General

  • Target

    2024-08-08.zip

  • Size

    317.5MB

  • Sample

    240810-wd2dtszgmj

  • MD5

    85ac6069e426c9d919819e4ad6efd66d

  • SHA1

    c41290af86fabc83eac3874ced2a945a85fe1924

  • SHA256

    b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

  • SHA512

    784e87502ef8a7b4c3b0a59587559a28fe578d8fc25d1717a33d7edd024801a3a48713ab2f7ba14e79d3f58467c2b5c3efcddbddd5be95d5062e076b08cf0ca0

  • SSDEEP

    6291456:0e+75q8uDORFfBuNVkOMjdqWGTTFQwOTnLAU5vWONNMpjh5jC23x7K:0JVVl7z7jMWGT3oT5vWeNMtjC23xG

Malware Config

Extracted

Family

redline

C2

185.215.113.67:21405

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

gY12qkvJtnRz

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

Attributes
  • mutex

    x88767657x

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp8nl.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#

Extracted

Family

lumma

Extracted

Family

lumma

C2

https://clearrypalsidn.shop/api

https://tenntysjuxmz.shop/api

https://sulphurhsum.shop/api

Extracted

Family

stealc

Botnet

cr1

C2

http://45.152.114.50

Attributes
  • url_path

    /587ec30955d49a9c.php

Extracted

Family

stealc

Botnet

cr2

C2

http://45.152.115.116

Attributes
  • url_path

    /587ec30955d49a9c.php

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.orchidexports.biz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    WFnE1S3uxpnc

Targets

    • Target

      2024-08-08.zip

    • Size

      317.5MB

    • MD5

      85ac6069e426c9d919819e4ad6efd66d

    • SHA1

      c41290af86fabc83eac3874ced2a945a85fe1924

    • SHA256

      b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

    • SHA512

      784e87502ef8a7b4c3b0a59587559a28fe578d8fc25d1717a33d7edd024801a3a48713ab2f7ba14e79d3f58467c2b5c3efcddbddd5be95d5062e076b08cf0ca0

    • SSDEEP

      6291456:0e+75q8uDORFfBuNVkOMjdqWGTTFQwOTnLAU5vWONNMpjh5jC23x7K:0JVVl7z7jMWGT3oT5vWeNMtjC23xG

    Score
    1/10
    • Target

      01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64.exe

    • Size

      744KB

    • MD5

      afd781a3ff93fa20591585f48f23327d

    • SHA1

      83b647908d9c163f310aec54685ccbd99a2ec9c5

    • SHA256

      01636849700a046589f6e2b58ca6b02ec108fd20534973f83737f1749af16e64

    • SHA512

      d51644dc80d7a96251e53c1a0e6596880e0741d7c01acd6f4a22abb47c5091e88442b3f724a61ea536931d79893a222877978cf2203e1c42d238ea2ed1afb7dd

    • SSDEEP

      12288:uawNzhMvp5ZhDcvUVgrhulPhOxwEctMNBXCTspa2af/3K196wbl7zXXVHXccrKmm:5Eho15SrUI1qkpof/3EPblzXlMcrcEA

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b.exe

    • Size

      205KB

    • MD5

      de219cb5f5073be86d74f4bee29d9e79

    • SHA1

      649067f9e029a2c051e3789d7140e026ab5473a2

    • SHA256

      0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b

    • SHA512

      b1904394d148fa382553bdbc913124cf87a92649614b5c134bf54b2e85f692179b98ed69487afba51d20ee4c7ac0ff236f85eaf20ff91099a9c3ecc2c105457d

    • SSDEEP

      768:lfGgTViahszDO2fGgTViahszDOUYq0YOafGgTViahszDO3efGgTViahszDO:F4WsOK4WsOUYq0YOW4WsOS4WsO

