Extracted

Extracted

Extracted

• • Target

    captured_malware/1Ptfo0FZUMT7hlK.exe

  • Size

    838KB

  • MD5

    bc302d910397e2d1092e47029d8f35df

  • SHA1

    9982779ea783defca4c9d3e95ddb92c11a838447

  • SHA256

    fefa01b761aa8ab9d5a79db0bc41cd8eaee972248cf52e4d5c2629998e9bc6e2

  • SHA512

    866c8af39462887223e03d630c4bf30d4bf9165493d972c8dd94a65f7858f521bee9bfa72b6804b860b235b8b957f7c7f523dad90277945b93d6f6a9f918f05f

  • SSDEEP

    12288:E2iNT/VnFXwSj7V2JHLKJpBUtVOSoHL0tOV0Yd03i/nRar2hBrNls9XOd4+QCaQV:E19/VnR7VQcpqtiAOnd0Ey2hgu

  Score

  10^/10

  xloaderqn6gdiscoveryloaderrat

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader family

    xloader

  • Xloader payload

    rat

  • Deletes itself

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    captured_malware/20210731_resign.apk

  • Size

    56.1MB

  • MD5

    87d07848d20f7992fb1c217f2986cbdc

  • SHA1

    80d40319ed064551e23bcb868e86a9b61d72d1c9

  • SHA256

    27a6ade69a73b20523b3cc3d2b85a266a5a07422389aa44e13828683ae13bb58

  • SHA512

    59ebac0d8bf0866f44fb64e5b4a7439cc730eadac8842f0314c8454b7e4d457cf7dec8ce143a82a16d609d6a999b9545b188e2742b940eaac1932ff9f11b5306

  • SSDEEP

    1572864:UyZwsSkJw8Cg8DVCUWKpEbdVCrmM2Q/7J:UwHR8wfVyRfJ

  Score

  1^/10
  behavioral3

• • Target

    captured_malware/33722.apk

  • Size

    17.1MB

  • MD5

    c369f5f057dd52fed0e365d25f4cadc9

  • SHA1

    3c84800f4cb79a0876230f9b563606596b4c8939

  • SHA256

    72114ecbd7f743e96d4c73fc038f44c125271362bd340d6c523ce0825c2f8628

  • SHA512

    c0f586b6921514335a9186e0371985649ed74c93fca066a13298f793b0b023902f006ec22702d749b3f62b6cb013d8c295ea0d53c6c53aa020647bcf6283d716

  • SSDEEP

    393216:hvVTG5OXY7BSegQYP/yiiYP0aUdX7UsNS3ExWNpiVYJQ0zXSbL:jeOXY7BSeg3P/SDXDSUx22YJQqXSbL

  Score

  3^/10

  discovery
  behavioral4behavioral5

• • Target

    captured_malware/33722.apk.1

  • Size

    31.1MB

  • MD5

    bb63b45e8eddc268b5060330d21c6486

  • SHA1

    984998477a4560f5e2f638fcae04b19e27733063

  • SHA256

    b0deef91dd3bb202f25da65d6f09121c05f746049e15ba32d76721bc378c6aca

  • SHA512

    be5b6d5eb70de3481230adaabe77e5888bde3257be177694739c5111c407f297e73a1cb5e97ad77cee591e3d6f870a43c63a9b963e614af6cba7f713988f2ee4

  • SSDEEP

    786432:jeOXY7BSeg3P/SDXDSUx22YJQqXSbEGbj6K2Ki4cnnrHKvE3g+BBB:jf3uSUxheSb3jp2KvIn

  Score

  1^/10
  behavioral6

• • Target

    captured_malware/33722.apk.2

  • Size

    31.1MB

  • MD5

    bb63b45e8eddc268b5060330d21c6486

  • SHA1

    984998477a4560f5e2f638fcae04b19e27733063

  • SHA256

    b0deef91dd3bb202f25da65d6f09121c05f746049e15ba32d76721bc378c6aca

  • SHA512

    be5b6d5eb70de3481230adaabe77e5888bde3257be177694739c5111c407f297e73a1cb5e97ad77cee591e3d6f870a43c63a9b963e614af6cba7f713988f2ee4

