Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    Ehhbsuuemv.exe

  • Size

    68.4MB

  • MD5

    368dc6c24db6c1550ce757c0ffbdd9a0

  • SHA1

    89bf95d951ac065bdfd8a323b1ecb70355bbab20

  • SHA256

    9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641

  • SHA512

    78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211

  • SSDEEP

    1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4

  Score

  10^/10

  asyncratvenomratzgratdefaultdiscoveryrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detect ZGRat V2

  • VenomRAT

    Detects VenomRAT - JaffaCakes118.

    rat

  • Venomrat family

    venomrat

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Zgrat family

    zgrat

  • Async RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    GjIEmKW.exe

  • Size

    646KB

  • MD5

    f1721c98efdae451be8ef071044cdb85

  • SHA1

    28afdff9b32d7da6918a4ecc3a30eafe3be1f8e6

  • SHA256

    bce1a92464358055d118d7a107bf8d5361f4fc2dfaaa41a18d2a9bc11b640272

  • SHA512

    5e560094bfdb5d9e0a0f545373c9943a57c1da12378153cd0943ac2b10da9fcd1e256a71777f5cab803f5c434db11cd6cdd463bdcd2fe36420d7db5f2c57ffaf

  • SSDEEP

    12288:z4UBGj3cBfudMiILCLbexicLZHgVkbh11a9iZoyfetMYviLZ4uDFa:z49j3Z4Ld30v8R

  Score

  10^/10

  asyncratvenom clientsdiscoveryrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    Jtvcsfni.exe

  • Size

    300.9MB

  • MD5

    fa2a122398f04f0a45ed7bed477aa4de

  • SHA1

    dec80165e13f370fc832f6fe752084eb5ba944cb

  • SHA256

    cde19a4b3504ff5f04a4291be87d98594673de5e3ba4d939b18305e7e1fd93a2

  • SHA512

    332c34cde567511fc31422d75a77f183546998762f912844726e0b157d5c5bc29893e20b93e0ab5daa90908e39aab326743606ee090b38d73ba51b9d949e8905

  • SSDEEP

    6291456:TzQXTpP65CUl6Xd+6a3BwpQTOQGZ+TmCI/0haPyrUVb0/29c1e1M51K:Y1jUl6sBwKgZXCI/0haqgVb0/l6

  Score

  10^/10

  redline@hukiosidediscoveryinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    OriginalBuild.exe

  • Size

    2.0MB

  • MD5

    684b5a8761a8cd0314a1121de37a86a7

  • SHA1

    bd46bea31f6ec26ad80bf9bdda6f2b59750a910a

  • SHA256

    1fc6b522a006f923bd3e6d69377bdcbb6d6e733dc4f68f38608f727bf6b0732f

  • SHA512

    d56b3b60d54ad8ac97b3baf3fc4cdf7ee0158dadd23239238d243d445906d30f8246f4053d53fc9b6f04c80d87c43f548e7cca4b424ec34b0474defa785fbb59

  • SSDEEP

    24576:rLdSwtu5mVZJZYDN5ZKGGQz1JLzsrksuN8qYMLDd3eQ3o7glrAbAlA7AIASAWl9W:r6mVZJZYSVgvoklrAbAlA7AIASAzCq

  Score

  8^/10

  discovery

  • Blocklisted process makes network request

  behavioral7behavioral8

• • Target

    PUMPED_docc.exe

  • Size

    90.3MB

  • MD5

    82bb565e772ed1286a2aae9c572650e9

  • SHA1

    ca36bde4741afafb7fcf62a19673d13b80fb44c6

  • SHA256

    25a410a81c32a80cd2c408fad31582e20a1e7fd01c28ef78576fd2cbb02761fc

  • SHA512

    30861740c92d0022bbee72d638afbf44cd6276d2233e7ce51fc9fb5b7281a0cadb3b76f8b4ef8b3063c7a93960a1fab285aa8d01043ba4063366125ce6ec6e0b

  • SSDEEP

    6144:7Bcs/4U/OaGR+X25Kmn9GFjzsLqBO6/b:tcsgXbKm4XGq86/b

  Score

  10^/10

  redlinedocdiscoveryinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Uses the VBS compiler for execution

  • Suspicious use of SetThreadContext

  behavioral10behavioral9

• • Target

    Servicing-invoice-template.pdf

  • Size

    34KB

  • MD5

    d422843d566db462f7f8f6bc3be9ca76

  • SHA1

    1b1b89d8227af285a658ba64a15e1f0a56953e46

  • SHA256

    3fff1be296432c5b2cf165c63110531e8e4aa3e31285d1800d0ab92ece7e5c3a

  • SHA512

    a62ad4534bd8b274df69de3dfc64595137941097742173f0e8d02307f35b5344bcfaf3151a203d6f5a24f2a4300996e7713db729763516cade8893e62d63e9cc