    Score
    3/10
    • Target

      06fcfd75f456e542f161dc3e74b1c7ccc52e6cded909f5f06e00c847e5bedf40.exe

    • Size

      1.7MB

    • MD5

      2602189f4866124a6c0fd1d96b469294

    • SHA1

      7b8d4281f21fb812b59bd81b363ca5e77085632d

    • SHA256

      06fcfd75f456e542f161dc3e74b1c7ccc52e6cded909f5f06e00c847e5bedf40

    • SHA512

      b0c7ea3dd733495f1f7295277abefdb24bcc58860256ed598fdbb0464554eced7cfa741b51ef725a26349486a3bc7f954f6fae4f16ea809a1a2bd6c58adcef18

    • SSDEEP

      24576:i1VOinuCZ5XggevDaU74o7IhjY48s20MVc8DijpemisHrFcsIQ/iSpODiTFA:ONg/gjP8N0Scbjrp0Q/LYDiTF

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      083b02e21246fa17ee9ac50eab39033abd920274259ad848df9eb412d4350ec7.exe

    • Size

      464KB

    • MD5

      f1899b878b9fecb9d2ddd9362ce6db03

    • SHA1

      63cf0106bb8fd4976b64337aa58758da09d1a69f

    • SHA256

      083b02e21246fa17ee9ac50eab39033abd920274259ad848df9eb412d4350ec7

    • SHA512

      5732f9c5a08cb67e44a0479bfcbfffa3e02a5e37abdf3ebc3371b783b91e0f2d652168ad0ee13f1214ea6a6fd20953539b845f94f22944a055bb4798702ecfc0

    • SSDEEP

      12288:aOxsURfqsG+WTYp/XRYW8Bfa3Hj7I5YAk2aYQ5U+L1YKY7Xo:aOxsURfFATYH8By3HICl5

    Score
    3/10
    • Target

      087a3b87252a021f6f3696f496d4fd890f28fc31735d8f850aa1184ed7bf59c9.jar

    • Size

      275KB

    • MD5

      37d9c9c214040d54e8d7219b851ca3f2

    • SHA1

      ea8f7ea6f0e3dd53d06c8fc4b7a956ec0642051f

    • SHA256

      087a3b87252a021f6f3696f496d4fd890f28fc31735d8f850aa1184ed7bf59c9

    • SHA512

      668b42f6f187232bdccf65714904d5e0e64ac792d7264262dc50fe4d5e42149b3b433a5020c0c2460c8ee4e4df4b33122545319c352ceee1577be09cf3b4530e

    • SSDEEP

      384:jx+mssvoys0HC4bKgOA1lZJXk0oHA/lpk7TcADrKL1VR3Im:jjs+aoCPbA1rJXuH+2EADrcd3

    Score
    7/10
    • Drops startup file

    • Modifies file permissions

    • Enumerates processes with tasklist

    • Target

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    Score
    3/10
    • Target

      0e85d0a9fcf30f823c43e697f99cf61743ef1d29228e160f19005e343f2a5b50.exe

    • Size

      550KB

    • MD5

      f004176cb0a58af018acc7b3ee4398af

    • SHA1

      4fc9105afcbefcdfc0dbff01c5fc3ee8cc45ef75

    • SHA256

      0e85d0a9fcf30f823c43e697f99cf61743ef1d29228e160f19005e343f2a5b50

    • SHA512

      42f73084adda1175edc7587ca119501b0040a42cd99418a16d57329d0c88b1a03e66c231d0fb8c5111d7104153d31040dd1ab47e3fc1ef9041b0a711e8354eb0

    • SSDEEP

      6144:EPww4FehRKMT22sHO54gFbq1gXbMyxe8Z8ly1+QHGMY9JWaOKhlbA9NI9gZbCdpe:Ne5+8bYyxe8F1bHGPWaphL6Z+DQb

    Score
    6/10
    • Target

      0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d.exe

    • Size

      1.1MB

    • MD5

      5444f6771ca6bc2d6c00ef880dcf87dd

    • SHA1

      0fef60618fe22146841c47901381b8774f853b93

    • SHA256

      0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d

    • SHA512

      a5a4ecc1cef52a9bc3c258e00a3941c950e1d7818507d786b057f4aa4d983662b9501f3b6ba9e65468371f7a403f6e4d355e1e740c284b7791b577208207695d