  • SSDEEP

    786432:jeOXY7BSeg3P/SDXDSUx22YJQqXSbEGbj6K2Ki4cnnrHKvE3g+BBB:jf3uSUxheSb3jp2KvIn

  Score

  1^/10
  behavioral7

• • Target

    captured_malware/33722.apk.3

  • Size

    31.1MB

  • MD5

    bb63b45e8eddc268b5060330d21c6486

  • SHA1

    984998477a4560f5e2f638fcae04b19e27733063

  • SHA256

    b0deef91dd3bb202f25da65d6f09121c05f746049e15ba32d76721bc378c6aca

  • SHA512

    be5b6d5eb70de3481230adaabe77e5888bde3257be177694739c5111c407f297e73a1cb5e97ad77cee591e3d6f870a43c63a9b963e614af6cba7f713988f2ee4

  • SSDEEP

    786432:jeOXY7BSeg3P/SDXDSUx22YJQqXSbEGbj6K2Ki4cnnrHKvE3g+BBB:jf3uSUxheSb3jp2KvIn

  Score

  1^/10
  behavioral8

• • Target

    captured_malware/5KNTQd5xFuY7hcE.exe

  • Size

    696KB

  • MD5

    94589c900f582c827be848f069c01983

  • SHA1

    bd1d7bd592b90f9322dd738daefb7306822cdeb3

  • SHA256

    04e127c5bdf94f075639d7f44badd25223f3ebeede44258367413d8463505020

  • SHA512

    9e830b9892a6c7cf605e7f5f6b91c7e9f33395e898c9d17436131ab3963709d192e6f39a8cdebec6fcac351c160c8aee430d52adcf983f08613f453f850975c7

  • SSDEEP

    12288:gtWrVHYuWorkU44r2nsjyqJBGKg3p/4F6tDnrJ/4WDO9XM4vuLR1xWWU8XBq3E:gFmB4yvODmevKWDe8UeBq3E

  Score

  10^/10

  xloaderqn6gdiscoveryloaderrat

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader family

    xloader

  • Xloader payload

    rat

  • Blocklisted process makes network request

  • Deletes itself

  • Suspicious use of SetThreadContext

  behavioral10behavioral9

• • Target

    captured_malware/6Dy0Bg4B9kkMsak.exe

  • Size

    1.3MB

  • MD5

    103d1cc218855c90217da5eab8cf7761

  • SHA1

    2ef02a66a694e86498710e84c81ab722b7b82e62

  • SHA256

    d4ac7a72eeea3ab4a778123b1ee1b804181a7d24b0e380f2874e68937de34cd6

  • SHA512

    359437ce7e7bd4ad15cf44bb3c186901a5c88bbaf4061e5dd8ae26777854175bd7e0df11b91278dbe37049598190ab7af5ecfacbe9c05339e6a17a8396ba06bd

  • SSDEEP

    24576:BsLS/d3PYdkAZhYpW1Vsvj/M9zx6U5cuR9A+mwRGPoN7vdiTbnFM:wrZhX1VC/M9F6U5cc9jm/PoiM

  Score

  10^/10

  agentteslacollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • AgentTesla payload

  • CustAttr .NET packer

    Detects CustAttr .NET packer in memory.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral11behavioral12

• • Target

    captured_malware/6th july.exe

  • Size

    780KB

  • MD5

    09f8303a0b3321883bd45bc8a306c8b1

  • SHA1

    983164073f1b89c80a328b11b574d2a1df9f5a4d

  • SHA256

    17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049

  • SHA512

    93cbd57bc4ef41e8174e072b2685e0825925848bb516430ae56c0950ea50fffac8206af0616b24243da78454b1d592b807bf2c99b22dccc6ab9dd109897a50fa

  • SSDEEP

    12288:cK1MfoCRVXN5GnTOdU+CHpZszsAI5arGXbqFEjUKcvLFK2yxjRSxo80i5h5HsX:cK+QCRBIcGXbqdvzyxjRCoxi5hWX

