dharma

Resubmissions

27-11-2024 13:27

241127-qqdkmsvnhz 10

27-11-2024 09:28

241127-lfrx3atrgr 10

Sharing

Copy URL

Twitter E-mail

General

Target

Unique_Icons_But_Unknown_Malware.rar
Size

55.8MB
Sample

241127-lfrx3atrgr
MD5

9482d0b143b8cc0cb39c5caa948b965d
SHA1

f9e48d067999bbfb827cd94976c7a73b52719ff8
SHA256

abff8ad79e497aeb5787012b0b0b718324e98bff7e703071c9fe75d6e534b6d6
SHA512

5f00aa543d0073ad1db5b2b6a008d98f6c4e585aea93aff7eb492aa46a7f0c536abff669757063d6d7c7131d1e0dd618391561ec453f09e2196168a27406d1a4
SSDEEP

786432:4SHD1JF9dWPBvk7bpHaiT0MYV5WsP9tF7BV/KPgLZroAqmJZpC+uGixVM:4UDZ9dvd6HXXn9PKP0lFvC+unLM

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 997E9968 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Family

emotet

Botnet

Epoch2

24.196.49.98:80

93.147.141.5:443

72.189.57.105:80

91.250.96.22:8080

37.187.72.193:8080

104.131.44.150:8080

167.71.10.37:8080

27.109.153.201:8090

105.247.123.133:8080

190.12.119.180:443

120.151.135.224:80

221.165.123.72:80

103.86.49.11:8080

178.237.139.83:8080

5.32.55.214:80

95.213.236.64:8080

189.203.177.41:443

78.24.219.147:8080

190.117.226.104:80

73.11.153.178:8080

rsa_pubkey.plain

Targets

- Target
  
  04862185775476ae0b6f7e8a02133cb408d212ca17bbff5c20dcfdcf569b3dd9.exe
- Size
  
  633KB
- MD5
  
  54d2510dce5b4d827388d60df115b148
- SHA1
  
  dbdcfb4e9d929749027e14fa1fa78dae281d4f00
- SHA256
  
  04862185775476ae0b6f7e8a02133cb408d212ca17bbff5c20dcfdcf569b3dd9
- SHA512
  
  36dd1d765d034b19b2e81eead484fcc562430894f953e0e2e913cf47e917b2b9d102a0c273ec9febe6ab1f654b9d3fcf81c3acc7522fcbc17e92149399c01c6d
- SSDEEP
  
  6144:yP1SPCRMshMX8pU+E0zyvGJm8v9UDHO1lxAk5C1K4kzRNDa0/C+Lf61Znj:IzPpU4J6unxAKFRFfC+LiDj
Score

1^/10
behavioral1
- Target
  
  09bfd15145c9d8e39f99d3dfe98337a8c488dc334dfe195d27bdeb5b2459fd11.exe
- Size
  
  765KB
- MD5
  
  500ef53924b722ddb43632b0dd9070c9
- SHA1
  
  daf44813ae7f0792ccb3640cd4c700193daf6cf4
- SHA256
  
  09bfd15145c9d8e39f99d3dfe98337a8c488dc334dfe195d27bdeb5b2459fd11
- SHA512
  
  f7ace2a8e018ef576e98221b60ac9e99477b2e5ef7f323147c9f90c3f9a1639cd778eca4558491a2c4217001d52377fa8ec5ac2732ee362221c34c69c7610216
- SSDEEP
  
  12288:Xl26S0vAcB+UwoVSidDHeeIJoCnVRWJvdKLv8S2cZtWkHCmTBQk9TfXX4Jy0Ro0Y:VlS2jgvkTee8VRWJVKLvR2cbWaHTPXqy
Score

9^/10

persistence ransomware spyware stealer
- Renames multiple (3024) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral2
- Target
  
