Resubmissions
10-10-2024 02:19
241010-crx4sazhnm 10General
-
Target
Samples - 10-09-2024.zip
-
Size
657.9MB
-
Sample
241010-crx4sazhnm
-
MD5
8f0ebe280a00d6626ff94ecb6bea8f9c
-
SHA1
a09ed820a4c0f472b59fa9ad79aa9853872f4ef0
-
SHA256
2af29a5f99c8ab0654dbece76b2e046f66703a4ae8b4ffa9b4071f9aa74523d7
-
SHA512
0c87e400d0ed9ff3d599d73426f5a78442f1d068bebee6f9d980f393e22b829406f442844be880a6ca32da31c9db5681460418951ec77ce9e54c821f65bc9181
-
SSDEEP
12582912:QDpYMAQ+5izNQCv9n1Rxri2sWBM9797piBW2MFRYZtMJLbvyz6tIMtJGim7:QVYFQ+5izN3Jip9pIBWf/QkbM6tPW7
Malware Config
Extracted
njrat
hakim32.ddns.net:2000
Extracted
xworm
several-co.gl.at.ply.gg:57690
22.ip.gl.ply.gg:41501
position-fax.gl.at.ply.gg:9999
nature-homeless.gl.at.ply.gg:41038
127.0.0.1:1093
75.216.18.223:1093
127.0.0.1:55213
21.ip.gl.ply.gg:55213
-
Install_directory
%AppData%
-
install_file
WinRar.exe
Extracted
lumma
https://commisionipwn.shop/api
https://stitchmiscpaew.shop/api
https://ignoracndwko.shop/api
https://grassemenwji.shop/api
https://charistmatwio.shop/api
https://basedsymsotp.shop/api
https://complainnykso.shop/api
https://preachstrwnwjw.shop/api
https://faillymoodkywko.shop/api
https://proffoduwnuq.shop/api
https://caffegclasiqwp.shop/api
https://stamppreewntnq.shop/api
https://stagedchheiqwo.shop/api
https://millyscroqwp.shop/api
https://evoliutwoqm.shop/api
https://condedqpwqm.shop/api
https://traineiwnqo.shop/api
https://locatedblsoqp.shop/api
https://cutesliprpepo.shop/api
Extracted
xworm
5.0
147.50.240.203:7000
every-cg.gl.at.ply.gg:5872
outside-sand.gl.at.ply.gg:31300
ethankush.duckdns.org:4545
103.216.158.119:7000
X0ZQBFW2mJiaVxWi
-
Install_directory
%ProgramData%
-
install_file
XClient.exe
Extracted
njrat
im523
farter
0.tcp.eu.ngrok.io:10472
6b90c9f607e615fb2ec10658187bc2eb
-
reg_key
6b90c9f607e615fb2ec10658187bc2eb
-
splitter
|'|'|
Extracted
amadey
4.41
ec08f7
http://185.215.113.26
-
install_dir
054fdc5f70
-
install_file
Hkbsse.exe
-
strings_key
783c46f70668d3eed42e83c9f00fc0f5
-
url_paths
/Dem7kTu/index.php
Extracted
nanocore
1.2.2.0
c2.dsn.ovh:53896
2e24933e-9f34-41fd-9ddb-c8311a52094c
-
activate_away_mode
true
-
backup_connection_host
c2.dsn.ovh
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-05-17T18:07:40.839572436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
53896
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
2e24933e-9f34-41fd-9ddb-c8311a52094c
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
c2.dsn.ovh
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
Extracted
rhadamanthys
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7
Extracted
44caliber
https://discord.com/api/webhooks/1280107935317495880/Q8mmvXU6Bc1Q-R-2e0aAMsbedaMqyt0txCOBc8XSsTRNeUIepUtoX2DE4a6MxP9SzEFB
Extracted
remcos
RemoteHost
rcmpx.duckdns.org:57870
rcmax.duckdns.org:57870
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Google.exe
-
copy_folder
Google
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%WinDir%\System32
