Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

  • Size

    144KB

  • MD5

    9e9bb42a965b89a9dce86c8b36b24799

  • SHA1

    e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

  • SHA256

    08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

  • SHA512

    e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

  • SSDEEP

    3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

  Score

  10^/10

  zloaderbotnetdiscoverypersistencetrojan

  • Zloader family

    zloader

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1

• • Target

    0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

  • Size

    355KB

  • MD5

    b403152a9d1a6e02be9952ff3ea10214

  • SHA1

    74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

  • SHA256

    0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

  • SHA512

    0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

  • SSDEEP

    6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF

  Score

  3^/10

  discovery
  behavioral2

• • Target

    0di3x.exe

  • Size

    111KB

  • MD5

    bd97f762750d0e38e38d5e8f7363f66a

  • SHA1

    9ae3d7053246289ff908758f9d60d79586f7fc9f

  • SHA256

    d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

  • SHA512

    d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

  • SSDEEP

    1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs

  Score

  10^/10

  smokeloaderbackdoordiscoverytrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Smokeloader family

    smokeloader

  • Loads dropped DLL

  behavioral3

• • Target

    2019-09-02_22-41-10.exe

  • Size

    251KB

  • MD5

    924aa6c26f6f43e0893a40728eac3b32

  • SHA1

    baa9b4c895b09d315ed747b3bd087f4583aa84fc

  • SHA256

    30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

  • SHA512

    3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

  • SSDEEP

    6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

  Score

  10^/10

  smokeloaderbackdoordiscoverytrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Smokeloader family

    smokeloader

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral4

• • Target

    2c01b007729230c415420ad641ad92eb.exe

  • Size

    1.3MB

  • MD5

    daef338f9c47d5394b7e1e60ce38d02d

  • SHA1

    c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

  • SHA256

    5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

  • SHA512

    d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

  • SSDEEP

    24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

  Score

  7^/10

  discoverypersistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral5

• • Target

    31.exe

  • Size

    12.5MB

  • MD5

    af8e86c5d4198549f6375df9378f983c

  • SHA1

    7ab5ed449b891bd4899fba62d027a2cc26a05e6f

  • SHA256

    7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

  • SHA512

    137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

  • SSDEEP

    393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

  Score

  10^/10

  agenttesladanabotdharmaformbookgoziqakbotraccoon86920224w9zagilenetbankerbotnetcollectioncredential_accesscryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceprivilege_escalationransomwareratrezer0rm3spywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot family

    danabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Dharma family

    dharma

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Formbook family

    formbook

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi

  • Gozi family

    gozi

  • Qakbot family

    qakbot

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon

  • Raccoon Stealer V1 payload

  • Raccoon family

    raccoon

  • AgentTesla payload

  • CryptOne packer

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Formbook payload

    rat

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Renames multiple (536) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Adds policy Run key to start application

    persistence

  • Blocklisted process makes network request

  • Disables Task Manager via registry modification

    evasion

  • Drops file in Drivers directory

  • Looks for VMWare Tools registry key

    evasion

  • System Binary Proxy Execution: InstallUtil

    Abuse InstallUtil to proxy execution of malicious code.

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral6

• • Target

    3DMark 11 Advanced Edition.exe

  • Size

    11.6MB

  • MD5

    236d7524027dbce337c671906c9fe10b

  • SHA1

    7d345aa201b50273176ae0ec7324739d882da32e

  • SHA256

    400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

  • SHA512

    e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

  • SSDEEP

    196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4

  Score

  3^/10

  discovery
  behavioral7

• • Target

    42f972925508a82236e8533567487761.exe

  • Size

    3.7MB

  • MD5

    9d2a888ca79e1ff3820882ea1d88d574

  • SHA1

    112c38d80bf2c0d48256249bbabe906b834b1f66

  • SHA256

    8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

  • SHA512

    17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

  • SSDEEP

    98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

  Score

  10^/10

  asyncratbabylonratdarkcometnjratwarzonerat2020nov1nulldiscoveryevasioninfostealerpersistenceprivilege_escalationrattrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Babylon RAT

