Extracted

Extracted

Extracted

• • Target

    RNSM00394.7z

  • Size

    31.2MB

  • MD5

    76b93f055cb09b9c703f1c934853ff39

  • SHA1

    7c82fe366d1ed04a5ada0cab06762e9e8136664d

  • SHA256

    38ab2002e8df4e98a0bfd4272f9dd3acb7c1ae6e9137a1343baf2f3e4994cec7

  • SHA512

    842e5e23cbac2b6031ac16be6869d2d296dc7233a802edb0a545d513a41698421b6c1a7019e6f470998785df221edad75f708af00ba9cfb35f7602558334aba1

  • SSDEEP

    786432:frOl5j9tSAcWHyw7AvM06/p3sC9C18FIz6oD2UHf:fS99vuuSC9C18QHf

  Score

  10^/10

  azorultbalaclavadharmagandcrabwarzoneratbackdoorbootkitcredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceransomwareratspywarestealertrojanupxvmprotect

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult

  • Balaclava Malware

    Balaclava malware is a ransomware program.

    ransomwarebalaclava

  • Balaclava family

    balaclava

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Dharma family

    dharma

  • GandCrab payload

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab

  • Gandcrab family

    gandcrab

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Renames multiple (450) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Warzone RAT payload

    rat

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1