General
-
Target
241105-dtxrgatbpg_pw_infected.zip
-
Size
132.7MB
-
Sample
241202-bgptzswpcr
-
MD5
136b5aad00be845ec166ae8f6343b335
-
SHA1
e51860dfb734c9715b6c9b74d9c582abe03ca90c
-
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
-
SHA512
ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
-
SSDEEP
3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
-
build_id
19
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
-
build_id
103
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
-
build_id
140
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
-
build_id
131
Extracted
cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
watermark
305419896
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
njrat
0.7d
HacKed
srpmx.ddns.net:5552
c6c84eeabbf10b049aa4efdb90558a88
-
reg_key
c6c84eeabbf10b049aa4efdb90558a88
-
splitter
|'|'|
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
njrat
0.7d
HACK
43.229.151.64:5552
6825da1e045502b22d4b02d4028214ab
-
reg_key
6825da1e045502b22d4b02d4028214ab
-
splitter
Y262SUCZ4UJJ
Extracted
darkcomet
2020NOV1
sandyclark255.hopto.org:35887
DC_MUTEX-6XT818D
-
InstallPath
excelsl.exe
-
gencode
n7asq0Dbu7D2
-
install
true
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
true
-
reg_key
office
Extracted
babylonrat
sandyclark255.hopto.org
Extracted
asyncrat
0.5.6A
null
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
adweqsds56332
-
delay
5
-
install
true
-
install_file
prndrvest.exe
-
install_folder
%AppData%
Extracted
warzonerat
sandyclark255.hopto.org:5200
Extracted
smokeloader
2017
http://92.53.105.14/
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
azorult
http://195.245.112.115/index.php
Extracted
formbook
4.0
w9z
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
gozi
-
build
300869
-
exe_type
loader
Extracted
gozi
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Targets
-
-
Target
241105-dtxrgatbpg_pw_infected.zip
-
Size
132.7MB
-
MD5
136b5aad00be845ec166ae8f6343b335
-
SHA1
e51860dfb734c9715b6c9b74d9c582abe03ca90c
-
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
-
SHA512
ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
-
SSDEEP
3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Score1/10 -
-
-
Target
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337
-
Size
143.9MB
-
MD5
c572596b2caadbc11672ff12af226635
-
SHA1
57a176459d3f24cf94810efbb6511abca2e7dce2
-
SHA256
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337
-
SHA512
d112c32cab043308c8707350679af122a3af504386e3f7ee846c72edbc2e2fd2e825023d5bc0e793853a065df159dfd35c8e32e5370b03cdfa59ab7aa05cd5c6
-
SSDEEP
3145728:mdmtZSmWUMbLPnDwOqs0ykYmO67RUQ0UEsYf2XH:hSmhMbL/N0y4z0UdH
Score1/10 -
-
-
Target
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
-
Size
144KB
-
MD5
9e9bb42a965b89a9dce86c8b36b24799
-
SHA1
e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
-
SHA256
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
-
SHA512
e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
-
SSDEEP
3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY
Score10/10-
Zloader family
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
-
Size
355KB
-
MD5
b403152a9d1a6e02be9952ff3ea10214
-
SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
-
SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
-
SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
-
SSDEEP
6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF
Score3/10 -
-
-
Target
0di3x.exe
-
Size
111KB
-
MD5
bd97f762750d0e38e38d5e8f7363f66a
-
SHA1
9ae3d7053246289ff908758f9d60d79586f7fc9f
-
SHA256
d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
-
SHA512
d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39
-
SSDEEP
1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Loads dropped DLL
