Resubmissions

10-11-2024 21:28

241110-1bhk6avgrr 10

General

  • Target

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • Size

    973.8MB

  • Sample

    241111-c9yg9s1fjg

  • MD5

    0523322523fc2607b21cf06ee2c06e2f

  • SHA1

    49924c11f7b22dbb1fec51402214a4b62f0c4da0

  • SHA256

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • SHA512

    a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae

  • SSDEEP

    25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Malware Config

Extracted

Family

gafgyt

C2

185.28.39.15:839

Extracted

Family

irata

C2

https://iuskmmdm.ml

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

purecrypter

C2

http://41.216.183.235/Ogrogk.jpeg

https://cdn.discordapp.com/attachments/1033689147958902804/1033916196451516516/Njnwwomqhh.bmp

https://cdn.discordapp.com/attachments/1033689147958902804/1033908505989628004/Dfygmnwx.png

http://45.139.105.228/Pinkptlahbx.bmp

https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21160&authkey=AP6mjbZ6I7me0us

http://185.216.71.120/Dsysssji.bmp

https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21159&authkey=AFru6OsgFq10mzo

https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5%21322&authkey=AHyzW5kyN2MBgPo

https://fullline.com.my/loader/uploads/Cofucfwmi.bmp

https://onedrive.live.com/download?cid=96F930A16702BA42&resid=96F930A16702BA42%21110&authkey=AMJ1Am8lmlZPVrM

http://185.216.71.120/Ypvoi.png

https://transfer.sh/get/afXUmU/Uyofoxfltd.jpeg

http://185.216.71.120/Eztxeazszv.png

https://onedrive.live.com/download?cid=A091E1A18B960958&resid=A091E1A18B960958%21165&authkey=AKz2N-2upLtVH0U

http://www.ugr.leszczynskie.net/mapa/Upfhbfhbavc.png

http://185.216.71.120/Yqnvktamyg.png

http://194.180.48.203/Uhprtckm.bmp

http://45.139.105.228/Ittogj.bmp

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

andrmonitor

C2

https://anmon.ru/download_checker.html

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

aurora

C2

176.124.220.67:8081

Extracted

Family

rhadamanthys

C2

http://104.161.119.221:8899/live-edge/nft.png

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

systembc

C2

95.179.146.128:443

146.70.53.169:443

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

Brouteurs

C2

forthewin.ddns.net:13337

Mutex

fc4dbf906d35a96ddea0300f5b82bfb3

Attributes
  • reg_key

    fc4dbf906d35a96ddea0300f5b82bfb3

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

XSSYE 1.0.8

Botnet

Default

C2

open.imgov.cn:8443

Mutex

91e5d29b47a7d36802e6e1151434cd02

Attributes
  • delay

    30

  • install

    false

  • install_file

    1111game.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

raccoon

Botnet

d1d6daf7a5018968dea23d67c142f047

C2

http://5.255.103.158/

Attributes
  • user_agent

    x

xor.plain

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    f9ff07c5a5e00d26196b3460b72ad41c90dbd24c7405de597560a9a72e3582dd

Extracted

Family

snakekeylogger

Credentials

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes
  • auth_value

    76a7aa24209b18e5866f6b31583d7851

Extracted

Family

redline

Botnet

Dozkey

C2

91.212.166.17:47242

Attributes
  • auth_value

    c06f8f31502cdaf6d673db7589189fd5

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

formbook

Version

4.1

Campaign

a20e

Decoy

pushkarinidigital.com

e-shiryoku.com

sendmeblog.website

arniepalmer.com

tinnnitin.click

serummoctoc.online

chmoptk.xyz

kidskarpentry.com

wanglin123.com

onlinecannabis24dispensary.com

hkwx8.com

marcrosenkrans.com

bridginglegal.com

a2r2.cyou

app365e.com

semesta.xyz

encuentratucasacr.com

huiyusc58.com

carnivalofmiami.com

functionalbreeze.com

Extracted

Family

formbook

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Targets

    • Target

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a.exe

    • Size

      1.0MB

    • MD5

      690a381d9e34389a101cc26042eb01d9

    • SHA1

      20cbdf652baa00adc83670d907b14724445da0f2

    • SHA256

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a

    • SHA512

      4d101dbd26245e9365bc8a92a4feaa122811468643b8dc9ec6bdc2dc0e53469e37bbba0912ba45071c105f01af44e3959985a56309476fdbec8c1933d9c12b52

