Overview

overview

10

Static

static

10

0811cf7c27...de.exe

windows7-x64

9

0dd0b31f05...24.exe

windows7-x64

7

1ad888606f...e0.exe

windows7-x64

3

1c77a07e45...95.exe

windows7-x64

10

23f1c183af...bc.exe

windows7-x64

10

38e891599d...90.exe

windows7-x64

10

3a13e092e9...db.exe

windows7-x64

4

3b9dabd99d...82.exe

windows7-x64

3

58fe9776f3...06.exe

windows7-x64

10

5ab93bd422...11.exe

windows7-x64

3

6b06c25fc6...43.exe

windows7-x64

10

6cc8001c9b...07.exe

windows7-x64

1

73ca5dd6d4...3f.exe

windows7-x64

10

7b931d48ea...f0.exe

windows7-x64

10

7d6892645b...0f.exe

windows7-x64

10

9036aeb570...7e.exe

windows7-x64

3

9b6289a8bf...2b.exe

windows7-x64

8

acf2b76704...a7.exe

windows7-x64

3

af2f191f8d...53.exe

windows7-x64

10

cc7045d9fe...ab.dll

windows7-x64

10

d1a6bd542d...a8.exe

windows7-x64

10

efe947e0a8...69.exe

windows7-x64

10

f13edd0b86...9f.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Unique_Icons_But_Unknown_Malware_2.rar

  • Size

    2.3MB

  • Sample

    241127-lbk9qatqcn

  • MD5

    5d4b7054cd11fb441757a5c52e41759b

  • SHA1

    08956bd2dff30ecc33f7489ab9c1a8c142812e6c

  • SHA256

    fa3f7a4c1502f499a481b56f5e7c185876626e3d00110d84e09652f98b776aff

  • SHA512

    96fab5476cd758aa76c683810e485ae0adcdcbc9938f33ff71968367ef4664d62a79975cde6e5071427135a5073f11c1f55b36b73f88d86b96dcfd3e0ba13122

  • SSDEEP

    49152:kdXUkI/XI52rHPNoZ/jV3DcVVcgGTYWLanJ6:aXk/IAzPMxDcVM8WLaJ6

Score
10/10
blacknetchaoscrimsonratdiamondfoxeternitygoziguloadermafiaware666mazenjratpony31707412hackedbankerbotnetcollectioncredential_accessdefense_evasiondiscoverydownloaderevasionexecutionguloaderimpactinfostealerisfbpersistenceprivilege_escalationransomwareratspywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cheat12.ddns.net:57

Mutex

a412988a99c974058615f1975119a5d1

Attributes
  • reg_key

    a412988a99c974058615f1975119a5d1

  • splitter

    |'|'|

Extracted

Family

blacknet

Botnet

HacKed

C2

https://xblackeyex.000webhostapp.com/blacknet/

Mutex

BN[SNqrYexG-0655563]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    svchost.exe

  • splitter

    |BN|

  • start_name

    17d5d9a29524a220af2c5580f0145c42

  • startup

    false

  • usb_spread

    false

Extracted

Family

pony

C2

http://butterchoco.net/admin/bull/gate.php

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1pWIXSVxobqZoSDMKYuItyAIYUIZhxr8a

xor.base64

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/1111z.php

Extracted

Family

crimsonrat

C2

172.245.247.112

Extracted

Family

gozi

Attributes
  • build

    217161

Extracted

Family

gozi

Botnet

7412

C2

signin.microsoft.com

aaaa.bar

cccc.casa

wwwww.bar
Attributes
  • base_path

    /jdraw/

  • build

    250211

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • extension

    .crw

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Family

gozi

Botnet

3170

C2

oozoniteco.com

cetalischi.com

duvensteut.com
Attributes
  • build

    217161

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      0811cf7c2702af79720305f03bb4945d63bd4052d4d6df4aa4cf8e6418e5d9de.exe

    • Size

      258KB

    • MD5

      54465f04a6075b8e68f272d09b243e81

    • SHA1

      49bee4626e538e0d7a0e034e36c04e5949ccddfd

    • SHA256

      0811cf7c2702af79720305f03bb4945d63bd4052d4d6df4aa4cf8e6418e5d9de

    • SHA512

      e177d2bd9fe7722a582e3c93ed9ccd25d9b0ebe0818b425d040088744aade3ae848f9ade3be28d70651af08484a9245b1db8fd2fb897f03c1d4c0332847dff0c

