Extracted

Extracted

Extracted

Extracted

• • Target

    https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z

  Score

  10^/10

  agentteslagluptebahawkeyelokibotnanocorenetwireparallaxqakbotredlinebankerbotnetcollectiondefense_evasiondiscoverydropperevasionexecutionimpactinfostealerkeyloggerloaderpersistenceprivilege_escalationpyinstallerransomwareratrootkitspywarestealerthemidatrojanupx

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Disables service(s)

    evasionexecution

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Hawkeye family

    hawkeye

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Lokibot family

    lokibot

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Nanocore family

    nanocore

  • NetWire RAT payload

    rat

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire

  • Netwire family

    netwire

  • Parallax family

    parallax

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax

  • ParallaxRat payload

    Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

  • Qakbot family

    qakbot

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • AgentTesla payload

  • Contacts a large (65351) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Renames multiple (971) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Blocklisted process makes network request

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Modifies boot configuration data using bcdedit

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1