bazarbackdoor | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

04-12-2024 19:31

241204-x8wmhaxmcv 10

04-12-2024 11:47

04-12-2024 11:40

04-12-2024 11:35

03-12-2024 19:23

03-12-2024 16:27

Sharing

Copy URL

Twitter E-mail

General

Target

241105-dtxrgatbpg_pw_infected.zip
Size

132.7MB
Sample

241204-nsybqazjek
MD5

136b5aad00be845ec166ae8f6343b335
SHA1

e51860dfb734c9715b6c9b74d9c582abe03ca90c
SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
SHA512

ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
SSDEEP

3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes

build_id
19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes

build_id
103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes

build_id
140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes

build_id
131

rc4.plain

Extracted

Family

cobaltstrike

Botnet

305419896

http://47.91.237.42:8443/__utm.gif

Attributes

access_type
512
beacon_type
2048
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
watermark
305419896

Extracted

Family

revengerat

Botnet

INSERT-COIN

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes

reg_key
c6c84eeabbf10b049aa4efdb90558a88
splitter
|'|'|

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes

reg_key
6825da1e045502b22d4b02d4028214ab
splitter
Y262SUCZ4UJJ

Extracted

Family

revengerat

Botnet

Guest

178.17.174.71:3310

Mutex

RV_MUTEX-HxdYuaWVCGnhp

Extracted

Family

emotet

Botnet

Epoch1

12.163.208.58:80

45.33.35.74:8080

87.106.253.248:8080

192.241.146.84:8080

190.115.18.139:8080

65.36.62.20:80

170.81.48.2:80

83.169.21.32:7080

185.232.182.218:80

190.2.31.172:80

77.106.157.34:8080

82.230.1.24:80

202.4.58.197:80

201.213.177.139:80

78.249.119.122:80

123.51.47.18:80

77.90.136.129:8080

60.93.23.51:80

152.169.22.67:80

190.117.79.209:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch3

71.57.180.213:80

185.86.148.68:443

168.235.82.183:8080

181.113.229.139:443

181.134.9.162:80

217.199.160.224:8080

105.209.235.113:8080

216.75.37.196:8080

97.104.107.190:80

203.153.216.182:7080

107.161.30.122:8080

41.106.96.12:80

202.5.47.71:80

201.235.10.215:80

105.213.67.88:80

115.79.195.246:80

179.5.118.12:80

212.112.113.235:80

139.59.12.63:8080

177.37.81.212:443

rsa_pubkey.plain

Extracted

Family

icedid

knockaddress.xyz

Extracted

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
castor123@

Mutex

245f77ec-c812-48df-870b-886d22992db6

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Extracted

Family

zloader

Botnet

05/05

https://rswtgmhf.pw/wp-config.php

https://fwgdhdln.icu/wp-config.php

Attributes

build_id
181

rc4.plain

Extracted

Family

zloader

Botnet

June08

Campaign

June

http://snnmnkxdhflwgthqismb.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

Attributes

build_id
149

rc4.plain

rsa_pubkey.plain

Extracted

Family

zloader

Botnet

nut

Campaign

12/11

https://tfbuildingjoinery.co.uk/robots.php

https://globalpacificproperties.com.au/terms.php

https://www.loonybinforum.com/errors.php

https://luminousintent.com.au/wp-smarts.php

https://espazioabierto.com/wp-smarts.php

https://racriporrosepo.tk/wp-smarts.php

Attributes

build_id
233

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- Size
  
  9.5MB
- MD5
  
  edcc1a529ea8d2c51592d412d23c057e
- SHA1
  
  1d62d278fe69be7e3dde9ae96cc7e6a0fa960331
- SHA256
  
  970645912c0c0b6eb857236e6bcbfcafcb0eaf0f19d2b278c5b180ee31bb8a5d
- SHA512
  
  c8d9fc14c74c87284ed92d7879e5968129572b8fc4e921f48a14b82b98f26737f89daa87213cd9068fa53a8ef84b8e07f1ce053f06790d417ff8dc621b346cab
- SSDEEP
  
  196608:xQc+2jD8ZyCMeiA24G4jLonzU04DjmLy8OVKLlVT7H39:2c+cD4DMvA24PLMzU0+mLyJVKfX9
Score