  141d93e2d408738bba4f523f60d6ead702424e7d62c34921c8a34150a31870aa.exe
- Size
  
  694KB
- MD5
  
  69d1816b669117f2bd58c44c3395d781
- SHA1
  
  4eb14f9bb555143671faef063da7f518a7493d94
- SHA256
  
  141d93e2d408738bba4f523f60d6ead702424e7d62c34921c8a34150a31870aa
- SHA512
  
  ea097012b4e0729e81f725b437c4b3d650b152ede8e7e27df3615941bbbd2c75346d1b51eb9308531343bd6d1bb6b553015a5805c964c61bc7372862a950806f
- SSDEEP
  
  12288:Dmrvzqs6OZxzLogi93gAuEaw5hMlvN79yb5wdhuEvKcpK85DOMJb4zzlj:Daqs6OZxzLogivMl7bvjpK85DOM+zl
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (321) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral3
- Target
  
  16c2807567b31c30288d92c0649ce78ea87434104bac72db407bb45bf65a4855.exe
- Size
  
  568KB
- MD5
  
  90b53ba29d2aa7f436059ef1103c2130
- SHA1
  
  db8a3b842a830e72bb4f067dd88aea76010d0704
- SHA256
  
  16c2807567b31c30288d92c0649ce78ea87434104bac72db407bb45bf65a4855
- SHA512
  
  fec790d618aa41cdb88fc407c3ddc5d652c103dbc65c9ae94edfd554a6a45d81352bf907e259fcb359eb29c7d4412f884337c3a14cb38516a280d3b554c4eb81
- SSDEEP
  
  12288:zNftIXXgD3gyO7Ibi/yQ0pF+T3r+ZgzGd5:zNfWXXgDWIbikpFy3rId5
Score

3^/10

discovery
behavioral4
- Target
  
  2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe
- Size
  
  1.5MB
- MD5
  
  b8f887a092b6bdcb1bd882e35164d1d7
- SHA1
  
  08152f67bf925a7478312d45a67f33116a6097b3
- SHA256
  
  2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95
- SHA512
  
  057b60f71a84c51d3112e553164d4a476f9488bd1369cec4405975b8cece83fe29d58342bd02ad17542ca1e38254f05dadca027ecbeb281d3b94ff198517dff7
- SSDEEP
  
  24576:7zwwr/TK4y3+HaxwUsgdYNLhzEnmfp499VYn6nTtEpR59qUN0i6OtH:78wra+ksgdYNLhYmfpaVYn6nTMR59VSi
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Jigsaw family
  jigsaw
- Renames multiple (1973) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
- Size
  
  583KB
- MD5
  
  74d4e0e6dcf5cc7942c35e630036af0c
- SHA1
  
  c7c4bb3907344aed022d181eb73f8fd812e06f88
- SHA256
  
  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
- SHA512
  
  110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb
- SSDEEP
  
  12288:5D+7m+CQXYm2o0PTYRPA6PHoVhVtknag6g6n+9iuE5vt+PC3H8H:I7mYRyGA6PIzVtknRJ6notmH8H
Score

10^/10

xorist credential_access discovery persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Renames multiple (35894) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral6
- Target
  
  419a809f42361b2fcff98eb6f201e54ecef532c9b378db06e999f54285032889.exe
- Size
  
  1.5MB
- MD5
  
  cfc9c44d0b4c399d84f24402ddd8394e
- SHA1
  
  c7fbb886991a6ecb68ccd32906361caab21610f5
- SHA256
  
  419a809f42361b2fcff98eb6f201e54ecef532c9b378db06e999f54285032889
- SHA512
  
  041834ef114ab6422ad3fdc8754b4dc62c2e6e96f6773cf8e0a9d7cd1da3c691da5a33edd429beee3e4d6a36bf38d9f6897e0ef026ec7e1b28881e13a5597b84
- SSDEEP
  
  12288:MHovgGspGZU+CaVy+AQVlR7Ud91D/rSCBaN6B11wIg/1vBLPHjFlWE7hnFI9q1U:dvt5CagTQVPO1LrfBk6BII83nWElr1U
Score

