agenttesla

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Sharing

Copy URL

Twitter E-mail

General

Target

Archive.zip
Size

25.8MB
Sample

240904-afvheascla
MD5

83671dbfab2418604f11993fdc392094
SHA1

5386d1fb94ec2974736a4d8895a2218855ffda69
SHA256

60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f
SHA512

9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138
SSDEEP

786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/2jTT3Lnj

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

lumma

https://whispedwoodmoodsksl.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Extracted

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
[email protected]
Password:
china1977

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes

build
300869
exe_type
loader

Extracted

Family

gozi

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Targets

- Target
  
  Archive.zip
- Size
  
  25.8MB
- MD5
  
  83671dbfab2418604f11993fdc392094
- SHA1
  
  5386d1fb94ec2974736a4d8895a2218855ffda69
- SHA256
  
  60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f
- SHA512
  
  9cf982c9b2949f05ea4ab7d27b369924334cb9f8a0b85c374cf08ac059281ecf96c97088bb983f74033a1a8fba01f09c2f3f41ae3a60e7c79db8b6312edd5138
- SSDEEP
  
  786432:+r/Da8WA3C5BENmtAWzdVTkvq+GY8NEXcJap4DFEME/:4/W8WAS5BENmtZ1kvq+GYi8pw+T
Score

1^/10
behavioral1
- Target
  
  Dropper/Berbew.exe
- Size
  
  109KB
- MD5
  
  331d4664aaa1e426075838bac0ba0e80
- SHA1
  
  b5825947ed101a498fadd55ed128172773f014e3
- SHA256
  
  90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1
- SHA512
  
  9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec
- SSDEEP
  
  3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz
Score

10^/10

discovery persistence
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Executes dropped EXE
- Drops file in System32 directory
behavioral2
- Target
  
  Dropper/Phorphiex.exe
- Size
  
  143KB
- MD5
  
  b034e2a7cd76b757b7c62ce514b378b4
- SHA1
  
  27d15f36cb5e3338a19a7f6441ece58439f830f2
- SHA256
  
  90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
- SHA512
  
  1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
- SSDEEP
  
  3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
Score

10^/10

phorphiex discovery evasion loader persistence trojan upx worm
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  out.upx
- Size
  
  266KB
- MD5
  
  d501947d4aa37f0b20d0280027f88d7a
- SHA1
  
  d4d0e6c07e2d0148b7ae9894470b6a861670bcc4
- SHA256
  
  7f12d8502c88112a227dd460e61a24f5c363f4bb8fec0f72ed432ead21842fb6
- SHA512
  
  0540d023841600687769c998f268f14c058e30e97224cec05de1a9942a55d2fa71697e80e55511e4be7d65154a8ddd103058dcca6f80b6e53f505d0acf3269aa
- SSDEEP
  
  6144:kQq1GtUiiCWWipL2LNC1PL94LuAhLR94:k6WbpCLNaP54R3
Score

3^/10

discovery
behavioral4
- Target
  
  RAT/31.exe
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
- SSDEEP
  
  393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score

10^/10

agenttesla danabot dharma formbook gozi qakbot raccoon 86920224 w9z agilenet banker botnet collection credential_access cryptone defense_evasion discovery evasion execution impact keylogger packer persistence privilege_escalation ransomware rat rezer0 rm3 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Renames multiple (440) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
  evasion
- System Binary Proxy Execution: InstallUtil
  Abuse InstallUtil to proxy execution of malicious code.
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  RAT/XClient.exe
- Size
  
  172KB
- MD5
  
  75ba783757c5b61bd841afa136fc3eda
- SHA1
  
  8db9cda9508471a23f9b743027fa115e01bc1fe1
- SHA256
  
  75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
- SHA512
  
  9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
- SSDEEP
  
  1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral6
- Target
  
  RAT/file.exe
- Size
  
  101KB
- MD5
  
  88dbffbc0062b913cbddfde8249ef2f3
- SHA1
  
  e2534efda3080e7e5f3419c24ea663fe9d35b4cc
- SHA256
  
  275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
- SHA512
  
  036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
- SSDEEP
  
  1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  Ransomware/Client-2.exe
- Size
  
  80KB
- MD5
  
  8152a3d0d76f7e968597f4f834fdfa9d
- SHA1
  
  c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
- SHA256
  
  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
- SHA512
  
  eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
- SSDEEP
  
  1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer
- Disables service(s)
  evasion execution
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral8
- Target
  
  Ransomware/criticalupdate01.exe
- Size
  
  261KB
- MD5
  
  7d80230df68ccba871815d68f016c282
- SHA1
  
  e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256
  
  f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512
  
  64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP
  
  3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score

10^/10

fantom defense_evasion discovery evasion execution impact ransomware spyware stealer
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (4645) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral9
- Target
  
  Ransomware/default.exe
- Size
  
  211KB
- MD5
  
  f42abb7569dbc2ff5faa7e078cb71476
- SHA1
  
  04530a6165fc29ab536bab1be16f6b87c46288e6
- SHA256
  
  516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
- SHA512
  
  3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
- SSDEEP
  
  6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
Score

10^/10

zeppelin discovery persistence ransomware
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10
- Target
  
