Extracted

Extracted

Extracted

Extracted

• • Target

    RatAlerts.exe

  • Size

    36.7MB

  • MD5

    f921e16ca321bbe2e490f036f8b99c74

  • SHA1

    6e25638b340ba77f3e467bbbdc27c48209e193af

  • SHA256

    6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc

  • SHA512

    04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274

  • SSDEEP

    786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

  Score

  10^/10

  berbewformbookgh0stratmetasploitneshtaramnitsalityumbralvobfuswarzoneratxtremeratxwormbackdoorbankerdefense_evasiondiscoveryexecutioninfostealerpersistencepyinstallerratspywarestealertrojanupxworm

  • Adds autorun key to be loaded by Explorer.exe on startup

    persistence

  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew

  • Detect Neshta payload

  • Detect Umbral payload

  • Detect XtremeRAT payload

  • Detect Xworm Payload

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Vobfus

    A widespread worm which spreads via network drives and removable media.

    wormvobfus

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Formbook payload

    rat

  • Warzone RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Uses the VBS compiler for execution

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  behavioral1

• • Target

    magic.pyc

  • Size

    6KB

  • MD5

    b2f3b8c51fc212840a568109668723fb

  • SHA1

    43011f5d1c9d0d7171ee9bc02a544a0e908fa3cb

  • SHA256

    944ef230c959dd122599f0c355c8fd319bbdb2dc95a0d9ea8e6012918a04af03

  • SHA512

    4414ba510bded7a55898ca3f74b124c88053b7f100807deb64e7d7a476c085ce168f539fad240d297a7a1aa536c12b81175021368061c0007602131b9baef63d

  • SSDEEP

    96:+G1i96z2ziW5SSUKBccccc3cc2yY1FyowsrnSzjWfagsfaeKjJZgbhWYdFlj+8:EbDVvccccc3cc2t1rEGavfancb/bj+8

  Score

  3^/10
  behavioral2