blacknet

Sharing

Copy URL

Twitter E-mail

General

Target

Unique_Icons_But_Unknown_Malware_2.rar
Size

2.3MB
Sample

241127-ltejwsykgx
MD5

5d4b7054cd11fb441757a5c52e41759b
SHA1

08956bd2dff30ecc33f7489ab9c1a8c142812e6c
SHA256

fa3f7a4c1502f499a481b56f5e7c185876626e3d00110d84e09652f98b776aff
SHA512

96fab5476cd758aa76c683810e485ae0adcdcbc9938f33ff71968367ef4664d62a79975cde6e5071427135a5073f11c1f55b36b73f88d86b96dcfd3e0ba13122
SSDEEP

49152:kdXUkI/XI52rHPNoZ/jV3DcVVcgGTYWLanJ6:aXk/IAzPMxDcVM8WLaJ6

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

cheat12.ddns.net:57

Mutex

a412988a99c974058615f1975119a5d1

Attributes

reg_key
a412988a99c974058615f1975119a5d1
splitter
|'|'|

Extracted

Family

blacknet

Botnet

HacKed

https://xblackeyex.000webhostapp.com/blacknet/

Mutex

BN[SNqrYexG-0655563]

Attributes

antivm
false
elevate_uac
false
install_name
svchost.exe
splitter
|BN|
start_name
17d5d9a29524a220af2c5580f0145c42
startup
false
usb_spread
false

