Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7.exe

  • Size

    879KB

  • MD5

    af466faccd8bbab030d12caf7b16ea61

  • SHA1

    e18711fe226d39fe182c45ea1a15ccc587980b67

  • SHA256

    00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7

  • SHA512

    2599b3b6db13c14e36bc24980da5457c8788624050ad727d2b1d8975b6405e1a6dfee9829a849900edcc7cc831b69604cce9e6e7e0080835e426df343a1d6e64

  • SSDEEP

    12288:D+of7uHr7XLo+U90C447TmTWCsNWGHBm++WDzLGfWCayErUUxmptN:Dr7uH3vu0B4OWZxPDnG5ErUn

  Score

  3^/10

  discovery
  behavioral1

• • Target

    05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81.exe

  • Size

    15KB

  • MD5

    32915fef0066f3a580ae9389d83e195f

  • SHA1

    e000d59d91a6039c28a628ec436f680f41e8ffec

  • SHA256

    05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81

  • SHA512

    57d43daac4bc5d550bed9724dc8c2041111dba3f3a52fca7b688e3d6b64267c34c537b8045d974e007412f504aeb3428f571c360b053faff7c040c4bc235cbd8

  • SSDEEP

    192:F7r4fe9FV9wQw0XJ58CWuVmcmLQ4k8Md0QiyIWNMrXRkf1ZdDjgXFk3AaDvFmv:FAfe7wQw+4Cc84ZM6eIkf1Z1jgXKHC

  Score

  1^/10
  behavioral2

• • Target

    0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5.exe

  • Size

    355KB

  • MD5

    ff4c98aae03f63b8256dd765e99f5934

  • SHA1

    db774f2c4a2ed02f42effd6016e6ee7b8ae5cfde

  • SHA256

    0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5

  • SHA512

    eea1f000945adf51217d3b3e6faaa947c683de5c278ce0c7870360d959d65347804b563853d32ce2d49bd6fb0567c9d0d065ee561bb4b16d66af1bbd98197c1d

  • SSDEEP

    6144:wlZzOaQGDj25OFco79+ITkBXkHQYfrF1aK0FAbw1lZzOR0x0k5kPFOM+11c5K9b:YZTP2kioZD1rUxPZA0x/ksB9b

  Score

  8^/10

  discoverypersistenceupx

  • Drops file in Drivers directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral3

• • Target

    0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

  • Size

    9.4MB

  • MD5

    813b749967045532f86e6442447bcd8b

  • SHA1

    8d0615e7f7ba672a3fc94c05a9451f9d08797af7

  • SHA256

    0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

  • SHA512

    47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

  • SSDEEP

    24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV

  Score

  10^/10

  dcratdiscoveryinfostealerrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral4

• • Target

    1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c.exe

  • Size

    28KB

  • MD5

    e26570922a9373c1f3a06f647ddd10a4

  • SHA1

    e0f6853e39e0b9fbcb3062bb7e15b8734b9df9f3

  • SHA256

    1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c

  • SHA512

    e17a8c1ca8aa6c65106831086f203736b7bdd92c54d2487f381f7d7303a5f3852859935ef55a913dd8856c6015a5f9414308430ae1ff4b5690743025f8ff4c70

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNQ05:Dv8IRRdsxq1DjJcqf8

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral5

• • Target

    1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81.exe

  • Size

    21KB

  • MD5

    26b8bc40d95b979e1e708a9f843242ad

  • SHA1

    229284e8cb74bbfae647eb160e4188bda3e50721

  • SHA256

    1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81

  • SHA512

    e53fb1b351f47227c1568718c99cc78048507518ac823cebccddebdc630845f9c972a746036f67d416275bdb1667d298ddd6a0fd4e0fea4dc096d7c2cfcf0625

  • SSDEEP

    384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzU4ek+:SCIqdH/k1ZVcT194jp44eD

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral6

• • Target

    23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98.exe

  • Size

    21KB

  • MD5

    3f122d9a0b7a9f1aa8c973d170ee8d55

  • SHA1

    3fb032e1a7a3a9cc5ce0d5f03fbb7f74a063ce39

  • SHA256

    23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98

  • SHA512

    25b3db24d20482476e07e29bcee1e231e106d1ec8e36bc390960085595816268ced9c6d392ee21e48c0643801e14c4bb88e1d006fc35467a1abf7b66a423fad4