3^/10

discovery
behavioral1
- Target
  
  [email protected]
- Size
  
  372KB
- MD5
  
  2c959a0f9af72398f115f839397c3396
- SHA1
  
  80b078a6b74a17e6147321f3b3104bf91b4262f2
- SHA256
  
  cc0c949be6493aa98619cd591e6b4a0488eef3227b53fbaeac4309fab9efd206
- SHA512
  
  511bd3992e5345c7d2b0a728f2f8ce7d18ebbc46ee41afaa4a6e4dfa937c28ca799361d286196b327e01df81981bfbc88b15ca1ad0d49fdaad46436e5735170c
- SSDEEP
  
  3072:/drfV7YqW8waq6ciakIC/BwdrZ4P8Y5gla79yQ1yAnYgoFC3Wxl2G7mr3HWJtRIn:FrV7YqW83q6ciH/B6QZn8nTI
Score

10^/10

icedid banker discovery loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Icedid family
  icedid
- IcedID First Stage Loader
  loader
behavioral2
- Target
  
  SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
- Size
  
  486KB
- MD5
  
  cde56cf0169830ee0059ee385c0c5eaf
- SHA1
  
  08aacb48ffcdc6b49af18d01155982984de230f7
- SHA256
  
  cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e
- SHA512
  
  234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd
- SSDEEP
  
  6144:o3uSkuqpikJJ0Zkt5GSd2OwuXz//71gJtpdY2/jF6qA6VSFzH0ZUH:vJuqIIoU5HdeuD//+3JcDqSFzz
Score

10^/10

zloader 05/05 botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
behavioral3
- Target
  
  SecurityTaskManager_Setup.exe
- Size
  
  2.9MB
- MD5
  
  444439bc44c476297d7f631a152ce638
- SHA1
  
  820fcb951d1ac8c2fda1a1ae790f52eb1f8edf2e
- SHA256
  
  bc2d5417a6bf47d53c20c280f6e4b1a3e00dc0b6bbd3e26b2e591fd2f2dc4cc3
- SHA512
  
  160f4b095d37a9f4c6279a4a19f072e170c5f819d0e8e588b2503711b9e2eaac9567b48a9e42bf15af50ba60e64ef97a64e003230369aec0b032cb2030fdca00
- SSDEEP
  
  49152:4s+HgXcROcfipeyNcRmyQLCUOE+N+2JLKmltavtaKhGiD79l+90U:4s+9ROcapelxQLGEjscg6939l+V
Score

4^/10

discovery
behavioral4
- Target
  
  Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
- Size
  
  10.5MB
- MD5
  
  8103aad9a6f5ee1fb4f764fc5782822a
- SHA1
  
  4fb4f963243d7cb65394e59de787aebe020b654c
- SHA256
  
  4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40
- SHA512
  
  e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8
- SSDEEP
  
  196608:CQq8NSRYBrs7LgUGCdpV9KhK7ByrkisRdslNn9YOa5QfKJIJM0hI/oVytz:CQq8NkYBCPGCdpbyK7ByrkikdsGOynq2
Score

3^/10

discovery
behavioral5
- Target
  
  VyprVPN.exe
- Size
  
  1.6MB
- MD5
  
  f1d5f022e71b8bc9e3241fbb72e87be2
- SHA1
  
  1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
- SHA256
  
  08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
- SHA512
  
  f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
- SSDEEP
  
  24576:nTadGsNY1i8fWCsSpqq5M0bOk61uyG2CWm3U9X+Y0ttcN0sH2U9:nsGsm1qSp/MzRuI19X+Y0w39
Score

10^/10

discovery persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral6
- Target
  
  WSHSetup[1].exe
- Size
  
  898KB
- MD5
  
  cb2b4cd74c7b57a12bd822a168e4e608
- SHA1
  
  f2182062719f0537071545b77ca75f39c2922bf5
- SHA256
  
  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
- SHA512
  
  7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
- SSDEEP
  
  12288:vI3h+hoVEZnvy/hF4CMWZrU7S/iAfMIItotPP2rbPCrF7:vu+hIE9BYO7S/iAOtc4be
Score

3^/10

discovery
behavioral7
- Target
  
  Yard.dll
- Size
  
  400KB
- MD5
  
  3cf481ccbb1019894fcbacb554f3bda1
- SHA1
  
  63c11153ab0afb36703723c5121cd0e9b48ac6e8
- SHA256
  
  c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675
- SHA512
  
  628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0
- SSDEEP
  
  6144:eUtz+achtLV3moKNkmxl2w3tgLCEpakLVF7Lsno1oVb67Yf2zBo3:Lz8ht5l0SuYLsAodqo2zBO
Score

10^/10

zloader nut 12/11 botnet discovery trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
- Size
  
  209KB
- MD5
  
  417457ac3e000697959127259c73ee46
- SHA1
  
  e060125845cc1c4098f87632f453969ad9ec01ab
- SHA256
  
  d74e9aa01bffcb4944742f93ad5b87d4c057f4faad008f04f7397634fe3f234d
- SHA512
  
  7e2dac573db052dc03d89499d9e879bc530e94f3d1235898064aa87e99aee8fced1ac4aeeba342b77afd1480e0584a238ad7cd79cdef9c562bb89d65ba365b31
- SSDEEP
  
  3072:tnwDl1lJiIPMUMEhTo6pWmuRdIDAP2Oh0oF14tO/m92B96W5ryx0d:y1DUUMETotmubnP2O314am92
Score

10^/10

zloader botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
behavioral9
- Target
  
  b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).exe
- Size
  
  187KB
- MD5
  
  561d814286baee1b2e815c06e39d6e4e
- SHA1
  
  12defd78c0cd18d77a5ee085684e6e3c26ed42e9
- SHA256
  
  f1987289f7a42f8ef652f6f6504991dbf0cd00a92653c544f67f1f25d4361ffc
- SHA512
  
  01aa8a343625339321e55b5264a1f7f5c15309eccaaf78964e4e6a37c70416c35f64e874afbbaa5e8481c6687cee7fde3382404a24d920711707b8a5359e420b
- SSDEEP
  
  3072:f4xfbcuY2y7gVX63XkuOTfg36TGqxJnEIQVZWZZpXgA4rtTcclLJruMUx+nU9Ei8:fEk2y7oX6EpfhJnEIUZWLpA5QclLJrT9
Score

10^/10

zloader 09/04 botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe
- Size
  
  183KB
- MD5
  
  6d2864f9d3349fc4292884e7baab4bcc
- SHA1
  
  b4e7df23ccd50f4d136f66e62d56815eab09e720
- SHA256
  
  2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
- SHA512
  
  dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0
- SSDEEP
  
  3072:V+EdIHvacHR4IJ1/eIvfHJKsopu5Zu1yiJ1nE8dFZfdcn0TctjCQ9gXaj0jjh3DL:V+aKvac72IfHJmpu5g1yUpE8dFZls0o6
Score

10^/10

zloader 07/04 botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe
- Size
  
  1.1MB
- MD5
  
  82b5c0acec3a7946f002c9e555a7125f
- SHA1
  
  f48992935c658b5685fedc7c8d5ee4b12c19ba6a
- SHA256
  
  cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7
- SHA512
  
  e802adf79040570783e77643b4b75853c61e583272aaafc85f7df29fc9b1b42d37753e172a6865082701fde423ce2aa3f19ab3e346126bf0ffb1fae3b360bbd0
- SSDEEP
  
  24576:9S3tM1EQlFuyzJlvD6gJWa7npqKp6hpKNAaQC:4zQlFfJ96WWa7806OYC
Score

10^/10

revengerat guest discovery trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- Drops startup file
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  cobaltstrike_shellcode.exe
- Size
  
  219KB
- MD5
  
  8e4d8b8796d2188324a0cfd6fdc8de92
- SHA1
  
  9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
- SHA256
  
  1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
- SHA512
  
  db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3
- SSDEEP
  
  6144:b5E/nRS7UwaWiVDSYOY0iZ4i1GrTxI43ZB:b5lUpDSCFfApP
Score

10^/10

cobaltstrike 305419896 backdoor discovery trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
behavioral13
- Target
  
  default.exe
- Size
  
  211KB
- MD5
  
  f42abb7569dbc2ff5faa7e078cb71476
- SHA1
  
  04530a6165fc29ab536bab1be16f6b87c46288e6
- SHA256
  
  516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
- SHA512
  
  3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
- SSDEEP
  
  6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Buran family
  buran
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Zeppelin family
  zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (6065) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral14
- Target
  
  ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
- Size
  
  917KB
- MD5
  
  d592e787314d1c327dbc2da117e1dc59
- SHA1
  
  ba3a26eaa200d53129e304078309758bbb3c95f1
- SHA256
  
  ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
- SHA512
  
  1e805105ab482c752bd24afa028daa3e7bd83f0258510a6fa2ea0c90eb44d1eec590c926982252dbf3a28bb070befbaea5e78c00d556bd9b380a3c79f1480cf7
- SSDEEP
  
  24576:Hk5FAciH/EjiQXFPQ0NQaScQqYLQnasbbTq4cSJG:Hk5O/EjiuFP32CYL/wnqlUG
Score

10^/10

djvu discovery ransomware
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Djvu family
  djvu
behavioral15
- Target
  
  efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- Size
  
  920KB
- MD5
  
  4339e3b6d6cf2603cc780e8e032e82f6
- SHA1
  
  195c244a037815ec13d469e3b28e62a0e10bed56
- SHA256
  
  efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
- SHA512
  
  a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87
- SSDEEP
  
  12288:obIkK9q/oPvPrNAuPfZpAvJvqWTe57Zb8Pyfdyr4G8HdsNhAwpC:obDcnrNtPfZpYvqWTeDQIdyrb8HqhNpC
Score

3^/10

execution
behavioral16
- Target
  
  emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe
- Size
  
  505KB
- MD5
  
  cbe9aa4dce4217491cf9bffae2c66537
- SHA1
  
  2b7a15303157f8b9f1cce01e5e7a130628eb2c22
- SHA256
  
  ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f
- SHA512
  
  71e2736fafa1be308ef341a937a1c6d0dc5a311952bfb9bfbd492c2e16950508f1aea5e63a8e3614c9a35cdc6a684d3ff6e2dba38fe483af74508d3df41262a5
- SSDEEP
  
  6144:DaRhOv5KaMqEZD+m6eewOmkGOYQ87wwzcCgZi3lzAOAWPcnLiG8Ztkq66ti9pdZx:wOKhDD6yUGOYQto3lzAOATStkfxeY
Score

10^/10

emotet epoch1 banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Emotet payload
  Detects Emotet payload in memory.
  trojan banker
- Executes dropped EXE
- Drops file in System32 directory
behavioral17
- Target
  
  emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
- Size
  
  448KB
- MD5
  
  6becbc70725f55f6e6dbe66f383f82bf
- SHA1
  
  7ea5f70e20171e23ccec3c18da638b78dcadfc5c
- SHA256
  
  93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1
- SHA512
  
  e3d8815ea584ec745bc103494e123ca489bdc8b8599745548acab449b9630a7e4a8d47c63db752aee63d18d1fec10f961f2f9c4cdc2324c26460c80421e09957
- SSDEEP
  
  12288:ZfzaBuiszJbE9mO4sl9kHAOyQkNvOzxrq:ZbMmO4sl9gR2Ot2
Score

10^/10

emotet epoch3 banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Emotet payload
  Detects Emotet payload in memory.
  trojan banker
- Executes dropped EXE
- Drops file in System32 directory
behavioral18
- Target
  
  eupdate.exe
- Size
  
  87KB
- MD5
  
  ccfaeed043685c189ef498c3c6f675e7
- SHA1
  
  6973b66e83db7f6d9ba957a6f9cca60a4983f0e8
- SHA256
  
  5d81fc6ab3e6c7bd353ee53297478fc10abfc7f851359f81a65dea74c70156ff
- SHA512
  
  ab8f2d33ec8300d87423f53243f45b720e27d59ab7839d7dcb9d37572c1f4e34536221bfda25dee939218475f44915cac2cf4e9270881af15f53d916bd9dc204
- SSDEEP
  
  1536:ZzfLlsKsEJQgrsOCvojaWr2mACx9lRMgzIY/M0t4T5y5cum:Z7wngrsOCvov2mACDP/IY00eVyc
Score

3^/10

discovery
behavioral19
- Target
  
  f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
- Size
  
  332KB
- MD5
  
  1e0ff1a8078820c5c10652e406d51bef
- SHA1
  
  e191fdbe58b527301eb4bd244a2258ba1cad0182
- SHA256
  
  f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f
- SHA512
  
  eb1a011724b988362aa52bdcb69d2886b736dbbe72fe9e53fa3530eeec6bb4089519896a88af48df8e99c7010930fb84cd33599e57f8477e8748cf5259e428a0
- SSDEEP
  
  6144:R+xWEy53Bhj8sW4y9wTeT10hFPascnojIXTvUv7ohqfp2:RSw53Bhj8sW4ya6T6hFPasco4cv7o7
Score

10^/10

bazarbackdoor backdoor
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazarbackdoor family
  bazarbackdoor
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral20
- Target
  
  fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
- Size
  
  19KB
- MD5
  
  6029c37a32d7e4951449e197d4850213
- SHA1
  
  6ed7bb726b1e04d6858c084bc9bf475a13b77c95
- SHA256
  
  fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c
- SHA512
  
  bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f
- SSDEEP
  
  384:EB8JbJPKd1Bf3rNeD9k4NcKlb5sCSvyP5CtrCzYcHe+Z:EBCNPKd155ulNzxoUzYcHe+Z
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral21
- Target
  
  fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
- Size
  
  660KB
- MD5
  
  b44c5540e020963aca89f3b9a96beb35
- SHA1
  
  14a6e46be7863db3090d81a18d4e080ac005f437
- SHA256
  
  fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350
- SHA512
  
  63ffac732d6b6b469f6072efa0b4ad0ef224072418b18ed879fe914c3cb64b6714ca4948c5d1816218d611865a1f1747121e126a407acbcc038b4615f9b7fd31
- SSDEEP
  
  12288:96zG7KjQ+oJLVaRwYdNKxRBUU8vg0whwRKCV50robF7z:9l7eoFsRjdN6BUUP01RKC8EbF/
Score

10^/10

trickbot tar2 banker discovery trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot family
  trickbot
behavioral22
- Target
  
  file(1).exe
- Size
  
  16KB
- MD5
  
  9ca9044bbac6aa39072da89d05cb3dcf
- SHA1
  
  7cb6ec980704bf7eb109918a1cb037deed4341fe
- SHA256
  
  3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03
- SHA512
  
  5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd
- SSDEEP
  
  384:9jmvn8X19vieB6gb9oDPlMNcLlb5sVKRye5Ct:9jmvni19TBDclMNEho
Score

1^/10
behavioral23
- Target
  
  file.exe
- Size
  
  101KB
- MD5
  
  88dbffbc0062b913cbddfde8249ef2f3
- SHA1
  
  e2534efda3080e7e5f3419c24ea663fe9d35b4cc
- SHA256
  
  275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
- SHA512
  
  036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
- SSDEEP
  
  1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS
Score

7^/10

persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral24
- Target
  
  gjMEi6eG.exe
- Size
  
  23KB
- MD5
  
  9ab1a677fb73e7c5a41d151c4c21f69e
- SHA1
  
  10219ed34a3f76ca7fe30eb27a1a78d83c9ada37
- SHA256
  
  2027c43348230de4a40e7ec590d692f744f36cdb13eb65f599983158e920cdb9
- SHA512
  
  0c9f2e1555c36a3742a2ec604faf9a89bfd856946024596912bc116ad7f4fd15ee67969704956d30d70e7b6cb3a626168c309add57469adb03d389df0596f3c5
- SSDEEP
  
  384:nY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZtd:wL2s+tRyRpcnuQ
Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral25
- Target
  
  good.exe
- Size
  
  143KB
- MD5
  
  b034e2a7cd76b757b7c62ce514b378b4
- SHA1
  
  27d15f36cb5e3338a19a7f6441ece58439f830f2
- SHA256
  
  90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
- SHA512
  
  1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
- SSDEEP
  
  3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral26
- Target
  
  hyundai steel-pipe- job 8010(1).exe
- Size
  
  721KB
- MD5
  
  0999a03694a1c97a43ac0de89cbf355e
- SHA1
  
  0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
- SHA256
  
  8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
- SHA512
  
  6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
- SSDEEP
  
  12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro
Score

10^/10

hawkeye_reborn m00nd3v_logger collection discovery infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- Hawkeye_reborn family
  hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nd3v_logger family
  m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral27
- Target
  
  hyundai steel-pipe- job 8010.exe
- Size
  
  721KB
- MD5
  
  0999a03694a1c97a43ac0de89cbf355e
- SHA1
  
  0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
- SHA256
  
  8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
- SHA512
  
  6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
- SSDEEP
  
  12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro
Score

10^/10

hawkeye_reborn m00nd3v_logger collection discovery infostealer keylogger spyware stealer trojan
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
  keylogger trojan stealer spyware hawkeye_reborn
- Hawkeye_reborn family
  hawkeye_reborn
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nd3v_logger family
  m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral28
- Target
  
  infected dot net installer.exe
- Size
  
  1.7MB
- MD5
  
  6eb2b081d12ad12c2ce50da34438651d
- SHA1
  
  2092c0733ec3a3c514568b6009ee53b9d2ad8dc4
- SHA256
  
  1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104
- SHA512
  
  881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b
- SSDEEP
  
  49152:znsHyjtk2MYC5GDbQ2cRQh9GexmCxBxVV56CmWQax:znsmtk2aj2cROGom6mGvx
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral29
- Target
  
  inps_979.xls
- Size
  
  228KB
- MD5
  
  56fc044937a072471fdd8d63b874e04a
- SHA1
  
  738552f8db33ac0271aa860775815f3d1b291980
- SHA256
  
  59afe59cdbebf60434bd78270826ca9689c3765264dfcace312b89c606c0a962
- SHA512
  
  dbaf2e36ec17d474c829d847705de796bea153b784c8e894d4ff7bebb3bfcdf01447d97f217d9303e0eed5aa9b39046b75b2581331be28771582af2ea48c960b
- SSDEEP
  
  3072:bfMhNhd8o7Vym+BoOvuuUVZV/AHyhb3/7428JMPvjLJKHpEYC5ZNWehxleT0t:bfMhL70DBoOmf1FbAJMWEYC5Z3leA
Score

1^/10
behavioral30
- Target
  
  jar.jar
- Size
  
  81KB
- MD5
  
  9e8b6710fdd55ad0675295c2c3960732
- SHA1
  
  aed08772376bde9f848f335e77e2e3c3c230234d
- SHA256
  
  f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
- SHA512
  
  26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96
- SSDEEP
  
  1536:0GZABd/SAZR5RzfFMAjP/jg6X4bUdv/mIgQnXOunxgCfj:jZ0d//JfyAz/XIbCvOIgQemWCfj
Score

10^/10

qnodeservice trojan
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
  trojan qnodeservice
- Qnodeservice family
  qnodeservice
- Executes dropped EXE
behavioral31
- Target
  
  june9.dll
- Size
  
  491KB
- MD5
  
  f8a7273ef763776e5612ac1f47f6d405
- SHA1
  
  c51f2a884c024e442c1ae0d9bf9511c96a1fa02c
- SHA256
  
  c653365657fbf65429ad845d0a0d93106e972aca929739560ff4b4796bd2be08
- SHA512
  
  5ea060662350237d38d2c6a3c1da5fd7aeec6c05e71cdbb2725fcac47ad8e5c9568adc937329397108ab0cecdf29e9a811ab7e183884dd3044d7c5a6089f88aa
- SSDEEP
  
  12288:uDKxKMk8ChMNo+e8kGOK9ab4ozUWdBENcYcj6D9r6W3FaOi:uDjMk8IMNYnGOSSjgW41QEv1aO
Score

10^/10

zloader june08 june botnet discovery trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Suspicious use of SetThreadContext
behavioral32