    • SSDEEP

      24576:7kr1gzNc71ZGytgGTpd0FUDJr3HbZMOBr:Qr+aRn0FUd73

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Netwire family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819.vbs

    • Size

      195KB

    • MD5

      a4f71409b11c7a677353f1d7b3e0d13a

    • SHA1

      704ec3fdb8f2ee5e39957785f0d03d5268abd5e6

    • SHA256

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819

    • SHA512

      0ed1f3d2fff28a0b7977f966b35c65ed3c3c385eecacf5b1feb38c20ecbbb3017b77b4eca584ea342be86e8e3e5baeec2dbdda3de5c85e97658cd9a4892c1a52

    • SSDEEP

      768:r1wsIXCNd5dghna/lS9P0P7SFuumB/bm/:4wCGBC/

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0.exe

    • Size

      930KB

    • MD5

      53f4e52a78bdf6541e3efdaf401ebbd3

    • SHA1

      9c4841f6dc393e0a197aba01e9cb8491999a6150

    • SHA256

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0

    • SHA512

      f14c3b7c53df876eae2d1ea6e03d88d419e91ee9926334993d585f470c4a13eaa1326544de95a0ce06d3b2590461b3ef52c988c8d1bde7e56ca6b49081305300

    • SSDEEP

      12288:GMY3QedajfctobEgT4FtM/e2Rw4nZu4LvJ0BPykKu2sN9nuI:GMwdwOobfT4Foe2pLBuhN9n

    • Target

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6.exe

    • Size

      1.2MB

    • MD5

      76f35ccb9dc8b2342d34237d041d16de

    • SHA1

      25b50efad77cebcabf2969a97f31db993286d066

    • SHA256

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6

    • SHA512

      06c98ccc3cab2175207f9f2ecc410fafc450f318ff53fc70607b346584f0cefc3377d2eadb347a1814629eb2966cc0c818e9be4fe8a3fb84664178159993fc9c

    • SSDEEP

      12288:Z6xsbHodJWWMvNlg+ijLraGFdhJhVTqzEfaH/jVCLzcmI+Sec3IpCT:Z6xsbfWsXylvaEfa7wEb6MT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa.exe

    • Size

      2.4MB

    • MD5

      1362efe98b360c63f8901fad9b6542fe

    • SHA1

      7cee9adac7453dcf74e77a6907951916e590e593

    • SHA256

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa

    • SHA512

      29882782ddd3ccf7f6e26135832da86ea961faefd67ddbce79945ef81f291d49051cd5fddb1cb13e11bf996697be5c542427f6aa8876c417f7ba460b50b3f7e1

    • SSDEEP

      49152:Z2Yz1Y1xuKe6eF5NPw13Q4/Dof7G41kBNqrcygeCDqQ/XJ5txoJbljwjcWKVA5hq:MwWEvzo13Q2D6GmMScecqQcJbWIKDq

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Mirai family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855.exe

    • Size

      5.4MB

    • MD5

      3a6af02d19a5f472a0357ccb50e5b0a6

    • SHA1

      245b235c383d80ca2ae88681bf12f27bea96b92e

    • SHA256

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855

    • SHA512

      ac7dde150babc8348b963345ce330ee081978e80c1c80344a240c14cb277ba219a0189b6fbd9353a42869281e00b176021a491fdded3b456f4e9bd8638f5a8e4

    • SSDEEP

      98304:xZc4ddDQkADTo0arkXDiBH9ftXnFmEuM2B4lXzqN346KNadVRvhfPqH:Dbv6UGDohFO/sY1rRJ

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Target

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe

    • Size

      349KB

    • MD5

      02a41eb01d841ddffe402fcfbb73bd0e

    • SHA1

      932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b

    • SHA256

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca

    • SHA512

      c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773

    • SSDEEP

      6144:FweEwTKu1gRtv6cWGqV/9zYTyOpMKbsAJRv31M0E2Jt:Mv6cxqV/GGOqKoAPv31M0/

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89.exe

    • Size

      229KB

    • MD5

      f8c0a565c50b57b8ebc9c280007312ec

    • SHA1

      e0a90e6d88b92002c7b77dc8298cd1b98f89d99e

    • SHA256

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89

    • SHA512

      483f609a16c268bfb7626bd6dc7826d8822671342cad1ebdab64115863efe7a75dd13ce6ed31b3c89f691644b2a5d719d43f47994769db2c5753e34bdaedf185