    • SSDEEP

      24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aqaS/ZAG:ETvC/MTQYxsWR7aqFG

    Score
    3/10
    • Target

      0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70.exe

    • Size

      1.1MB

    • MD5

      9e8e1d4c0c7b764e6f95bb9c85ab49a5

    • SHA1

      594a1768d8ce4e063e49b2592ae8b4c8dccdad64

    • SHA256

      0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70

    • SHA512

      3b101383bbf5c032f711ce7dcc340f57feb7222e61a997999f211a7c554420323b4526b4b25b6a7f71e5cdda053a4177949feb5b4e30a312f788e4734410cca0

    • SSDEEP

      24576:jqDEvCTbMWu7rQYlBQcBiT6rprG8aOD01IX9ma9mt:jTvC/MTQYxsWR7aOD0W9J

    • Target

      0f8a6d8705eba15b8958bd7984d9c46f1f5510790249b3fa330740a626ef45e5.exe

    • Size

      764KB

    • MD5

      ea00fd3c8906587af2bbbf69f308dfca

    • SHA1

      8bc51253c0666c671fb4d706e886a29a009f637d

    • SHA256

      0f8a6d8705eba15b8958bd7984d9c46f1f5510790249b3fa330740a626ef45e5

    • SHA512

      b832d246aaac79725470b40b3cec213fdca398aa1bae53fdf634c1894e2ca36665f1ac8e0d18b4a6541dc84eed94e620fe6e894cb3f2d1d1918786cca854992c

    • SSDEEP

      12288:hB2hxs2Lps1Ok7MipO5smUUgrujfkqiLhtWklNoZHDhVg5USwFrZv:fEq2upLduAqilCZHHg5UHZv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

    • Target

      1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342.exe

    • Size

      3.6MB

    • MD5

      4cf736359926f19077a4c21300613900

    • SHA1

      ccadc053294ab749b8588e96d970b2b9f68673eb

    • SHA256

      1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342

    • SHA512

      f06470ccf1777ae0b4dbf1fb55af6804178bb18bd92eb2da5d091acdadc93206ab94358698bf272353462cc56cee9a5453b0f8a251f989805a55ce76190dc64b

    • SSDEEP

      98304:ubzJfmjiWIkSsHIDR6ToISNCEVmC0LyZG7:ulmjPZSsoYoISNV0BLI2

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks whether UAC is enabled

    • Target

      109927ded1c6f8ce79192bc804efab8f52e6924d16476236eef82a1631349d91.exe

    • Size

      1.7MB

    • MD5

      5291819cffda955482db05ca0d125105

    • SHA1

      56bdf44e4a0715a72b2a0c4a91008818079a75a2

    • SHA256

      109927ded1c6f8ce79192bc804efab8f52e6924d16476236eef82a1631349d91

    • SHA512

      aeb6454dd48e1aa2d983f8a0f9664e481f096899a094917e72e1b170d5a2b05a505ea3753c69529bda5a23ed1ac4bd2832fe1d7ff4794a43ca0ed4f5159ade68

    • SSDEEP

      24576:x15wx9NIUJ3vND1SZeMmhUyzsDtZh4hZNvvjfxYIsoET5OKs8T0LA3wAZSPIn:FgNvXSZ2KvhCjxYboElOKs8hwhI

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      15c71b616f8ff314907e2e9f15601adc81529f6129acd67751bf7d16b4d52479.exe

    • Size

      3.6MB

    • MD5

      ea4d0c345eec97f8ec7174b210798a56

    • SHA1

      875a231b305de4a687da940242010c209b8bf684

    • SHA256

      15c71b616f8ff314907e2e9f15601adc81529f6129acd67751bf7d16b4d52479

    • SHA512

      d769673e7701265992de547de0a00315776cb98d50daf321ca4a62a058dc7f478de877ee2a4a9b93b5829b6b202d5108a860645bac9f4050f232a99853496aac

    • SSDEEP

      98304:WixXe3NTpepQyhMEJ8yicxqg+Gykyk2W995GSgUUR44SO:tYhpepQuDXxD+GV5GSgUi4y

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma (LummaC) is an infostealer written in C++, first seen in August 2022.

