Extracted

Extracted

Extracted

• • Target

    magic.exe

  • Size

    36.7MB

  • MD5

    f921e16ca321bbe2e490f036f8b99c74

  • SHA1

    6e25638b340ba77f3e467bbbdc27c48209e193af

  • SHA256

    6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc

  • SHA512

    04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274

  • SSDEEP

    786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

  Score

  10^/10

  berbewblackmoondcratfloxifmetasploitmydoomsalityumbralvobfuswarzoneratxwormbackdoorbankerdefense_evasiondiscoveryexecutioninfostealerpersistenceratstealertrojanupxwormneconydxmrigevasionminer

  • Adds autorun key to be loaded by Explorer.exe on startup

    persistence

  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Detect Blackmoon payload

  • Detect Umbral payload

  • Detect Xworm Payload

  • Detects MyDoom family

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies visibility of file extensions in Explorer

    evasion

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • UAC bypass

    evasiontrojan

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Vobfus

    A widespread worm which spreads via network drives and removable media.

    wormvobfus

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Windows security bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Detects Floxif payload

    backdoor

  • Warzone RAT payload

    rat

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Modifies system executable filetype association

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses the VBS compiler for execution

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    magic.pyc

  • Size

    6KB

  • MD5

    b2f3b8c51fc212840a568109668723fb

  • SHA1

    43011f5d1c9d0d7171ee9bc02a544a0e908fa3cb

  • SHA256

    944ef230c959dd122599f0c355c8fd319bbdb2dc95a0d9ea8e6012918a04af03

  • SHA512

    4414ba510bded7a55898ca3f74b124c88053b7f100807deb64e7d7a476c085ce168f539fad240d297a7a1aa536c12b81175021368061c0007602131b9baef63d

  • SSDEEP

    96:+G1i96z2ziW5SSUKBccccc3cc2yY1FyowsrnSzjWfagsfaeKjJZgbhWYdFlj+8:EbDVvccccc3cc2t1rEGavfancb/bj+8

  Score

  3^/10
  behavioral3behavioral4