agenttesla

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Sharing

Copy URL

Twitter E-mail

General

Target

silly.zip
Size

20.2MB
Sample

240806-p3672stdkg
MD5

e6223205e5424612c074648b87487e31
SHA1

25d6ce1b0c91a5cdd1a5127537dce9c68c008a95
SHA256

3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19
SHA512

9d6561386ff20c51eab8c3579a5fa64dba38914912ee41f4b00e0f322935c082f48320b6e1d5f96e1ab67c04c5736cda9ea1b874a9d5e34fa876b1b64dd2f3e6
SSDEEP

393216:OuLfnQ/LwLbzfsnoUH46mHGquJZgh98gTOm7RGP4x11QtD2s:nLfYLYHsnbl6vnObEI6s

Malware Config

Extracted

Family

stealc

Botnet

hello

http://85.28.47.70

Attributes

url_path
/570d5d5e8678366c.php

Extracted

Family

xworm

schools-copper.gl.at.ply.gg:14154

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6887301557:AAE2e7AcjyzPeaHQb_2XBthrT3TTCKt7jCs/sendMessage?chat_id=7045481276

Extracted

Family

redline

Botnet

6951125327

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

82.65.19.134:4443

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bonnyriggdentalsurgery.com.au
Port:
587
Username:
[email protected]
Password:
Sages101*
Email To:
[email protected]

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.149:2888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Q1GRN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C55477D9CC42DDB5E >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Family

stealc

Botnet

default

http://85.28.47.101

Attributes

url_path
/f3ee98d7eec07fb9.php

Targets

- Target
  
  1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
- Size
  
  678KB
- MD5
  
  c229261d7e8c8524dd25f7bc58edddf8
- SHA1
  
  781d106f3aa60c392f039968ae45c53f78890871
- SHA256
  
  0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd
- SHA512
  
  be05a39499b86bfcb30725fd277502f026b29b205bb657d8303b55d9b8e0ae6d4bfb507153d77229871df32d4608a5b8b3bdb1e783f12db2541e48a73fd2891c
- SSDEEP
  
  12288:8S2iNbczDLej8zhAA3Crp4mIjYBTBIE5Vmmah9di01DRzqICQlzCDmXPIPe:8S1ZcXh9IuMZBIEHlg9s01D71lzCDmXS
Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
- Size
  
  1.3MB
- MD5
  
  73d006e33d8eda033e684c07b15c53ad
- SHA1
  
  e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
- SHA256
  
  0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
- SHA512
  
  1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
- SSDEEP
  
  24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
- Size
  
  161KB
- MD5
  
  855da30648c0d4f4e2497470ece750bf
- SHA1
  
  4f45dae1b578ddd47a0d62b59e5fbc9a4f11e58a
- SHA256
  
  08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65
- SHA512
  
  948b66613c1e494e445a8fb7eff553345385ca0cd468c500397ea7c3bd02bc6163930759b057f98c9245c118205e0166023fee4e13135ef677947619d184d393
- SSDEEP
  
  3072:/9gyPX977bb+Vnh9N47rL74qBlslaubyAWEktPZsZ:/yMZPb+Vnh9CLtkauehEkf
Score

10^/10

stealc hello discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
behavioral3
- Target
  
  1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
- Size
  
  389KB
- MD5
  
  35a50d146a389289bf8cf8ae60c9e785
- SHA1
  
  eb94502d25789eb86dc160c2bc9be4b4a64131bd
- SHA256
  
  0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791
- SHA512
  
  9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada
- SSDEEP
  
  6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO
Score

10^/10

stealc default discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
- Size
  
  146KB
- MD5
  
  2357ecbcf3b566c76c839daf7ecf2681
- SHA1
  
  89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
- SHA256
  
  0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
- SHA512
  
  bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
- SSDEEP
  
  3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (537) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5
- Target
  
