Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa

  • Size

    49KB

  • MD5

    8cc63c91ed1bc3fa9202391e42364a50

  • SHA1

    ea335ad31b2c19892ddc5d46a3a14ff0d1be0850

  • SHA256

    15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa

  • SHA512

    8fa5112f444339a0a7bee333078cd162eeee7d3d80b3a362f3cc785addea8fa682de92081129ffde6ebb6c71b42db22ee8ad6526655cb5eb74c004429b72d057

  • SSDEEP

    1536:F/MwxLXpy3/pfZtwbjH/xwinmQb8b4znB:F/MwxLXpy3/pfZCuinDb8EnB

  Score

  6^/10

  discovery

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery
  behavioral1behavioral2

• • Target

    304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b

  • Size

    203KB

  • MD5

    76b5931a8eab2e7e98023a43c489bbbf

  • SHA1

    033e6f5547c62a8650f449fc5b0034424f9b5f85

  • SHA256

    304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b

  • SHA512

    533f26e6379f35bf8aae578461b538ae891d9c00386476dab2235fc965655b35f0ca5433cd5c9c5c106b66369ef37c9e76c091e9635aad9dc2ca57af033344b1

  • SSDEEP

    3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGXzDtCihaFue8Y1WRFj7KV7i:sLV6Bta6dtJmakIM5/NC5x8Y167Y7i

  Score

  10^/10

  nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Nanocore family

    nanocore

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan
  behavioral3behavioral4

• • Target

    43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

  • Size

    876KB

  • MD5

    7e39e9345427ccc8be9a0137cef89742

  • SHA1

    f6f24e1b571a0089c05d5a1e00116742f9e98a93

  • SHA256

    43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

  • SHA512

    9282a11b1a3be4bd721fd8f46c019a545b7ffe992f5daad7d50ab724094c30f807e3e96bac30c881760d1a66f080e69745284e5c46885181ce643383eb17af01

  • SSDEEP

    12288:WgD9eZ8DvlbUUp0qAMlyveojV0uGO27fY6WntFmPkTJCkoqDwlcbgQtRJd98f+se:WoeZUdUw2d8w6MXmPkckddH

  Score

  10^/10

  redlinesectopratdiscoveryinfostealerrattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd

  • Size

    1.4MB

  • MD5

    c58f3effb9efb892109332a676aae546

  • SHA1

    c1dced7e3e3b49f23cc0125589cc5b29d4055924

  • SHA256

    61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd

  • SHA512

    9c9329df603ad34b10437fc6313d61d273b603996a82f88e0d57af9e50ea86bb0cbb2134a3d4905b40fd73cd40222235739f4140cf4de19a3bea352af947adec

  • SSDEEP

    24576:a27mrhic6gvYbAKsy5Ulh3iXWl9557sK6X3ZO0GinMSvTNWfshnGmg/ykTPnewlm:anrhr/vAcWKv6X3o0GQN0s/g/ybDT

  Score

  10^/10

  njrathackeddiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

  • Njrat family

    njrat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral7behavioral8

• • Target

    78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6

  • Size

    118KB

  • MD5

    95c93ba88cbebbf97fa7aec965dac908

  • SHA1

    d71ca71cdcf375b7f55cf26d66e5f4b2b387bec4

  • SHA256

    78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6

  • SHA512

    4bddaca540dc9ea0039a735d254e4a30b06cd5a24dc696bcc9820126b00eae57977d80ffc3528e3c92b9981dbd241276132616e29ccf47a6adc044d65258f64a

  • SSDEEP

    3072:QjPR+2iJ6Cr/B+PHbsVLK3usN9bAeiLZU6pmoXX1:K+2i7/B+gMec9bdg

  Score

  10^/10

  stormkittydiscoverypersistenceprivilege_escalationspywarestealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Downloads MZ/PE file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  behavioral10behavioral9

• • Target

    878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453

  • Size

    45KB

  • MD5

    5af5a9087ecf42eb83fb358d49b06e92

  • SHA1

    0d4a5c5d90e6306c476036ca097a01a17b4295db

  • SHA256

    878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453

  • SHA512

    d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c

  • SSDEEP

    768:Qu08dTbAoeyWUE++Ymo2q8EpL2d78tPIAzjbygX3i46U44rylUVkBDZax:Qu08dTbfz2ESA3b1XSHULy9dax

  Score

  10^/10

  asyncratdefaultdiscoveryrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Async RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral11behavioral12

• • Target

    922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754

  • Size

    810KB

  • MD5

    16ddab2483d7281fb61fc3537fff886e

  • SHA1

    e33e073023d425e052c23f739c1fd8befa51476b

  • SHA256

    922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754

  • SHA512

    4e328a032763e8e8b3c133f24f0364c97f40eae25ebc288836ce1af6745b69baf08c00498223d1e0f6882dc9325a723e90d2960d389aa0a31a80282425c45de9

  • SSDEEP

    12288:zFE4TC330BjGSm2nIBQDNpSZY5fpbhQOtkd4CzySphGMyb9027C6yKbDSpX4Vu78:9EBOAT+ONkY8IBQmS8R6Nx

  Score

  10^/10

  lokibotcollectiondiscoveryspywarestealertrojan

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Lokibot family

    lokibot

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral13behavioral14

• • Target

    98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad

  • Size

    42KB

  • MD5

    97481bcfd96a1bee367aed197aaa62f6

  • SHA1

    407e6b50c111909067a630f4acbd86c0ca90512e

  • SHA256

    98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad

  • SHA512

    b46e1eab0ce7d0926c3970e1832db467b2c74959c5117641e7ae543df7d83f650f42d2e214c922ac47b6649969075fd48d62bd3e1313990a2926cb0367f06a87

  • SSDEEP

    768:LRhQkBZ6an8z5pDtshuZNL4qTjZKZKfgm3EhMZ:F1n8z5PsoL4qTlF7EyZ

  Score

  10^/10

  mercurialgrabberevasionspywarestealer

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber

  • Mercurialgrabber family

    mercurialgrabber

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral15behavioral16

• • Target

    b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f

  • Size

    101KB

  • MD5

    4c8326862379b2d2d6fbc47a8c33777b

  • SHA1

    3d5d4d3f340ca4c1e004fa25588cff11f5034e3b

  • SHA256

    b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f

  • SHA512

    3cc74d73d8548a9a16d4cb3921c40a0641d5c0818c81d494f6fff5b16d9389c31da825dc9e1f3fa81d8b2a72b659a51c1f57047aac98cb56f1234bfab99d02e7

  • SSDEEP

    3072:j5j9XUQdkDsRDiqtNDLXMbPbNYLKGoNbCyfN:Vj1yWi2NPM9b

  Score

  8^/10

  evasionpersistenceprivilege_escalation

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral17behavioral18