Extracted

Extracted

Extracted

• • Target

    take3.exe

  • Size

    14.3MB

  • MD5

    84c0ea78eb89b7abee5e03ae8ee708e4

  • SHA1

    91339bd35bd8f01868b8ff39d57b2f07fb050a0b

  • SHA256

    9f9cfe42a0768cc02609fcabf58b8ccce826d5d768e8c6d3a6728f543c4eac53

  • SHA512

    ca66588967874065481bbe80c262c55b3c831e3c95a1fb8830581765cc3dbeaa9d5608823aee899de316be9323a986e6866d399f9950af22e37efb527476436f

  • SSDEEP

    393216:KOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:b893hr1dQ53MG4VAHsT

  Score

  10^/10

  ammyyadminflawedammyylokibotnjratquasaroffice04collectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerratspywarestealertrojanupx

  • Ammyy Admin

    Remote admin tool with various capabilities.

    ratammyyadmin

  • AmmyyAdmin payload

  • Ammyyadmin family

    ammyyadmin

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy

  • Flawedammyy family

    flawedammyy

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • Lokibot family

    lokibot

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Njrat family

    njrat

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • UAC bypass

    evasiontrojan

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2