-
-
-
Target
201106-9sxjh7tvxj_pw_infected.zip
-
Size
162KB
-
MD5
be3fb61218c3f159acc5d2715662eef7
-
SHA1
c34ed3d26f606e0b59c5c6712a17638185f7db07
-
SHA256
b99f3781093d168fe884a5e9578589628d9df871f08aedc6cacddfb223339cb2
-
SHA512
94198ae99c40d9272ef30865f58fff78c919fd593625666c1c118e38cea73e91777148ea3167761565f9ab31693e3dc87893b5616ac39e7a84b38e616bee22a4
-
SSDEEP
3072:5gOrQAaFT9LjOAfocXVEvn7EAS2jePWkwlfBGk9JTwcJIVPlPGSdKNtZcRPAkSxo:RQ5FVOncF2SDPWkwfGk9JTwc2VRGkmtm
Score1/10 -
-
-
Target
2019-09-02_22-41-10.exe
-
Size
251KB
-
MD5
924aa6c26f6f43e0893a40728eac3b32
-
SHA1
baa9b4c895b09d315ed747b3bd087f4583aa84fc
-
SHA256
30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
-
SHA512
3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
-
SSDEEP
6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
2c01b007729230c415420ad641ad92eb.exe
-
Size
1.3MB
-
MD5
daef338f9c47d5394b7e1e60ce38d02d
-
SHA1
c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e
-
SHA256
5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58
-
SHA512
d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4
-
SSDEEP
24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Hawkeye family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
31.exe
-
Size
12.5MB
-
MD5
af8e86c5d4198549f6375df9378f983c
-
SHA1
7ab5ed449b891bd4899fba62d027a2cc26a05e6f
-
SHA256
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
-
SHA512
137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
-
SSDEEP
393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V1 payload
-
Raccoon family
-
AgentTesla payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Formbook payload
-
Looks for VirtualBox Guest Additions in registry
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
3DMark 11 Advanced Edition.exe
-
Size
11.6MB
-
MD5
236d7524027dbce337c671906c9fe10b
-
SHA1
7d345aa201b50273176ae0ec7324739d882da32e
-
SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
-
SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
-
SSDEEP
196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4
Score3/10 -
-
-
Target
42f972925508a82236e8533567487761.exe
-
Size
3.7MB
-
MD5
9d2a888ca79e1ff3820882ea1d88d574
-
SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66
-
SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
-
SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
-
SSDEEP
98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Babylonrat family
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Njrat family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Warzone RAT payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
SSDEEP
6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
6306868794.bin.zip
-
Size
698KB
-
MD5
b63a1d3001cc1a5bcc2104ecb8eb5d53
-
SHA1
d04ebc24cc00ea67870c9eef92de7c5adf4c65d5
-
SHA256
56b423e8f7e99ce24a6250507b1ac9e4476837a32f0518ebc5474eaeb9ecaa78
-
SHA512
29be52929db5bd0e8d85e10696c08ded581213c5e2e97eb3e72e32ddc5861aa8f9c6d20a1ec9a81c442a4319491500dc91345c6879651b5cc546294cd12f0b2e
-
SSDEEP
12288:OZVZvijaJxMV5DH6Asfuez5GxNmHUguf4OkEokPhuDIX7dCjBb3RcN7VI:2iGJxMV5ThsGeFykCf4OIiusXhCh3RcM
Score1/10 -
-
-
Target
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
-
SSDEEP
1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Score10/10-
Disables service(s)
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Hakbit family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
-
Size
21KB
-
MD5
6fe3fb85216045fdf8186429c27458a7
-
SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710
-
SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
-
SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
-
SSDEEP
384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1
