Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    Mr4X5srRQR20TfuVZShfsrAN.exe

  • Size

    321KB

  • MD5

    94c78c311f499024a9f97cfdbb073623

  • SHA1

    50e91d3eaa06d2183bf8c6c411947304421c5626

  • SHA256

    6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

  • SHA512

    29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

  • SSDEEP

    6144:DQbZ65iKd8Ro5c7bW+7kUyptNv+6FsVAIXRwGA69PZ+9ElvczV:6Z65im8Rb7D7kUyP5cVAIhwGA69B+9uY

  Score

  10^/10

  gcleaneronlyloggerdiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2

• • Target

    OEmxRS9UaiMPqIKXPz6Ef8jI.exe

  • Size

    589KB

  • MD5

    34c76bcc1506b513c7a1ac605c045c4e

  • SHA1

    271c6b3853e33e039242da7cf8f4465c48e90d2e

  • SHA256

    1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d

  • SHA512

    cb2170b5fa492dcb7df54cfd7f4ad94214de98face0f1710cbad749c79bf322ea1106ace723520486bdeabdf0aa2eefbf70dcc060d61fcda1124298225c36865

  • SSDEEP

    12288:fhdKHkwkYGXXRJRC7ijHRAWteLwnHdYnXQ6mr4ZFrUD:fzKYQv

  Score

  10^/10

  redlinesectoprat23.08discoveryinfostealerrattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    OvVYhhgvd6ZhUony5cRMqVoB.exe

  • Size

    2.4MB

  • MD5

    b15db436045c3f484296acc6cff34a86

  • SHA1

    346ae322b55e14611f10a64f336aaa9ff6fed68c

  • SHA256

    dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193

  • SHA512

    804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9

  • SSDEEP

    49152:/JhGe/xVHII4W2qFRCsh7BQ0vLYtA2uORNJet/ylyPj792:/Jcevr2mLS0cT/Mj792

  Score

  9^/10

  discoveryevasionthemidatrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral5behavioral6

• • Target

    QKvpJeDIaPtXDcwKwH_WmAYY.exe

  • Size

    2.4MB

  • MD5

    a7feb91676ca65d3da71c8ff8798e2ec

  • SHA1

    96b60cacea9e992ae9eef8e159d51e50bb0c7a79

  • SHA256

    844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f

  • SHA512

    d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75

  • SSDEEP

    49152:yzaIawrFIsU6+anPakV7/HFangWtl4UjhlXAl6RUbbzRMWv5pKJa2Xkut:yzzaOBU6++PrV7/lDmhxAl6UbbzRMWba

  Score

  9^/10

  discoveryevasionthemidatrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral7behavioral8

• • Target

    QxZsdXOO8Xn2bW7iW8ff3gjN.exe

  • Size

    317KB

  • MD5

    145bf5658332302310a7fe40ed77783d

  • SHA1

    5370ac46379b8db9d9fca84f21d411687109486f

  • SHA256

    bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

  • SHA512

    d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

  • SSDEEP

    6144:QIH2L4AqFKDXavv7HPdVVJ31H0WJhtJSOi4k/YjN6+7i3eWQj3KWS/jrAZcEujqY:WLKFKqvz3CehLSO+YjN43jRPoZNm

  Score

  10^/10

  gcleaneronlyloggerdiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2

  behavioral10behavioral9

• • Target

    QzUu4XgUxQuvhFNx7Nf5D6C3.exe

  • Size

    4.4MB

  • MD5

    7627ef162e039104d830924c3dbdab77

  • SHA1

    e81996dc45106b349cb8c31eafbc2d353dc2f68b

  • SHA256

    37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

  • SHA512

    60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

  • SSDEEP

    98304:eeR4o4V2M07mXFtVw5jkUvDo74SivdfVlj5JM+MPZ4rv3U:eeRD4JMmX/VgQUs7rGljDjMPQv3U

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral11behavioral12

• • Target

    SHSPDO6BYDV7xlwsZDJxsLj9.exe

  • Size

    317KB

  • MD5

    145bf5658332302310a7fe40ed77783d

  • SHA1

    5370ac46379b8db9d9fca84f21d411687109486f

  • SHA256

    bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

  • SHA512

    d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

  • SSDEEP

    6144:QIH2L4AqFKDXavv7HPdVVJ31H0WJhtJSOi4k/YjN6+7i3eWQj3KWS/jrAZcEujqY:WLKFKqvz3CehLSO+YjN43jRPoZNm

  Score

  10^/10

  gcleaneronlyloggerdiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2

  behavioral13behavioral14

• • Target

    SqCuVl85T1P8OuH3gpVMKnDi.exe

  • Size

    599KB

  • MD5

    85d019feb83854aa587fb13a34d1e2e7

  • SHA1

    5af4a2e70f32dc2705d3517260341456249b96b7

  • SHA256

    8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8

  • SHA512

    aa0baabd8d2533464b1ce752f14adbaf93da91abad85a10bdbef4463f4c260f224deb37ac332221b9e7eee053f58eaca96fe44f679d8d8cbcfb75a04ffaa953d

