General

  • Target

    DoomRat.exe

  • Size

    13.1MB

  • Sample

    241008-t4gq1ayeqh

  • MD5

    6edaf9dbb1f9426909264824021cba05

  • SHA1

    24bd6481d35ec036a487d3da299f6ce3b417a511

  • SHA256

    e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4

  • SHA512

    9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28

  • SSDEEP

    393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

latentbot

C2

essstzttztz.zapto.org
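The three extracted C2 lists above are the most directly actionable part of this report. The Python below is an added example, not part of the sandbox report: it reduces the extracted URLs (and the bare latentbot hostname) to a host set and checks proxy log lines against it, walking up the domain labels so a subdomain of an indicator matches but an unrelated sibling under the same dynamic-DNS provider does not. The log lines are constructed, and their "epoch src_ip method url status" layout is an assumption to adapt to your own proxy format.

```python
from urllib.parse import urlsplit

# C2 indicators copied from the Malware Config section of this report
# (berbew, sality and latentbot extractions).
C2_INDICATORS = [
    "http://crutop.nu/index.php", "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php", "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php", "http://trojan.ru/index.php",
    "http://fuck.ru/index.php", "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php", "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php", "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php", "http://cvv.ru/index.php",
    "http://hackers.lv/index.php", "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm", "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm", "http://potleaf.chat.ru/index.htm",
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif", "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif", "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
    "essstzttztz.zapto.org",   # latentbot C2 is a bare hostname, no scheme
]


def c2_hosts(indicators):
    """Reduce each URL or bare hostname to a lowercase host (name or IP literal)."""
    hosts = set()
    for ind in indicators:
        if "://" not in ind:
            ind = "//" + ind              # bare hostname: let urlsplit treat it as netloc
        host = urlsplit(ind).hostname
        if not host:
            continue
        hosts.add(host)
        if host.startswith("www."):       # also match the apex behind a www label
            hosts.add(host[4:])
    return hosts


def matched_indicator(host, hosts):
    """Return the indicator that `host` equals or sits under, or None.

    Walks up the label chain, so sub.crutop.ru matches crutop.ru, while a
    dynamic-DNS sibling such as other.zapto.org does not match
    essstzttztz.zapto.org (zapto.org itself is never in the set).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


# Constructed proxy log lines (assumed format: "epoch src_ip method url status").
SAMPLE_PROXY_LOG = """\
1728400001 10.0.0.15 GET http://update.microsoft.com/ 200
1728400002 10.0.0.15 GET http://crutop.ru/index.php 200
1728400003 10.0.0.22 GET http://www.klkjwre9fqwieluoi.info/ 404
1728400004 10.0.0.22 GET http://other.zapto.org/ 200
1728400005 10.0.0.31 POST http://essstzttztz.zapto.org/gate 200
1728400006 10.0.0.31 GET http://89.119.67.154/testo5/ 200
1728400007 10.0.0.40 GET http://redline.ru/index.php 200
"""


def scan_proxy_log(text, hosts=None):
    """Return (src_ip, url, matched_indicator) for every request to a C2 host."""
    if hosts is None:
        hosts = c2_hosts(C2_INDICATORS)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # blank or malformed line
        src_ip, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        ind = matched_indicator(host, hosts) if host else None
        if ind is not None:
            hits.append((src_ip, url, ind))
    return hits


if __name__ == "__main__":
    for src_ip, url, ind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{src_ip} -> {url}  (matches {ind})")
```

Treat a hit as a lead rather than a verdict: most of these berbew and sality domains date from the mid-2000s and may since have been sinkholed, parked or re-registered, and the IP literal may have been reassigned, so check current resolution before escalating.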

Targets

    • Target

      DoomRat.exe

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Detect Neshta payload

    • Detects MyDoom family

    • GandCrab payload

    • Gandcrab

      GandCrab is ransomware that encrypts files on the victim's computer and demands payment for the decryption key.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access trojan (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • LatentBot

      LatentBot is a modular trojan written in Delphi that has been in the wild since 2013.

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses legitimate cloud services to download other malware families.

    • Modifies firewall policy service

    • MyDoom

      MyDoom is a mass-mailing worm written in C++.

    • Neshta

      Neshta is a file infector: it injects itself into other executable files so that each infected program spreads the infection further when run.

    • Pony,Fareit

      Pony (also known as Fareit) is an information-stealing trojan that harvests stored credentials from browsers, FTP clients and other applications, and can also act as a loader for other malware.

    • Sality

      Sality is a polymorphic file infector with backdoor capabilities, written in C++ and first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • ModiLoader First Stage

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads data files stored by FTP clients

      Attempts to read the configuration files of FTP clients such as FileZilla, which can contain stored server credentials.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from files on disk that store them without adequate protection.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIt scripts compiled into standalone PE executables.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
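The "UPX packed file" signature is the one item in this list a reader can reproduce from the file alone, since it depends only on the PE section table. The Python below is an added example, not code from the sandbox or from UPX: it parses the DOS header, COFF header and section table by hand, then reports three signals, the stock UPX0/UPX1 section names, the "UPX!" pack-header string, and the structural trait that survives a "modified UPX" rename (a first section with a large VirtualSize but SizeOfRawData of 0, which the unpacking stub fills at run time). The three PE images it checks are constructed header-only layouts, not the DoomRat.exe sample; to test the real file, pass its bytes to analyze_upx.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_HEADER)
COFF_HEADER = "<HHIIIHH"               # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_SIZE
        if off + SECTION_SIZE > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, rsize, *_ = struct.unpack_from(SECTION_HEADER, data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return sections


def analyze_upx(data):
    """Combine name, string and structural heuristics for UPX-style packing."""
    sections = parse_sections(data)
    names = [s[0] for s in sections]
    by_name = any(n.upper().startswith("UPX") for n in names)
    magic = b"UPX!" in data                       # weak: any file can carry the string
    # Stock UPX: first section is empty on disk and populated in memory by the stub.
    unbacked = bool(sections) and sections[0][2] == 0 and sections[0][1] > 0
    return {
        "sections": names,
        "upx_section_names": by_name,
        "upx_magic": magic,
        "first_section_unbacked": unbacked,
        "verdict": by_name or magic or unbacked,
    }


def build_pe(layout):
    """Constructed header-only PE32 image for testing; layout = [(name, vsize, rsize)]."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                           # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("latin-1").ljust(8, b"\0"),
                    vsize, 0x1000 * (i + 1), rsize, 0, 0, 0, 0, 0, 0xE0000060)
        for i, (name, vsize, rsize) in enumerate(layout))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: stock UPX naming, a renamed ("modified UPX") build, and a plain binary.
UPX_LIKE = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7E00), (".rsrc", 0x1000, 0x1000)])
RENAMED_UPX = build_pe([(".text", 0x20000, 0), (".data", 0x8000, 0x7E00), (".rsrc", 0x1000, 0x1000)])
PLAIN = build_pe([(".text", 0x3000, 0x3000), (".data", 0x1000, 0x600), (".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, image in (("upx", UPX_LIKE), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, analyze_upx(image))
```

The structural check is what catches renamed-section variants, but it is a heuristic: a legitimate binary whose first section is uninitialised data also has SizeOfRawData 0, and the "UPX!" string can appear in any file that mentions the packer, so treat a single signal as a reason to unpack and inspect, not as a classification on its own.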

MITRE ATT&CK Enterprise v15