3^/10

discovery
behavioral7
- Target
  
  4b10fd0d5e4370dde456862f810e27b2be1f854356191b9893ab1a65f4af5358.exe
- Size
  
  624KB
- MD5
  
  b9ea663ffcfe1152bd6e9a452a4eaf14
- SHA1
  
  e45d164dfab4898baefa313ee53c360a7e850f30
- SHA256
  
  4b10fd0d5e4370dde456862f810e27b2be1f854356191b9893ab1a65f4af5358
- SHA512
  
  8fb37dc3ad80f46e83785988037a6f1801e4f326f23b1584bb3b3b4e58d7a489b55322e8ba2a8eba4ab627462802aadb83c3f392c6b3f4f32f0741ee675c0c5f
- SSDEEP
  
  6144:hzTCYruA1ohrPv8FG0+DVg5w83gSkdwPU0YnG3Fx+GaJ5674pIbVg73zf7ewvNwq:hzBCAnFfG83qEU0YGTcJ47Fmreu+Du
Score

10^/10

emotet epoch2 banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral8
- Target
  
  4d78c439ed8860a14aebcf79dfef27047a51fc36c514b40b48724cd9340ff6f7.exe
- Size
  
  6.5MB
- MD5
  
  14b6f391b8983ee29eae1b12046198fe
- SHA1
  
  7151e86314dc13dbbe1c933e561657a5f0659d8f
- SHA256
  
  4d78c439ed8860a14aebcf79dfef27047a51fc36c514b40b48724cd9340ff6f7
- SHA512
  
  f40ff4c506f17e9f387921e7c57bf518cc668a3f2bf57a5e71ddab12e17f1bc179d55dcbd2bbfcd6b4d805064e9af6481c54ceb254d203485e52cae9c5c6d5b9
- SSDEEP
  
  196608:RXYF+gp1DM9onJ5hrZER9xQ3jo4UR7+OjPw:mpNM9c5hlER9xA2RSOj
Score

7^/10
- Loads dropped DLL
behavioral9
- Target
  
  4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
- Size
  
  5.7MB
- MD5
  
  ef8e29925a165755db235f31092eb5e6
- SHA1
  
  3bae3a4c18c7d8baf0fca9b0a5e58b7785f33123
- SHA256
  
  4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663
- SHA512
  
  5ae5e1fa3bc54431dad5cfb16ea14ac7ac203265197af9ad181d0362dee248cd2e9de18da71a5712e97522c2eb3fa5c24629ebd418b2aadcc32c694237bc2200
- SSDEEP
  
  98304:yVWEpMFhfhIp8WIs6d0xCNj3DeoWhoWEEN2F5qh27OkgnQxdT6/dsjNUoWUP9O:zB1IdIs6dNN2oIoWEn/qhNk0H/dsaI9
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10
- Target
  
  597deecbe673c67d998825bdf4ddeca83f6fbb3bdccec91dabf4f9052713ac4d.exe
- Size
  
  838KB
- MD5
  
  b4f28f47e2115e7a578761f2d38fd079
- SHA1
  
  7bf97badf3eb26218bb13bfcafc30c956d18b56f
- SHA256
  
  597deecbe673c67d998825bdf4ddeca83f6fbb3bdccec91dabf4f9052713ac4d
- SHA512
  
  3fdc3bce35d80bd91dbbe816fd05be613cb1d5a2b2a234d0d0c7f862289b3f9ef5413c682f981d66df1ef0347e0b7f342d302aee52fa97d07b585442d2daf637
- SSDEEP
  
  24576:0y4sIMHgxyMCQW0zAqK1vaNOIEDTuy+Bt:KDMHgx/CQW0cqMva8IEDTuyc
Score

7^/10

agilenet discovery spyware stealer
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral11
- Target
  