    • SSDEEP

      3072:cmTn8N2QAzgfJkP7+TPbPT/vn/Q7rF48D2W6yop7+TPbPT/vn/Q7jF48DbF62Ime:cX7AYkkT47uC2Wno2T472CbFzXV

    Score
    9/10
    credential_accessdiscoveryransomwarespywarestealer

    • Renames multiple (6789) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1

    • Target

      0dd0b31f05bd8036791494372275f393714ac18bae0f8d26a808387a0fcfe224.exe

    • Size

      184KB

    • MD5

      9982685953def8f730e37c9fab083076

    • SHA1

      0ff503764a952733f5f2c69cc4ebc9add47eb023

    • SHA256

      0dd0b31f05bd8036791494372275f393714ac18bae0f8d26a808387a0fcfe224

    • SHA512

      4a1dd5124e5655c5b060df8ddbe2e00c97fa047cf05472dfa5e75c2a2c8093f734b9674a62fd81967498b7155533a4415ec37cb334163f4bfe58e75797d7325c

    • SSDEEP

      3072:LA1wctAHKZRX9k8KvdoItwUeQzpnGlRuu4KXIzPCyZXK0lNOzzzzzYZt1xrWfew:M1ltAHKZRX9YmuVeopnGh4zRZ/FZRdw

    Score
    7/10
    credential_accessdiscoveryspywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer
    behavioral2

    • Target

      1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0.exe

    • Size

      188KB

    • MD5

      fe3939ed3ab1b6c8e93187e9dedee944

    • SHA1

      9d6d0fea98e4d6ba614d9c1bdc24d2e83451b228

    • SHA256

      1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0

    • SHA512

      7bd8efaa55c99728dd968c855b555a5816e17fd3c434f9dbdc3cf5458e3c273c812c4b366508e3e641ca5c1c68643fc5015d62a06b2812deb9bc21b8ce75c7f6

    • SSDEEP

      3072:GqkghNWHKnYVpJBKvCzZpatl3QxP61p/JULwIjXaNKZRoW5vj/jh42qk:GqXmlpr6nnIj6KZRosLck

    Score
    3/10
    discovery
    behavioral3

    • Target

      1c77a07e45b4f3e7f2b756c76df58a9d0f78785aa0f9e154074503398203c695.exe

    • Size

      114KB

    • MD5

      e534402738b11f52fd1991e2c63f816f

    • SHA1

      5b166f3f830a9f6a3b2e581321c6541819c31771

    • SHA256

      1c77a07e45b4f3e7f2b756c76df58a9d0f78785aa0f9e154074503398203c695

    • SHA512

      b8c8c91c9846e54843098654f6ff52907c58424a8002a67cfe89af1b0905e4ac9c31afa3d407947acff14bc7aa42715f1dba2fb9f11d8e4728cf3823f831858d

    • SSDEEP

      3072:Rg3cVWuLhZtblN5w1/zE5Id0bpeoXErZju:RdVWsfzO1gY0b7XErZ

    Score
    10/10
    eternitydefense_evasiondiscoveryevasionexecutionimpactransomware

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • Eternity family

      eternity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Disables Task Manager via registry modification

      evasion
    behavioral4

    • Target

      23f1c183af6a0322746465beeb83e79c30ba8f497cd52d60e2ed544bb7b39ebc.exe

    • Size

      169KB

    • MD5

      4f3006a594b5508cd7d86a8e3823aac3

    • SHA1

      516cb26210726d34709d9a6749909ad025ff6727

    • SHA256

      23f1c183af6a0322746465beeb83e79c30ba8f497cd52d60e2ed544bb7b39ebc

    • SHA512

      24530cdb5fb808e5ff4e2e11a32a5f9ed1706ca66884fd077da60f6b5603cc6d5d1a5c574a3a12bcb2c6e1845c3744e86740dbb6bada90d979ff2d80c530cbd5