Extracted

Family

pony

http://butterchoco.net/admin/bull/gate.php

Extracted

Family

gozi

Attributes

build
217161

Extracted

Family

gozi

Botnet

3170

oozoniteco.com

cetalischi.com

duvensteut.com

Attributes

build
217161
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Extracted

Path

F:\$RECYCLE.BIN\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/882e0978d5b5a724 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/882e0978d5b5a724 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- Zzu+vauA6/ddVKH/VS7qw+DJElFLaousV7CHTrG7nna+Bzzn9wXJWOx2jgRE7QPbf0LRUhyo4nvFNeArrhSpdhJadvW9PZ28x/fA4rtKaJyGBUY7NssFLGj/76ezBuAvE136xxJfFA7D9tsKVqpok/W2+1ScO0AHDsGysHDYOA+TqPT4fBYvySkDj+9ZPTgZuQ5oAVGwOFCcdgHx3+U+UwwBCOUd8gF12OmmI9J3kNupByZiMej0HoadFjm3prtAbuH3Rjbae19SFfZq/NBPDI6+Smty1ODP8nYYRthSOPLYo64BHjrXrjZvzQiW6GdG2lPDRdgIiWEX7YlgSFjc2eVroohtQe+W8oP1UT9leDFgTuzasc0hvL5iIMjb936lSVjPO7v+J6YFVb/rSX8qKT9RlqN+R+PDp5s4zGwVaFsamIfZhPNOZT2rkLTLEF3rdmr0tMk+kLk/5z+yZWtpWnS7gTo6fQUtJE6rOOhBGfod5xN1xXW2Ioh5Aj/3e75Kc/bDwLSf0gQtdcayDTC2sB0srbrsIiDWhNxg9R12EY236AdGAQUm4m/cs5Imv67kAu8fktCcfbkZa/2jK3NfmvkebDfzmrtjhmVzAZ8PCOLZxwo6lWllealYayoSzDsPfxqXVSW+Aqw03s1rZXeEkqaHwICom+n7KGuDg/2L1P9i79bqrzxbFb0hcATv2Z7uaZkX0vZ/zp5EUuU/YvwLi1k431VVdlS8ZBs5LpKYKdT4TSShVXhwDaUNUgW+rFrjvFI3qvELqvj/+GR8nAasJwrIli5ZZZoGEKkDWE9W++HsapvqgfZnXESLGDjPAUwWKlT1mTXWZspxZUnuvgHz/jAazN1nTr4Yzq5MqnHgftJ4eiUnDCx2st35q0wNL8/uLBJ2ySkzt/vK30CPYJp3P+omgL+TAktjJkBl+GVO/qmGgqkb1f7EOUlVdQqP+ztAUl8YPDp5O8IpitmgEXL8xWZnMUvzsRRcgznxPt5MMV08nJyOaU91UQFQar5Jy0sQ0yqktHPbKKqIevhj4i89az+puH6HMpzkESMpUyWidFzWRmUjqe+54LeKnbmeC1gwBOpuWnHHVqU3Lhy9hw41I+pOHYrKLqMowqidzKGqHfgT6sSIh/Z1B9fReGbnI8Hnc/GNPqr70n8A+026Wbw9L2VwfS5rqdHfd5YFEZJyepIl3QxBubZ6qQAIWVLPuUYPqp0zrG8SF5dMj7glLkYaqiva1HxZOzkk3mqLVCAgzNSboRk9ReMaaTgpi+FEX/qz1OCfvljcIano32Ap5QFWgAVhvqBmZ9G88guECW5w39m53kSIYqOpNY+8274oDirNSs1mXY1Sr16pcmDp7ksLoA5uPb1h0WSoLsgZ4f1FC188eYkfr5Hoj4W2JVt9wHmH4fZaJbMcX6JCRXu3+8x3jxrHHIBW9fnaOsib9Ib9fwDzyFeyM72PhnVT7Ng8oBYWIH1wcEmuccQ5oXAAgb48SlUpFbY48ErG60hEfpshTEzohXvayMuEGrgwuKuPBhrTW6y060AXlhi8KYl/Zj6aFI2uIAscXc8rJZvrxYkiM86gBH7rlpax1RZFqSpZq7NjzL24wkbHmMqECQZ2rpa99lDa6Hd62ng8k3uvf6CYk1S3Mv8DG+fC2ybVvt0OYUCQ0MU1Q5PlD87WqSOr4wA6tIRX/zXLri/kLqRbVZND01lMwbBO07SVzs69LIdwkOAZuABCHghGK2IrNpjXf0EMXJrRt616TvAmG1LBQAodnI3oDh8m4RABuJF0DZ/8BELEECVd1jcUd9FRMJUEYVIv6vS1Yqy1cMv93x89XDkjJerT29RC8TbfdYZLNxLYClJQDBT9Vhu4FXn9NQonEcoVyUqPj4NJHT8tkmy4UH3u/8PSRlifr7/ObwXdB9/1uhTj4iMp8m3h8Xrbn7LO84R+3TIMPKr+4r02HC2LLvNldN0236P/J5SsZMIYwDMkAeGGcJKetfRhNZX6YhZ5t5HQRwIu3MuYKtQtm7JF1btoWbyZ2yn4N4ivKE0JlxGareKoem2JkSaEOzj9Ph4dpwsDrfWg5gEP8r0a4YvMWj28x/VagQytUvKooloimjSE2VpEdBayfJFTobnftf0Yu5PXOJeePilrkX9HoKgR6euBRRGBEW5tjSYjKTcSpZ+xlKnQNPfdh1uWB1ddPVuieAreNj2cFQNLMlMxobm9X45YFSBziysQfLoF3JOzoMwGi+fX4qLcgAoiOAA4ADIAZQAwADkANwA4AGQANQBiADUAYQA3ADIANAAAABCAYBoMQQBkAG0AaQBuAAAAIhJWAE8AUgBIAFAAQgBBAEIAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD5ldx7eAuAAQGKAQUyLjAuOQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/882e0978d5b5a724

