Extracted

Extracted

• • Target

    RNSM00356.7z

  • Size

    3.9MB

  • MD5

    376785ae266b5afd8aca391147462e44

  • SHA1

    35b982f366aaae74e368e935560a9040e5a16ce6

  • SHA256

    a5aad9efebed50cd31ba1f27ed16d7b56da8aa63407e2f949bed778e18233c51

  • SHA512

    6eb0f0869ec1954dfa14cb788b7b1557ab355d5f0a57bab0fa457a6ab272e80b802b8e36796cccdb3e83dcd0979e8178f6ed2ce19a35d04f3ba4c3bf3feb743c

  • SSDEEP

    98304:xhMqxdoBUoWTqmowUNWxnnruTPQaXbB7wfXyBsogDP2JEuqg9d:pzCgnrgP9ByyBsogilR9d

  Score

  10^/10

  gandcrabhawkeye_rebornm00nd3v_loggertroldeshbackdoorcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggerpersistenceransomwarespywarestealertrojanupx

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab

  • Gandcrab family

    gandcrab

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn

  • Hawkeye_reborn family

    hawkeye_reborn

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger

  • M00nd3v_logger family

    m00nd3v_logger

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies visibility of file extensions in Explorer

    evasion

  • Troldesh family

    troldesh

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh

  • Windows security bypass

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • M00nD3v Logger payload

    Detects M00nD3v Logger payload in memory.

    infostealer

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Renames multiple (297) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1