    • Target

      17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770.exe

    • Size

      930KB

    • MD5

      fdaef04ff6e9175a3a4918e83470903a

    • SHA1

      7cbe102ac7da79cb47adbe3d63c0206983a2fa67

    • SHA256

      17b5394a5cea17aa14672179b10eb87f650675bbabb6bbf12e5cb62916c62770

    • SHA512

      e5810b5029c4c4b4ed7e724bf060e52179a5e6c59829adc92fd824088289a22926732925fb105efb716a5fc107d68ad09bd6d6cadf8d69fd29fb64e367531acb

    • SSDEEP

      24576:plzwyHNQcI5YGvm7gbi3Ziq+GYsROHzeGs2:pNw+eTvEhJ1OTB

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4.exe

    • Size

      1.1MB

    • MD5

      0fa7c8c3f5212580c67415542c8c92e3

    • SHA1

      d7b41ede700ca1201e8fff8eb21b2d603b3280a0

    • SHA256

      1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4

    • SHA512

      13a375d7f4a11212248767787a0deea751c28590f7cbfb233dd2230cc8c747aca5f55fb5decd2a2fe6342167590106f6136d8f0330e566efb060bb710b847dea

    • SSDEEP

      24576:hqDEvCTbMWu7rQYlBQcBiT6rprG8aBlnav:hTvC/MTQYxsWR7aBlna

    • Target

      19efe1624f526c084e096431a4b1e5bf63c299351751fa0bf466106a99196d3c.exe

    • Size

      827KB

    • MD5

      6fa85ee085f3116d1300286649404c26

    • SHA1

      82537e484282db0d26eb890c4d2a04ff854a088f

    • SHA256

      19efe1624f526c084e096431a4b1e5bf63c299351751fa0bf466106a99196d3c

    • SHA512

      d17f6bb4e3bf9bfcd4e4265a94430a68bf178c518ba7174d7231a59f0927d21cf77986d38c9e86dc851cda76dc1b477bcf0be0a3a4a36e8a65d8fa43e6aa4e89

    • SSDEEP

      12288:l6oKQd2h6uX9vOWSAF9MgaBwbVQ5a3tbEzKlPFQErxTYeclv1CWX:Oxh6uXWzwBQ52jLxTY/X

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Target

      1de0ce90e503e10f763f00b591d48973bb213d3979c517097b252881630257f7.vbe

    • Size

      12KB

    • MD5

      4152a2d074d5a6be14a2d53026b38046

    • SHA1

      9b2d92851f56449138626f2696e78f2372ef87f6

    • SHA256

      1de0ce90e503e10f763f00b591d48973bb213d3979c517097b252881630257f7

    • SHA512

      de6b63d37a94cde6a6babf909af52a63d189d046a9e160a98c27d64a31e4bc2768ed12a31b76f93d0a98be5d3e09ef5b830e8cea7adcd9d3725a9757de1d8b55

    • SSDEEP

      192:vVcUXIssSUHci9rEi43NIr+MJXgu/ALk41T8TF+OLLl3K:2UXIsspep3NqJwuIo41gTkOda

    Score
    1/10
    • Target

      1e6ad08c5ed9b4fdbef86181e8cd01170fe9ec5615d9a37f90e7ea43bcad175f.exe

    • Size

      14.8MB

    • MD5

      fcab15617dadd8fc0434901b33c0193f

    • SHA1

      0689fff2810c13f8e3786fc1965792c92410693b

    • SHA256

      1e6ad08c5ed9b4fdbef86181e8cd01170fe9ec5615d9a37f90e7ea43bcad175f

    • SHA512

      62f202254baa9dfba73fb3e9ee7038307aee2f44c2060545b905310a65e4bdfb5cf1114f820ecfd9d477046e133c79d2ad77c710bf3d6314ccbc7b0f01c1c7dd