  • SSDEEP

    384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUEBI:SCIqdH/k1ZVcT194jp4ES

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral7

• • Target

    2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03.exe

  • Size

    49KB

  • MD5

    d4aae2114968c886660e4cbf1c694160

  • SHA1

    c5b6d1ccc5f238686f3be7bfff44c9b612d74efb

  • SHA256

    2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03

  • SHA512

    69d0c95abcb789b5e638e826c0b827634fb076248c659b1d2d62741383a62510d6ad6b1e6c16ea1a2ab7f2ac271ba56958e0f070def4a33c6bcaacba848c8395

  • SSDEEP

    768:nqQ07c92/EyTAYtxqfGNC0klI7C8ycYlI5P194jp49w404LY:n87wc1aGNC0klI7CPpIFa69wAY

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral8

• • Target

    2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2.exe

  • Size

    22KB

  • MD5

    44fad0089dd3b0b481f30486646fd3f0

  • SHA1

    54a3e4359bedeba0d8747e2bc7e94ebbd48feef3

  • SHA256

    2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2

  • SHA512

    7137de8a76aa91bc921a7334dde182eaa786a42bc5dc7369e9265f9226ea52bedf003e8ba707f297d880828daa5f1183233d985cb98e371eb711c2523a1a0acc

  • SSDEEP

    384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUIegaC3:SCIqdH/k1ZVcT194jp4IegaC3

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral9

• • Target

    3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

  • Size

    41KB

  • MD5

    3e67d212278e1af5be913d236399fcf6

  • SHA1

    f993125ed4af1de6a551a6e0843a6d124cd46f27

  • SHA256

    3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464

  • SHA512

    f7e6394c9f9fdd6a03c72aaece5b4911cb821680a632f94b622b12d94cff9873d93b2c6604016524bdab4dd6e4b70b532c440f6b296138677be19e078ad23ec7

  • SSDEEP

    768:/eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:/q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl

  Score

  8^/10

  discoverypersistencespywarestealer

  • Drops file in Drivers directory

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  behavioral10

• • Target

    3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5.exe

  • Size

    41KB

  • MD5

    b1f6a4cc592f3c9f7d4b69c02ac74d11

  • SHA1

    db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc

  • SHA256

    3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5

  • SHA512

    66c3d5cb3c9bf13604748853797e4c1a1eae13d52cdf43f16da0b1b180ad0c10102a2935d4d6bd0549f6e48427c0181cbb07f1ee664274727dff0cc61e5075c5

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral11

• • Target

    493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc.exe

  • Size

    21KB

  • MD5

    fd6deb4cda087d7a60b6b28104fad84b

  • SHA1

    6826e88b55a2794f9ea72c86bb9cfd084fe2aee9

  • SHA256

    493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc

  • SHA512

    afa16663956ffa8d50d7a6622c7cb01d9b01f83c1ef21dfce1eeffc8cc217499e7a78bcea952b59c501caa71b3aaa5b2c144ed30529685efb55266678eb18dc3

  • SSDEEP

    384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUMO2:SCIqdH/k1ZVcT194jp4N2

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral12

• • Target

    4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08.exe

  • Size

    29KB

  • MD5

    0d14590170f35263c0e3f0e0e1594720

  • SHA1

    21414e31724eb95408a4031a0c0508b2a12260e7

  • SHA256

    4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08

  • SHA512

    76e6fbd04c08b749b46ce1499e15ad58d7bb8d0c20db0a0fae54001f973aaa73e961cf80558c090d31d7f69918562c519c01c2cb441548feca63cea37792aa3c

