agenttesla

Resubmissions

05-11-2024 03:18

241105-dtxrgatbpg 10

Sharing

Copy URL

Twitter E-mail

General

Target

d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337
Size

143.9MB
Sample

241105-dtxrgatbpg
MD5

c572596b2caadbc11672ff12af226635
SHA1

57a176459d3f24cf94810efbb6511abca2e7dce2
SHA256

d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337
SHA512

d112c32cab043308c8707350679af122a3af504386e3f7ee846c72edbc2e2fd2e825023d5bc0e793853a065df159dfd35c8e32e5370b03cdfa59ab7aa05cd5c6
SSDEEP

3145728:mdmtZSmWUMbLPnDwOqs0ykYmO67RUQ0UEsYf2XH:hSmhMbL/N0y4z0UdH

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://47.91.237.42:8443/__utm.gif

Attributes

access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark
305419896

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes

build_id
19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes

build_id
103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes

build_id
140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes

build_id
131

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes

reg_key
c6c84eeabbf10b049aa4efdb90558a88
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes

reg_key
6825da1e045502b22d4b02d4028214ab
splitter
Y262SUCZ4UJJ

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes

build
300869
exe_type
loader

Extracted

Family

gozi

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

babylonrat

sandyclark255.hopto.org

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes

delay
5
install
true
install_file
prndrvest.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2020NOV1

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Extracted

Family

djvu

http://dell1.ug/hosuhf37t5iqy3guygg6w4guiner/37tiuywgw/get.php

Attributes

extension
.meds
offline_id
Pq9d1D32xIxjAlRK7OkLl3utdbWN8syVVEm35xt1
payload_url
http://dell1.ug/files/cost/updatewin1.exe

http://dell1.ug/files/cost/updatewin2.exe

http://dell1.ug/files/cost/updatewin.exe

http://dell1.ug/files/cost/3.exe

http://dell1.ug/files/cost/4.exe

http://dell1.ug/files/cost/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ZFjRnJfc9f Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 162Ad768734uygjdfg

rsa_pubkey.plain

Extracted

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija1

https://iqowijsdakm.ru/gate.php

https://wiewjdmkfjn.ru/gate.php

https://dksaoidiakjd.su/gate.php

https://iweuiqjdakjd.su/gate.php

https://yuidskadjna.su/gate.php

https://olksmadnbdj.su/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes

build_id
155

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
- Size
  
  144KB
- MD5
  
  9e9bb42a965b89a9dce86c8b36b24799
- SHA1
  
  e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
- SHA256
  
  08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
- SHA512
  
  e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
- SSDEEP
  
  3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY
Score

10^/10

zloader main 26.02.2020 botnet discovery persistence trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
- Size
  
  355KB
- MD5
  
  b403152a9d1a6e02be9952ff3ea10214
- SHA1
  
  74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
- SHA256
  
  0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
- SHA512
  
  0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
- SSDEEP
  
  6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  0di3x.exe
- Size
  
  111KB
- MD5
  
  bd97f762750d0e38e38d5e8f7363f66a
- SHA1
  
  9ae3d7053246289ff908758f9d60d79586f7fc9f
- SHA256
  
  d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
- SHA512
  
  d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39
- SSDEEP
  
  1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs
Score

10^/10

smokeloader backdoor trojan discovery
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
- Size
  
  524KB
- MD5
  
  4aa199c19c28cd1d176b7f6ff59bd713
- SHA1
  
  ec321c45f365ad178bbbef4f873578ffc52b6114
- SHA256
  
  4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab
- SHA512
  
  b764a3378677a4d7ceba3d57442b98028581c0c2841bdac287c5caced0f350638a2c1c0a6136873d29627420b208789873c0d5a5ad4d28e3f1e3758e3a12a6f5
- SSDEEP
  
  3072:3izUDxPs3Wo9MuFaNJXzWPfdidHzaCiZv1DwWD3aw8Vnx/VJqX8IoxKOgl9aYz4h:SuyRLavQTjd8VzJSnyK1UYzSx
Score

10^/10

zloader googleaktualizacija googleaktualizacija1 botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
behavioral7 behavioral8
- Target
  
  2019-09-02_22-41-10.exe
- Size
  
  251KB
- MD5
  
  924aa6c26f6f43e0893a40728eac3b32
- SHA1
  
  baa9b4c895b09d315ed747b3bd087f4583aa84fc
- SHA256
  
  30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
- SHA512
  
  3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
- SSDEEP
  
  6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score

10^/10

smokeloader backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  2c01b007729230c415420ad641ad92eb.exe
- Size
  