Score10/10-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in System32 directory
-
-
-
Target
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
-
Size
17KB
-
MD5
aa0a434f00c138ef445bf89493a6d731
-
SHA1
2e798c079b179b736247cf20d1346657db9632c7
-
SHA256
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
-
SHA512
e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952
-
SSDEEP
384:rnhZ7/5eOHY9FmMoEIPJvnbisVK8ysLu2s2:bhdQOS8EIRmIa2
Score10/10-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
-
Size
260KB
-
MD5
9e9719483cc24dc0ab94b31f76981f42
-
SHA1
dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b
-
SHA256
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
-
SHA512
83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309
-
SSDEEP
6144:HP2sOvpPfQUH6+SqpcH1lH0CIuK8AWaULcka:HPXOv9RH6fEcH1h0vuLNyk
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
Archive.zip__ccacaxs2tbz2t6ob3e.exe
-
Size
430KB
-
MD5
a3cab1a43ff58b41f61f8ea32319386b
-
SHA1
94689e1a9e1503f1082b23e6d5984d4587f3b9ec
-
SHA256
005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
-
SHA512
8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
-
SSDEEP
6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR
Score8/10-
Downloads MZ/PE file
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
CVE-2018-15982_PoC.swf
-
Size
12KB
-
MD5
82fe94beb621a4368e76aa4a51998c00
-
SHA1
b7c79b8f05c3d998e21d01b07b9ba157160581a9
-
SHA256
c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb
-
SHA512
055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27
-
SSDEEP
192:gR6qPBBRRcrxFx/pHPn9moz7p/+tqHM41rftZDBLj9b5d/:gwqDcLx/pH/IoBiqH/BfbDBLj9b5h
Score3/10 -
-
-
Target
DiskInternals_Uneraser_v5_keygen.exe
-
Size
12.9MB
-
MD5
17c4b227deaa34d22dd0addfb0034e04
-
SHA1
0cf926384df162bc88ae7c97d1b1b9523ac6b88c
-
SHA256
a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e
-
SHA512
691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c
-
SSDEEP
196608:zGeHGoZMYsFL0NBneaD/TuEIp8TnWh5bpe0RCQElmYzD9gXYToUdYZF0Nz6AV:yKGDYsdUBnTHLIpWnUeXQeEXU6s
Score3/10 -
-
-
Target
E2-20201118_141759.zip
-
Size
148KB
-
MD5
fa541ef43e1473d845aa50ccaba6aa23
-
SHA1
df7704aec365df548379c91a721d31989d8d4ef1
-
SHA256
948ae9b9e469c0df7478cf8840a78869299e59ffd85b581840b39abc89760001
-
SHA512
2b8b5dda4c387ca02f31b4e7a2f5a5935163ec158b614bf042d6985fa5da1474e6ff23db4e8561a6f573e9d4482cc2de0e5e4da1a49d19108e8f27139690b8f5
-
SSDEEP
3072:PCWcu3nJryPqmiLotuF9e0kYIMeZke4OsqprU2sz7xQL+OqmwjilD:KWcu3JrEqToUFMg1OsqxU22qL+p1MD
Score1/10 -
-
-
Target
ForceOp 2.8.7 - By RaiSence.exe
-
Size
1.0MB
-
MD5
0a88ebdd3ae5ab0b006d4eaa2f5bc4b2
-
SHA1
6bf1215ac7b1fde54442a9d075c84544b6e80d50
-
SHA256
26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680
-
SHA512
54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37
-
SSDEEP
24576:sAOcZ1SxlW2YT6EtAcl0URqqqUeiG3STJq3n:64SK2YT6E1l0EqqqU1GwcX
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
HYDRA.exe
-
Size
2.6MB
-
MD5
c52bc39684c52886712971a92f339b23
-
SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11
-
SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
-
SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
-
SSDEEP
49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
KLwC6vii.exe
-
Size
17KB
-
MD5
1ded740b925aa0c370e4e5bd02c0741f
-
SHA1
64731e77b65da3eb192783c074afdcb6a0a245a8
-
SHA256
a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db
-
SHA512
fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e
-
SSDEEP
384:fC68at8DHSXzdgcrS5RnVLeDbSbXsVKWyF5yN:p8MsIWtbeDGHY
Score1/10 -
-
-
Target
Keygen.exe
-
Size
849KB
-
MD5
dbde61502c5c0e17ebc6919f361c32b9
-
SHA1
189749cf0b66a9f560b68861f98c22cdbcafc566
-
SHA256
88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
-
SHA512