    Babylon RAT is remote access trojan written in C++.

    trojanbabylonrat

  • Babylonrat family

    babylonrat

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Njrat family

    njrat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Async RAT payload

    rat

  • Warzone RAT payload

    rat

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral8

• • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

  • SSDEEP

    6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

  Score

  10^/10

  discoverypersistenceransomwareupx

  • Renames multiple (190) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral9

• • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

  Score

  10^/10

  hakbitcredential_accessdiscoveryevasionexecutionransomwarespywarestealer

  • Disables service(s)

    evasionexecution

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit

  • Hakbit family

    hakbit

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  behavioral10

• • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

  Score

  10^/10

  revengeratexecutionstealertrojan

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Revengerat family

    revengerat

  • RevengeRat Executable

    stealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Uses the VBS compiler for execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Drops file in System32 directory

  behavioral11

• • Target

    948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

  • Size

    17KB

  • MD5

    aa0a434f00c138ef445bf89493a6d731

  • SHA1

    2e798c079b179b736247cf20d1346657db9632c7

  • SHA256

    948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

  • SHA512

    e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

  • SSDEEP

    384:rnhZ7/5eOHY9FmMoEIPJvnbisVK8ysLu2s2:bhdQOS8EIRmIa2

  Score

  10^/10

  revengeratpersistencestealertrojan

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Revengerat family

    revengerat

  • RevengeRat Executable

    stealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral12

• • Target

    95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe

  • Size

    260KB

  • MD5

    9e9719483cc24dc0ab94b31f76981f42

  • SHA1

    dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b

  • SHA256

    95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

  • SHA512

    83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

  • SSDEEP

    6144:HP2sOvpPfQUH6+SqpcH1lH0CIuK8AWaULcka:HPXOv9RH6fEcH1h0vuLNyk

  Score

  3^/10

  discovery
  behavioral13

• • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.exe

  • Size

    430KB

  • MD5

    a3cab1a43ff58b41f61f8ea32319386b

  • SHA1

    94689e1a9e1503f1082b23e6d5984d4587f3b9ec

  • SHA256

    005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

  • SHA512

    8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

  • SSDEEP

    6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

  Score

  8^/10

  discoveryexecutionpersistenceprivilege_escalationspywarestealer

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral14

• • Target

    DiskInternals_Uneraser_v5_keygen.exe

  • Size

    12.9MB

  • MD5

    17c4b227deaa34d22dd0addfb0034e04

  • SHA1

    0cf926384df162bc88ae7c97d1b1b9523ac6b88c

  • SHA256

    a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

  • SHA512

    691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

  • SSDEEP

    196608:zGeHGoZMYsFL0NBneaD/TuEIp8TnWh5bpe0RCQElmYzD9gXYToUdYZF0Nz6AV:yKGDYsdUBnTHLIpWnUeXQeEXU6s

  Score

  3^/10

  discovery
  behavioral15

• • Target

    ForceOp 2.8.7 - By RaiSence.exe

  • Size

    1.0MB

  • MD5

    0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

  • SHA1

    6bf1215ac7b1fde54442a9d075c84544b6e80d50

  • SHA256

    26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

  • SHA512

    54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

  • SSDEEP

    24576:sAOcZ1SxlW2YT6EtAcl0URqqqUeiG3STJq3n:64SK2YT6E1l0EqqqU1GwcX

  Score

  7^/10

  discovery

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  behavioral16

• • Target

    HYDRA.exe

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

  • SSDEEP

    49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

  Score

  10^/10

  smokeloaderbackdoordiscoverypersistencetrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Smokeloader family