  1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
- Size
  
  1.0MB
- MD5
  
  631e3c5465349fdfd6fc2fbe9c15cf65
- SHA1
  
  af9e5b3d8ca4b6c64b69876b9cad6a18476f0168
- SHA256
  
  25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f
- SHA512
  
  31c6c58a5ec3d26e67a20f46df689fcfe69e90dffeaa36183630cc2cfa20d7fc07e19efe551f65f9606e435e26e2daf50b2275ee4b1cd7ab6b3641bef1552b93
- SSDEEP
  
  24576:GAHnh+eWsN3skA4RV1Hom2KXMmHasvktOpBS5:hh+ZkldoPK8Yasvkt+2
Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
- Size
  
  338KB
- MD5
  
  6f1e400bcf79c773832b3ca2aab94d3d
- SHA1
  
  8a1724e7f0df1b8bb22413751908b76f72498121
- SHA256
  
  2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c
- SHA512
  
  2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a
- SSDEEP
  
  6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
- Size
  
  338KB
- MD5
  
  d5ad720fa67bbce2d11544ad3c211424
- SHA1
  
  e9f63402b2eaabbdcc6cb5ec95e328f9620cd170
- SHA256
  
  2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e
- SHA512
  
  d8a8ae60abec80b7cfd7c9b9bc19d2f2594d1ecee0a28cf9a2f545afc7ef0ee59ca7a073edb8415f006662ed2095f9f3c190abed5023b81e094724c04ba153c6
- SSDEEP
  
  6144:RY1jkmalKcYdvkMEdRE29UHYOhQWr3y/7qpKfQmhapjXFISRn2di8bEO:RcEKc+kMcI+IKImcFISAi8bEO
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
- Size
  
  3.3MB
- MD5
  
  7cdff219ccaaa4c4d67448e9e812f2de
- SHA1
  
  a063103f177df84c90f0054d0f2adcae6f1885af
- SHA256
  
  39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82
- SHA512
  
  5986b98ac4ff98da5188b8d5ee53400a4a3bd7dfe3de70471b090c3c3d751f550f7ebd3757554e5976b069c1da1cc1cb69808504ac97987ae42e5152f72408e5
- SSDEEP
  
  49152:/5dVwPaFHTTgkAAn2IQ39y9rRF8v72yEh72yEE72yE72y5:RdW4lQw5RF8T
Score

10^/10

babylonrat discovery trojan upx
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
- Size
  
  487KB
- MD5
  
  f451292bbe0b4c16d244c251105de16a
- SHA1
  
  a527d277ccc25ad97ae64fb76767f1e2cda66ff2
- SHA256
  
  3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a
- SHA512
  
  d53a9cd31a3a98eb88af0c5454007adf8c897db53b6518a9f0c019af0bdcb906bf9fbca616b5ee03d7adfa397a16af06bbfbbbf36d15b89fdf3b96fb79fd439a
- SSDEEP
  
  6144:MNDD+bHpEiGXQ4rnc+UI73whSk7MIhWI3tf5Jx/R7ZCe7w4uoVLdaPYZHuW31bZ+:MNncp0jUI73F0DhHbbzCMwI11b
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10
- Target
  
  1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
- Size
  
  731KB
- MD5
  
  bd1050f3642d22733a30cd101f591713
- SHA1
  
  5a6553bea21e2df2307ed5c843072bcb023566be
- SHA256
  
  3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
- SHA512
  
  6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883
- SSDEEP
  
  12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2
Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
- Size
  
  109KB
- MD5
  
  2da5e6b97759d3537cbd23e9fdb2b770
- SHA1
  
  cabbf38051fa6657e28a12dee92042e44d8b72cb
- SHA256
  
  4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5
- SHA512
  
  7ea710ed16326bd0841f403c9db260a20dfec5f22fe2fd85970d51764e612c4a495a7c9abec6999dc8e1a7134656a4d65994c8f4cc138bb353b43a7be9b1698b
- SSDEEP
  
  1536:jr7WmLwJll8imS4qZyNRMCuCDGSLf0Rc/cVjpnrRWKkystINby+xXm8lMwGHG6w:jmdyGSLfIFtnrRKysYyMWvpm6w
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral12
- Target
  