  Stealers/Azorult.exe
- Size
  
  10.6MB
- MD5
  
  5e25abc3a3ad181d2213e47fa36c4a37
- SHA1
  
  ba365097003860c8fb9d332f377e2f8103d220e0
- SHA256
  
  3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
- SHA512
  
  676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
- SSDEEP
  
  196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK
Score

10^/10

azorult rms aspackv2 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat trojan upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
  persistence
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral11
- Target
  
  Stealers/BlackMoon.exe
- Size
  
  387KB
- MD5
  
  336efa7460c08e3d47f29121742eb010
- SHA1
  
  f41c36cd83879d170309dede056563d35741b87b
- SHA256
  
  e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
- SHA512
  
  e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
- SSDEEP
  
  12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Score

10^/10

blackmoon banker discovery trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral12
- Target
  
  Stealers/Dridex.exe
- Size
  
  1.2MB
- MD5
  
  304109f9a5c3726818b4c3668fdb71fd
- SHA1
  
  2eb804e205d15d314e7f67d503940f69f5dc2ef8
- SHA256
  
  af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
- SHA512
  
  cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
- SSDEEP
  
  24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan
- Dridex
  Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  botnet dridex
- Dridex Shellcode
  Detects Dridex Payload shellcode injected in Explorer process.
  botnet payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral13
- Target
  
  Stealers/Masslogger/mouse_2.exe
- Size
  
  984KB
- MD5
  
  af8ab92992ccc4cc6a637953836edf93
- SHA1
  
  ac17c77cae31fdfeb618b0083285ba869baf29fc
- SHA256
  
  03968a3a5a7a880feefca31686fcfbed445080a0c06eda2b6d623757179b782c
- SHA512
  
  9dc3bdfe45f9333d62ef3b0aaf3860a9ef1e94ced02ed0437d3ac2f96b3b9aacf6e621703f13d62f356bd50dec84cc3a3dc787a8a14c9ce0ceeed9ff63c45ad2
- SSDEEP
  
  24576:iNg+tKkEYA7Gmvv/HGsvPw9vz/DrELE7VUH:0g4K7YA7vvRMbcLa
Score

10^/10

masslogger collection credential_access discovery rezer0 spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  Stealers/lumma.exe
- Size
  
  311KB
- MD5
  
  33753bbc9a828b7be03eab11ef15d1f0
- SHA1
  
  dc2ffad4ab05bab6fcd9f0258d2071bdac910283
- SHA256
  
  7d2cacef8fc24cd30f6b0596abaf37342f85ab1d8b6b0ccf01ad1bdb79317d92
- SHA512
  
  06c529a8ad0991a3304c83df13093ade5dd37156709d863265703fc6ed23b6dd4519ecb15c08f1badc2d85870fb91912f177183453e63119a1f48641686a0465
- SSDEEP
  
  6144:gZBeWp7SFZn5ZkolpkR/rwaYyJXiICeTB:gZBVpmFZPOJJXih2B
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
behavioral15
- Target
  
  Trojan/BetaBot.exe
- Size
  
  609KB
- MD5
  
  347d7700eb4a4537df6bb7492ca21702
- SHA1
  
  983189dab4b523e19f8efd35eee4d7d43d84aca2
- SHA256
  
  a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
- SHA512
  
  5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
- SSDEEP
  
  12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Score

10^/10

betabot modiloader backdoor botnet defense_evasion discovery evasion persistence trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies firewall policy service
  evasion
- ModiLoader Second Stage
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  Trojan/SmokeLoader.exe
- Size
  
  251KB
- MD5
  
  924aa6c26f6f43e0893a40728eac3b32
- SHA1
  
  baa9b4c895b09d315ed747b3bd087f4583aa84fc
- SHA256
  
  30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
- SHA512
  
  3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
- SSDEEP
  
  6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score

10^/10

smokeloader backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

System Binary Proxy Execution

T1218

InstallUtil

T1218.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Drops file in System32 directory

Phorphiex, Phorpiex

Windows security bypass

Executes dropped EXE

UPX packed file

Windows security modification

Adds Run key to start application

Danabot

Danabot x86 payload

Dharma

Formbook

Gozi

Qakbot/Qbot

Raccoon

Raccoon Stealer V1 payload

AgentTesla payload

Credentials from Password Stores: Credentials from Web Browsers

CryptOne packer

Deletes shadow copies

Formbook payload

Looks for VirtualBox Guest Additions in registry

ReZer0 packer

Renames multiple (440) files with added filename extension

Adds policy Run key to start application

Blocklisted process makes network request

Disables Task Manager via registry modification

Drops file in Drivers directory

Looks for VMWare Tools registry key

System Binary Proxy Execution: InstallUtil

Checks BIOS information in registry

Checks QEMU agent file

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Obfuscated with Agile.Net obfuscator

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops desktop.ini file(s)

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Disables service(s)

Hakbit

Credentials from Password Stores: Credentials from Web Browsers