  • SSDEEP

    768:zzy3jjj/ZX6HmbabFA7FFFjgXUfUU9ivyoWYU9NlgxUh3:zzijjjRXIcaZAtIyo+lD

  Score

  3^/10

  discovery
  behavioral11behavioral12

• • Target

    cgu3.docx

  • Size

    12KB

  • MD5

    3a99a5077f5178c4320e97d997cfbff1

  • SHA1

    d3e053535607751b0a2d6dc5187f74dac3b1846d

  • SHA256

    154dae89d0d92be206c9c006af8112f36ba1180f56334bfdbbf33668675a76a5

  • SHA512

    218f3265617bd320e862b32591f7ef2c6bd85e9225d565281f54045486cc63593a89fb5c1b15853082554d84545a63492bed16ca73840cfd548e1ef4316b1f34

  • SSDEEP

    192:CtfoVP+CCNxtpgoZ22NNMp14xew+Wfm0FfkvGUlfbN9urD9N:afo1+dNxt/ZtNN04+30On50n9N

  Score

  6^/10

  discovery

  • Legitimate hosting services abused for malware hosting/C2

  behavioral13behavioral14

• • Target

    debt.rtf.lnk

  • Size

    1KB

  • MD5

    fdfc8fbec85d876fafc78d0d6d5bfb2b

  • SHA1

    8787a1343b2610079c48f3d315c9dc9f618793c1

  • SHA256

    95d5648444fbd18f4f19a7a7821e2e35cdd27b2ddfb40bf6dd60f1303660824a

  • SHA512

    790a604522bfcd26cb738dc19121ba70f4b65a7a4a5fd5df8a7cd51069b3645fee42f25ed026152ce10fb83bfe7d23774b91abf3b8e8ddae0d3311d97d7e01bf

  Score

  10^/10

  execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  behavioral15behavioral16

• • Target

    eeee.dotm

  • Size

    15KB

  • MD5

    e98532e1f207b31dc7709a52b1c409b7

  • SHA1

    b2715b7f3367c8a30d65fd06ae8a201e53d9123d

  • SHA256

    3d355a08aefd906bd5c4f5db39535e172f06f646c18be73f7b6d4dc6ed54c5ab

  • SHA512

    13ff9836180e75881340bc5eec2285c6dfd2c7cd2aa968be5ad7673e905c17862d3709571426793c8fc886beb7969c1cfc7585f3bf60a8590f5e90fbfca28e85

  • SSDEEP

    384:tmtl4DqphrASTC78Jex7KBM6akwLWdxdyJYB3ywJ:ql4DqphM98JkYakw6Ly+QwJ

  Score

  3^/10

  discovery
  behavioral17behavioral18

• • Target

    egor.dotm

  • Size

    14KB

  • MD5

    adccb9016b434427cd125ae841d1baaf

  • SHA1

    56aa1a0e7b1ba0d2714be1e36d4a59ca4ca8a05d

  • SHA256

    d6cdc6b64b477100f73ffa15b1fe7597e3a6c81431b527bc766f7bab27701e8b

  • SHA512

    9b4fbb5f16570c7a5165a53ffab8680db2122e3040ed411358f2a4fee2d8a24d525ab430651b0c1d1f93f8b7471b8ba9f7b58a96b167e5245a082a0d51c35c62

  • SSDEEP

    384:tmtl44XewvWv7lC78WQ6Su6akwLWdxdFYB3w:ql44XHvWTu8mSzakw6LqG

  Score

  10^/10

  discoveryexecution

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  behavioral19behavioral20

• • Target

    errr.dotm

  • Size

    14KB

  • MD5

    15320db9003264c8ce3a7356030746a8

  • SHA1

    db6c48cb0b2ea475602ee20bd10d6be192da4a37

  • SHA256

    ed057ee336974e52d68f2eb5278c7d61fdbfff8f388e287d4c8c09bd2eed0a2f

  • SHA512

    608015f8c7ede90b8859fe2c2838322db98e78ff1e369d1a3019cbfb8d279ca515e2494e0d6946d17cdbed1582faeac2ce2bd53eadbe45751dba542794b0a758