    • SSDEEP

      3072:OO8I0hNYpeUoZnXJduG1SNHGM/H4B99VH5AxuGpMS83Q9LZV:0NY4UoZnXJduG1S40kDZAxuO8K

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe

    • Size

      265KB

    • MD5

      048df8f057b4ec78233640a09dd80e9b

    • SHA1

      de16d030b3f5b067e5663eb1d75d2498c00d6817

    • SHA256

      38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890

    • SHA512

      d0cd4ce4c9d930866e269d9f44d44f79d24811d47cc700433c3611a287585b72fdc6d0ab38d07a1c3b76533d5ffd7756248d5ef68b7fe5c5218d631521d5e1b8

    • SSDEEP

      3072:4OUEH7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:B7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m

    Score
    10/10
    gozi3170bankerdiscoveryisfbtrojan
    behavioral6

    • Target

      3a13e092e9c857702ad930dbd32ff7e4819151b0eab88be26d0229d95a74b6db.exe

    • Size

      184KB

    • MD5

      bddda24ea5eb8c90d4515f455e15ccd2

    • SHA1

      13643d56b16c171d46f3c5b23795d42714abcfb7

    • SHA256

      3a13e092e9c857702ad930dbd32ff7e4819151b0eab88be26d0229d95a74b6db

    • SHA512

      019d388cc938832a40b3b37bdbaeeca3dfa46916566adcd7f6aadaec053b0b9a19765b0ab64a3006a072dfe0c3892dd2efd88416c2ac576fe39bcc4fb670d701

    • SSDEEP

      3072:93a8ANAzn6PkNQHxT8SZzITXXJeX6trAXy:93jYNUTHJeWAi

    Score
    4/10
    discovery
    behavioral7

    • Target

      3b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82.exe

    • Size

      185KB

    • MD5

      76ef16e94f77454aaffdfa4c700be85f

    • SHA1

      9b45b3826706337a11e43248095fb2c62e42d14d

    • SHA256

      3b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82

    • SHA512

      4185cf9393877fd6d80ecfb7290c10d40a62fc7013d175e5fc91df56870500ea33b518e4f55b4e7d8a7865d3f7707fb5f49f621d5d944bb1edffda4734f99d53

    • SSDEEP

      3072:fNCpBPbYsMn1mx6nWGdN6YROBxQo6PfSPgHvUJjX1qINSxT3OIpkApPxn:fNiGC6nWGdN6YO6Pf9vAjX1qINGLdRz

    Score
    3/10
    discovery
    behavioral8

    • Target

      58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806.exe

    • Size

      506KB

    • MD5

      65cf08ffaf12e47de8cd37098aac5b33

    • SHA1

      68f823b5572c628d5f8b5b0665ed7d54d85b443f

    • SHA256

      58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806

    • SHA512

      81850cc1cb702ea9833b5e1afd3c90b294969ea635b3dc6513c24fb6d88b38e6b7f47d39fc217cc645f70e7528b0eb08a1f9d29089b2792a30bbdbdaa1b0369c

    • SSDEEP

      12288:ArrVAOlxCOHj4yyVgxhDOpAdvaiv/+24yX5dSwlK:ArZAzRyCaDPvbv/9Xa

    Score
    10/10
    mazecredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealertrojan
    behavioral9

    • Target

      5ab93bd4225586706037be1870f84d4bd124b38df01f78de5648e3e0f30b8911.exe

    • Size

      189KB

    • MD5

      edf55c47be55365e15be64ed8240fbf0

    • SHA1

      e240ec08e175e7a9739c4f3e3b9797c6f8f27d6a

    • SHA256

      5ab93bd4225586706037be1870f84d4bd124b38df01f78de5648e3e0f30b8911

    • SHA512

      aaa439ca2bcf0ee832f54942b37960f66262d696e4964244e5c3c47209c173de803de46e567efc9df5d2af34cafcf1049cd5a247c0049b6dfdaf5091b320247a

    • SSDEEP

      1536:/y29YoWallrxCka5FMXKe0fobM/zrzhzrY:K297rVKFKKe0fobM/dg

    Score
    3/10
    discovery
    behavioral10

    • Target

      6b06c25fc6181adf110e8109550698897836b5c429fe9b013b2e51a3abc05343.exe

    • Size

      156KB

    • MD5

      d6d75850a2ec8570b1e0217dde3b6ac7

    • SHA1

      a695229c100ede35204da2081fff6769f4d30ecb

    • SHA256

      6b06c25fc6181adf110e8109550698897836b5c429fe9b013b2e51a3abc05343

    • SHA512

      2d9d2b6397498e9179b514fa5796f1297f128f658dec5c9635e12c91abcbe10ecd55b31072cec9c90514a120ca41b39e540400895b4aa2ae5ba87baac00b2bc4