  • SSDEEP

    12288:uN1kItBnm0Z1/kjkTD59+rLiFn7s0ZEfCsWre/W:fItBnWjEDqrL87jZ34/

  Score

  10^/10

  vidardiscoverystealer995

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Vidar Stealer

    stealer
  behavioral15behavioral16

• • Target

    T8Ulrjj8F65YXJ2qZEm11v_x.exe

  • Size

    586KB

  • MD5

    29903569f45cc9979551427cc5d9fd99

  • SHA1

    0487682dd1300b26cea9275a405c8ad3383a1583

  • SHA256

    eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6

  • SHA512

    f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb

  • SSDEEP

    12288:+zoXpiQ70M3HvlvGWE/FckBRi+9wjQPf48a6EzMzPxiDOZ1z4/2fH:T2GlvGkC

  Score

  10^/10

  redlinesectopratdibild2discoveryinfostealerrattrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    Trj0QcTNVE3l8SBp_3LNLFS9.exe

  • Size

    4.4MB

  • MD5

    7627ef162e039104d830924c3dbdab77

  • SHA1

    e81996dc45106b349cb8c31eafbc2d353dc2f68b

  • SHA256

    37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

  • SHA512

    60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

  • SSDEEP

    98304:eeR4o4V2M07mXFtVw5jkUvDo74SivdfVlj5JM+MPZ4rv3U:eeRD4JMmX/VgQUs7rGljDjMPQv3U

  Score

  10^/10

  gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  behavioral19behavioral20

• • Target

    Uwc7l02HzjEVLDdBFF3ZKItU.exe

  • Size

    900KB

  • MD5

    7714deedb24c3dcfa81dc660dd383492

  • SHA1

    56fae3ab1186009430e175c73b914c77ed714cc0

  • SHA256

    435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

  • SHA512

    2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

  • SSDEEP

    12288:jx1vJUpzeLkTqhqeEmC7QOZGafeei7fqiHf:H2zIkTgqeEVQO5fess

  Score

  1^/10
  behavioral21behavioral22

• • Target

    VoTrXaqIJ3vc2GnUIU6Wi5LW.exe

  • Size

    321KB

  • MD5

    94c78c311f499024a9f97cfdbb073623

  • SHA1

    50e91d3eaa06d2183bf8c6c411947304421c5626

  • SHA256

    6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

  • SHA512

    29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

  • SSDEEP

    6144:DQbZ65iKd8Ro5c7bW+7kUyptNv+6FsVAIXRwGA69PZ+9ElvczV:6Z65im8Rb7D7kUyP5cVAIhwGA69B+9uY

  Score

  10^/10

  gcleaneronlyloggerdiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2

  behavioral23behavioral24

• • Target

    Wp77te7DqjxTjTIGMDSB0RHr.exe

  • Size

    2.4MB

  • MD5

    161b975933aaae18920d241890000dac

  • SHA1

    1cbbad54762c6301ad9ad2291159b9d2a141c143

  • SHA256

    dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83

  • SHA512

    758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443

  • SSDEEP

    49152:hlbpFMtUtFOfw2skeX+NPO59F07SwtUcxHBL3a87GV68GK2:hNjCfwWeX+NYCSJWo8aVOJ

  Score

  9^/10

  discoveryevasionthemidatrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral25behavioral26

• • Target

    XOCYAkm_NnnfPmgVDNgu9MQ3.exe

  • Size

    5.3MB

  • MD5

    083da7bfea93dcaac5ca4c910c0c9636

  • SHA1

    5d94f9e397441ee8bb733122f9dce827b80f7e96

  • SHA256

    c06817143741717add66241dcd4f1b6ce497c6242d78793a69661b47a3796535

  • SHA512

    067b5940f3c04bbe908e978b735818cc6e46f8a34a6dfffdf63eca062b855d19a83f12e351dcb5da81464981771bb2a717d39bed9abdd96087cf4cd2996b31b5

  • SSDEEP

    98304:rHiCdkni6JIK0qZS3HzXCbQbxv3j+oJRfchpT93kWJrnClc3DgIFakHDZ++:OO4N0q4zXqC1TVsZ3bOlczgIND4+

  Score

  10^/10

  sectopratdiscoveryevasionratthemidatrojan

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral27behavioral28

• • Target

    Xd_XnNqsZTJJf8dCq4s_mlAi.exe

  • Size

    273KB

  • MD5

    ac7f28f999ef6657abc24673642b518a

  • SHA1

    37c701301ba28e8329f7c990a790320d021331a0

  • SHA256

    46d153d7d517ea834af83364c01388f5c4af458c359625244aa7bac158e8bff2

  • SHA512

    d45fe4a99c81d2221ebb4b537a23ac2a64e05defb8c789eb8a716af30685d2ca5963e8caeadcaec74e5ea588311ea59509077f14870193408114b261e7b97370

  • SSDEEP

    6144:38Gjn4iGmFj3lToLMjHxWs0YMaGahpgxSDj4SmsLdnAJ:jnfGmRVTL74mpgSDkudnA

  Score

  10^/10

  smokeloaderpub1backdoordiscoverytrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Smokeloader family

    smokeloader
  behavioral29behavioral30

• • Target

    Xr9ca9oQNQWbUwEgChRmX6Z9.exe

  • Size

    2.4MB

  • MD5

    161b975933aaae18920d241890000dac

  • SHA1

    1cbbad54762c6301ad9ad2291159b9d2a141c143

  • SHA256

    dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83

  • SHA512

    758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443

  • SSDEEP

    49152:hlbpFMtUtFOfw2skeX+NPO59F07SwtUcxHBL3a87GV68GK2:hNjCfwWeX+NYCSJWo8aVOJ

  Score

  9^/10

  discoveryevasionthemidatrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral31behavioral32