    • SSDEEP

      98304:kL/xvZwtkt4DDQZqMEKYihlLSE7Qe9RVnxFsy4wN:k0mZZqMEPihlL/0eBN

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of SetThreadContext

    • Target

      1f7cedbe04af43e29efdfecce0580ab826b577bd0d7c9f6db3d1c58a8eeffb4c.exe

    • Size

      1.8MB

    • MD5

      d5b82b62f9b6f43cc208d9ed4d3bc6b5

    • SHA1

      9d71f02f04b878e941cdf7f1ce853ffd71c925e4

    • SHA256

      1f7cedbe04af43e29efdfecce0580ab826b577bd0d7c9f6db3d1c58a8eeffb4c

    • SHA512

      b198535b54cb29e7c7d0aef3a8e2b4e78469409f4fce8a9eee76c7139f82f26ad7368a9e240d0c60a184a71e071e89a062e578572a9a459593b778780efdad81

    • SSDEEP

      12288:oF1EJDCYEMZFtI4YYXvCtFhibtTtbosKQQo:oqgMztIrYXvOybdtbDKQ3

    • UAC bypass

    • Adds policy Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      22586df4379d432c8e5d2d852bbecf70558da09f77ec0f7ac46d28e4928a7462.exe

    • Size

      14.7MB

    • MD5

      6c9af9a9264648fa9aecb9f1f2356c4d

    • SHA1

      1f40d4ab078c27ce050a592f0feaab898cb0d7b7

    • SHA256

      22586df4379d432c8e5d2d852bbecf70558da09f77ec0f7ac46d28e4928a7462

    • SHA512

      b45dd30f34870efc2a7d3ba438948b26b2c9493c0e2d0c35fe1a7f36bc30cfb1ea2cbf5312dc5be813940104caa2183da99de8122657196982c4f14ce85b38dc

    • SSDEEP

      98304:ElVtDt58vQB25/keKP9YHRU+NCDc7eahBF52Ez9tOfbPXFZblNOurIpjCcjftHga:qSvQBI/keJ6eUcKah7djOfb/HyDpbV

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of SetThreadContext

    • Target

      29f90a4f6266e43e668b41187ef4e8c2acdfccab8a8c898e64349a5432081ce6.xlsx

    • Size

      311KB

    • MD5

      4ece96fcc5af372091e1f928a6492a1c

    • SHA1

      d04331288712b3e255072da9cd1654d15d7f05c7

    • SHA256

      29f90a4f6266e43e668b41187ef4e8c2acdfccab8a8c898e64349a5432081ce6

    • SHA512

      d32d6ae4ee8ebbf0effea0563a2d276de33609404e1557d95fd75dce16460b11355cd7b9ec5b62b712ec5f205e358cf66fdc3c9aa1f124880f99637daeba71cc

    • SSDEEP

      6144:/j9MGSIdefkPcoQUlKDfqGVl07J77G1hHzzQOCos0004OMUM:/j9MGSIdefkPjlKDSmlW6vTzDW04e

    Score
    1/10
    • Target

      2b34ad054e9dde8cbc0abfbe1379a7f0343cb32d92f3411ec2c2ff02ae5673da.exe

    • Size

      1.2MB

    • MD5

      66586f95954cb8312b27b30e54de85fb

    • SHA1

      915d491b8db930ee10b6cde8794cbcee301d2779

    • SHA256

      2b34ad054e9dde8cbc0abfbe1379a7f0343cb32d92f3411ec2c2ff02ae5673da

    • SHA512

      58b6769a3e95306eed970861fd37b4f2f5c336779948c591250ae853fee3dfda693ef96fff6062057da6d14c354fc541305972fe90180734b3963d7d8bbc55cf

    • SSDEEP

      24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8avWCQRBGzYJUPWM+fk2m8L:5TvC/MTQYxsWR7avWbBGzrZIJm

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe

    • Size

      1.2MB

    • MD5

      6bf88fc25bf35ecfa3f0bc1564e3e24d

    • SHA1

      bca6855c8e3842b0cfb94318cc0244dbc2a08e44

    • SHA256

      2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c

    • SHA512

      c8ce4d6e000199ed1940d12ca349de028305b4b516e485ddec24a062d1c6e34202853fff37acdc34d94705a5b5556fb4f084e54fafe0ee91bc96aa3ee40233a7