    • SSDEEP

      1536:nhoA+BcD5sIa36HMFlS31U7lTve2Ya2ChJKzOuIzGv:CA+mD5s13/HTvZnEJ

    Score
    10/10
    guloaderdiscoverydownloaderguloader

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Guloader payload

      guloader

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral11

    • Target

      6cc8001c9b61f55dc390743a9a6adfe2de01efd983f68599b288d39d3bfb7207.exe

    • Size

      156KB

    • MD5

      693701db23a12f69c6f8a47fde7e8ada

    • SHA1

      c72997afaf96010c2ba2a53631395fc355ffc252

    • SHA256

      6cc8001c9b61f55dc390743a9a6adfe2de01efd983f68599b288d39d3bfb7207

    • SHA512

      09471a5757098227780f6c8a9ca61cb4cf7f33c97858855f35332699e85e8c576e63630f98927887c61554cbb2ac94f91013b2c7fb7f5eae64709393eaefa2dd

    • SSDEEP

      1536:s4plMDQqy8HvtyzXJCUJ1he3mDL0ZiZpBJ1fi/dPUZJ/CeXgiD3W38QsGK7MlZcw:LpmDRXvtMJCU7DzpBhJZMIB7aOQj

    Score
    1/10
    behavioral12

    • Target

      73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe

    • Size

      212KB

    • MD5

      43b55685945d2cecc170b850cf622038

    • SHA1

      3b301a8a8a38dddd3cfb554b264342f9948102b0

    • SHA256

      73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f

    • SHA512

      ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65

    • SSDEEP

      3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq

    Score
    10/10
    discoveryexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral13

    • Target

      7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe

    • Size

      82KB

    • MD5

      71168fd55a8d0cc983b653566d942efc

    • SHA1

      732906708ad72b0f41bbe8937d2b2014758dd18a

    • SHA256

      7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0

    • SHA512

      fe374f46eb82c7bed927b48b45896ae3a0d118171e2be248905e2e14306e0c85ae4b34521b1c0af90cb2bb6f7fe45800d289ce36b4921067aeea3e9c2a9a0842

    • SSDEEP

      768:569iQap3x5Mt/+E6kmzVmh8uVHI5432rufLRoYFIk1eUwHXPmI+mL:o9m5Mt/+EtmzVs8ui+3IyRbykUHfFh

    Score
    10/10
    crimsonratrat

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • Crimsonrat family

      crimsonrat

    • Executes dropped EXE

    behavioral14

    • Target

      7d6892645bc5ba581b2fff986b3e9371dd7298bab6aac890c99f80c8b1d78f0f.exe

    • Size

      247KB

    • MD5

      312e0a90fe8474691950d41e57bfb003

    • SHA1

      f8185c7943c6e93b75c0cec34daf2eccd7db848b

    • SHA256

      7d6892645bc5ba581b2fff986b3e9371dd7298bab6aac890c99f80c8b1d78f0f

    • SHA512

      511b9029002da76cceaa9fc2a47aebfe6a365f3588614094ec8bddaaad80305fe79ba45d9a1cb23ca0c1d1572eb5106073fac033b644df5e867a13db69e39678

    • SSDEEP

      3072:FYl5q4euWjwNpbF3onQ7twT12Hd+d9nVap5Ty6dz6m:yTqgWcbF/7twTWm64

    Score
    10/10
    blacknethackedpersistencetrojan

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

      trojanblacknet

    • BlackNET payload

    • Blacknet family

      blacknet

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      9036aeb570b22497c0f937e7edcef624800426011f0193a2b78c7f124e3a4c7e.exe

    • Size

      87KB

    • MD5

      cd9dca1277ac7597aaff4d93c866692b

    • SHA1

      2446eb432aee7ea6a387db50623bfa1c7dd9d515

    • SHA256

      9036aeb570b22497c0f937e7edcef624800426011f0193a2b78c7f124e3a4c7e

    • SHA512

      0e826ee27ffb6299071db1c363e48e81b9e5f8278d648048e95ee437ba23d127d63ec0cc67aeb25c74929c51d79ca24ab14d27756a76fd988758bf29f32ba9c7