  1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
- Size
  
  1.2MB
- MD5
  
  dd831eb4a822421a497990d84a0fd578
- SHA1
  
  aa7ee9cd7fcdb6e0f15c57f6f99c83c320480f3b
- SHA256
  
  4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95
- SHA512
  
  5a894b58d5d6b3a6abedb687caa16c06344d87b6d8e5bfb39d5b9806a7b51f3003e3ae83871683d086a760ea987a42bff511d4cb4d723a9e52744ea8aaf9b73e
- SSDEEP
  
  24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aLY2Sbly7TWEPje:4TvC/MTQYxsWR7aLY2dW
Score

3^/10

discovery
behavioral13
- Target
  
  1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
- Size
  
  719KB
- MD5
  
  a7d3bd55656bdc04c270315d083b59c1
- SHA1
  
  a76453791867e4aaf4cd0551b70e52ced80b3fab
- SHA256
  
  5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33
- SHA512
  
  9233bbbbaed1bafaa296ae332713d0374594443dea06df83ebc9934ae0341ac7366a91c47cdd9b0877313ad1bbbf9b747f34e7cf75a1a21816463791cfdea861
- SSDEEP
  
  12288:wY2iNiw9WMA4snu2lpaSgsDLRK8RP8dSWhdWyGLiOkV2IPePH:wY1UnH4olpaSgsDlK2PKSWnWyqiJ2q
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
- Size
  
  765KB
- MD5
  
  a8e583583122cff4ea57a3062bb4aa3f
- SHA1
  
  b4a4bee8dbc966624f43273a500aa0ec1bbf1790
- SHA256
  
  68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
- SHA512
  
  3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
- SSDEEP
  
  12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
- Size
  
  2.1MB
- MD5
  
  ab6ca8e3d0c7967c6372a96334e6bb19
- SHA1
  
  58a2142787ffae164d4c78d97102ff652fecfc86
- SHA256
  
  6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5
- SHA512
  
  a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445
- SSDEEP
  
  49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17
Score

7^/10

discovery persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral16
- Target
  
  1/7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378.exe
- Size
  
  45KB
- MD5
  
  40d4750c85941ad0d82953d2804cc44b
- SHA1
  
  7df06a6ddef2b5a9bf627eec731420f72709d470
- SHA256
  
  7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378
- SHA512
  
  1f6206c82c01278a73c34cdb25027a822b4330629b5ff3c6da08b1102881a5adae99fd06aa1c3963a7c3a7a9321e450f57b3f789b023d9bb296005ef79315f98
- SSDEEP
  
  768:0uwCfTg46YbWUn8jjmo2qrrO5QyJ4PiNjPISzjbwgX3iRFwP+01tUbcRBDZqx:0uwCfTgp/2AO52iKS3b3XSRFwP+012bn
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
behavioral17
- Target
  
  1/752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe
- Size
  
  2.2MB
- MD5
  
  d35a5aff7f4b4a1d20e1495732c5ca6d
- SHA1
  
  0573b56a43102c893a2a6c0ef61b870b575aeb97
- SHA256
  
  752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060
- SHA512
  
  c49d69553aa6287cc50b2d1e94b2a56cddc8882a44dcf832ae9f93e2972d44908141da776b44569f84ed85aee187ad06fe19a0a2af8c2bc425d6146e75816f4e
- SSDEEP
  
  12288:In7kekBhy2rOJFoqTrlSwkm9mQ90zsx2Hgum4Ff8jbvTfI3:FU2cTTX9990Qx2bFFfGbvzI3
Score

10^/10

collection credential_access discovery evasion execution stealer trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  1/7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c.exe
- Size
  
  337KB
- MD5
  
  1aae19c81605bf0a5851e42e3574a83c
- SHA1
  
  ba91bcc371d24ba57458ba4a2aa82bc83447a129
- SHA256
  
  7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c
- SHA512
  
  8bcf76009e5503c598e2080dcfa9fb1e74783786dfc028ee4cbb066d79d2f4b22c9df962b6d89ea4429e23bccb9641574af3b03bc556d250295c236154b9dbc5
- SSDEEP
  
