Extracted

Extracted

Extracted

• • Target

    Dispam.exe

  • Size

    12.1MB

  • MD5

    a89b5a734cced64ae3cc202bdfac8759

  • SHA1

    81a4254491dd554a5113f63ad7849d93cc30d3d7

  • SHA256

    fd111c335073ae9b9f33d1f3e348bcbc46dd0b90de333156c2dbbee62412374b

  • SHA512

    68ac8b1e4739fb444f1ef055015455094a3c768c84e96279996a11a9e1a4e7ae2192acb862cd896844c01cbed24e3fc0868fa8891d4806a46e70e2e3e2175e73

  • SSDEEP

    393216:0GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:TYQZ2YwUlJn1QtIm28IKzo

  Score

  10^/10

  berbewblackmooncobaltstrikeemotetgh0stratmodiloadermydoomneshtaxmrigxwormepoch3backdoorbankerdefense_evasiondiscoveryevasionexecutionminerpersistenceransomwareratspywaretrojanupxworm

  • Adds autorun key to be loaded by Explorer.exe on startup

    persistence

  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon

  • Cobalt Strike reflective loader

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike

  • Detect Blackmoon payload

  • Detect Neshta payload

  • Detect Xworm Payload

  • Detects MyDoom family

  • Disables service(s)

    evasionexecution

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Emotet payload

    Detects Emotet payload in memory.

    trojanbanker

  • ModiLoader Second Stage

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Stops running service(s)

    evasionexecution

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  behavioral1behavioral2