Extracted

Extracted

• • Target

    BoatTuner Fixed-4644-1-0-1705794066.zip

  • Size

    3KB

  • MD5

    cf68c426ab75a4f8c161d664296a5b66

  • SHA1

    725e040db642920daebf737de056a7cec37fb6e2

  • SHA256

    f459f7494cc498deccb42f8bdfa371ee6e63f354c077f8523391a410af22bd5c

  • SHA512

    4be5aa44ea4d418712b2c28b10d513d3e885c6dec3728e6fe86b2ee48251ad24f77778f16f6e06e537d44f99e3a7c72d774f03f8ae49da656d8794a7fa3b3ef5

  Score

  10^/10

  discoverymodiloadernetwirerevengeratguestbotnetcredential_accessdefense_evasionevasionexecutionpersistenceprivilege_escalationransomwarespywarestealertrojan

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • ModiLoader First Stage

  • RevengeRat Executable

    stealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Uses the VBS compiler for execution

  • Abuse Elevation Control Mechanism: Bypass User Account Control

    UAC Bypass Attempt via SilentCleanup Task.

    defense_evasionprivilege_escalation

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Modifies WinLogon

    persistence

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    BoatTuner.dll

  • Size

    7KB

  • MD5

    7dc69476e86d6de726829ab2e022e3ab

  • SHA1

    d67a5a9b5050d0101c0735f88c5c546636e32f6d

  • SHA256

    34586faa91d68880b3a13d3ce5733746ffefa309fbd0fcebd26bd78bfe939ada

  • SHA512

    54301fd330df29e19e7cbc46530604e858db696774f1b90955ff47ba1dbf195ffd35163e792b2672013a7892b79299d3b79ee0c29d59987b6a066b00ded66d89

  • SSDEEP

    96:GAssaLAASzkUDPi3YxhxyOAXZ29H+P8j/GcemU5o6f:SbLAASz1xhDCZ2N+kDGcer2K

  Score

  1^/10
  behavioral3behavioral4

• • Target

    readme.txt

  • Size

    484B

  • MD5

    e803ce746bd34ffb322ab688285427a5

  • SHA1

    a3a6f86ce7b1900adb9ffee26f5826fc765108a0

  • SHA256

    af0c27edecb21fd8cd012f8b4571a91bd9011025d909b0b14975b87e3f078cc4

  • SHA512

    9e463ec20063b26653abf2a5d1b2a0ce5caa0c64e8317a5515070613221121399b51ae4a80700c497dbddf39a17a208aa6e7539561ce99b73e24fc55ba8f066c

  Score

  6^/10

  discovery

  • Legitimate hosting services abused for malware hosting/C2

  behavioral5behavioral6