https://mazedecrypt.top/882e0978d5b5a724

Extracted

Path

F:\$RECYCLE.BIN\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/86ec097af9e9ce11 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/86ec097af9e9ce11 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- jO2X230ZRFV3HkEwNpEQlxK38Qu/V21wSLzcEGe12R6JYA6Z8cRviYlpF0trNnxSA+A8famVPw/Jnc3J1lUrB/+bbjduxit+3T4FsR8UDEnrvSEqCkwrotFSsueSSdZlhS6+YmgJJ6f7ZhpC/Sph5lPbVipVORi1ukvN9eCExhEW/Go7msw57gNeftnahczIsbe69CLzQVxLBHm5aaPtnarcxR7A6KGG/p5Ps0dYNK7N4lLAtHtUapHcnVobQkd1fBWVo0iRM2H+cfNVEjEdALF9wtTbp3ExbEKyNlqQyd0pA/bmbBWm/7wTtB8+TxFysg+Zp350WNYEptQOhdRU1JU1H2KYInjPSIBWhHguWYlg1trg1kg1kbcyM/C/gJCamMdaEe/kzOIDwg3gAgYcpd4VQ/CxPYM1bb+5yBLRnIIKq4jyDgyOLzKM4UN5cDul812g9zUabkrIFL3WGKI0+objCwUD8X9pyT3I2xGXk5NXDPFuvNPMtIRxvVlSp0d3r+N/pjL+KbcCClhOHIXtw0MLVEbPE7mQY/uj+l6eiD9F0Y1+FwpxjSooO8P5wwudBVdMsdiGyvoPiz9sHOBPe1kFp+YtTaxOMTVsK9j2BRLAO7EZfgExXEC5GhE7tHLCP0uWgagqORdXvfkKfNRpGheaIFnLBqioCmwIBJwbQ5/oRz9dSCuxgwpxqcZPPaK+PGNFJGR3LO4CVnMAvcyY0aylYR6vMbcnh9tsFIktsPo29R14/KNRL98p40FXEhtyiAtZjQCViyDa6xCDuTm0oFp/o9Zy90DC+/0fsmLFWe+cC45AMJhQj0+ynCQ3SKum8OsWSQYkxtao3iFyW7BK7YlePXvuDYK7BvXVX3RGerJsIuEKbXoVyhVwWhKgdosqKE1QWgW2bsxoeFCz1aePXRLM3HI+bCZUm28ibHa2PcjsNn1Mny1Frh9DspFZUo5zSrkyy8wiB2xapF+MLG03Gtr8bAdL1z7RB5eu5w0sscz7cbSSeGTWGSv0xucLUNlAIYbRdCIRkvH8taH0QkDsKb4k9Voc8c7NNF53X7qhSUnW45+KG/LfUhIWbm/oWq6b16C4Kvy/g+4bp6ykPBAPTf5485DIzO4Aji+yP+UjsIZyuvqBxBo/nufH+lRwJ+c79ep/XsUhPbtHOjRgccQllutZqruedwP8jYdmA8NiaY/HfbTUx4RxsEF+ILGbay/WpghGo3s0dJFjS0mGlu/FOdIo/44yFNq0Du3TJHAskOFYglJdAzacLf24z16GgpRrX4rYPEvg1iktVwFDTUsmEiRzQcmbBLj2uL22WDSCa0maRFpvHNdKSAvQawieW/xlTA6/ZtNp8D9V6DGwVcImgFykgJIh+4lMWEUb6LTo9Nn6a//PZrlpWea8SgkNRYduajGUblENFbYlgj6I9LYBNDmhnyj/ddMmBGtNlh26OW4CsEKRrunrgUWvZq5d3Szy8eVsvy57IAfoZLsynFJxTTUtDUE0v8iOMKzg1CSnnsA4tKW8mEHK2UhJ2WmWbOxgv2F1BjU8cLIz/QN4PFU6RKrcN48CQX6oYML2Q9HNwGDp/RvjLthBKjMIzXq69Ls9mlAU33XSkUQ+3Tk3U99IP7I4WUOV0BOmB3A5fp0wyyshJinY+Up1ACgxNkZ8qRmbagMA4px4SAWnCW75cyBr+yDt1PFfwPTaIrPdgri6zfOJNX/1N9de884ZDHald4b7PYI83weCCxXK9JR429XEsqXWhzJVXLcpyKDa0kuacR0sqlOb0lZ4Nq5/gOO90pC26k3jD2Qewgy8y4qpvXbZ5YwNqghDQEatI02Ekxnn9SCnSZ8gYLj3YZNw4LDYd3rA0hCVwRtpUOT3B5GEbkJfYG2wRhz8FN+snb4pt3g4S3uQ97BA5RTbCLQapK3XmLqwnc9BMp6XeGkujgzujp6uYpQofCQrL4Z8SW4Zno1f/dDaTPouDCH8OFCLZxcrCmEI4qstCwmj4l06nKUhYWIwAchmM7DKUZeQBSg88JsHVE5DsdAS9xsiSh+Q1qbk6fzJ2o2YO8gM8woOua6MDfldEJfpWA9SIJXnVYJl/q68tNHtyZZutxJutgcr8Vh1G+86JCodEBeksUKexgX1qtLpdsyOl2tWSGuZknkx0/EMHyT2LlWb5w+Z2bxDjccCQ59m8WspIVWD4Su+ggMZyLOp9t0x19d5L8xzwVowWFEnKCu+Hfy/tOUr4QAns4flSaAyFb2wMQoiOAA2AGUAYwAwADkANwBhAGYAOQBlADkAYwBlADEAMQAAABCAYBoMQQBkAG0AaQBuAAAAIhJIAEcATgBCAFcAQgBHAFcAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCVnwAQwBfAEYAXwAyADAANAA3ADkALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCTjeByeAuAAQGKAQUyLjAuOQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/86ec097af9e9ce11