d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
-
SSDEEP
24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL
Score10/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
-
-
Target
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
-
Size
13.4MB
-
MD5
48c356e14b98fb905a36164e28277ae5
-
SHA1
d7630bd683af02de03aebc8314862c512acd5656
-
SHA256
b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
-
SHA512
278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b
-
SSDEEP
196608:t7JG5fYHJl9nhdOvPuAZxFa9dfoyG5euyHvf97+pbgEtBRNBL1LFWIHWdgku7:t7BXWGldf+Au6VGBjFmJq
Score3/10 -
-
-
Target
LtHv0O2KZDK4M637.exe
-
Size
10.6MB
-
MD5
5e25abc3a3ad181d2213e47fa36c4a37
-
SHA1
ba365097003860c8fb9d332f377e2f8103d220e0
-
SHA256
3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
-
SHA512
676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
-
SSDEEP
196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies visiblity of hidden/system files in Explorer
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
UAC bypass
-
Windows security bypass
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
XMRig Miner payload
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
Magic_File_v3_keygen_by_KeygenNinja.exe
-
Size
8.6MB
-
MD5
80e5a163c5396401b58a3b24f2e00d38
-
SHA1
589accaeeca95b8d69fa7bc14f402925dd338a6a
-
SHA256
72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1
-
SHA512
cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6
-
SSDEEP
196608:t5N9rzUBJGKoeyIf6Rffyo5JDXdhz10MaIjP:jN9/EJQO6FX5JDXdhZ0Ma0
Score3/10 -
-
-
Target
Malware
-
Size
183KB
-
MD5
28334841e31d428d689465dc64f15307
-
SHA1
8c84f0d662d71a6e421e767e68eb60d2854f7722
-
SHA256
53c6cfe9358749d0550adebd63c3461c12910dafbc27bff25c8a5d096dd5413d
-
SHA512
b2985c353b32eb1de95b0ec992e7b704fdda81f9f77eb335d9d22deb479b78f0f246f65d0b659fdea26912ef23a9124cc1f5142c9cdb1b9b97cafb4d457eb8d8
-
SSDEEP
3072:JoDuqQ45BbpadYUadYmadY5ldNowdcHUWtDtLtxtDtyjtqtWnwebS6U4dEUKda0y:eDuqQ4/bpaqUaqmaq5ldNowdcHU+hp/E
Score1/10 -
-
-
Target
REVENGE-RAT.js.zip
-
Size
134KB
-
MD5
98967fb850d6fe8346f8b40b74576d34
-
SHA1
abfb33d5270ad5802f80a114069232fea625a432
-
SHA256
ec30d04e3a22d5db309583cf59909aaff90fb2cca48b86320908057033b9f75f
-
SHA512
b8b7c7002d550a1cac7e76c4e996a395cf4b84fb54c30646d7761c71e50eda936a9f06227b89c0ae43f4804a526f6a4a85c82cd4a666c9c4c37d66810d9a32cc
-
SSDEEP
3072:MLo8F12TygesO04F8UQvk7w+ZlZL90VbxTeo7Azj:MLo8H2TheDF2UjvLI1Af
Score1/10 -
-
-
Target
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서.tgz
-
Size
575KB
-
MD5
7fb27e920c0d272d03a1b1258b81ede8
-
SHA1
6273137ac4b396ff99b6d227e5207273b2d19fab
-
SHA256
04eb8b5e59d657f4c00573d1d49c24932e10ad503be1a802d24c86463319764e
-
SHA512
9924847acdf1188ab14060bad5771e01d88cff233bcf81fe83d1b795a68d4eb42316fe35c0ece66160a160669cd23ea072c0f6c50626db991d4484a45ce8cf90
-
SSDEEP
12288:+HpIr3xwSfqKtsHsNFO9ZdX/WAYqDwrmjJwX3bdiuaRCu:jnfHyZdX/WAYQ4mjJwXVaRCu
Score1/10 -
-
-
Target
b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip
-
Size
187KB
-
MD5
e2cfccc39bd989ba47337ba94a6a5ccc
-
SHA1
fe9bd998cdede8170ee4428004ca84632687b6f0
-
SHA256
2b0df16d6ea20b06a52e00a4b7bb85d7b18195b28f8bee28c1672946139803c1
-
SHA512
37e02ce284cd3800f32ff7d66aadd5835258dbab7117d4a13e32a8800f8fe13e906c5d8c8e3cbe542b8040ee0301752552236ddd901440f9f75fe7051e6f4083
-
SSDEEP
3072:vh0Zaiex7fNDGiWFoU5qNF1kZGfJvZBnhStRVAvB2F2ukwF6Xc4q6zMICDSQIqRX:vh0ZaieXDQqNFKoJvZXqeBMQXXq6zMI8
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Windows Management Instrumentation
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
2File Deletion
2Modify Registry
9Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Query Registry
9Remote System Discovery
1System Information Discovery
9System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2