    smokeloader

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral17

• • Target

    KLwC6vii.exe

  • Size

    17KB

  • MD5

    1ded740b925aa0c370e4e5bd02c0741f

  • SHA1

    64731e77b65da3eb192783c074afdcb6a0a245a8

  • SHA256

    a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db

  • SHA512

    fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e

  • SSDEEP

    384:fC68at8DHSXzdgcrS5RnVLeDbSbXsVKWyF5yN:p8MsIWtbeDGHY

  Score

  1^/10
  behavioral18

• • Target

    Keygen.exe

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

  • SSDEEP

    24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL

  Score

  10^/10

  discoveryexecution

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution
  behavioral19

• • Target

    Lonelyscreen.1.2.9.keygen.by.Paradox.exe

  • Size

    13.4MB

  • MD5

    48c356e14b98fb905a36164e28277ae5

  • SHA1

    d7630bd683af02de03aebc8314862c512acd5656

  • SHA256

    b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

  • SHA512

    278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

  • SSDEEP

    196608:t7JG5fYHJl9nhdOvPuAZxFa9dfoyG5euyHvf97+pbgEtBRNBL1LFWIHWdgku7:t7BXWGldf+Au6VGBjFmJq

  Score

  3^/10

  discovery
  behavioral20

• • Target

    LtHv0O2KZDK4M637.exe

  • Size

    10.6MB

  • MD5

    5e25abc3a3ad181d2213e47fa36c4a37

  • SHA1

    ba365097003860c8fb9d332f377e2f8103d220e0

  • SHA256

    3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

  • SHA512

    676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

  • SSDEEP

    196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK

  Score

  10^/10

  azorultrmsaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms

  • Rms family

    rms

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    lateral_movement

  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion

  • Boot or Logon Autostart Execution: Port Monitors

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    persistence

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Server Software Component: Terminal Services DLL

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasionexecution

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • Password Policy Discovery

    Attempt to access detailed information about the password policy used within an enterprise network.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Hide Artifacts: Hidden Users

    defense_evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral21

• • Target

    Magic_File_v3_keygen_by_KeygenNinja.exe

  • Size

    8.6MB

  • MD5

    80e5a163c5396401b58a3b24f2e00d38

  • SHA1

    589accaeeca95b8d69fa7bc14f402925dd338a6a

  • SHA256

    72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1

  • SHA512

    cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6

  • SSDEEP

    196608:t5N9rzUBJGKoeyIf6Rffyo5JDXdhz10MaIjP:jN9/EJQO6FX5JDXdhZ0Ma0

  Score

  3^/10

  discovery
  behavioral22

• • Target

    OnlineInstaller.exe

  • Size

    3.6MB

  • MD5

    4b042bfd9c11ab6a3fb78fa5c34f55d0

  • SHA1

    b0f506640c205d3fbcfe90bde81e49934b870eab

  • SHA256

    59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

  • SHA512

    dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

  • SSDEEP

    98304:ghXqJiXwwhwvxR7FI6wYroMUQrYeoFj6bjsKzZx7T7:ghXqsX3hs79bxiEbgKX7

  Score

  8^/10

  discovery

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Checks for any installed AV software in registry

  • Drops file in System32 directory

  behavioral23

• • Target

    Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

  • Size

    9.5MB

  • MD5

    edcc1a529ea8d2c51592d412d23c057e

  • SHA1

    1d62d278fe69be7e3dde9ae96cc7e6a0fa960331

  • SHA256

    970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d

  • SHA512

    c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab

  • SSDEEP

    196608:xQc+2jD8ZyCMeiA24G4jLonzU04DjmLy8OVKLlVT7H39:2c+cD4DMvA24PLMzU0+mLyJVKfX9

  Score

  3^/10

  discovery
  behavioral24

• • Target

    [email protected]

  • Size

    372KB

  • MD5

    2c959a0f9af72398f115f839397c3396

  • SHA1

    80b078a6b74a17e6147321f3b3104bf91b4262f2

  • SHA256

    cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206

  • SHA512

    511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c

  • SSDEEP

    3072:/drfV7YqW8waq6ciakIC/BwdrZ4P8Y5gla79yQ1yAnYgoFC3Wxl2G7mr3HWJtRIn:FrV7YqW83q6ciH/B6QZn8nTI

