Overview
overview
10Static
static
10Dropper/Berbew.exe
windows7-x64
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows7-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows7-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows7-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows7-x64
7RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows7-x64
10Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows7-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows7-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows7-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows7-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows7-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows7-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows7-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows7-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows7-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10General
-
Target
Archive.zip
-
Size
25.8MB
-
Sample
240903-ws828asgnm
-
MD5
83671dbfab2418604f11993fdc392094
-
SHA1
5386d1fb94ec2974736a4d8895a2218855ffda69
-
SHA256
60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f
-
SHA512
9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138
-
SSDEEP
786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
RAT/31.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
RAT/XClient.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
RAT/XClient.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
RAT/file.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
RAT/file.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Ransomware/Client-2.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Ransomware/criticalupdate01.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Ransomware/default.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Ransomware/default.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Stealers/Azorult.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Stealers/BlackMoon.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Stealers/Dridex.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
Stealers/lumma.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
Stealers/lumma.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
Trojan/BetaBot.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
Trojan/SmokeLoader.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/2jTT3Lnj
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
hakbit
Extracted
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
hakbit
Extracted
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
Extracted
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Extracted
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
azorult
http://195.245.112.115/index.php
Extracted
lumma
https://whispedwoodmoodsksl.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
Extracted
formbook
4.0
w9z
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
worstig.com
Extracted
gozi
-
build
300869
-
exe_type
loader
Extracted
gozi
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
formbook
4.1
i0qi
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
joomlas123.com
Extracted
qakbot
324.141
spx129
1590734339
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
173.173.77.164:443
207.255.161.8:2222
68.39.177.147:995
178.193.33.121:2222
72.209.191.27:443
67.165.206.193:995
64.19.74.29:995
117.199.195.112:443
75.87.161.32:995
188.173.214.88:443
173.22.120.11:2222
96.41.93.96:443
86.125.210.26:443
24.10.42.174:443
47.201.1.210:443
69.92.54.95:995
24.202.42.48:2222
47.205.231.60:443
66.26.160.37:443
65.131.44.40:995
24.110.96.149:443
108.58.9.238:443
77.159.149.74:443
74.56.167.31:443
75.137.239.211:443
47.153.115.154:995
173.172.205.216:443
184.98.104.7:995
24.46.40.189:2222
98.115.138.61:443
35.142.12.163:2222
189.231.198.212:443
47.146.169.85:443
173.21.10.71:2222
24.42.14.241:443
188.27.6.170:443
89.137.77.237:443
5.13.99.38:995
93.113.90.128:443
72.179.242.236:0
73.210.114.187:443
80.240.26.178:443
85.186.141.62:995
81.103.144.77:443
98.4.227.199:443
24.122.228.88:443
150.143.128.70:2222
47.153.115.154:443
65.116.179.83:443
50.29.181.193:995
189.140.112.184:443
142.129.227.86:443
74.134.46.7:443
220.135.31.140:2222
172.78.87.180:443
24.201.79.208:2078
97.127.144.203:2222
100.4.173.223:443
59.124.10.133:443
89.43.108.19:443
216.163.4.91:443
67.83.54.76:2222
72.204.242.138:443
24.43.22.220:995
67.250.184.157:443
78.97.145.242:443
203.198.96.239:443
104.174.71.153:2222
24.28.183.107:995
197.160.20.211:443
79.117.161.67:21
82.76.239.193:443
69.246.151.5:443
78.96.192.26:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
162.154.223.73:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
108.183.200.239:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
71.31.160.43:22
189.159.113.190:995
98.148.177.77:443
98.116.62.242:443
68.4.137.211:443
108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
75.132.35.60:443
98.219.77.197:443
24.43.22.220:443
207.255.161.8:2087
72.190.101.70:443
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
98.13.0.128:443
175.111.128.234:995
175.111.128.234:443
216.137.140.236:2222
24.191.214.43:2083
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
Targets
-
-
Target
Dropper/Berbew.exe
-
Size
109KB
-
MD5
331d4664aaa1e426075838bac0ba0e80
-
SHA1
b5825947ed101a498fadd55ed128172773f014e3
-
SHA256