  6b59edf464eaaeac4f4b2f43474e573694429f08c448db770618dc574b6171e8.exe
- Size
  
  536KB
- MD5
  
  11f3f3382708bc7235e4d72130bc16e4
- SHA1
  
  165459297e28175a41690fcf5f71642018a438c4
- SHA256
  
  6b59edf464eaaeac4f4b2f43474e573694429f08c448db770618dc574b6171e8
- SHA512
  
  0ccfd5ddbdc2b86d39a4e18bfeb9ef29e5ea4f904aa40f148eb761aa82f8d45a7c6c81fce09dbd8b605a96446b0c8d5eea07496fb52053c6404c5f92e3a3de32
- SSDEEP
  
  12288:kpKKP6WRDw6hPGUIrPiqK6UIrPiqK9h4u0hyZPAF:49PFdw6h+xjJRxjJj8P6
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
behavioral12
- Target
  
  7def3cd43d98a30a04f09be284cab8b8dbf96ecc2e78302f6c45ad524c41d7d8.exe
- Size
  
  6.5MB
- MD5
  
  145d87e44b5607f5cbe102d1f5afe333
- SHA1
  
  62f3e3e1535a1955853f4c2628cf31d99197bf1d
- SHA256
  
  7def3cd43d98a30a04f09be284cab8b8dbf96ecc2e78302f6c45ad524c41d7d8
- SHA512
  
  6edabdff5cb316045f20e4de4334e5e6f7aa2909436b94cd4da6f34929682caec31c6e4bdab1992399e9a97c48c51dd4ea2228c055bf523e9a661c710bdb5b4c
- SSDEEP
  
  196608:LrJnLa9onJ5hrZERVM+ENFJzFcguwW+W7THsC3k:NG9c5hlERVMRFJzFcgupl7TN
Score

7^/10

spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13
- Target
  
  96ba85326e2250f4e1cf07f5981bb96ea1383901663a6354899b5da0cd77b98a.exe
- Size
  
  6.7MB
- MD5
  
  09ed7ffe72f67fe9d02df3d31ecaf9c2
- SHA1
  
  fd9d56bb3d30986e41c12db7652dc6ade26bafe7
- SHA256
  
  96ba85326e2250f4e1cf07f5981bb96ea1383901663a6354899b5da0cd77b98a
- SHA512
  
  fdc4ded62ee81705cebab17b577ee63f404d230bd6f3fc9f5e08c671ce5bd0b0d643779dc351c2ecfa03394d59055992bcda907d6b2ce0cb1f9e2bf2c92497d9
- SSDEEP
  
  196608:wCHgeIs9onJ5hrZERlyiU8AdZYJERurTbqGnNqbm:is9c5hlERJAdZYygrvqG
Score

7^/10
- Loads dropped DLL
behavioral14
- Target
  
  97f1b6afb24cda22203275fc34bd07ba51170729edba8ee67bdb66a529574a2e.exe
- Size
  
  9.9MB
- MD5
  
  35c38b54ec41899c417ec3fcb06cccf4
- SHA1
  
  3dd53581b2120c467191267f23f021d9d939d899
- SHA256
  
  97f1b6afb24cda22203275fc34bd07ba51170729edba8ee67bdb66a529574a2e
- SHA512
  
  58010a01088e2817f278ba9c5dd3dc6e05f21c33d1d45797d170b712fdf183eccbd4d6eaee58f73b5eb79fc04b39089fc543cf60be259b62fab1a425ddd3eec4
- SSDEEP
  
  196608:UQBQji8WWzNfmRUJbeq/gEY8OA33+yzzRZa/viMRLpMXBMJTybG:NB06gNfuUB7/gk33+sz7KpRVGGJTWG
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15
- Target
  