    • SSDEEP

      1536:IooxEzyAtoLcNDsWjcdYj5x0Et+supkyxFCELwDXFai2Q:I34FtJsc5N+sarLcf2Q

    Score
    3/10
    discovery
    behavioral16

    • Target

      9b6289a8bf3eab91297cc6d01215b06f4d979a81656eb80bc0ae6d3b7e8b112b.exe

    • Size

      86KB

    • MD5

      0fdc37659fc3457c7a5a65cd0a7f60df

    • SHA1

      80be5349ebe8ab391303cc4b9045ffbf7c8a4ce2

    • SHA256

      9b6289a8bf3eab91297cc6d01215b06f4d979a81656eb80bc0ae6d3b7e8b112b

    • SHA512

      22ffd409d8b802c6fe811d2afeaf29fb2922493a01edc8ec620224d5405e8a8e1bef9fb4784dff791269ee14aca4068324e869b221c48dfce4e4561bd82ba8c4

    • SSDEEP

      1536:za5jmXUnxNeqxUNzUpBnyduZFnb3IilknvMZGvbDYs6Wi7P+:e5jmXULeHN4pBf33IVvTbEs6Wi7P+

    Score
    8/10
    evasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      acf2b767040e546b689b4f1724569fd9992189ba2035654cfbf866b933e5b1a7.exe

    • Size

      253KB

    • MD5

      f5a44dcdc172eda48524f913e8a9b1b6

    • SHA1

      f57bd06d5d94a470d11daa7f8baa31a59e9cff00

    • SHA256

      acf2b767040e546b689b4f1724569fd9992189ba2035654cfbf866b933e5b1a7

    • SHA512

      ea74f74fa86dbe0a2a094b0389733655bbf39b902ab215fc52c72b788a5472c0541aa2f8d0f29c26cee0720f086682e01a83c7d21f87634f36d9dd6c16508cbd

    • SSDEEP

      6144:yvnWcO9CKmdUpn7OSZht+VN0Bd3YGZUyJAb4tYKBg:y/oCKmdUzht+VNUYGdtm

    Score
    3/10
    discovery
    behavioral18

    • Target

      af2f191f8d2199d74867e9b1b9071e677c91b24d529d17b83ff04d0f03098a53.exe

    • Size

      317KB

    • MD5

      ba86b03b4a7416194db00e101051273f

    • SHA1

      951e60b7acbb3c05f8e02bc0148abda7c8e22dca

    • SHA256

      af2f191f8d2199d74867e9b1b9071e677c91b24d529d17b83ff04d0f03098a53

    • SHA512

      48233e887d770dc074f6e2a91b04484c275afa548025d240b55de8516d4cc3fb40e083eedcef288e6791acfaadf14ae2d9fe9392185e3d2c4eb8a68446b19d62

    • SSDEEP

      6144:pbFCWw8bLymcsPKQ/bBltLL8+8jtmMBylDA0sa:XCWw8fyjWLZ/U8MBSb

    Score
    10/10
    diamondfoxbotnetdiscoveryinfostealerstealer

    • DiamondFox

      DiamondFox is a multipurpose botnet with many capabilities.

      botnetstealerdiamondfox

    • Diamondfox family

      diamondfox

    • DiamondFox payload

      Detects DiamondFox payload in file/memory.

      infostealer

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19

    • Target

      cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab.exe

    • Size

      256KB

    • MD5

      fcb53acd5fd1637a2ac1bc69f396e92c

    • SHA1

      a09432a56375c5a39856d59e402c3f8642edda7b

    • SHA256

      cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab

    • SHA512

      47bcd8326a65b2a50ee7a9691853c6a6d6a424ad4e0a7760794aa20c137450017793ed9756302666b6b1aed93048d879395a6fde2c95f9b9fc67ca4bd6e38116

    • SSDEEP

      3072:eb/VDsMK5SdPlKCXbkB9Kv1y5Gun6XKwRDcXEX55d2wNQ+XnwEf4bvuQ5OjrDGZt:WCoMRt6XKUSRACdOj57jY5jM9H8eGN