90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1
-
SHA512
9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec
-
SSDEEP
3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
Dropper/Phorphiex.exe
-
Size
143KB
-
MD5
b034e2a7cd76b757b7c62ce514b378b4
-
SHA1
27d15f36cb5e3338a19a7f6441ece58439f830f2
-
SHA256
90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
-
SHA512
1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
-
SSDEEP
3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
RAT/31.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
SSDEEP
393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Raccoon Stealer V1 payload
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Formbook payload
-
Looks for VirtualBox Guest Additions in registry
-
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
RAT/XClient.exe
-
Size
172KB
-
MD5
75ba783757c5b61bd841afa136fc3eda
-
SHA1
8db9cda9508471a23f9b743027fa115e01bc1fe1
-
SHA256
75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
-
SHA512
9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
-
SSDEEP
1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
RAT/file.exe
-
Size
101KB
-
MD5
88dbffbc0062b913cbddfde8249ef2f3
-
SHA1
e2534efda3080e7e5f3419c24ea663fe9d35b4cc
-
SHA256
275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
-
SHA512
036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
-
SSDEEP
1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS
Score7/10-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
-
-
Target
Ransomware/Client-2.exe
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
-
SSDEEP
1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops startup file
-
-
-
Target
Ransomware/criticalupdate01.exe
-
Size
261KB
-
MD5
7d80230df68ccba871815d68f016c282
-
SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6
-
SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
-
SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
SSDEEP
3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
-
Renames multiple (3053) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
Ransomware/default.exe
-
Size
211KB
-
MD5
f42abb7569dbc2ff5faa7e078cb71476
-
SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6
-
SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
-
SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
-
SSDEEP
6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7388) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Stealers/Azorult.exe
-
Size
10.6MB
-
MD5
5e25abc3a3ad181d2213e47fa36c4a37
-
SHA1
ba365097003860c8fb9d332f377e2f8103d220e0
-
SHA256
3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
-
SHA512
676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
-
SSDEEP
196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
-
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
-
Detect Blackmoon payload
-
Executes dropped EXE
-
-
-
Target
Stealers/Dridex.exe
-
Size
1.2MB
-
MD5
304109f9a5c3726818b4c3668fdb71fd
-
SHA1
2eb804e205d15d314e7f67d503940f69f5dc2ef8
-
SHA256
af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
-
SHA512
cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
-
SSDEEP
24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
Stealers/Masslogger/mouse_2.exe
-
Size
984KB
-
MD5
af8ab92992ccc4cc6a637953836edf93
-
SHA1
ac17c77cae31fdfeb618b0083285ba869baf29fc
-
SHA256
03968a3a5a7a880feefca31686fcfbed445080a0c06eda2b6d623757179b782c
-
SHA512
9dc3bdfe45f9333d62ef3b0aaf3860a9ef1e94ced02ed0437d3ac2f96b3b9aacf6e621703f13d62f356bd50dec84cc3a3dc787a8a14c9ce0ceeed9ff63c45ad2
-
SSDEEP
24576:iNg+tKkEYA7Gmvv/HGsvPw9vz/DrELE7VUH:0g4K7YA7vvRMbcLa
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Stealers/lumma.exe
-
Size
311KB
-
MD5
33753bbc9a828b7be03eab11ef15d1f0
-
SHA1
dc2ffad4ab05bab6fcd9f0258d2071bdac910283
-
SHA256
7d2cacef8fc24cd30f6b0596abaf37342f85ab1d8b6b0ccf01ad1bdb79317d92
-
SHA512
06c529a8ad0991a3304c83df13093ade5dd37156709d863265703fc6ed23b6dd4519ecb15c08f1badc2d85870fb91912f177183453e63119a1f48641686a0465
-
SSDEEP
6144:gZBeWp7SFZn5ZkolpkR/rwaYyJXiICeTB:gZBVpmFZPOJJXih2B
-
-
-
Target
Trojan/BetaBot.exe
-
Size
609KB
-
MD5
347d7700eb4a4537df6bb7492ca21702
-
SHA1
983189dab4b523e19f8efd35eee4d7d43d84aca2
-
SHA256
a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
-
SHA512
5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
SSDEEP
12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service
-
ModiLoader Second Stage
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Trojan/SmokeLoader.exe
-
Size
251KB
-
MD5
924aa6c26f6f43e0893a40728eac3b32
-
SHA1
baa9b4c895b09d315ed747b3bd087f4583aa84fc
-
SHA256
30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
-
SHA512
3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
-
SSDEEP
6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score10/10-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Scripting
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
5Windows Service
5Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
5Windows Service
5Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
7Disable or Modify System Firewall
2Disable or Modify Tools
4Indicator Removal
4Clear Persistence
2File Deletion
2Modify Registry
15Scripting
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
3Permission Groups Discovery
1Local Groups
1Query Registry
10Remote System Discovery
1System Information Discovery
10System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2