https://mazedecrypt.top/86ec097af9e9ce11

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1pWIXSVxobqZoSDMKYuItyAIYUIZhxr8a

xor.base64

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://frameupds.info/rwrw66/1111z.php

Extracted

Family

crimsonrat

172.245.247.112

Targets

- Target
  
  0811cf7c2702af79720305f03bb4945d63bd4052d4d6df4aa4cf8e6418e5d9de.exe
- Size
  
  258KB
- MD5
  
  54465f04a6075b8e68f272d09b243e81
- SHA1
  
  49bee4626e538e0d7a0e034e36c04e5949ccddfd
- SHA256
  
  0811cf7c2702af79720305f03bb4945d63bd4052d4d6df4aa4cf8e6418e5d9de
- SHA512
  
  e177d2bd9fe7722a582e3c93ed9ccd25d9b0ebe0818b425d040088744aade3ae848f9ade3be28d70651af08484a9245b1db8fd2fb897f03c1d4c0332847dff0c
- SSDEEP
  
  3072:cmTn8N2QAzgfJkP7+TPbPT/vn/Q7rF48D2W6yop7+TPbPT/vn/Q7jF48DbF62Ime:cX7AYkkT47uC2Wno2T472CbFzXV
Score

9^/10

credential_access discovery ransomware spyware stealer
- Renames multiple (6813) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2
- Target
  
  0dd0b31f05bd8036791494372275f393714ac18bae0f8d26a808387a0fcfe224.exe
- Size
  
  184KB
- MD5
  
  9982685953def8f730e37c9fab083076
- SHA1
  
  0ff503764a952733f5f2c69cc4ebc9add47eb023
- SHA256
  
  0dd0b31f05bd8036791494372275f393714ac18bae0f8d26a808387a0fcfe224
- SHA512
  
  4a1dd5124e5655c5b060df8ddbe2e00c97fa047cf05472dfa5e75c2a2c8093f734b9674a62fd81967498b7155533a4415ec37cb334163f4bfe58e75797d7325c
- SSDEEP
  
  3072:LA1wctAHKZRX9k8KvdoItwUeQzpnGlRuu4KXIzPCyZXK0lNOzzzzzYZt1xrWfew:M1ltAHKZRX9YmuVeopnGh4zRZ/FZRdw
Score

7^/10

credential_access discovery spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral3 behavioral4
- Target
  