    Score
    10/10
    gozi7412bankerdiscoveryisfbtrojan
    behavioral20

    • Target

      d1a6bd542d3570297f37ef478a638a2c7e04645cfb66fef1abe8210aa41c48a8.exe

    • Size

      273KB

    • MD5

      1d96091dc25660ac8989193299659be7

    • SHA1

      bc95772709ad585d528e43de2af29ed0bb628841

    • SHA256

      d1a6bd542d3570297f37ef478a638a2c7e04645cfb66fef1abe8210aa41c48a8

    • SHA512

      8c47793a478b0aaf12353ee1f1b2883c0a64eba1511889d33a6782e47f0ac8755dc3b594f2a74820f155243f215f015eb216ef62b6500a8fe9cc0d9cbe0baaa2

    • SSDEEP

      3072:U+vMJOW7ySZS3XbhbbzPZEhIUejpSvA+jJwktRCoWvgDcephDZhAzN0V:6GSAHNbbdsjDIcHWvg4efvA

    Score
    10/10
    mafiaware666discoveryransomware

    • Detect MafiaWare666 ransomware

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

      ransomwaremafiaware666

    • Mafiaware666 family

      mafiaware666

    • Renames multiple (422) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops desktop.ini file(s)

    behavioral21

    • Target

      efe947e0a8842997d152af946ef0293a972cc11662f3c62a8461bc4a07427669.exe

    • Size

      161KB

    • MD5

      9e1da7b0d3c74f1d6d77a95557115e51

    • SHA1

      f3fe719be56d67edc3d44e21edbb4115d062ed0d

    • SHA256

      efe947e0a8842997d152af946ef0293a972cc11662f3c62a8461bc4a07427669

    • SHA512

      ec1be9c4cb3f0e0a439fd43fbc2d7e5e9383dbe6a3a0ead7092bc2b6eb63122d9a285c431847db1b20bfa09aa096c16ea822edab89c6ca7c145c7fc027237c51

    • SSDEEP

      3072:1MTLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndI:2TLFuD6fOXlql/GLJrqqndtndhndKndI

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral22

    • Target

      f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f.exe

    • Size

      188KB

    • MD5

      d158894d0bb726520cdd6a7fce485502

    • SHA1

      2f96ff31e88d76e28892f5e7289d7dab12355a57

    • SHA256

      f13edd0b86c095dfb681e8bf08d7df0d53d9fb4301f2ba65ae9706a0aaeefe9f

    • SHA512

      31c1c755e0506fccf08c07479e79fbb4b081b84684449e63d53eeaa3036edba741ce6d10f484ff82ec0dcd8a50b121b998211f3c661bc8747512a88688638350

    • SSDEEP

      3072:sgMAkr98bY+GC+4cGRJfnAi+dZMLwjezS0OtEoifN5l:mr98MQ+4cGRJonZgwGUM

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomware

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Chaos family

      chaos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (117) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

4
T1490

Tasks

static1

hackedeternitynjratblacknetmafiaware666ponychaos
Score
10/10

behavioral1

credential_accessdiscoveryransomwarespywarestealer
Score
9/10

behavioral2

credential_accessdiscoveryspywarestealer
Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

eternitydefense_evasiondiscoveryevasionexecutionimpactransomware
Score
10/10

behavioral5

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan
Score
10/10

behavioral6

gozi3170bankerdiscoveryisfbtrojan
Score
10/10

behavioral7

discovery
Score
4/10

behavioral8

discovery
Score
3/10

behavioral9

mazecredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealertrojan
Score
10/10

behavioral10

discovery
Score
3/10

behavioral11

guloaderdiscoverydownloaderguloader
Score
10/10

behavioral12

Score
1/10

behavioral13

discoveryexecution
Score
10/10

behavioral14

crimsonratrat
Score
10/10

behavioral15

blacknethackedpersistencetrojan
Score
10/10

behavioral16

discovery
Score
3/10

behavioral17

evasionpersistenceprivilege_escalation
Score
8/10

behavioral18

discovery
Score
3/10

behavioral19

diamondfoxbotnetdiscoveryinfostealerstealer
Score
10/10

behavioral20

gozi7412bankerdiscoveryisfbtrojan
Score
10/10

behavioral21

mafiaware666discoveryransomware
Score
10/10

behavioral22

ponycollectioncredential_accessdiscoveryratspywarestealer
Score
10/10

behavioral23

chaosdefense_evasionevasionexecutionimpactransomware
Score
10/10