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc$urG9345JRjuDjdGoH-CQ6FPI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Server
ansj.duckdns.org:35770
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
103.252.93.30:4449
jaxvjfwhmxamotc
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
bundle
185.215.113.67:15206
Extracted
metasploit
windows/reverse_http
http://89.197.154.116:7810/OcNnXdRGRDqZ8Zjw_ynvOgo0ky3ixLdU3Q19VXn0S1ccub5LQxi5OlllvwysJj-6OLMZSYPDpt3UTf1NxcqJ2uJTX4QWv0maFHAx
http://89.197.154.116:7810/JRsIfcQhbfLWkdeQsEmgzwK5G11jeHPD5BsHTohTFnFpv53q_LcZ-LpdqZoJcLpBlbkfj3lvc-8-OpkAt2MDQuUaVBw6Df5TQVdzIQDPXc9BX9uZem_Zvrh6qqjSLbzfRxP3H_yzXDbk_Hiwa7kLD4fvcbAaix3ITXkIB2YbB8DjNvt65Mv_Ns-KnPQrODtwWTTM9JcY1ctfdIjMw-x72FSPw8uNpn
http://89.197.154.116:7810/sAF-Hb95OwOLTYpM7ZXwsQgEsvql3Gx6MJHfuQr8QdwRJXB7q4FYyI56qJG8zalB7qPf9Y2DgF4HohAo9zZHz5J6zulBUXtWgnGnggNFcsQikjL-e4grXzBikSLYainJD3tOK89zCOd7pp_0QdfoIKV-SRaleGy4oAkHR88EUwiPE3f6RWY6sd_-jrWrlj6IYEPUIMX_HdfnJMl8JutjGmpCb_ZVWaaX-Cv_abnB6xtSAMLOAGeP3lCuVD
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6706004956:AAHi06O7O8U_fUdqMr4fnu7ENp6SSG3o288/sendMessage?chat_id=6099718241
furniture-worried.gl.at.ply.gg:34886:1488
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
remcos
zynova
fishrmcupdate.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-VZ0MX9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
xenorat
49.194.29.240
111.90.147.147
83.143.112.17
Xeno_rat_nd8912d
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
MicrosoftAudioService
Extracted
njrat
0.7d
HacKed
mohmoh002.ddns.net:5552
d922c61e0aecad1aa02e873c7d37cf0a
-
reg_key
d922c61e0aecad1aa02e873c7d37cf0a
-
splitter
|'|'|
Extracted
darkcomet
Sazan
8.tcp.eu.ngrok.io:27791
DC_MUTEX-D1SPNDG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
fKTZRKdv0Nij
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
QuickBooks
5.226.137.132:4449
jwgwlytcftwxrrxrhvr
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
5.0.5
Venom Clients
outside-sand.gl.at.ply.gg:31300
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Default
final-consequently.gl.at.ply.gg:10334
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
COM Surrogate.exe
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
server
188.190.193.62:4449
werfqwerqwer
-
delay
1
-
install
true
-
install_file
cmd.exe
-
install_folder
%AppData%
Extracted
njrat
0.7d
Victim
hakim32.ddns.net:2000
0.tcp.eu.ngrok.io:11348
06b22b2a8c6c511de75528741425ba83
-
reg_key
06b22b2a8c6c511de75528741425ba83
-
splitter
|'|'|
Extracted
quasar
1.3.0.0
Server
qskv.duckdns.org:54790
QSR_MUTEX_6XfpSkPPY2I8TVLBjx
-
encryption_key
WCBFAOZJMKUgUzt9V3k6
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Client Startup
-
subdirectory
SubDir
Extracted
phorphiex
http://185.215.113.66/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3BiS1jaRpWtkqtfZGp9f1rXXts5DyUkaBX
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
-