  Score

  10^/10

  icedidbankerdiscoveryloadertrojan

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid

  • Icedid family

    icedid

  • IcedID First Stage Loader

    loader
  behavioral25

• • Target

    SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869

  • Size

    486KB

  • MD5

    cde56cf0169830ee0059ee385c0c5eaf

  • SHA1

    08aacb48ffcdc6b49af18d01155982984de230f7

  • SHA256

    cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e

  • SHA512

    234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd

  • SSDEEP

    6144:o3uSkuqpikJJ0Zkt5GSd2OwuXz//71gJtpdY2/jF6qA6VSFzH0ZUH:vJuqIIoU5HdeuD//+3JcDqSFzz

  Score

  10^/10

  zloader05/05botnetdiscoverytrojan

  • Zloader family

    zloader

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  behavioral26

• • Target

    SecurityTaskManager_Setup.exe

  • Size

    2.9MB

  • MD5

    444439bc44c476297d7f631a152ce638

  • SHA1

    820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e

  • SHA256

    bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3

  • SHA512

    160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00

  • SSDEEP

    49152:4s+HgXcROcfipeyNcRmyQLCUOE+N+2JLKmltavtaKhGiD79l+90U:4s+9ROcapelxQLGEjscg6939l+V

  Score

  4^/10

  discovery
  behavioral27

• • Target

    Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

  • Size

    10.5MB

  • MD5

    8103aad9a6f5ee1fb4f764fc5782822a

  • SHA1

    4fb4f963243d7cb65394e59de787aebe020b654c

  • SHA256

    4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

  • SHA512

    e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

  • SSDEEP

    196608:CQq8NSRYBrs7LgUGCdpV9KhK7ByrkisRdslNn9YOa5QfKJIJM0hI/oVytz:CQq8NkYBCPGCdpbyK7ByrkikdsGOynq2

  Score

  3^/10

  discovery
  behavioral28

• • Target

    VyprVPN.exe

  • Size

    1.6MB

  • MD5

    f1d5f022e71b8bc9e3241fbb72e87be2

  • SHA1

    1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

  • SHA256

    08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

  • SHA512

    f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

  • SSDEEP

    24576:nTadGsNY1i8fWCsSpqq5M0bOk61uyG2CWm3U9X+Y0ttcN0sH2U9:nsGsm1qSp/MzRuI19X+Y0w39

  Score

  10^/10

  discoverypersistencespywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral29

• • Target

    WSHSetup[1].exe

  • Size

    898KB

  • MD5

    cb2b4cd74c7b57a12bd822a168e4e608

  • SHA1

    f2182062719f0537071545b77ca75f39c2922bf5

  • SHA256

    5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

  • SHA512

    7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

  • SSDEEP

    12288:vI3h+hoVEZnvy/hF4CMWZrU7S/iAfMIItotPP2rbPCrF7:vu+hIE9BYO7S/iAOtc4be

  Score

  3^/10

  discovery
  behavioral30

• • Target

    Yard.dll

  • Size

    400KB

  • MD5

    3cf481ccbb1019894fcbacb554f3bda1

  • SHA1

    63c11153ab0afb36703723c5121cd0e9b48ac6e8

  • SHA256

    c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675

  • SHA512

    628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0

  • SSDEEP

    6144:eUtz+achtLV3moKNkmxl2w3tgLCEpakLVF7Lsno1oVb67Yf2zBo3:Lz8ht5l0SuYLsAodqo2zBO

  Score

  10^/10

  zloadernut12/11botnetdiscoverytrojan

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Zloader family

    zloader

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader

  • Blocklisted process makes network request

  • Suspicious use of SetThreadContext

  behavioral31

• • Target

    b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe

  • Size

    209KB

  • MD5

    417457ac3e000697959127259c73ee46

  • SHA1

    e060125845cc1c4098f87632f453969ad9ec01ab

  • SHA256

    d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d

  • SHA512

    7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31

  • SSDEEP

    3072:tnwDl1lJiIPMUMEhTo6pWmuRdIDAP2Oh0oF14tO/m92B96W5ryx0d:y1DUUMETotmubnP2O314am92

  Score

  10^/10

  zloadercanadaloadsnerinobotnetdiscoverypersistencetrojan

  • Zloader family

    zloader

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader

  • Adds Run key to start application

    persistence

  • Blocklisted process makes network request

  • Suspicious use of SetThreadContext

  behavioral32