General

  • Target

    RNSM00411.7z

  • Size

    32.5MB

  • Sample

    241028-vkktzssjcn

  • MD5

    96bfb62905f39619b7b785f8099c90c7

  • SHA1

    31259c5c39795fea53fa028c77f4cf4bf15a729b

  • SHA256

    ced8995052eb04eaa76fabfe606a380258bf803cc4b93202f135055663e3001d

  • SHA512

    7a6a32de9b60531472ab5cc485de10a783fe3ff8fb636e0aa5a02bc16d58e62121ccfcfbb82fc995153151a77480dc6cf8a0972358a2ed1fd02cbe391de89805

  • SSDEEP

    393216:/b8jdwLefLCFCsbafJ/PCYRcei2yDNyJtUMNouhGwhU4AJ1r0J+mhoEhN:T+bLGCsbgzfOJMeuhaJQh7hN

Malware Config

Extracted

Family

crimsonrat

C2

172.245.87.12

Targets

    • Target

      RNSM00411.7z

    • Size

      32.5MB

    • MD5

      96bfb62905f39619b7b785f8099c90c7

    • SHA1

      31259c5c39795fea53fa028c77f4cf4bf15a729b

    • SHA256

      ced8995052eb04eaa76fabfe606a380258bf803cc4b93202f135055663e3001d

    • SHA512

      7a6a32de9b60531472ab5cc485de10a783fe3ff8fb636e0aa5a02bc16d58e62121ccfcfbb82fc995153151a77480dc6cf8a0972358a2ed1fd02cbe391de89805

    • SSDEEP

      393216:/b8jdwLefLCFCsbafJ/PCYRcei2yDNyJtUMNouhGwhU4AJ1r0J+mhoEhN:T+bLGCsbgzfOJMeuhaJQh7hN

    • Banload

      Banload variants download malicious files, then install and execute the files.

    • Banload family

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Windows security bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (55) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15