  1.3MB
- MD5
  
  daef338f9c47d5394b7e1e60ce38d02d
- SHA1
  
  c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
- SHA256
  
  5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
- SHA512
  
  d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
- SSDEEP
  
  24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR
Score

10^/10

hawkeye collection discovery keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Hawkeye family
  hawkeye
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  31.exe
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
- SSDEEP
  
  393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score

10^/10

agenttesla danabot dharma formbook gozi qakbot raccoon 86920224 spx129 1590734339 i0qi w9z agilenet banker cryptone defense_evasion discovery execution impact keylogger packer persistence ransomware rat rezer0 rm3 spyware stealer trojan botnet evasion
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Qakbot family
  qakbot
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- AgentTesla payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  3DMark 11 Advanced Edition.exe
- Size
  
  11.6MB
- MD5
  
  236d7524027dbce337c671906c9fe10b
- SHA1
  
  7d345aa201b50273176ae0ec7324739d882da32e
- SHA256
  
  400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
- SHA512
  
  e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
- SSDEEP
  
  196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  42f972925508a82236e8533567487761.exe
- Size
  
  3.7MB
- MD5
  
  9d2a888ca79e1ff3820882ea1d88d574
- SHA1
  
  112c38d80bf2c0d48256249bbabe906b834b1f66
- SHA256
  
  8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
- SHA512
  
  17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
- SSDEEP
  
  98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T
Score

10^/10

asyncrat babylonrat darkcomet njrat warzonerat null discovery evasion infostealer persistence privilege_escalation rat trojan 2020nov1
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Babylonrat family
  babylonrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Njrat family
  njrat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Warzone RAT payload
  rat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
- Size
  
  669KB
- MD5
  
  ead18f3a909685922d7213714ea9a183
- SHA1
  
  1270bd7fd62acc00447b30f066bb23f4745869bf
- SHA256
  
  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
- SHA512
  
  6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
- SSDEEP
  
  6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Score

10^/10

discovery persistence upx ransomware
- Renames multiple (146) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19 behavioral20
- Target
  
  c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286
- Size
  
  983KB
- MD5
  
  e15e3cfa542459e8d87e8bfdf70a38a1
- SHA1
  
  1c98fbf7b780fc8ab7f73d468ab77b41570c9665
- SHA256
  
  c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286
- SHA512
  
  fd55639cc4f757f90a01236b10bf33bd678ef7a141c6538a5285133aa8d610bb0bf287043717557a26d28a924f3c44fbf37c13421f27a389f2e8fc76ce4b91fe
- SSDEEP
  
  24576:Fp90jN2CdssXMZ/ggHEfsLJ4qFKqyqG5nFYR1t:N0NDdssygGl94qFKqyqYa
Score

10^/10

djvu discovery persistence ransomware
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Djvu family
  djvu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral21 behavioral22
- Target
  
  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
- Size
  
  80KB
- MD5
  
  8152a3d0d76f7e968597f4f834fdfa9d
- SHA1
  
  c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
- SHA256
  
  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
- SHA512
  
  eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
- SSDEEP
  
  1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer
- Disables service(s)
  evasion execution
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Hakbit family
  hakbit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral23 behavioral24
- Target
  
  905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
- Size
  
  21KB
- MD5
  
  6fe3fb85216045fdf8186429c27458a7
- SHA1
  
  ef2c68d0b3edf3def5d90f1525fe87c2142e5710
- SHA256
  
  905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
- SHA512
  
  d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
- SSDEEP
  
  384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1
Score

10^/10

revengerat xdsddd execution stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- RevengeRat Executable
  stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in System32 directory
behavioral25 behavioral26
- Target
  
  948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
- Size
  
  17KB
- MD5
  
  aa0a434f00c138ef445bf89493a6d731
- SHA1
  
  2e798c079b179b736247cf20d1346657db9632c7
- SHA256
  
  948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
- SHA512
  
  e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952
- SSDEEP
  
  384:rnhZ7/5eOHY9FmMoEIPJvnbisVK8ysLu2s2:bhdQOS8EIRmIa2
Score

10^/10

revengerat victime persistence stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- RevengeRat Executable
  stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
- Size
  
  260KB
- MD5
  
  9e9719483cc24dc0ab94b31f76981f42
- SHA1
  
  dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b
- SHA256
  
  95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
- SHA512
  
  83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309
- SSDEEP
  
  6144:HP2sOvpPfQUH6+SqpcH1lH0CIuK8AWaULcka:HPXOv9RH6fEcH1h0vuLNyk
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Archive.zip__ccacaxs2tbz2t6ob3e.exe
- Size
  
  430KB
- MD5
  
  a3cab1a43ff58b41f61f8ea32319386b
- SHA1
  
  94689e1a9e1503f1082b23e6d5984d4587f3b9ec
- SHA256
  
  005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
- SHA512
  
  8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
- SSDEEP
  
  6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32