mutex
dgh345rew
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
redline
185.196.9.26:6302
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.fosna.net - Port:
21 - Username:
[email protected] - Password:
u;4z3V.Iir1l
Extracted
vidar
https://t.me/afsgsdgqr4r
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
https://t.me/fneogr
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
quasar
1.3.0.0
Office36
94.156.64.6:7283
QSR_MUTEX_jvYKL1Jk1Q2NTx58gc
-
encryption_key
LlEGluc1XmCcZfEs8y6n
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
Protocol: smtp- Host:
millenniumauto.org - Port:
587 - Username:
[email protected] - Password:
peterchia44844484
Extracted
vipkeylogger
Protocol: smtp- Host:
millenniumauto.org - Port:
587 - Username:
[email protected] - Password:
peterchia44844484 - Email To:
[email protected]
https://api.telegram.org/bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendMessage?chat_id=5916042829
Extracted
cryptbot
analforeverlovyu.top
thirtv13sb.top
fiftvd15sb.top
-
url_path
/v1/upload.php
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
185.203.241.68:40901
Targets
-
-
Target
Samples - 10-09-2024.zip
-
Size
657.9MB
-
MD5
8f0ebe280a00d6626ff94ecb6bea8f9c
-
SHA1
a09ed820a4c0f472b59fa9ad79aa9853872f4ef0
-
SHA256
2af29a5f99c8ab0654dbece76b2e046f66703a4ae8b4ffa9b4071f9aa74523d7
-
SHA512
0c87e400d0ed9ff3d599d73426f5a78442f1d068bebee6f9d980f393e22b829406f442844be880a6ca32da31c9db5681460418951ec77ce9e54c821f65bc9181
-
SSDEEP
12582912:QDpYMAQ+5izNQCv9n1Rxri2sWBM9797piBW2MFRYZtMJLbvyz6tIMtJGim7:QVYFQ+5izN3Jip9pIBWf/QkbM6tPW7
Score1/10 -
-
-
Target
Samples - 10-09-2024/4311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1.exe
-
Size
6.3MB
-
MD5
cc70a5edd4a5a8db874c97d21119f59d
-
SHA1
4b1d7b51e875a4b6aa05967459e17ea0d3286f39
-
SHA256
4311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1
-
SHA512
f2806d7988073539723708821f0246021a77724c992901282036f77bdb57ddf7e495644d7f00c6f96fd3aa0fa65e6142ed9e823c2cab1474d41ee5bc083b2268
-
SSDEEP
49152:fLoyz7eg9ZoHqhslHcVM665KHMSqhfDsdtQ6ll4NJzdeP03PeJXSA4QVit+g+5NH:fpUHcLMSFdtQsl4NNvauH3xfpjqX
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
-
-
Target
Samples - 10-09-2024/44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b.exe
-
Size
282KB
-
MD5
f31d21c664ded57509d1e2e1e2c73098
-
SHA1
58abbe186f2324eca451d3866b63ceeb924d3391
-
SHA256
44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b
-
SHA512
5aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53
-
SSDEEP
6144:GsbHGb3gHx2vdWxR5TjWfEvi3v+QwzmGEO:iPvoxR5WfEveSKGEO
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2.exe
-
Size
2.3MB
-
MD5
7abbf9f2106c2dd1e69110c6c6b8dbc6
-
SHA1
05cf0a54c0e62d170b6ff9bb0108b70164a0e681
-
SHA256
44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2
-
SHA512
b577338b86d082f4f87e58342c54d5c2c80e17aa9bc983e558904aaaf8a23a6c780c5627e935c39bcabe63e3776310529f3066b06776a0f7869eff721a8bd3fd
-
SSDEEP