  3072:3i2YQ2pbPh1mJ8XrMg8Nwrppwbg0z3TH:38Q2pbJcJz/2Mgq3T
Score

10^/10

smokeloader pub1 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
behavioral19
- Target
  
  1/97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84.exe
- Size
  
  778KB
- MD5
  
  2ad173552c56070abfeaf09f29b60269
- SHA1
  
  5bd937b54ee178da4928d489108dfa5638fd62af
- SHA256
  
  97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84
- SHA512
  
  a9cac300ade317a8f7b32c464ad2480fc6310bdc5bfad7d1e39daf959ee5052a6268cac2f1f28b98536146cd616a4b9d18225ab57fad18042f15be10a33c8a29
- SSDEEP
  
  12288:oLDlvpu2GkClIuRj26OQ4qAwWAMxB6PzNm0E7UHPkRdDTVVZ+ApP4C:EGkCxg6ONqvfzNm0EG8BxF4C
Score

7^/10

discovery
- Drops startup file
behavioral20
- Target
  
  1/a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
- Size
  
  1.2MB
- MD5
  
  81d3df03a7bfb9112626bdcedae6df90
- SHA1
  
  ba206887aa11de8e1b405e5a18bd04568e2b5693
- SHA256
  
  a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03
- SHA512
  
  7580b5dd5452afba147417685bf9d42816c7f32af9496e4f8dec519c0abbb9578206a5e432c1b884abaa0b9870c198b8d0c7d109b43590d95ea855bff6a59a13
- SSDEEP
  
  24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aLS2Sbly7TWEPje:ETvC/MTQYxsWR7aLS2dW
Score

3^/10

discovery
behavioral21
- Target
  
  1/ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
- Size
  
  5.7MB
- MD5
  
  40a22356fd06bc9a4fd4ddedf5286666
- SHA1
  
  32ee28a964557f6e1effd28ed8c91328e7698e23
- SHA256
  
  ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474
- SHA512
  
  d67256c51af065f58e7d037387cba7fdde6b55b0e10f24572bb039033a406450b079d32e62450570202305ffee2991b9c6fc74ce72bae48217c984c9cbcfeb97
- SSDEEP
  
  98304:NLIAMmuuNkfUo2EwVPBh4i02bt+xznOywv+r4oYIxu1i2e56SM2F9jE37HethOKd:WyNkfr29VPBhh0p5ngve4lIQe5UM9jqK
Score

7^/10

discovery persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral22
- Target
  
  1/b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6.exe
- Size
  
  808KB
- MD5
  
  4ac882ebdbc1431cdd3ab45e1712ada1
- SHA1
  
  b871304fd060b700fd66ce0c87014ec955d12979
- SHA256
  
  b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
- SHA512
  
  f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98
- SSDEEP
  
  24576:65MOrT+F0sIE9JqsC6mVFyCsffzMS6pcsP9Qtce0TBs/lPsoCyEbDb7Br5oANn90:+bjnS
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral23
- Target
  
  1/b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d.bat
- Size
  
  2KB
- MD5
  
  1f6a683461594803fd6dc17f376ca209
- SHA1
  
  82d0627379b0ff73279122bcf2d40db15eb83483
- SHA256
  
  b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d
- SHA512
  
  ceb192ba7afbd9c7308098abff5f83e824ca0d28c9077271abf6e048cc0f161d0db798fba5463d5598f1428e0505fa1a9dd0ae81e74f91abb8873c7693a7cc49
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral24
- Target
  
  1/bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd.exe
- Size
  
  759KB
- MD5
  
  3da3fb16927c47114ad0bb865c08467c
- SHA1
  
  b1d7037b0347bd9c8c215270166b0bcd46b8f8eb
- SHA256
  
  bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd
- SHA512
  
  7aa677f24ef99ca32ad114fe8b95a444716b37a27f40e67b76abeb124d6e0364206a1e2fa373f3792b4684fae479a66d9653d30e5bdfecf8889cbf70aa6e71ab
- SSDEEP
  
  12288:reUDWx2PQf9TtNBY2JgD9WFtJ0m1+Xeb4/E5xdHKcWA6H4J2jqo/ZoM7+SdvKWny:rzawM9TJY3MbJ1gXRUzHKJNH4wnxotc4
Score