  1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0.exe
- Size
  
  188KB
- MD5
  
  fe3939ed3ab1b6c8e93187e9dedee944
- SHA1
  
  9d6d0fea98e4d6ba614d9c1bdc24d2e83451b228
- SHA256
  
  1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0
- SHA512
  
  7bd8efaa55c99728dd968c855b555a5816e17fd3c434f9dbdc3cf5458e3c273c812c4b366508e3e641ca5c1c68643fc5015d62a06b2812deb9bc21b8ce75c7f6
- SSDEEP
  
  3072:GqkghNWHKnYVpJBKvCzZpatl3QxP61p/JULwIjXaNKZRoW5vj/jh42qk:GqXmlpr6nnIj6KZRosLck
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  1c77a07e45b4f3e7f2b756c76df58a9d0f78785aa0f9e154074503398203c695.exe
- Size
  
  114KB
- MD5
  
  e534402738b11f52fd1991e2c63f816f
- SHA1
  
  5b166f3f830a9f6a3b2e581321c6541819c31771
- SHA256
  
  1c77a07e45b4f3e7f2b756c76df58a9d0f78785aa0f9e154074503398203c695
- SHA512
  
  b8c8c91c9846e54843098654f6ff52907c58424a8002a67cfe89af1b0905e4ac9c31afa3d407947acff14bc7aa42715f1dba2fb9f11d8e4728cf3823f831858d
- SSDEEP
  
  3072:Rg3cVWuLhZtblN5w1/zE5Id0bpeoXErZju:RdVWsfzO1gY0b7XErZ
Score

10^/10

eternity defense_evasion discovery evasion execution impact ransomware
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Eternity family
  eternity
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral7 behavioral8
- Target
  
  23f1c183af6a0322746465beeb83e79c30ba8f497cd52d60e2ed544bb7b39ebc.exe
- Size
  
  169KB
- MD5
  
  4f3006a594b5508cd7d86a8e3823aac3
- SHA1
  
  516cb26210726d34709d9a6749909ad025ff6727
- SHA256
  
  23f1c183af6a0322746465beeb83e79c30ba8f497cd52d60e2ed544bb7b39ebc
- SHA512
  
  24530cdb5fb808e5ff4e2e11a32a5f9ed1706ca66884fd077da60f6b5603cc6d5d1a5c574a3a12bcb2c6e1845c3744e86740dbb6bada90d979ff2d80c530cbd5
- SSDEEP
  
  3072:OO8I0hNYpeUoZnXJduG1SNHGM/H4B99VH5AxuGpMS83Q9LZV:0NY4UoZnXJduG1S40kDZAxuO8K
Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan hacked
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890.exe
- Size
  
  265KB
- MD5
  
  048df8f057b4ec78233640a09dd80e9b
- SHA1
  
  de16d030b3f5b067e5663eb1d75d2498c00d6817
- SHA256
  
  38e891599dad5b84356bad13b154ef7e26bb07aa651809a00369e52a54adc890
- SHA512
  
  d0cd4ce4c9d930866e269d9f44d44f79d24811d47cc700433c3611a287585b72fdc6d0ab38d07a1c3b76533d5ffd7756248d5ef68b7fe5c5218d631521d5e1b8
- SSDEEP
  
  3072:4OUEH7tRFNhHm/4FBVlhmhvXsk/GYtnkAtc3MmJNz7YaoXryNnv0uLT+K/5XK3mL:B7t9hpHlIt/GYiJV7Yaq2nvNLT7/I3m
Score

10^/10

gozi 3170 banker discovery isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
behavioral11 behavioral12
- Target
  
  3a13e092e9c857702ad930dbd32ff7e4819151b0eab88be26d0229d95a74b6db.exe
- Size
  
  184KB
- MD5
  
  bddda24ea5eb8c90d4515f455e15ccd2
- SHA1
  
  13643d56b16c171d46f3c5b23795d42714abcfb7
- SHA256
  
  3a13e092e9c857702ad930dbd32ff7e4819151b0eab88be26d0229d95a74b6db
- SHA512
  
  019d388cc938832a40b3b37bdbaeeca3dfa46916566adcd7f6aadaec053b0b9a19765b0ab64a3006a072dfe0c3892dd2efd88416c2ac576fe39bcc4fb670d701
- SSDEEP
  
