Extracted

Extracted

Extracted

• • Target

    x.exe

  • Size

    11.6MB

  • MD5

    b70e25d81a43083343ef6b7c0ef8f8f1

  • SHA1

    fa752c62bbb7dd3b8074b6d479a03299f903768f

  • SHA256

    391ea76992d59b0b366f6cb36a46aef9132cde2c201d37385a82dcbac68b4bac

  • SHA512

    c7d6c03ad4ce4843336128ab034840e5a13c7dc0cfd8d8612af2118c89c3571471ed7834d8cd708f709253fbdb0c9c9a0f0659c4aa53ec1249ea91a1556d7c36

  • SSDEEP

    196608:Vwnv86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6li8Qnf2ODjMnGydScSEPVrBO8:0WV9hZ2YsHFUK2JAdQJlqF3MnG3tOVr5

  Score

  10^/10

  berbewblackmooncobaltstrikegh0stratmimikatzmydoomneshtaramnitrenamersalitytrickboturelasxmrigaspackv2backdoorbankerdiscoveryevasionexecutionminerpersistenceratspywarestealertrojanupxworm

  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon

  • Cobalt Strike reflective loader

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike

  • Detect Blackmoon payload

  • Detect Neshta payload

  • Detects MyDoom family

  • Detects Renamer worm.

    Renamer aka Grename is worm written in Delphi.

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit

  • Renamer, Grenam

    Renamer aka Grenam is a worm written in Delphi.

    wormrenamer

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • mimikatz is an open source tool to dump credentials on Windows

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasionexecution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1