  Score

  10^/10

  xloaderaqu2discoveryexecutionloaderrat

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader family

    xloader

  • Xloader payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Suspicious use of SetThreadContext

  behavioral13behavioral14

• • Target

    captured_malware/77KpMaGlUit8zQl.exe

  • Size

    1.4MB

  • MD5

    3cbb3413f0326aba622bee17f556a293

  • SHA1

    b88d01c455322fd6d2d1e1dc04f691de95d044b2

  • SHA256

    b7259e9f3050809248c04326cc3af49d4eed3a0bd19c0905b32993a9c219bd3a

  • SHA512

    df1b6038dea11721b4389b31673e52ae9c6aa3f58f80b4b3c7dde90484bf2a6487e305cba22d3cd71e04660c39ee50078d8cb9c1373f3cbf28fdbb005355a497

  • SSDEEP

    24576:wmIkkua/yFuKR/lvecdFBWKUaLrIpBOJAs8CN/NcJWGEQuiNB/eJyM:wHVua/VlpB2DlcJWNQuiNB/eQ

  Score

  10^/10

  xloaderqn6gdiscoveryloaderrat

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader family

    xloader

  • Xloader payload

    rat

  • Deletes itself

  • Suspicious use of SetThreadContext

  behavioral15behavioral16

• • Target

    captured_malware/BuXTaVVWA5WdvtU.exe

  • Size

    1.3MB

  • MD5

    7c5e5f9ba055d8124f78cc32cd02d70f

  • SHA1

    25a5bc05d8e3c60bdeb0161176be10c3ace478ff

  • SHA256

    28e9c4ad5816632edc837be54ccb120cbb6206e888b6671bc3ab935f1684e203

  • SHA512

    50e4b61a8bc70f12b438a37340d802997ea8c5874ddbe8b909def09d87e2c1433164ef78e37fbf1b18cc89dee7b0d4fddf1ada346a127ccd142e9e561e757e03

  • SSDEEP

    24576:2tNS/d3bYdkadXVcZnGpBcJp8bjzC8IndPn+mwRGPoN7vdiTbnFM:SzlVcILc/8bjkF+m/PoiM

  Score

  10^/10

  agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • AgentTesla payload

  • CustAttr .NET packer

    Detects CustAttr .NET packer in memory.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    captured_malware/DBti7kFcOLHaK2z.exe

  • Size

    556KB

  • MD5

    a4579e15af982f864c88df0a1c1dbf0a

  • SHA1

    ede5c14efcb9bc3d863df6289e09f47ea7c65b1c

  • SHA256

    bc19e3e01dca70098a0d215f9ca4f7779ef62a76d2a4bfefe164dfd542035b0e

  • SHA512

    5b982af60e8e678742bcd722ba58840169529af8813411d2d958ea1718bc02ae79ee7e6484a5d0193ff3f89bd537e67014ee0d8210f371e645f9dfce161eb5b1

  • SSDEEP

    12288:ydv3BzKv38y51FvvpCeCqZLjkvWHBOlvbK3K2G2pv5E+t4bulI:yvKv33bvvpsc3kvWHAluK5k4WI

  Score

  3^/10

  discovery
  behavioral19behavioral20

• • Target

    captured_malware/EMU.exe

  • Size

    1.1MB

  • MD5

    9d950d95e33cda5789d549ae9f27d3a1

  • SHA1

    f96003fff605e13c18773741878b0a9f1a03a4c6

  • SHA256

    a09ad5ee3ef9214717004d7e8c2761a0a2f010e74755f4c99ab4be8d592794cc

  • SHA512

    db04584c57392bb453c99ba9f6a614b62a9727b33f2e55c05766e5004b2086f47399b938161d292b6439f079624c03ac501d44428d8209a90ce61eae7cabdbab

  • SSDEEP

    24576:xYHtb9SH7UHokfWOLVDtz/Pkg0n5f9l6PIYpbjb6:xYNbIUHokfrVtz/MD5FcxbH

  Score

  10^/10

  xloaderqn6gdiscoveryexecutionloaderrat

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader family

    xloader

  • Xloader payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Suspicious use of SetThreadContext

  behavioral21behavioral22

• • Target

    captured_malware/EgVhr9cVP2SFBEU.exe

  • Size

    554KB

  • MD5

    bfdc6b9626ebc50042b3aaa98f9e4b28

  • SHA1

    1baaccf5312e31af76226563d0888da5bd01eba0

  • SHA256

    08da3e0469aeef33e9297ba4e98c67717fdff972a31782ccf539da0bf026bfb0

  • SHA512

    afea425f09bd28bd2a1c6db997cb2f14534fd26af786f4bc861f5eb604b6fadeac1cf45b47f60d876b44774892f4904dfffb47bd31ed02e8b37c5c357abfdac3