49152:tR3rKKPT0xXxBg7KNvBtFXTM6utS1vdPUGu5hOAxNMQwR:fLeFDMb8F2Gu/fzwR
Score1/10 -
-
-
Target
Samples - 10-09-2024/4529554d09a020003227f1d879f6e202604c5875b89b9c3088a32c65211182b5.exe
-
Size
63KB
-
MD5
e9154e60abc1de35568af297a19089c4
-
SHA1
229695bc5d602df1eab477e851f4db994701d91d
-
SHA256
4529554d09a020003227f1d879f6e202604c5875b89b9c3088a32c65211182b5
-
SHA512
64b7ed965059098a2eeb438d12d4bfa14fabecc42596d3586c726f44678b13a31b92c0cc834cf6688c12d41ec1ab770e207b218bb3c98223f3a700dde3be25c0
-
SSDEEP
1536:hmImx6tX2kNff4sKu+UYF2Ij85b5APCxiNJrQTGtx:hm9x6tmkN7Ku+UYFw5b5xyJG+x
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
-
-
Target
Samples - 10-09-2024/45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe
-
Size
1.0MB
-
MD5
d96552352f1a07f3a15a7edeac9158fa
-
SHA1
874467ad9048f02dfcebc2415391f93854dfeeb6
-
SHA256
45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56
-
SHA512
eac4080aa9eac27327abecff4c1c2a6c92d1a573a3df1bdc10d2f6f3c39e96705911ec8c02245cb50bc59da5bb549025d7577bb10a66b2717f390b17d394c3fc
-
SSDEEP
24576:54lavt0LkLL9IMixoEgeaP6npT4Tl7zo7RG9kq9MmCS:Ikwkn9IMHeaPe5+7zARDaPCS
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/45b33888ddb2748434643e4811f156f1fc2a5d339d3577945d8c9e9d88c5ff57.exe
-
Size
647KB
-
MD5
aac8edf78f4b9da09f83ba0b14e1177f
-
SHA1
a8533ee99f9c5fadb5856647836c18198f956adb
-
SHA256
45b33888ddb2748434643e4811f156f1fc2a5d339d3577945d8c9e9d88c5ff57
-
SHA512
59a3df44f3d88d8741e2e8ba3bf433ad152b5a41280108202e3d081c73836ac29ba3c8887f15f53ebe9bcb36519b7b33eb3ce6b6d021a6b0112879464d4c081c
-
SSDEEP
12288:NvR56z+QWEx9aoqV246/GBUv9ms3ro1czCT0g3FTi/Xc/JcN7MflOLq:wiQjxUBVC/GBUv9ms3ro1GqG/SJcq
Score1/10 -
-
-
Target
Samples - 10-09-2024/45ba5f7c168cfa2a68d8f8d448ee037d35fca5dbb7e9d4deb55f8e0ba97ceacb.exe
-
Size
65KB
-
MD5
1b05b62bf3dde1043a12ed5dbb519d74
-
SHA1
5f690e12bb84951bdf0a0d3b8c146ec5dd9733e8
-
SHA256
45ba5f7c168cfa2a68d8f8d448ee037d35fca5dbb7e9d4deb55f8e0ba97ceacb
-
SHA512
3bfe4877a44b2212f3b6270e5f659d407e78f53cf3eedb7fd53c4a5512ef4d2c830eadc3f7f5bbe7b6ef8cb9a769f83cc92354f555b3a63738be3d382dcb3a46
-
SSDEEP
1536:pB7Pt7tBABpBYBhB3B5B5nNYwXl5Sa+WNr4YeBq+w:pB7F7tBABpBYBhB3B5B5nb15SgR+w
Score10/10-
Detects Obj3ctivity Stage1
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
-
Obj3ctivity, PXRECVOWEIWOEI
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
-
-
-
Target
Samples - 10-09-2024/46173d25c61f353cb1c5047b6108cae5d4eb30bf24e9981dfc94f78b85f92c69.exe
-
Size
73KB
-
MD5
27653cc5fe7648b0055edbf486cff863
-
SHA1
8afcabe5a089dd089431eb9ef15084019a50735a
-
SHA256
46173d25c61f353cb1c5047b6108cae5d4eb30bf24e9981dfc94f78b85f92c69
-
SHA512
05a766bb2a334ed099e1be65a6201eb984a4b8ad07134b9e8f19f101247c4f22194e1a45ad7b75f36af3702c33a248154974d960d5710c8916b967d251efc05e
-
SSDEEP
1536:LUUPcxVteCW7PMVee9VdQkhDIyH1bf/LEQzc33VclN:LUmcxV4x7PMVee9VdQgH1bfDEQylY
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
-
-
Target
Samples - 10-09-2024/462fafaa4badf6b5bba91bd555eb567db6be610a72d7efd8f039e9387924480c.exe
