General

  • Target

    RNSM00390.7z

  • Size

    22.2MB

  • Sample

    241101-27dshsvlht

  • MD5

    be01234d4d2719248cc7bfd2db5399f8

  • SHA1

    30c4a2a41aa45b23d8ea01e547c0e7287b9ba256

  • SHA256

    eaf4667ec6da80010831e61c49a8035dbf36a94ee99297848d3e673d15de52e5

  • SHA512

    71d1fae415f5cb1bedeab41d51f5f8d116f1fa692beaf841e729050482b36647b425a8ac6b0e5ff8d3ad3dbe4d34d8133e06188281be416c9213253d35eaac57

  • SSDEEP

    393216:bKwuR608VMFPJzP7sJSUgNyLNDcqt6/FGuEro0Y912PnhKMZTcc:N0D7sNBNuFfEM4PPoc

Malware Config

Extracted

Family

azorult

C2

http://185.130.215.95/ik0diey/index.php

Extracted

Family

warzonerat

C2

hive01.duckdns.org:8584
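The two extracted C2 values above are the indicators a defender will hunt for. The following is an added example, not part of the report or of the sandbox's own tooling: it normalizes both values (one is a URL, the other a bare host:port) and matches them against proxy and DNS log lines. The log lines and their formats are constructed for the example, and the dynamic-DNS suffix list is an assumption.

```python
"""Turn the C2 values extracted above into normalized indicators and run
them against proxy and DNS log lines.  Added example, not from the report;
the log lines are constructed and the dynamic-DNS suffix list is assumed."""
import re
from urllib.parse import urlsplit

# The two C2 values exactly as the extracted configs list them.
EXTRACTED_C2 = {
    "azorult": "http://185.130.215.95/ik0diey/index.php",
    "warzonerat": "hive01.duckdns.org:8584",
}

# Dynamic-DNS domains are legitimate services often abused for C2; any
# lookup under these suffixes is a weak signal worth surfacing (assumed list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def normalize(family, value):
    """Map a raw C2 string (URL or host:port) to host, port and optional path."""
    if "://" in value:
        u = urlsplit(value)
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"family": family, "host": u.hostname, "port": port, "path": u.path}
    host, _, port = value.rpartition(":")
    return {"family": family, "host": host.lower(), "port": int(port), "path": None}


def indicators():
    return [normalize(f, v) for f, v in EXTRACTED_C2.items()]


# Constructed sample logs: "<ts> <src-ip> <method> <url> <status>" and
# "<ts> <src-ip> <qtype> <qname> <answer>".
PROXY_LOG = [
    "2024-11-01T12:00:01Z 10.0.0.5 POST http://185.130.215.95/ik0diey/index.php 200",
    "2024-11-01T12:00:02Z 10.0.0.7 GET http://www.example.com/index.php 200",
    "2024-11-01T12:00:05Z 10.0.0.5 GET http://185.130.215.95/other/page.php 404",
]
DNS_LOG = [
    "2024-11-01T12:00:03Z 10.0.0.5 A hive01.duckdns.org 203.0.113.10",
    "2024-11-01T12:00:04Z 10.0.0.9 A updates.example.net 203.0.113.20",
    "2024-11-01T12:00:06Z 10.0.0.9 A other-box.duckdns.org 203.0.113.30",
]
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def match_proxy(lines, iocs):
    """Exact hit: host, port and path all match.  Weak hit: same host and
    port but a different path; an IP already hosting a known gate is worth
    flagging even when the path differs."""
    exact, weak = [], []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        _ts, src, _method, url, _status = m.groups()
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        for ioc in iocs:
            if u.hostname != ioc["host"] or port != ioc["port"]:
                continue
            if ioc["path"] is None or u.path == ioc["path"]:
                exact.append((ioc["family"], src, line))
            else:
                weak.append((ioc["family"], src, line))
    return exact, weak


def match_dns(lines, iocs):
    """Exact hit on a known C2 hostname; weak hit on any other dynamic-DNS name."""
    exact, weak = [], []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, src, _qtype, qname, _answer = m.groups()
        qname = qname.lower().rstrip(".")
        families = [i["family"] for i in iocs if i["host"] == qname]
        if families:
            exact.append((families[0], src, line))
        elif qname.endswith(DYNDNS_SUFFIXES):
            weak.append(("dyndns", src, line))
    return exact, weak


if __name__ == "__main__":
    iocs = indicators()
    for name, (exact, weak) in (("proxy", match_proxy(PROXY_LOG, iocs)),
                                ("dns", match_dns(DNS_LOG, iocs))):
        print(name, "exact:", [(f, s) for f, s, _ in exact],
              "weak:", [(f, s) for f, s, _ in weak])
```

The weak-hit buckets matter more than the exact ones in practice: duckdns.org is a legitimate service, so the exact name is blockable but the suffix is not, and a fresh name under it from the same source host is the signal that the operator has rotated infrastructure.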

Targets

    • Target

      RNSM00390.7z

    • Size

      22.2MB

    • Avaddon

      Ransomware-as-a-service first observed in June 2020; it expanded its affiliate base among criminal actors rapidly until the operators shut down and released their decryption keys in June 2021.

    • Avaddon family

    • Avaddon payload

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • GandCrab payload

    • Gandcrab

      GandCrab is a ransomware family, run as ransomware-as-a-service from January 2018 until its operators announced retirement in mid-2019, that encrypts files on the victim's computer and demands a cryptocurrency payment for the decryptor.

    • Gandcrab family

    • HiveRAT

      HiveRAT is a remote access trojan derived from FirebirdRAT, extending it with additional remote-control and surveillance capabilities.

    • Hiverat family

    • UAC bypass

    • WarzoneRat, AveMaria

      WarzoneRAT (also sold under the name AveMaria) is a native RAT written in C++, sold as malware-as-a-service with multiple plugins.

    • Warzonerat family

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • HiveRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Warzone RAT payload

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS vendor and version strings in the registry reveal virtualization products and sandboxes, so malware reads them to decide whether it is being analysed.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
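Several of the signatures above (VirtualBox ACPI values, BIOS information, location settings, the UAC check and the Run key) are nothing more than registry reads and writes at well-known paths, which is why a sandbox can derive them from an API trace. The following is an added example, not part of the report or of the sandbox's own signature engine, that replays rules for those five signatures over a constructed API trace. The key paths are the standard Windows locations for those values, not paths confirmed for this sample, and the trace format is invented for the example.

```python
"""Replay the registry-based signatures above (anti-VM, BIOS, geofence, UAC
and Run-key checks) over an API trace.  Added example, not from the report
or the sandbox; the trace lines are constructed and the key paths are the
well-known Windows locations, not ones confirmed for this sample."""
import re
from collections import namedtuple

# A rule matches on API name (None = any), a key-path regex and an optional
# value-name regex; the tactic label lets evasion be scored on its own.
Rule = namedtuple("Rule", "name tactic api key_re value_re")


def _rule(name, tactic, key, value=None, api=None):
    return Rule(name, tactic, api,
                re.compile(key, re.IGNORECASE),
                re.compile(value, re.IGNORECASE) if value else None)


RULES = [
    _rule("Identifies VirtualBox via ACPI registry values", "evasion",
          r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    _rule("Checks BIOS information in registry", "evasion",
          r"\\HARDWARE\\DESCRIPTION\\SYSTEM$",
          r"^(SystemBiosVersion|VideoBiosVersion|SystemManufacturer)$"),
    _rule("Checks computer location settings", "evasion",
          r"\\CONTROL PANEL\\INTERNATIONAL\\GEO$", r"^Nation$"),
    _rule("Checks whether UAC is enabled", "discovery",
          r"\\POLICIES\\SYSTEM$", r"^EnableLUA$"),
    # Reading the Run key is routine; only writing to it is persistence.
    _rule("Adds Run key to start application", "persistence",
          r"\\CURRENTVERSION\\RUN$", api="RegSetValueExW"),
]

# Constructed trace: "<pid>|<api>|<key>|<value-name>" (value may be empty).
# pid 2144 behaves like the sample; pid 3012 is a benign process that only
# reads the Run key and the OS version.
TRACE = r"""
2144|RegOpenKeyExW|HKLM\HARDWARE\ACPI\DSDT\VBOX__|
2144|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System|SystemBiosVersion
2144|RegQueryValueExW|HKCU\Control Panel\International\Geo|Nation
2144|RegQueryValueExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|EnableLUA
2144|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater
3012|RegQueryValueExW|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion|ProductName
3012|RegOpenKeyExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|
""".strip().splitlines()


def scan(lines):
    """Return {pid: set(signature names)} for every rule each process trips."""
    hits = {}
    for line in lines:
        pid, api, key, value = line.split("|", 3)
        for r in RULES:
            if r.api and api != r.api:
                continue
            if not r.key_re.search(key):
                continue
            if r.value_re and not r.value_re.search(value):
                continue
            hits.setdefault(int(pid), set()).add(r.name)
    return hits


def evasion_score(hits):
    """Distinct evasion rules per pid; several together is the real tell,
    since any one of these reads also occurs in legitimate software."""
    evasion = {r.name for r in RULES if r.tactic == "evasion"}
    return {pid: len(names & evasion) for pid, names in hits.items()}


if __name__ == "__main__":
    h = scan(TRACE)
    for pid, names in sorted(h.items()):
        print(pid, "evasion score", evasion_score(h)[pid], sorted(names))
```

The API filter on the Run-key rule is the important caveat: the same key is read by Explorer, installers and inventory agents, so a signature that fired on RegOpenKeyExW alone would tag nearly every process. The same reasoning applies to the BIOS and locale reads, which is why the example scores them in aggregate rather than treating any single one as malicious.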

MITRE ATT&CK Enterprise v15