  • SSDEEP

    12288:+G9BcAs40ifjOT75ItUf+v07/KrDgegG0:XBc9FiUNISK0LXG0

  Score

  3^/10

  discovery
  behavioral23behavioral24

• • Target

    captured_malware/Hlt9VTppbZE9UGs.exe

  • Size

    1.1MB

  • MD5

    3aa98571fcb0f1d734605cc6e2d8adf0

  • SHA1

    b48853c9e2eabbb5ba1c62563b46081a539088e2

  • SHA256

    4ac2dcd5ce04c588c08e4cd0350559bc8d5f7ff5c8302721619b74b39f61c786

  • SHA512

    83504c1a19851f99bd5cc12a7009c55b9a53a54eab94364e5954b621bc5f1838f52c042461816cf464c0b982d18bce1b40f1ff633a7932682d701a7a9e28c2b9

  • SSDEEP

    12288:O+jrpNOT6PI1Vp+ZdNr7LpQo0rEHlKKS6k6+JIELfLfaybj3lc+GEQqLiNBA6LT9:oVc+GEQuiNB/eJ9KuzVcIITSNG

  Score

  3^/10

  discovery
  behavioral25behavioral26

• • Target

    captured_malware/KVxnEZMWrmek1i6.exe

  • Size

    1.0MB

  • MD5

    71b6febdaccea66e739ead121613814a

  • SHA1

    10a055107d83f9bc7ae5dd0ba6cdb2f368c014cc

  • SHA256

    03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46

  • SHA512

    619ecad7a7425ffd8bd3e3b79d9869ed760501ff9e6cbc50fa5e533b3e3c372839ca37b170bf4e103631bd98a8764ce9e1d629af586b5bda9e1dde7e8ffcaf73

  • SSDEEP

    12288:0T7zT6Ffi0i/75/BH2djXOQ0mp0ptZJKI/W4YtPw72ygbSOTNdj5Ir5ctQfO001K:0T7yFfvi/75/BceQh0nZJKIuPQMTLIl

  Score

  3^/10

  discovery
  behavioral27behavioral28

• • Target

    captured_malware/P0weOPjsmVN5OCW.exe

  • Size

    964KB

  • MD5

    98967ce40ebd4dac5ec4c937b9c755a3

  • SHA1

    1bfb7de1afa9ecd50945cdc5b7305b63b36c1520

  • SHA256

    002d56a69567db513519d5b528da88133425214a569e6f758dd20ac7492374fb

  • SHA512

    f92611d13b4943888e517fa864734b208911b729c8c471276d8a73018e1bbd0e2270095a89e6fd5a86c21d00f2242878b2cb1a581c070893684051aa5394c12d

  • SSDEEP

    24576:rW5OadePnRlODOlZ9FME0XdgR10F33p2/:rydePnRltH/M9dg10p

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • AgentTesla payload

  • CustAttr .NET packer

    Detects CustAttr .NET packer in memory.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral29behavioral30

• • Target

    captured_malware/YCUMy7OsLy2HRs6.exe

  • Size

    1.4MB

  • MD5

    ed6c05676795aec8b92b73201c000b3b

  • SHA1

    04b28d1f45f0383780b2f80edfb8678d013b1f95

  • SHA256

    88adfc181742099b77f42fbe0de808397332c397edbe9174f3710d1899789b13

  • SHA512

    bf57069344790bf2ab91da81a94c85b2081595b6739451c01857bc01788d4c3ea9795b20d1f4019fa5c66d15f72ede9261db1150adda62d825a3bbb330516112

  • SSDEEP

    24576:7oREAJra/fx8DgMfx8DgksWWkoWIyC1H2KsEK+g9ZCvLL:m3JrW58DgM58DgKotyCxdsEuZCT

  Score

  10^/10

  agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • AgentTesla payload

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral31behavioral32