-
Size
309KB
-
MD5
aef48935a52e050c0e9d6393382aeb79
-
SHA1
8f9a4ce1492cdee68f3dbf7f80236a46d88419ee
-
SHA256
462fafaa4badf6b5bba91bd555eb567db6be610a72d7efd8f039e9387924480c
-
SHA512
7ca44cf104ecbfa7365c29245fbc2b07db99a12a54dc47270bcd750585a71a0b79d792a4da544cf259f5518bef85b7caeee32ba9cc31d54cf262376cf801ccd5
-
SSDEEP
6144:NwG++eaJbORwph3LA0gYjml493ytId3UWmdcRVEcRIzHGx:mG++R4RwphbNJmwytYzmdcRacRsG
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/46936b0fef991d2d3ee9af2d07d2a90f0cc8260fa2ade9d661c197319798d89b.exe
-
Size
6KB
-
MD5
6db495d2874f31d414628a90796fe9ae
-
SHA1
1ffcc9311f37585d317e5b49d109d502c04f2dc3
-
SHA256
46936b0fef991d2d3ee9af2d07d2a90f0cc8260fa2ade9d661c197319798d89b
-
SHA512
714cc2c79e09b56465e9f1073eced51eb361316b68588b6eb88712966b38d96df308d3e680f94262da621a26009ce8a12429ca71fd037d055d54d21f3f13c3eb
-
SSDEEP
96:Ydwg5bxRi2DGttG7DPRuSNHWqUpENmDtzNt:SDv6ttGvjWqBoDH
Score1/10 -
-
-
Target
Samples - 10-09-2024/47cf5e11cfe6184962783d4a21d7d35cd057ec8ca299c8c5fe69673a03fe5364.exe
-
Size
808KB
-
MD5
399a552f01ece332d21fa849b03350f1
-
SHA1
ea04b7cc5bb9207001d6d6384ae3cc255483b98d
-
SHA256
47cf5e11cfe6184962783d4a21d7d35cd057ec8ca299c8c5fe69673a03fe5364
-
SHA512
961a01a0117731f233df72e308bde040013b5a7f01fd0428e37082397051e6af4d5e6572779ea7ec7210fceb7d2e3c20faf48c80986d7bf567c7a8cee5466807
-
SSDEEP
12288:ib2iNUf55k2851EhIAmjOlXSbvrvUnYIkgA9UKeGw2kUz4Tff6VayIbP2R//vQ0t:q1I5xrWjxbvroVieNcI36VaVjE/Q0wA
Score1/10 -
-
-
Target
Samples - 10-09-2024/49572fa3d9a71986235bda85410e9af9d4a6f087cc477e3813551a3789cdd148.exe
-
Size
6KB
-
MD5
70841d24441f2d5a190c6bb3a417f458
-
SHA1
d41370ddfbd8ff7cd9178c5bdcf818a30e041bba
-
SHA256
49572fa3d9a71986235bda85410e9af9d4a6f087cc477e3813551a3789cdd148
-
SHA512
6031d874b53fda86e9bdd6dc369bfdba5d0db65e02e70a3a5b22b2de7951ad27bfc332660228aac64b7e21a6f2a7d99933fb77449314d16fc7b245090267cd90
-
SSDEEP
96:/985Y2bxRi2DGttGkDPYrHWqUpENmDtzNt:l8rv6ttGKYWqBoDH
Score1/10 -
-
-
Target
Samples - 10-09-2024/499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4.exe
-
Size
2.7MB
-
MD5
0c3dda927e649661441905cd181c7e70
-
SHA1
469bb0c2e694535b62cbd0def0eeb92b43948bea
-
SHA256
499d69d5ab8ba263975d5780e3b639a2a8905c50f2a1379bf972889c3913add4
-
SHA512
edeea381fcc54df4ec9197227b1719e048a6215eb5a015f4f122bcee465b0a968b1a811efab7e49dc04a548a0d04e34befee577f9b88567f9059c83dbd5d43f1
-
SSDEEP
49152:IFfXWgsVXeLERcq5a7C2mwXBLM40HR1DldPYcaifCR18Q:NOFMdHXBOca/18
Score1/10 -
-
-
Target
Samples - 10-09-2024/499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f.exe
-
Size
2.3MB
-
MD5
634121b2af66dd5433c1155702abc84c
-
SHA1
f3fd2a1800c4272bdf8209ff47e3703a4923e699
-
SHA256
499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f
-
SHA512
60786abdb281fe3f4fc4e242434fb280271684f13b683dc9cd32ac1a6e29ba496cea2c22ee1a82fa9dd6896f6530e9a0c07e2245ee35fc6100f7d684623bc805
-
SSDEEP
12288:tuEAmDY2kyLG/XModp1HmKwHfX7ZWezHiLfdHcWJWnVMaKo9Nip2IiUlbtgfXD70:cM9y3QvpHiLFcVVMaP9Nip7lbtgfT70