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/V:AEwVs+0jNDY1qi/qt

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral13

• • Target

    510827ce687ad00545a1726c25a00f65e7d685b7dcd857fc6f11a0392feee5c5.exe

  • Size

    28KB

  • MD5

    6cdec3ccff3c2a0c2602bc89443f865f

  • SHA1

    cf7ac47ec2e5b261786c9c11d30a09050bf459be

  • SHA256

    510827ce687ad00545a1726c25a00f65e7d685b7dcd857fc6f11a0392feee5c5

  • SHA512

    c97f74a3486b1018c2413473a82ca9d1f777c05993c4b3da4adca0006165107c2ecd14251f77e3cfcd8ea3949f64332e35e43648426f750aad8eb597f87370bb

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNanRiEMnY:Dv8IRRdsxq1DjJcqfFRn4Y

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral14

• • Target

    5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe

  • Size

    41KB

  • MD5

    64276638075d3cab665966be7f366682

  • SHA1

    3fb9c599d5dc9188332b4a9c0f1262c07ee24699

  • SHA256

    5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a

  • SHA512

    1bbd7440a14f8651ef4433cdda3a48071024838688f8ff88a0688cf56f28854232446f655731a44d1f02f1e572697e132f06c92dfa170825433154042be02826

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral15

• • Target

    6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c.exe

  • Size

    28KB

  • MD5

    e5128ece1b9916a6df7cd56d66c193c2

  • SHA1

    c99f687b182f3dee71e8434360595832ea431075

  • SHA256

    6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c

  • SHA512

    67b9166f33c78140ce2259df9a7bae92e6cae066b7f54cb0ebdec183ef1ffaf958f6cd24b0bb01e2b6a302fb73e9c5c057554c825e1496ef3b679e77dd7715af

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNHS6e:Dv8IRRdsxq1DjJcqfH

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral16

• • Target

    6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3.exe

  • Size

    21KB

  • MD5

    41a7ddd957c89fc7d20b60fbb7526198

  • SHA1

    2b3575ced3fb5227c1b21cb5a5d70de6ee20ac5e

  • SHA256

    6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3

  • SHA512

    c97c733c37423269eefff67c66caf04317dbcfb8dc678cae18b265f9cde57ff0677c93cceaa0cda05e70daa3446d507538f1db9b37a30078568542a8cf67bec5

  • SSDEEP

    384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzULMc4:SCIqdH/k1ZVcT194jp4LMx

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral17

• • Target

    77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320.exe

  • Size

    29KB

  • MD5

    4568631011aae49f42e185b46a1a30a5

  • SHA1

    d3e88e07f54ad778b774822bcf283accc22b529b

  • SHA256

    77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320

  • SHA512

    fc673b7013b9d291258579c18e0466e4e3e6de1fff73900fb3f87ff275aa0064e36620b7774880bbef14ad4e5e968ea46c0ef47484f260468f263cc6d1832cd1

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/p:AEwVs+0jNDY1qi/qh

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral18

• • Target

    7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61.exe

  • Size

    29KB

  • MD5

    18e2d2d193f1b5e2fe2cec1f6b4c5c38

  • SHA1

    5c9e2ecd155da2d8822187398d58febd1044a1e4

  • SHA256

    7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61

  • SHA512

    3a961ff5d823450134acc34fb984bd5105fcf02c65692ee5fc7273c6de9fc64185cc548ea1de6d5622d6985e754943a4b4d235458eb41bef469027e6b11a35ba

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/9:AEwVs+0jNDY1qi/q1

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral19

• • Target

    8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088.exe

  • Size

    45KB

  • MD5

    3aa484f942ddfeff67d043fafb9877bb

  • SHA1

    966cbc5b018d94b1797ad5d506ca4d3cb639eca7

  • SHA256

    8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088

  • SHA512

    9356aa0648b93558e0e3af85a9d08449f63c4e6675f82feed9b386425fcbcb7e391b2dfbc114055d0d2b779407b40074f7083205b194c0fa460e99ba8b635612

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral20

• • Target

    9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060.exe

  • Size

    41KB

  • MD5

    cdc7a9e456810fd6d0a5f9129c633c03

  • SHA1

    3fd75d798773bbb29b26a4c9b9c0635ff52fee57

  • SHA256

    9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060

  • SHA512

    635346ea4d4c29618469e2aac76e12280e89d44b3fc22e1b522608a5c2352337d20745116e85bcf96e592261d5adb460e1bae8ae2a41e27e0a32298567462c11