    • SSDEEP

      6144:wf6fRxdLyrc/quEJfylTp45uuo9qcOY7Mnh:wf6fRbGcSuEJfylTp4YuUf

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe

    • Size

      371KB

    • MD5

      341944954703c303537b9d8aa25e5531

    • SHA1

      836351bd41f31d10209d0bdab117186d86071816

    • SHA256

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553

    • SHA512

      9fc832dbd848b6fba32e5beca85e7e55e385f677739ce4372d3cd76a3b05d044e1cb4edbae3fda7eadd185803359642fef50ea8691ae488d8d7dce19eca99073

    • SSDEEP

      6144:Ic/RLyHWHs8c5LRMuPpucS5YUhb7jRXBsL36vAiVMaY/6V:Ic/R2HsIMuo5YUNNX4U1VM

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Target

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037.exe

    • Size

      229KB

    • MD5

      5ee27318991c7dcdfea2fb99ae8f219b

    • SHA1

      1490d4de2bbdb3379819aa08cfd0f0c7762b3783

    • SHA256

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037

    • SHA512

      88cfef8883ed42b841563632ffd7eae1eebfb2d3e1bedda3a6794b37d559bcbaa48de979e7a77011325ea96bd36742673b8f1704bad840a938e4ba829018abb7

    • SSDEEP

      3072:DNPnQxjSky4aM1woJLJVqdj98m6hce5VYytX7RMzshG3ZcOGgSerQiswun:DNPQxGNuLJVYj9hgikXlU3TDSKxu

    • Target

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9.exe

    • Size

      317KB

    • MD5

      fe62aba35fd5f1c6ca2c1c8be6c27ed3

    • SHA1

      b1912c42ae6742ee1f85be843ad3f66a45372464

    • SHA256

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9

    • SHA512

      2d4fedf8c40f2796539a046277ea7f8b6a514e2cecd0b630e8a3a137254a627c873684d247f9e01b53cda4cd36dfa504e9ef1e3c1ed521f9343d45d41032b92a

    • SSDEEP

      6144:fhu1FLTeIjxfniZ5nr6qBgplf95QfGuYjuK2uPbcRItN:fhuXOAfnErgplf3huNuPb0I

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Target

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9.exe

    • Size

      350KB

    • MD5

      36fcbb3b37a9ba63f1fa77c22297c6a9

    • SHA1

      96f7e90a7949064e286c5cf6a39e40aea2f21263

    • SHA256

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9

    • SHA512

      ce25057372e00b915f92fae2b4398af9badcec1b8f4a0a5b532f12050adb1bf2ae0657849a8f54e066fcd14cac00e3a691da5393c6c3aae23083358d3d701c11

    • SSDEEP

      6144:ocLt8AYW3GpW4DW7Q74jOxdiUhtoMgJ51XPKM7MBr:ocR8TP87QIWAUhtoXJnXPKo

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Target

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877.exe

    • Size

      2.4MB

    • MD5

      7e5e288607447a41931025d1f79760ae

    • SHA1

      4ad9a21318ce3c9150b16d1c7d4acef655eb86bf

    • SHA256

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877

    • SHA512

      7738b15725bab95d16f949f0dc8cc2e9b9c61936d8b3a54a932fb6dd3f0ab38bc21c8f484395eaaa2686d397e22032f6b681c3920721faa04f5663d20c3da083

    • SSDEEP

      49152:Z20nrOjMNC7wlZ6+3WddBI6crIdYnX5oCmG1YQV0REpLgfNcA5hq:MAOjM4wlQCWfBINsADvV0R2gf1Dq