  9906747639b782d738555a2522acd4a09ca8a3356f7848a4e68f284d888d891e.exe
- Size
  
  577KB
- MD5
  
  0a305e53c26f277a2afeb9cf4541f756
- SHA1
  
  be05166cf743ca175fb5a31ffefd384e4793ee76
- SHA256
  
  9906747639b782d738555a2522acd4a09ca8a3356f7848a4e68f284d888d891e
- SHA512
  
  677eb1db78cdcd19d1048669e9217d635454e0bf23c9577ef569e13a116526847663cba777e5f22f1b0466ea317fe406c5b3a1801ab3063a0892ad68abfca5f5
- SSDEEP
  
  12288:LBEZRnbrET0OeW5fw0q1Ybwv98ic+cy3GBX:LBmEYEVw0qTe8GX
Score

1^/10
behavioral16
- Target
  
  9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08.exe
- Size
  
  1.3MB
- MD5
  
  70117cfb0d652621da77c47c952fb81a
- SHA1
  
  3d841739fd18d02612851c10684631ddcdbc442c
- SHA256
  
  9e1609ab7f01b56a9476494d9b3bf5997380d466744b07ec5d9b20e416b10f08
- SHA512
  
  abaa63d29588b5fdd5fdc99b1a9eeeeb5ec32416b24054ea5111d960c483492e8b76fd5652d32d8bf6380a7a803916e3009c90ffae9988bee6c4f09b4b7a71d8
- SSDEEP
  
  24576:nTSTiRsBE12BIVpT2QhYpAILUo/g9QZqpMC3QVbIoTdWR8SfEuGujqZF13z8H81:nT7RseZDT2tSbvQsIbe8YVjPH81
Score

10^/10

mafiaware666 discovery ransomware
- Detect MafiaWare666 ransomware
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- Mafiaware666 family
  mafiaware666
- Renames multiple (99) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops desktop.ini file(s)
behavioral17
- Target
  
  b7fc91fc1fa6a53b1e5d97e21a7abefbde3ca7349d4db0fdbe15ec2702b1b737.exe
- Size
  
  6.7MB
- MD5
  
  80ed1719d442fc2171378203cf4a18d9
- SHA1
  
  460e8fe2a7cc6ce2ad7fce8efa646309c83b0f2d
- SHA256
  
  b7fc91fc1fa6a53b1e5d97e21a7abefbde3ca7349d4db0fdbe15ec2702b1b737
- SHA512
  
  a682fe3b247dca16b11329264749ce8f5fe3a9742dde70e19edff5eb72f0399f0502965c1bdea02d80428c989ccffba399146e27899ca79a16e49a44bde5468b
- SSDEEP
  
  196608:Wpl+gp1DM9onJ5hrZER9xQ3jo4UR7+cOKcAYuO:y3pNM9c5hlER9xA2RSccA
Score

7^/10
- Loads dropped DLL
behavioral18
- Target
  
  bf179bbd2ce7ca31e421334efa7d262e30dc16b9bb5cced1b8b18d119adc4425.exe
- Size
  
  1.7MB
- MD5
  
  3a7ee11b5c67258e478c564b6a54f3d0
- SHA1
  
  fc7448b0e35688c3181b71d41f7f0eb86ad23f09
- SHA256
  
  bf179bbd2ce7ca31e421334efa7d262e30dc16b9bb5cced1b8b18d119adc4425
- SHA512
  
  16e88c8095167279736b71074414a7598e3d7b776239f90fe1d6607886f176bc15eebd7cb7233f474455de4b078351f8691fdc94d47d5cbde0052de8f463036c
- SSDEEP
  
  49152:kHftXHrT6Qdbu/OUlYF+E7UAQndLI8oOHxPKalwx:k/t3f6QdbbUlYkzAQd8WxCaU
Score

3^/10

discovery
behavioral19
- Target
  
  cfc68c40f4631954894898633fd0c5a06c5ce5837eba7d4b56fc3514c01e124f.exe
- Size
  
  595KB
- MD5
  
  dedb7d290dc95b76d6daf34569d25522
- SHA1
  
  7bc1c4e3ca288a096ef9abb347238e904970a955
- SHA256
  
  cfc68c40f4631954894898633fd0c5a06c5ce5837eba7d4b56fc3514c01e124f
- SHA512
  
  bfae90fa15abd4513869f55a8b51501da68222b3475fdb77292130fa6da32c025983d5715e12572a8083f1f758336032483ec7cb9a388875e106105d7c6e2ac2
- SSDEEP
  