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral21

• • Target

    9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3.exe

  • Size

    28KB

  • MD5

    f64e4d13a57ae222768b792b2c16158d

  • SHA1

    5a0878beb5a8a464f71629f560b8ac12473776e7

  • SHA256

    9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3

  • SHA512

    e9bab92bb7df9414f531b579449c72fd911c9cc0e59809cb6105ef8bdd3cc7818e5626ef57159a7362a82e7cdbfbe2a0f58839e0167a696d3217e622143925a1

  • SSDEEP

    384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN7F57Oz:Dv8IRRdsxq1DjJcqfAJOz

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral22

• • Target

    Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

  • Size

    127KB

  • MD5

    93a7ed73f2245a1f043b74e724705f54

  • SHA1

    6b97b4cd5d44e607540b841081f68b7755ce59f5

  • SHA256

    1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406

  • SHA512

    ab1d5999d7bdeb0a2d93a7476cbcace92971417d45a7459fbe294ed66d0466f0e121a68fe9ade89c3c71d4afab3b81b94aaaeabc99e6f02f79c307acbf574090

  • SSDEEP

    3072:bhADm5OPINYUsx0Ki6uA9bKHtBdQex7Coy5q5l:bhAcO7xhjuA9bQQzq

  Score

  10^/10

  discoveryevasionexecutionransomware

  • Disables service(s)

    evasionexecution

  • Renames multiple (224) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Blocklisted process makes network request

  • Deletes itself

  • Drops startup file

  • Drops desktop.ini file(s)

  behavioral23

• • Target

    Mydoom Ransomwares/1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c.exe

  • Size

    27KB

  • MD5

    4ae2e5156253fbeed2c6f13a066c98a1

  • SHA1

    db318de72c2cdda1822999441d23b91e933a772b

  • SHA256

    1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c

  • SHA512

    c00c1c47e4cffaa3078885bbca42e6663bb478ec33b5b742c752412b204af55bf94008868264d0b03279339017732330e64c52d3b20f55e347194f65f2147be2

  • SSDEEP

    384:XLNAZPBVp/L9Z1oQEDQVbfANpC78rMNAtpDkjvr+jfXNIRXrrahrBDBkHqd7gasb:XCZ5jz9YQEMb4KN2ywrFuHeJsyO

  Score

  10^/10

  credential_accessdiscoverypersistenceransomwarespywarestealer

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral24

• • Target

    Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe

  • Size

    100KB

  • MD5

    7fdd3bf8886199e8336f95c88bcaa49a

  • SHA1

    77e2019093379de4d5de07dbcf5893831c9bb7ec

  • SHA256

    5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc

  • SHA512

    9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40

  • SSDEEP

    1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm

  Score

  10^/10

  discoveryevasionexecutionpersistenceprivilege_escalationransomware

  • Disables service(s)

    evasionexecution

  • Renames multiple (242) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Deletes itself

  • Drops startup file

  • Modifies file permissions

    discovery

  • Modifies WinLogon

    persistence

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery
  behavioral25

• • Target

    Mydoom Ransomwares/84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859.exe

  • Size

    492KB

  • MD5

    63acb0fc42adddeefed36db5b1ad61bb

  • SHA1

    7ffe0a6043397f55fd794971cac56a79fc564c0a

  • SHA256

    84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859

  • SHA512

    91787551107a0c013b3c5c35b9cb51f5880403a9f8dc3370f3392aba8b37fe210eda82a8bbd474f1d6ad73e969a8d6c2962278a9f0d595c8842269c27142c4c0

  • SSDEEP

    12288:rDA4+Z/YWwIQx+E6uI4+Z/YWvt8OW/9mZ4+QwQaNdmrlTT6zncVUJ7vn:wo9UPgTT6DN

  Score

  10^/10

  defense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwaretrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Disables Task Manager via registry modification

    evasion

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware
  behavioral26

• • Target

    Mydoom Ransomwares/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe

  • Size

    1.9MB

  • MD5

    f09a781eeb97acf68c8c1783e76c29e6

  • SHA1

    ec2b7eebfcbf263424ae194817060eac44c380c7

  • SHA256

    cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64

  • SHA512

    972fc4759d344c3eab157fe8bb345596592895ab9d27546961a93047142e8236dd876f3449a9f60dd5eb93a54035dcd3d7c8d70d468e3233341bfa4d674cfa64