8^/10

discovery execution persistence privilege_escalation
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral25
- Target
  
  1/c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5.bat
- Size
  
  2KB
- MD5
  
  5617370486b7ded0ad8cf5ca9fc69e06
- SHA1
  
  3baa1dab061a9cb6a329dc72e3e35fa3829341fa
- SHA256
  
  c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5
- SHA512
  
  a4a5d99cf5d1b3bed3819f24d297f5283107880d5c51010a11aed2d5f4545d9f52c648fcbc3f6d884f71d1cc1217a67dbae722cfc36baa65d4ca0e0948163772
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral26
- Target
  
  1/c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97.exe
- Size
  
  541KB
- MD5
  
  fc55407cc82612103c5971dca1837d6b
- SHA1
  
  01efa90009900c64c846b7ac716dea3c5f97c4e8
- SHA256
  
  c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97
- SHA512
  
  08edfa8f06459ae170ea444664776e57836bd6142721d8df663776051c8c6dab98f7c8902848ed08e4311a858d95eb38d0df13208f8e0144a2fa9fa1a90c0240
- SSDEEP
  
  12288:WDkS/CNT9fM913qbLd+cUQj5X7JPKmdE9s4Jr:WDEc9tqb5akVPHE93N
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
behavioral27
- Target
  
  1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe
- Size
  
  691KB
- MD5
  
  c2ae4fdb661a151be4876289ed7f8261
- SHA1
  
  f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa
- SHA256
  
  d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0
- SHA512
  
  2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89
- SSDEEP
  
  12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6
Score

10^/10

formbook 45er discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral28
- Target
  
  1/de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0.exe
- Size
  
  34KB
- MD5
  
  19aff0a43f80919a6113020d3ff38300
- SHA1
  
  f0db6e0967c534fa0326c9db009d0f22e0112a6b
- SHA256
  
  de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0
- SHA512
  
  bbd6b4fdf3aea24aa66b6e17b778596c86260f76b7d0502fe5339dc198d30c4314d18eb8121ec07995ea86d461c9bf0985c436b3c65b0001b357305a1e457e27
- SSDEEP
  
  768:TLlw6CpA/0H9QoiMLD7aBzE/BMR35hUJtwjxI1VFA:TZMgu9QFM7x/BOpCExI7FA
Score

3^/10

discovery
behavioral29
- Target
  
  1/e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451.exe
- Size
  
  338KB
- MD5
  
  f5607d12bfd66fa6205cfd6b078e8080
- SHA1
  
  2c4f15f916b1dea8b76ebb06468e1700a2122b78
- SHA256
  
  e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451
- SHA512
  
  74df2af255a0d0e6802ab13ffa2f44b26ed11d2bd4388d7659214ab42c5daa2319e1a924af4e8418e294678ee27508e908ac43becc544a8a7fa05cfccb230e94
- SSDEEP
  
  6144:uwTSx/BpP+AegMMtRvu3LqBOkQWr3Yf0aldxZsakM2di8MEO:uJpP6gMEhEfjldxZei8MEO
Score

10^/10

redline 6951125327 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral30
- Target
  
  1/f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4.bat
- Size
  
  2KB
- MD5
  
  e86739a5ddb407e0c60f9521728cf418
- SHA1
  
  b6e2b6c70f3b09f7c12b4d8a83563e79a1745a23
- SHA256
  
  f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4
- SHA512
  
  7d64d83aea215f0a0321d9d938c17bfcdcfa6d8f9c3aabce69067cdfffe1dbae0cc7da4425d5abfeee24cdf3efe0320df132a2c7564be80d30fc85eabad7434f
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral31
- Target
  
  1/f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe
- Size
  
  146KB
- MD5
  
  314275168bf7958219662a242dbfe8a7
- SHA1
  
  d629032d9d8f491d133ee26a230c393335d7ad74
- SHA256
  
  f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
- SHA512
  
  b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f
- SSDEEP
  
  3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (569) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral32