Extracted

• • Target

    e14b05245a8d2e37db397daf0fe85679.jpg

  • Size

    27KB

  • MD5

    e6eb1167acdd8951de147ad523f48467

  • SHA1

    1e6b3460469f2d95ce6d97a1feecf560b95c37a3

  • SHA256

    1f47a36e659fdfb2ca0d5e5a54a69afc61ef159898105bc0ee58d5067258e37f

  • SHA512

    34c32180d0c19cbd6daf4d30a41c4d7dfe76bcc9488f5f31a5af5495505dd3d7e559264d60bd11c585d797869f76b6802888adf48a2f5c6d74bd1a33e98f7126

  • SSDEEP

    384:l9bWcD17qmXo1JZQSwl1pPVwbZZPbN5/0PZpfzBOGfnuaPAdXCfI3q9iubhoFGSG:X74r+/l1UfjXKfzBlfn/P4erbhyWhX

  Score

  10^/10

  badrabbitcrimsonratdiscordratnanocorerevengeratwarzoneratcollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerkeyloggerpersistencephishingprivilege_escalationransomwareratrootkitspywarestealertrojanupx

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit

  • Badrabbit family

    badrabbit

  • CrimsonRAT main payload

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Crimsonrat family

    crimsonrat

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat

  • Discordrat family

    discordrat

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Nanocore family

    nanocore

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Revengerat family

    revengerat

  • UAC bypass

    evasiontrojan

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • RevengeRat Executable

    stealer

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • A potential corporate email address has been identified in the URL: 15@3251

    phishing

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Uses the VBS compiler for execution

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  • Enumerates processes with tasklist

    discovery

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1