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
UAC bypass
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4a16685ec6d408bafc872fac39012bb670ff7bba818a7af9f7dd411a383869dd.exe
-
Size
283KB
-
MD5
257eb69581fd80827932ed434d32470f
-
SHA1
ef7f9f0b82f45fc93ca503f4eadd8e423bc94887
-
SHA256
4a16685ec6d408bafc872fac39012bb670ff7bba818a7af9f7dd411a383869dd
-
SHA512
2eb0f6cc296748dc15925881a6e8a5895be4639095cb2996e740512caba44022c8a3ef39c821f1ad048de2c2eb7b10a9e673a9e0f1667e0e64640ec31a1ee1e0
-
SSDEEP
6144:tQs0+jmxNThrvyoRUp4B1Pw3A0FWAtMql3EBdA9bPCp0uUfStm5zXT4htP6VYdWe:M+jOFxvVQ4rPw3A+WAtr3EPknfS9PKS3
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d.exe
-
Size
3.3MB
-
MD5
3c9cf0b38226e2a7f0191a0130536859
-
SHA1
87d531257a15e18b50fa341bce9ac3c5a71ba80d
-
SHA256
4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d
-
SHA512
ad6bc0c26b6adbb7ead5db17fb4fd4285bcfd623531f41ad6ae31e97a1e760a59f36de05eab0e298e0892fea03d4a4c2ae389d90036c784edb44e61d7a8161d2
-
SSDEEP
49152:uGmcpg5vS+c8OorsMzNRK6v1hFXefh0iMB+0b+N/uyVbVihyXYuIS:t0vfxoEe6vHFXgh5cb+NhqlS
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
Samples - 10-09-2024/4acf2f8eeb71da00b6b5356b63c472157b7e0936f1f7b8f5a06aa295482319fd.exe
-
Size
895KB
-
MD5
3a7af8198a80e2c90488ac8353a5cbd1
-
SHA1
a25c03255a2178a23dd99de6dc7adf07db1b609d
-
SHA256
4acf2f8eeb71da00b6b5356b63c472157b7e0936f1f7b8f5a06aa295482319fd
-
SHA512
4bf648e551aa9576d959977d3d4c61ef4cabe96148943a9cc8948a9e4fbc8ed5f29ed2d491f19f6a92ad81d26fe993063c7662821d78f681635dc16339a533f4
-
SSDEEP
12288:sVTrUvSi+mnJCxAAyb8jL9BMBkP4ZVBIPZWM0O3qo/8X33IjWIWWFM:sVTrUvemJGyYjLWBIhWM0kqWwIWWFM
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4ad7e405f5bcbfdf1cc163212428a779fa7d890a46500f579103333722986aa1.exe
-
Size
1.1MB
-
MD5
0e8400261ded364942e181c231de2714
-
SHA1
b51b56f184cc735dc182dbb899590a8ba28b7470
-
SHA256
4ad7e405f5bcbfdf1cc163212428a779fa7d890a46500f579103333722986aa1
-
SHA512
ec9a5f36b85515942830c460d2efdbc3cb036e93442978b94980e2c22230b192c318026e1975ac71639c50f1df2b9d9083412d65a9e5f790dcd0cb30e74f8aec
-
SSDEEP
12288:8bwsVQ6KbKr5vLQtRp7zGxFpYbcxddTLcf9ALuj2hm2k8UWu9FgHNeOU:Ccz+rep7zGxFpXddncfcGUhlJ8f
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4b6be11fd5704e5489c7911c1659f1bb7f9901e2d5c70c2f8f126512071093cc.exe
-
Size
6.3MB
-
MD5
d033249a79f6c6296cd62fe03a185acd
-
SHA1
b481dd69262bf6423ce909d7d8777368fbfdf369
-
SHA256
4b6be11fd5704e5489c7911c1659f1bb7f9901e2d5c70c2f8f126512071093cc
-
SHA512
d7ebb63c82f16177400a6aecbdac514a205264722cfb45b643f74231209ee3b8df7813663711b5efe3287ed180e810ac74370244c7308e6e18e76e095d37b657
-
SSDEEP
49152:lwlwpSGtoLZftvEe/imXDh+VkeK29ZfarzEDNUyXNmGYrK9JI+Nop:LIqoLdtce6mTh+VXKGIVyxAOop
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
-
-
Target
Samples - 10-09-2024/4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe
-
Size
1.9MB
-
MD5
b8aa70ed9243f5aa9c8dd45e8b6c01e7
-
SHA1
8d871a1d93cc069413563d42dad3f098f4ac5e5d
-