  3072:93a8ANAzn6PkNQHxT8SZzITXXJeX6trAXy:93jYNUTHJeWAi
Score

4^/10

discovery
behavioral13 behavioral14
- Target
  
  3b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82.exe
- Size
  
  185KB
- MD5
  
  76ef16e94f77454aaffdfa4c700be85f
- SHA1
  
  9b45b3826706337a11e43248095fb2c62e42d14d
- SHA256
  
  3b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82
- SHA512
  
  4185cf9393877fd6d80ecfb7290c10d40a62fc7013d175e5fc91df56870500ea33b518e4f55b4e7d8a7865d3f7707fb5f49f621d5d944bb1edffda4734f99d53
- SSDEEP
  
  3072:fNCpBPbYsMn1mx6nWGdN6YROBxQo6PfSPgHvUJjX1qINSxT3OIpkApPxn:fNiGC6nWGdN6YO6Pf9vAjX1qINGLdRz
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806.exe
- Size
  
  506KB
- MD5
  
  65cf08ffaf12e47de8cd37098aac5b33
- SHA1
  
  68f823b5572c628d5f8b5b0665ed7d54d85b443f
- SHA256
  
  58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
- SHA512
  
  81850cc1cb702ea9833b5e1afd3c90b294969ea635b3dc6513c24fb6d88b38e6b7f47d39fc217cc645f70e7528b0eb08a1f9d29089b2792a30bbdbdaa1b0369c
- SSDEEP
  
  12288:ArrVAOlxCOHj4yyVgxhDOpAdvaiv/+24yX5dSwlK:ArZAzRyCaDPvbv/9Xa
Score

10^/10

maze credential_access defense_evasion discovery execution impact ransomware spyware stealer trojan
- Maze
  Ransomware family also known as ChaCha.
  trojan ransomware maze
- Maze family
  maze
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral17 behavioral18
- Target
  
  5ab93bd4225586706037be1870f84d4bd124b38df01f78de5648e3e0f30b8911.exe
- Size
  
  189KB
- MD5
  
  edf55c47be55365e15be64ed8240fbf0
- SHA1
  
  e240ec08e175e7a9739c4f3e3b9797c6f8f27d6a
- SHA256
  
  5ab93bd4225586706037be1870f84d4bd124b38df01f78de5648e3e0f30b8911
- SHA512
  
  aaa439ca2bcf0ee832f54942b37960f66262d696e4964244e5c3c47209c173de803de46e567efc9df5d2af34cafcf1049cd5a247c0049b6dfdaf5091b320247a
- SSDEEP
  
  1536:/y29YoWallrxCka5FMXKe0fobM/zrzhzrY:K297rVKFKKe0fobM/dg
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  6b06c25fc6181adf110e8109550698897836b5c429fe9b013b2e51a3abc05343.exe
- Size
  
  156KB
- MD5
  
  d6d75850a2ec8570b1e0217dde3b6ac7
- SHA1
  
  a695229c100ede35204da2081fff6769f4d30ecb
- SHA256
  
  6b06c25fc6181adf110e8109550698897836b5c429fe9b013b2e51a3abc05343
- SHA512
  
  2d9d2b6397498e9179b514fa5796f1297f128f658dec5c9635e12c91abcbe10ecd55b31072cec9c90514a120ca41b39e540400895b4aa2ae5ba87baac00b2bc4
- SSDEEP
  
  1536:nhoA+BcD5sIa36HMFlS31U7lTve2Ya2ChJKzOuIzGv:CA+mD5s13/HTvZnEJ
Score

10^/10

guloader discovery downloader guloader
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Guloader payload
  guloader
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  6cc8001c9b61f55dc390743a9a6adfe2de01efd983f68599b288d39d3bfb7207.exe
- Size
  