  • SSDEEP

    49152:jL7kITp6hTJEfHdQ2+Sd3KmkZt1EOS09VE8zbRfc7id4oPg:YITpmafy2+S5KmkZt1EOSP8zdfc7i5P

  Score

  10^/10

  dharmacredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerupx

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral27

• • Target

    Mydoom Ransomwares/dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

  • Size

    1.8MB

  • MD5

    057aad993a3ef50f6b3ca2db37cb928a

  • SHA1

    a57592be641738c86c85308ef68148181249bc0b

  • SHA256

    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876

  • SHA512

    87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb

  • SSDEEP

    49152:BY/3BNLViG5jQWArXncSxhBfV7xLE1t+XgWJz5qtAj6R:BwgG5MWMX7h8+Uw

  Score

  10^/10

  satancryptorzebrocybackdoorcredential_accessdefense_evasiondiscoveryransomwarespywarestealertrojanupx

  • SatanCryptor

    Golang ransomware first seen in early 2020.

    ransomwaresatancryptor

  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    trojanbackdoorzebrocy

  • Zebrocy Go Variant

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral28

• • Target

    a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f.exe

  • Size

    41KB

  • MD5

    ec9e58951bf3e0ff91c5f86cae637dc4

  • SHA1

    8f2e5fce00e3f5265deabaa71a9243d1b936395c

  • SHA256

    a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f

  • SHA512

    466d31863ee8d7765b436f75588da017b095ac66f86deb8dff41fc2349de456da8dbb59bec863c4a754fc68a210ad8e1c578d968312c9ea0595d4aab7fb2f0a5

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral29

• • Target

    b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe

  • Size

    41KB

  • MD5

    2f0ded84c37387024cd7145bd7e64e88

  • SHA1

    61803770a6bdf2aafb3f7efcc3c135d63ddd55b5

  • SHA256

    b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695

  • SHA512

    efe39f1abf0c1ae5662c95bdcc7022e5982069e7656860356643eabf4a567639136125294dfd3ecbde72e0853e886a88b5d085d8c757c7b63f67cb000b510848

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral30

• • Target

    c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

  • Size

    856KB

  • MD5

    733766ff5495f04d82744291993eb69e

  • SHA1

    2830778313fd7fccc6c8129d419b1757368078fd

  • SHA256

    c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef

  • SHA512

    cf3bf548e743894888ba3ea191a289f09d9f36215e1306aa21e61f0ea81473eec6df01a6e7f05f9251ecb9cc71c654934a53d4916c4152bf8fa4a95119e98cf2

  • SSDEEP

    12288:0zqKbHTadreUv6e2faqsW8lEsbjwepi8K2cE4b5wxH5/uek6JA6QfmpFiMtMv7u3:yPaFnCec8vj1p7pc5bQZ/uesmoqt7jF

  Score

  8^/10

  bootkitdiscoverypersistenceupx

  • Server Software Component: Terminal Services DLL

    persistence

  • Sets service image path in registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral31

• • Target

    c45a330cf80c33977658649596d4867301e928381c5fc37ec3edabfad2251324.exe

  • Size

    29KB

  • MD5

    5b4833161897a50ab4688e2990d1d24b

  • SHA1

    0a04dd46bca64169511b4bcdc8ea36eb8ad55012

  • SHA256

    c45a330cf80c33977658649596d4867301e928381c5fc37ec3edabfad2251324

  • SHA512

    df87dacc161a583dbc060ddc60868476ba5a864021644da643475a93805229a633eb8f0ade738f2512e05b7ec3c8647d877bc4658beb475bd6b0347568caaf5e

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/l:AEwVs+0jNDY1qi/qN

  Score

  10^/10

  mydoomdiscoverypersistencespywarestealerupxworm

  • Detects MyDoom family

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery
  behavioral32