Extracted

Extracted

Extracted

Extracted

• • Target

    P0lko.exe

  • Size

    58.8MB

  • MD5

    92324704460069685d278b419076e962

  • SHA1

    5c89b31ee9e989d455433e5441eafea5c6a8d208

  • SHA256

    39273dc31814624c3e37db9b826fcabce650612235f830d720284eccc472362d

  • SHA512

    347ce3fd432fc548c075e5ffd62c3355511ffa987d52e2e3f01cda04e3b43a7a2bfbd076347293fe66b6ad9d062c67457134b5d21f444ce7623a1866a84a657d

  • SSDEEP

    1572864:8LOrJXzVj0mz3uu2etPQiWmoh8rEf8CQG2Y:8LqJXBj0kuu3IDmnrEAY

  Score

  10^/10

  agentteslacobaltstrikelummamodiloaderraccoonxmrig2ca5558c9ec8037d24a611513d7bd076aspackv2backdoorbootkitcredential_accessdiscoveryevasionexecutionkeyloggerminerpersistencespywarestealertrojanupx

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Cobalt Strike reflective loader

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon

  • Raccoon Stealer V2 payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • ModiLoader Second Stage

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Manipulates Digital Signatures

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks for any installed AV software in registry

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1