  156KB
- MD5
  
  693701db23a12f69c6f8a47fde7e8ada
- SHA1
  
  c72997afaf96010c2ba2a53631395fc355ffc252
- SHA256
  
  6cc8001c9b61f55dc390743a9a6adfe2de01efd983f68599b288d39d3bfb7207
- SHA512
  
  09471a5757098227780f6c8a9ca61cb4cf7f33c97858855f35332699e85e8c576e63630f98927887c61554cbb2ac94f91013b2c7fb7f5eae64709393eaefa2dd
- SSDEEP
  
  1536:s4plMDQqy8HvtyzXJCUJ1he3mDL0ZiZpBJ1fi/dPUZJ/CeXgiD3W38QsGK7MlZcw:LpmDRXvtMJCU7DzpBhJZMIB7aOQj
Score

1^/10
behavioral23 behavioral24
- Target
  
  73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
- Size
  
  212KB
- MD5
  
  43b55685945d2cecc170b850cf622038
- SHA1
  
  3b301a8a8a38dddd3cfb554b264342f9948102b0
- SHA256
  
  73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f
- SHA512
  
  ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65
- SSDEEP
  
  3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq
Score

10^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral25 behavioral26
- Target
  
  7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe
- Size
  
  82KB
- MD5
  
  71168fd55a8d0cc983b653566d942efc
- SHA1
  
  732906708ad72b0f41bbe8937d2b2014758dd18a
- SHA256
  
  7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0
- SHA512
  
  fe374f46eb82c7bed927b48b45896ae3a0d118171e2be248905e2e14306e0c85ae4b34521b1c0af90cb2bb6f7fe45800d289ce36b4921067aeea3e9c2a9a0842
- SSDEEP
  
  768:569iQap3x5Mt/+E6kmzVmh8uVHI5432rufLRoYFIk1eUwHXPmI+mL:o9m5Mt/+EtmzVs8ui+3IyRbykUHfFh
Score

10^/10

crimsonrat rat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral27 behavioral28
- Target
  
  7d6892645bc5ba581b2fff986b3e9371dd7298bab6aac890c99f80c8b1d78f0f.exe
- Size
  
  247KB
- MD5
  
  312e0a90fe8474691950d41e57bfb003
- SHA1
  
  f8185c7943c6e93b75c0cec34daf2eccd7db848b
- SHA256
  
  7d6892645bc5ba581b2fff986b3e9371dd7298bab6aac890c99f80c8b1d78f0f
- SHA512
  
  511b9029002da76cceaa9fc2a47aebfe6a365f3588614094ec8bddaaad80305fe79ba45d9a1cb23ca0c1d1572eb5106073fac033b644df5e867a13db69e39678
- SSDEEP
  
  3072:FYl5q4euWjwNpbF3onQ7twT12Hd+d9nVap5Ty6dz6m:yTqgWcbF/7twTWm64
Score

10^/10

blacknet hacked persistence trojan
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET payload
- Blacknet family
  blacknet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  9036aeb570b22497c0f937e7edcef624800426011f0193a2b78c7f124e3a4c7e.exe
- Size
  
  87KB
- MD5
  
  cd9dca1277ac7597aaff4d93c866692b
- SHA1
  
  2446eb432aee7ea6a387db50623bfa1c7dd9d515
- SHA256
  
  9036aeb570b22497c0f937e7edcef624800426011f0193a2b78c7f124e3a4c7e
- SHA512
  
  0e826ee27ffb6299071db1c363e48e81b9e5f8278d648048e95ee437ba23d127d63ec0cc67aeb25c74929c51d79ca24ab14d27756a76fd988758bf29f32ba9c7
- SSDEEP
  
  1536:IooxEzyAtoLcNDsWjcdYj5x0Et+supkyxFCELwDXFai2Q:I34FtJsc5N+sarLcf2Q
Score

3^/10

discovery
behavioral31 behavioral32