UhR9WptAc/LnqJc0LYBlaql0OxymXkDptSwUlq1Y4I+hHfyc:u9gtAcWfLYbOcep+Uyc

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Renames multiple (152) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral30

    • Target

      95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc.exe

    • Size

      6.5MB

    • MD5

      d7817bc8fc539fba6388907223773546

    • SHA1

      505409528cec20ad4744513d83489b7025d23889

    • SHA256

      95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc

    • SHA512

      3f61fd9b1c534ad5a274d700e5ffcbd4901d1b449a49fb2f0c3b81aa0a997e9b6e2c77fa06470730bad3358f7be896a12dec5b6bab3b3a31e7a1d8907fb5e7eb

    • SSDEEP

      49152:D3/n2UcyKARqqRp+KrZs12ai17PgRNWPmfQpPmoFjPnMBFdk3Vk9WqWLNlBDszU:Lf2GTrRE4hPMopfMdk

    Score
    1/10
    behavioral31

    • Target

      99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e.exe

    • Size

      1.1MB

    • MD5

      18e0d922bead757af754e54cc744eaa0

    • SHA1

      22a03fbc28e0dadf13e1ace67109b1dc3e91d0f5

    • SHA256

      99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e

    • SHA512

      3f9d6ef04fbd56b1b26169c04f754ddca50f802e2dfbaa4344a82f6b724673de36c5b645ce97241eed35d5557ddaf27e20a7c699dfe1f3540010fe207df00f4f

    • SSDEEP

      24576:gQ8nt67av7QEet8tYFKOYZDcdW1PIe+W15X1d:4nt6+vUEetcC7Y5cdW1PIe+GZ

    Score
    10/10
    danabot4bankerdiscoverytrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot Loader Component

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

upxloader2683308570themidastormkittyicedidwellmess
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral3

icedid1910897067bankerloadertrojan
Score
10/10

behavioral4

upx
Score
7/10

behavioral5

discovery
Score
3/10

behavioral6

danabot4bankerdiscoverytrojan
Score
10/10

behavioral7

Score
1/10

behavioral8

djvudiscoverypersistenceransomware
Score
10/10

behavioral9

djvudiscoverypersistenceransomware
Score
10/10

behavioral10

icedid1677747888bankerloadertrojan
Score
10/10

behavioral11

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan
Score
10/10

behavioral12

stormkittycredential_accessdiscoverypersistenceprivilege_escalationspywarestealer
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discoveryevasionpersistencethemidatrojan
Score
9/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

trickbottop148bankerdiscoverytrojan
Score
10/10

behavioral23

qakbottr021607427512bankerdiscoverystealertrojan
Score
10/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

discovery
Score
3/10

behavioral27

discoverypersistence
Score
6/10

behavioral28

discovery
Score
3/10

behavioral29

stormkittycredential_accessdiscoveryevasionspywarestealerthemidatrojan
Score
10/10

behavioral30

djvudiscoverypersistenceransomware
Score
10/10

behavioral31

Score
1/10

behavioral32

danabot4bankerdiscoverytrojan
Score
10/10