General

  • Target

    get fucked.exe

  • Size

    10.2MB

  • Sample

    240919-hmmp5swdpk

  • MD5

    cb15c5a967ef9f97520336419ba91964

  • SHA1

    7fc921d591e357108c64da40f8646841517cbc91

  • SHA256

    69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591

  • SHA512

    f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62

  • SSDEEP

    196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

Targets

    • Target

      get fucked.exe

    • Size

      10.2MB

    • MD5

      cb15c5a967ef9f97520336419ba91964

    • SHA1

      7fc921d591e357108c64da40f8646841517cbc91

    • SHA256

      69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591

    • SHA512

      f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62

    • SSDEEP

      196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Detect Xworm Payload

    • Disables service(s)

    • Malicious RTF document (CVE-2017-0199)

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • ModiLoader Second Stage

    • XMRig Miner payload

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15