    • SSDEEP

      24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aHrDWs2iF3tyipz:STvC/MTQYxsWR7aHMinyA

    Score
    3/10
    • Target

      2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

    • Size

      750KB

    • MD5

      01bb109640de25e5052b991261824f1c

    • SHA1

      e539fb8e8a9cb6b5b7c11b8de3a782ede04de2dd

    • SHA256

      2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc

    • SHA512

      e2d6607a0eb500da7f5c8a98028d89d0c1e290642c5033072507b2de0bec711ba7e299cd29ce4965c03ae739c9c86620697ff009deee39528b1cbc5225758563

    • SSDEEP

      12288:uh0vbB0rdv7/vGFJJu1Z7kjNfKWS4k5QVqNE8AknzmmtpTqJYQ:uhMt+v7/vGFJJunWSTj0YZFHQ

    Score
    7/10
    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      2c7da6690be26bd6b5ceea90b233fdd26589d7a72b2a62468903aba887e7ad6a.exe

    • Size

      3.5MB

    • MD5

      90c1778d45fd9aca9e21d708bea36d9d

    • SHA1

      65da9b19155c7654a4535ed387ef83642ee37da9

    • SHA256

      2c7da6690be26bd6b5ceea90b233fdd26589d7a72b2a62468903aba887e7ad6a

    • SHA512

      c7bd7aa7eb94bed5b7c8bba5796804e9d9e212c4a2d7e2723e1810a4f0b649f2cb4bb244756ed054698b76d178e0b55ff5952f43374e01e447d23dc9d2344f3c

    • SSDEEP

      98304:EObHw9D+w0/EplRULl9TNBcDZaAww+RpLB:EO7WbULHBBSsAcJB

    Score
    4/10
    • Target

      2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e.exe

    • Size

      16.6MB

    • MD5

      dbad9356d002d6a733eb2725005707cc

    • SHA1

      653f16a4e4dc35be1c6cfde12e6194acb8893b6a

    • SHA256

      2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e

    • SHA512

      fff7b794f0b8d6884bfeb329035fe5ce1a803b2c4aa21fd6842b66b3129776ee5b64ab2ba71f1d020a6050e0d3a52c04bfd0d8d84b353e201737c47ed6e10d8c

    • SSDEEP

      98304:pDjQINJwaP6MhwQBQTRWN7eslalwm6tDGKTeYzd4E1UEmW8w5kZnHvRngGag:VpiMhwoesFtHTF17kWLg

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma (LummaC) is an infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe

    • Size

      31.6MB

    • MD5

      0483ff2b9382e11b33f97b35e62d8d41

    • SHA1

      0a5b5081bdedd90b7a5183343dc4be720c01c80f

    • SHA256

      300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45

    • SHA512

      ed774140b89c712eccfdbcdaf06004382ff715c71f1a043897cdad48d8adeeac69e8dc3765029b432562a89644c109ff3993f60a6f53e7a3d9e8dc424508b9d5

    • SSDEEP

      786432:W9lzMRum1Qz0eoDr9NdkIvhlr4cGtMVsjVKmWRZc+BsVEVk:W9lzMRum1QQRzkIvhjuAfzsVEK

    Score
    7/10
    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe

    • Size

      9.9MB

    • MD5

      62c272b7dac6fd147b572b0030a2c71d

    • SHA1

      f1a035be486143d307acd6e2d638e0fc51b7fcda

    • SHA256

      353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5

    • SHA512

      7ce9f1919c55b659b396f446da79025c2f313921c5e0b5cbc37933a9e276fba17c68475a0956600a799252e01384f883ee0b8ed991ed7393b03c8c9d0b3ae38f

    • SSDEEP

      196608:6/oQxmgcsgIfIUpY2Q+dWGejXROJg/g6ZAQjyrDfPKMzWe1iEasMv22KWBgVkYTh:6/NmN/IwUDdzejXRPguAFrr6d22PgOYV