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe

    • Size

      252KB

    • MD5

      130f4b6ad5c42bdb5abb4e45406cef94

    • SHA1

      efc55e5f2520c089bfedcc3cfcb4630f595fb688

    • SHA256

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d

    • SHA512

      88fdbe7ef0b3a076ebc872d5dc00fb2fa9ff827420433fc24d886d27fc5b462ba090301be042a9a3c5b31241f82b361afe8d586dd48bd5df393f39d0305d4192

    • SSDEEP

      6144:XCutDb6sMMMMMMMMMMMuMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMg:yObMMMMMMMMMMMuMMMMMMMMMMMMMMMMh

    Score
    3/10
    • Target

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe

    • Size

      219KB

    • MD5

      566a30af3032ed8c2718c99a9c0d7289

    • SHA1

      4d08ff905ddfdaf7f39465b9af09b6441e8993d7

    • SHA256

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6

    • SHA512

      03aa457d3d68d96cdcb8a2d234fac21466bac359bc10948ac1b79222361e992d456df8ba89c8c4e0ada87da0502857a3586ed232a114db9823f13d60308526b1

    • SSDEEP

      3072:UXWlLKlKMO5qI0Ac7ztrQNZezyzh91Ih3Az9Mo+ATIulLwt:QQLrM937JUNZeeFTEMuoZTIuh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1.exe

    • Size

      647KB

    • MD5

      92e6f05295ae825d4f3d9982a616b98e

    • SHA1

      eb73f950397f919df73442f66cbd15deee931cea

    • SHA256

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1

    • SHA512

      100e49ead6c63aba1470ebad85d969310741cc6d7c8d974551ffa07aa1923dec4f4153d363387328c493198ad98bf7535f2f4e138203daa3849ca28f265a3243

    • SSDEEP

      12288:rYK4r6syCKHtudgQcEfCUkNNvshJGxnLeFnQ:rYK4RNKCcg1knvsh45LeFnQ

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

mirai, upx, vmprotect, lzrd, rat, pyinstaller, brouteurs, themida, default, d1d6daf7a5018968dea23d67c142f047, gafgyt, irata, mirai, purecrypter, dcrat, andrmonitor, aurora, rhadamanthys, socelars, stormkitty, systembc, xred, njrat, asyncrat, neshta, raccoon, laplas, snakekeylogger, erbium
Score
10/10

behavioral1

netwire, botnet, discovery, execution, rat, stealer
Score
10/10

behavioral2

netwire, botnet, discovery, execution, rat, stealer
Score
10/10

behavioral3

execution
Score
10/10

behavioral4

execution
Score
10/10

behavioral5

formbook, xloader, fofg, discovery, loader, rat, spyware, stealer, trojan
Score
10/10

behavioral6

formbook, xloader, fofg, discovery, loader, rat, spyware, stealer, trojan
Score
10/10

behavioral7

redline, discovery, infostealer
Score
10/10

behavioral8

Score
1/10

behavioral9

gcleaner, mirai, botnet, discovery, loader
Score
10/10

behavioral10

gcleaner, discovery, loader
Score
10/10

behavioral11

discovery, persistence, vmprotect
Score
7/10

behavioral12

discovery, persistence, vmprotect
Score
7/10

behavioral13

formbook, g28p, discovery, rat, spyware, stealer, trojan
Score
10/10

behavioral14

discovery
Score
7/10

behavioral15

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral17

redline, dozkey, discovery, infostealer
Score
10/10

behavioral18

redline, dozkey, discovery, infostealer
Score
10/10

behavioral19

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral20

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral21

gcleaner, discovery, loader
Score
10/10

behavioral22

gcleaner, discovery, loader
Score
10/10

behavioral23

redline, dozkey, discovery, infostealer
Score
10/10

behavioral24

Score
1/10

behavioral25

gcleaner, discovery, loader
Score
10/10

behavioral26

gcleaner, discovery, loader
Score
10/10

behavioral27

discovery
Score
3/10

behavioral28

Score
1/10

behavioral29

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral30

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral31

formbook, a20e, discovery, execution, rat, spyware, stealer, trojan
Score
10/10

behavioral32

formbook, a20e, discovery, execution, rat, spyware, stealer, trojan
Score
10/10