SHA256
4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351
-
SHA512
d2db111500ba7bc55f0913f888a38ba7b3986c2439fc0abd0ccd7feb4d4ac0d7863edb28c903ccb78c1f59e8eb29cbc4132ab2977560c2a5c21f089bb5ca72a7
-
SSDEEP
49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
Samples - 10-09-2024/4d0b50e69d551bf15ec0a44c8471f8766ca5b98bd3b462c3bf0e976c76c1308b.exe
-
Size
5.9MB
-
MD5
535a840121f23c3f10abd00891dce6e6
-
SHA1
ff4c5ccd4c1f5ef53a6ae2fb8b0a5ecf3ebfbfad
-
SHA256
4d0b50e69d551bf15ec0a44c8471f8766ca5b98bd3b462c3bf0e976c76c1308b
-
SHA512
00d5d58c2cf1eb4752a7b487fff428eb8c6f6c32bd8ba76cbb452d48549196c13bd7171918e90be060d0c88e55421b4023b8f88cd8d5abc06b18836da88abbdd
-
SSDEEP
49152:916jZg1DvQtV6sqFefM6xK5u3z+pSV4x9BLZmU6X9KpLbQQ4oda133/9kpjVfNzI:iji1SBqFebRz+hK
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4e20a0aa3d323c0a1aa676c7eb3656cdd34cb69da614b4dc8aa946f5bcb2be39.exe
-
Size
283KB
-
MD5
84354d3c9965d9a0878596e347a34f39
-
SHA1
f8e6d9f00d72f6f023e8d793462b7bb90cc31583
-
SHA256
4e20a0aa3d323c0a1aa676c7eb3656cdd34cb69da614b4dc8aa946f5bcb2be39
-
SHA512
2356ba4867985b609e1727f2a4877649f6c1b415d089dcef22c695baa42d3051cb6fb799eb7056ca75301a1aba47e71354e5051868f5bda04a62932a3ef72ad3
-
SSDEEP
6144:S6JmCTAAGH0Jd9KZxnLlIak8/nPIO02s9F8oBNvAd9GzKeXOvEO:7mCTAAkY905yagO0D0OAH4KNEO
Score10/10-
Detect Vidar Stealer
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0.exe
-
Size
1.5MB
-
MD5
1ac8fb5ee2cea350e46ecc78bf7d1c46
-
SHA1
c055bb5046a718c9838a4c453e1e36d1c3941db2
-
SHA256
4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0
-
SHA512
69709e8c87495cc4c22af599dd9915b2ab2212632b308bc0d0a2b09b76f8df35059651135ac9b28634869d977b14c8ccc206e0aa446208c90dfd15ca1e07c17e
-
SSDEEP
24576:84lavt0LkLL9IMixoEgeaLthteKjX06Pzh71lKEzkAg5q9MmCS:Lkwkn9IMHeajAKDfPz5PSFaPCS
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4e3b746d859d34f64c28a2079f76f84d3c46b65907f52cb3da7d0ddd2c0dc875.exe
-
Size
6KB
-
MD5
132e5fff7dc00cd7a37e5561fa252410
-
SHA1
172c22d0212b053607c8c176f4bd1ca8ee6193e1
-
SHA256
4e3b746d859d34f64c28a2079f76f84d3c46b65907f52cb3da7d0ddd2c0dc875
-
SHA512
5e70ea13564496ddd868c368f8e5c871c37ed00c2254672be132127fb7943e51903a9f402ada802e09c6890cace426733f61f4c2e56ddbe79d52d794c38606af
-
SSDEEP
96:/8DQDiQF9UV045KWaxQZ+ctjHAIKAu4zBpOkgVlJzNt:/8cDiQrUDALxw55HAIRzrOkW5
Score3/10 -
-
-
Target
Samples - 10-09-2024/4eae876a9c21fadb647a6fe14c83272189ace267ebed4b320c73da14e095dec7.exe
-
Size
1006KB
-
MD5
37b648dd5db4e4a1215a06592d1e5470
-
SHA1
492ac542b1b883b8f7befd8025eb4bd498681cc6
-
SHA256
4eae876a9c21fadb647a6fe14c83272189ace267ebed4b320c73da14e095dec7
-
SHA512
ab943d5843c714c4052e96c159f6d04abbbdf285a784c7c00beb980ddcb9eab5ef35eed770c0a6a344f26fb500aff07cb86bdc7dfba3fe0ec32062524a868e6b
-
SSDEEP
12288:Wtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNDPPpHrYUTFgbtNCTqS9ZmPvKZ:Wtb20pkaCqT5TBWgNjVY0uzPU
Score5/10-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