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      391ac1ceedd3c960f32890f834a86ba1570ee5a0cc12dcef1714d43bb29fc457.exe

    • Size

      893KB

    • MD5

      c0a1ffbe408f92e743f0727ca8947da8

    • SHA1

      6b3b87020dfa6b838fb3585853226ba507148c1a

    • SHA256

      391ac1ceedd3c960f32890f834a86ba1570ee5a0cc12dcef1714d43bb29fc457

    • SHA512

      9fc0aca36a9a57a2c0864400835439511ad062004a1976b0337757b5937f7ca42085358dcc9ad6ae40d577dc923b3bae5983ff52de58e178b5a21c2797f57597

    • SSDEEP

      24576:PiUmSB/o5d1ubcv5W2AFUNxWG+qJn7/7SktB6L:P/mU/ohubcvM2AVPmXSP

    Score
    7/10
    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101.hta

    • Size

      152KB

    • MD5

      f904e8a5141b08f3f8e2121459f539fe

    • SHA1

      56a3a5f48e339964c13c3c66fc08081763fa22ce

    • SHA256

      d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101

    • SHA512

      d5a02d2f891318c5926ffd67f0bc20e7dc964a10434a9a1d04769688bacc0535b13a86e5b35073c59b6945bf70fdaff5bc34cf6eb0afdaa1c8ede30fab4197dc

    • SSDEEP

      768:tZ6A3yXNA0AGAzUGq4Lcl64c/9tB2KCgFPBh1VQiXAZO:t7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      e0fa6d69b26f18cfdef3bd930d067eca476b3d2cb78d14bec88f05ae87d25b1e.msi

    • Size

      18.0MB

    • MD5

      6d7878a7e0a19655f118dc7143b601db

    • SHA1

      4c439efe22e99fe21ade50cf115baf3b710db0fa

    • SHA256

      e0fa6d69b26f18cfdef3bd930d067eca476b3d2cb78d14bec88f05ae87d25b1e

    • SHA512

      54020a29d792b5c57a2dd83f43998248703079c0e36306631d10005c77a8301f770dcadccaef31c48600ace2a86b90be617b5ac5bd383d97c9b8c8a3921e976e

    • SSDEEP

      393216:UN/bZNw7oDqYT2XiU5XZPcX7c498R/KkHX:0br9Ta/PAc4oKk

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, rat, default, mirai, dcrat, redline, asyncrat, phorphiex
Score
10/10

behavioral1

Score
1/10

behavioral2

discovery, execution
Score
8/10

behavioral3

discovery
Score
3/10

behavioral4

Score
6/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
7/10

behavioral7

discovery
Score
3/10

behavioral8

persistence
Score
6/10

behavioral9

discovery
Score
3/10

behavioral10

agenttesla, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral11

agenttesla, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral12

dcrat, credential_access, discovery, evasion, infostealer, rat, spyware, stealer, trojan
Score
10/10

behavioral13

Score
6/10

behavioral14

lumma, discovery, stealer
Score
10/10

behavioral15

discovery, evasion, execution, trojan
Score
10/10

behavioral16

agenttesla, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral17

dcrat, infostealer, rat
Score
10/10

behavioral18

Score
1/10

behavioral19

stealc, cr1, discovery, stealer
Score
10/10

behavioral20

discovery, evasion, execution, persistence, trojan
Score
10/10

behavioral21

stealc, cr2, discovery, stealer
Score
10/10

behavioral22

Score
1/10

behavioral23

collection, credential_access, discovery, stealer
Score
10/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
4/10

behavioral27

lumma, discovery, stealer
Score
10/10

behavioral28

discovery
Score
7/10

behavioral29

Score
7/10

behavioral30

discovery, upx
Score
7/10

behavioral31

agenttesla, credential_access, defense_evasion, discovery, execution, keylogger, spyware, stealer, trojan
Score
10/10

behavioral32

discovery, persistence, privilege_escalation
Score
6/10