  • SSDEEP

    384:tmtl4pb+aVHXwnSC78Qot2J6akwLWdxd36UbYB3ho:ql4pq6El8Qojakw6L0M

  Score

  3^/10

  discovery
  behavioral21behavioral22

• • Target

    example.dotm

  • Size

    16KB

  • MD5

    1aae26fe5d7b7dc4d6794a7828aecedc

  • SHA1

    fbb8c6f45f53dc80e276a72cf9f567054b65c206

  • SHA256

    1d473e82efa66368ffb4ce8f5eb947296c8e8d3febbe3a6283857da6fb1cc7d5

  • SHA512

    2036693971d4710c9d59c569a8a8fef98ee33422b324c343c07aac9fb67500f82e54c6904054f65a7294dbbc745773fdbf6a6051aa7a71ac8b04b9c3dcf5c6e0

  • SSDEEP

    384:tBt67TB+TZ2T/aNxt/ZtNNei/eX+30Oncsqf:R6PaGIxllNeAeX+3BcBf

  Score

  10^/10

  discoveryexecution

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  behavioral23behavioral24

• • Target

    fasfs.dotm

  • Size

    16KB

  • MD5

    56265082f8036943f8aa659cda6b4b6f

  • SHA1

    4b4c75a574e7bc18117cecfe8cad64205097ec43

  • SHA256

    4adf62e4e36861567206126d6ef1a1d59bf169f9c72cde72dad9a3bfe0c09faf

  • SHA512

    33792ecfeaf686435db9d6537b8e99d74b08198c198e3357b0b6ba324f7c5eb410060a34e64b2a09aa3b20f9a7b459ae6b13670abb4e03550ffb79fb0e155c2d

  • SSDEEP

    384:tmtLW4BPok2xSxCyX+ZKC78qN9j6akwLWdxdA97YB3H/:qa4Bn2xzyX+383akw6L2M9

  Score

  10^/10

  discoveryexecution

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution
  behavioral25behavioral26

• • Target

    ferrr.dotm

  • Size

    15KB

  • MD5

    2fcd4aa1392a81644323e0dfc715146f

  • SHA1

    bb48a7af90cdb8c46e78bb20fb7e733c626d4f2f

  • SHA256

    58ab07d938bb5a6a5c2fb772f4b511b805b6e9c165ed01280c4ee9a1c817f9dc

  • SHA512

    91bccc3fba9abbab4b052c394274de3d701d5c6a06b36c2df688f3f36c0296835d028e966eb331ebdea863c34be63f03cfb604b1583640e6edee0de3a81bc639

  • SSDEEP

    384:tmtl4Ttwa5+VjgUbuC78Qo0mR6akwLWdxdf8YB3U:ql4Ttwp2UbZ8QZm0akw6Lxi

  Score

  3^/10

  discovery
  behavioral27behavioral28

• • Target

    fffffffnew.dotm

  • Size

    16KB

  • MD5

    56265082f8036943f8aa659cda6b4b6f

  • SHA1

    4b4c75a574e7bc18117cecfe8cad64205097ec43

  • SHA256

    4adf62e4e36861567206126d6ef1a1d59bf169f9c72cde72dad9a3bfe0c09faf

  • SHA512

    33792ecfeaf686435db9d6537b8e99d74b08198c198e3357b0b6ba324f7c5eb410060a34e64b2a09aa3b20f9a7b459ae6b13670abb4e03550ffb79fb0e155c2d

  • SSDEEP

    384:tmtLW4BPok2xSxCyX+ZKC78qN9j6akwLWdxdA97YB3H/:qa4Bn2xzyX+383akw6L2M9

  Score

  10^/10

  discoveryexecution

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution
  behavioral29behavioral30

• • Target

    fp4h5ur67j.exe

  • Size

    1.3MB

  • MD5

    8cd05b06930579102407341364cdedd4

  • SHA1

    f1c3d91406f6e461c67d7c12c26d43968cd42031

  • SHA256

    5859d191a74777c836d807c66f0dcd9ce61d792997e5fae991dd5297b1065d83

  • SHA512

    06b799f4e57ca6ebc168021e9f19904fceb467e65684a0391d8325bec341c8776cadea8555afe9a0874203085044983106a50f6a3062c9b5d9f84de7d34f4354

  • SSDEEP

    6144:q2AdvNiBrRuWzr3Qk7AOziNR14LE8mnq4wqluSPB0YJpc:3AdvNsrXv781vwr7YJq

  Score

  10^/10

  redline@forxidsdiscoveryinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Uses the VBS compiler for execution

  • Suspicious use of SetThreadContext

  behavioral31behavioral32