Samples - 10-09-2024/4ed6d72fef68c583439e803871226e76588ce6436d10362011b21763e0ccf176.exe
-
Size
313KB
-
MD5
11506bb939332f58920d0a3c8ad1c5c2
-
SHA1
84a51f6e540a74df7cba44454d162fdaefebc0e5
-
SHA256
4ed6d72fef68c583439e803871226e76588ce6436d10362011b21763e0ccf176
-
SHA512
ae52f9c23d8602f5d0124690ba271725b6c05abe96fc653c6fd9e701931c4b06c7ba085b3731866367d28f3013c01ba902f200a4ab7451ae162cfa6a7356450a
-
SSDEEP
6144:bcpDFLyc58oYip9to/FgQmfy0uOlxyRyr2Y7ND6:bADY08oYip9tot2rlwRyy+
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe
-
Size
1.3MB
-
MD5
ff70a1f34a79565782615cafd20b1b4c
-
SHA1
580f98f22de58ae61168687a27b1ce82a2d6c4ef
-
SHA256
4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc
-
SHA512
3a38f06464dc1dccd5f700dd408f9fe1df8ec1e01006e8ddf6234e8cdde7c41ef18ac763b3a01ddc21226eb91c61c7feed2b9105bbb490388274ba90343f01d6
-
SSDEEP
24576:tt882ZnrOFvTaphaPKlvwPfzUMLAPw2Eqi/b2fdQMwnk9ZL96/hpyzm:DPFvTGhvlvorUMQBEq62fdZwGpE66
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Samples - 10-09-2024/4f432ba1da38c64c9298fb2c2a0271c06dc333fb66e7f2b6deebf1ec6782c6b9.exe
-
Size
3.1MB
-
MD5
4c78207e0eb0dfe35135ed10641c2546
-
SHA1
12e9baced4a47f2ce202107112771ffeb635d408
-
SHA256
4f432ba1da38c64c9298fb2c2a0271c06dc333fb66e7f2b6deebf1ec6782c6b9
-
SHA512
f1e552235a1d0656232d65eeec31a4a4c8c0a61f4176f88bb8fd157a4e35aa07ece0ebcb178d9f1c9ab6f087917455e4cdd35b894ab120f450284a392fcf3815
-
SSDEEP
49152:j0jGTtCtHLcQ0ywF3mje3ZgjwGZpCsy8wSQHo5MSlYo4axkjiHPLRcP1cA6URmR/:IctCiQNwlmjyZgxkjiHjRQcAm
Score3/10 -
-
-
Target
Samples - 10-09-2024/4fa525bb40e57606312d30bcc45e697e6c92e9826e4ece20a5f74af64c22a5f7.exe
-
Size
276KB
-
MD5
5faa0d271f7442557523543cd7296e26
-
SHA1
a3d693c1a55da15d1aa80356ac9a7c10b52d7a5c
-
SHA256
4fa525bb40e57606312d30bcc45e697e6c92e9826e4ece20a5f74af64c22a5f7
-
SHA512
bfddced6d5d836a8cd12d789919049a8f5ae13ae43fd16a704913bb37d3255c10c972044769db2b8deeacc9533c04cd00f4da0170dff8e9807770024dd768c0e
-
SSDEEP
6144:pvXHS+aC0rY4knoxbWbG9TJFZ/RtgpaIQc0ACyA:pfS+anrfknoxbWbGjFZkamrA
Score3/10 -
-
-
Target
Samples - 10-09-2024/5030cfa10a9c06fbe2182aea828e449850e49c9f437c17e5bf8f7b634c48cd2b.exe
-
Size
237KB
-
MD5
88b8bbe04b53e4af857cd1c032968c94
-
SHA1
5035a95cbc760d88400fd825acd9c2f0333365b4
-
SHA256
5030cfa10a9c06fbe2182aea828e449850e49c9f437c17e5bf8f7b634c48cd2b
-
SHA512
51d6f87780300e130d215f9efaff50bbe6c20a40cf4de86b59150057bbb151875a89b2b2cc166ec82a5dea32cb1c81f04dc006bcc3478232b92af7bb7d291007
-
SSDEEP
6144:E6rXw4sJkRugl24Qz3v1PSfVtu+5I5WVdF0:E6HsJIudNS9tT5y+X0
Score3/10 -
-
-
Target
Samples - 10-09-2024/504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822.exe
-
Size
304KB
-
MD5
30daa686c1f31cc4833bd3d7283d8cdc
-
SHA1
70f74571fafe1b359cfe9ce739c3752e35d16cf5
-
SHA256
504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
-
SHA512
9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
SSDEEP
3072:Gq6EgY6iwrUjpgcDwPddU3417TAYtAliUpcZqf7D349eqiOLibBOp:dqY6inwPwo17TAkA1pcZqf7DIHL
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2