  12288:egYqC/dIVYS1QYMHy4Ijd1jF4sjMUUWp+GIMHg:hodIVyYMS4IjTljcO+hM
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  e6e948a0aa3605bbd636ccdfa56e771dfebafa1e150d84f96b1968f8803edbeb.exe
- Size
  
  853KB
- MD5
  
  4df094b7a875e5d2e7cb634752cd951d
- SHA1
  
  c088d58529b77f6670891f9ebb7af80da830c9ce
- SHA256
  
  e6e948a0aa3605bbd636ccdfa56e771dfebafa1e150d84f96b1968f8803edbeb
- SHA512
  
  a932b3ca31cf5457d73f9d73429610c24fafd60e69ce849e0e3de7e4ab1ffe464ba40182d903b8f7dd7f80202587be81871d8a5dfec7a4da2d030eb67d63872e
- SSDEEP
  
  12288:Btu7UAD3Qlp2MtIaM2QVA2DrYrgMDvsu/UJHI20KoGIVlGiL:T+V3ap2pDsPvsu/UJHTkF
Score

1^/10
behavioral21
- Target
  
  f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768.exe
- Size
  
  6.6MB
- MD5
  
  466b6ffd9a2098925c8727c60099626f
- SHA1
  
  9b1bef96aa713e21b0946506e2fcb6cede4bfc0b
- SHA256
  
  f02fe52119ff47fed2e52b28ec2c42a8eae8233b4c588c310dbaef3297b5d768
- SHA512
  
  005b6feed62de8a274ba5f2ef7904a0263e513dee18995a04cc4b5fbb746bc094bfd06f56f4aa8ef5e89793bc958a37d1bdb0c57327dae437f1ecb36b4534307
- SSDEEP
  
  196608:wjB8ZML/cWcIjvuK7qtigyegsZPc+3ZGe74rb8cWEDc:wjB8Z6cOv17qisRXcPWE4
Score

8^/10

discovery evasion execution persistence
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
behavioral22
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  b5a1f9dc73e2944a388a61411bdd8c70
- SHA1
  
  dc9b20df3f3810c2e81a0c54dea385704ba8bef7
- SHA256
  
  288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884
- SHA512
  
  b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8
- SSDEEP
  
  96:p7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNQ3e:lXhHR0aTQN4gRHdMqJVgNH
Score

3^/10

discovery
behavioral23
- Target
  
  $PLUGINSDIR/nsProcess.dll
- Size
  
  4KB
- MD5
  
  05450face243b3a7472407b999b03a72
- SHA1
  
  ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
- SHA256
  
  95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
- SHA512
  
  f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b
Score

3^/10

discovery
behavioral24
- Target
  
  secrehosted.exe
- Size
  
  6.7MB
- MD5
  
  c1b7d5a866e2c21c7bc6222328638cfc
- SHA1
  
  3c09adc17b23ec529951d467481afd495d227cdc
- SHA256
  
  0cedeb6633fdc8079cde76d2cc72bf98f0496c0dd644a7f215e59014b3dc5f4b
- SHA512
  
  7e47ea282cb82f003c92565ff9dc9d1cfcdbeeecd8668565eaecd4ef99e609083b3a0192bf01e8e13b467b53e266157cb61cc13c77f1ad169cec1cd141a28814
- SSDEEP
  
  196608:3YvW2URVICtO4SS2khNmunJI036/n+WWYBB:qWDkC8kTHKPQYP
Score

3^/10

discovery
behavioral25