Resubmissions

21/12/2024, 22:57

241221-2xpr2atjar 10

21/12/2024, 20:29

241221-y9xfvsyngy 10

General

  • Target

    JaffaCakes118_3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • Size

    973.8MB

  • Sample

    241221-2xpr2atjar

  • MD5

    0523322523fc2607b21cf06ee2c06e2f

  • SHA1

    49924c11f7b22dbb1fec51402214a4b62f0c4da0

  • SHA256

    3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

  • SHA512

    a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae

  • SSDEEP

    25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Malware Config

Extracted

Family

gafgyt

C2

185.28.39.15:839

Extracted

Family

irata

C2

https://iuskmmdm.ml

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

purecrypter

C2

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

andrmonitor

C2

https://anmon.ru/download_checker.html

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

aurora

C2

176.124.220.67:8081

Extracted

Family

rhadamanthys

C2

http://104.161.119.221:8899/live-edge/nft.png

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

systembc

C2

95.179.146.128:443

146.70.53.169:443

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

Extracted

Family

njrat

Version

0.7d

Botnet

Brouteurs

C2

forthewin.ddns.net:13337

Mutex

fc4dbf906d35a96ddea0300f5b82bfb3

Attributes
  • reg_key

    fc4dbf906d35a96ddea0300f5b82bfb3

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

XSSYE 1.0.8

Botnet

Default

C2

open.imgov.cn:8443

Mutex

91e5d29b47a7d36802e6e1151434cd02

Attributes
  • delay

    30

  • install

    false

  • install_file

    1111game.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

raccoon

Botnet

d1d6daf7a5018968dea23d67c142f047

C2

http://5.255.103.158/

Attributes
  • user_agent

    x

xor.plain

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    f9ff07c5a5e00d26196b3460b72ad41c90dbd24c7405de597560a9a72e3582dd

Extracted

Family

snakekeylogger

Credentials

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Attributes
  • url_path

    ....!..../software.php

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes
  • auth_value

    76a7aa24209b18e5866f6b31583d7851

Extracted

Family

redline

Botnet

Dozkey

C2

91.212.166.17:47242

Attributes
  • auth_value

    c06f8f31502cdaf6d673db7589189fd5

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

formbook

Version

4.1

Campaign

a20e

Decoy

Extracted

Family

vidar

Version

55.1

Botnet

1636

C2

https://t.me/dghzq

https://t.me/zjsqpz

https://t.me/fqwexzq

Attributes
  • profile_id

    1636

Extracted

Language

ps1

Deobfuscated URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

agenttesla

Credentials

Extracted

Language

xlm4.0

Source

Extracted

Family

lokibot

C2

Extracted

Family

formbook

Campaign

fofg

Decoy

Targets

    • Target

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a.exe

    • Size

      1.0MB

    • MD5

      690a381d9e34389a101cc26042eb01d9

    • SHA1

      20cbdf652baa00adc83670d907b14724445da0f2

    • SHA256

      09fe7735f742e003ace00c9884b1eb6d55c719735a1fcd207ac985ce746b008a

    • SHA512

      4d101dbd26245e9365bc8a92a4feaa122811468643b8dc9ec6bdc2dc0e53469e37bbba0912ba45071c105f01af44e3959985a56309476fdbec8c1933d9c12b52

    • SSDEEP

      24576:7kr1gzNc71ZGytgGTpd0FUDJr3HbZMOBr:Qr+aRn0FUd73

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Netwire family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819.vbs

    • Size

      195KB

    • MD5

      a4f71409b11c7a677353f1d7b3e0d13a

    • SHA1

      704ec3fdb8f2ee5e39957785f0d03d5268abd5e6

    • SHA256

      0a08857b3b6b52510c544f54f8b7489038e371a85db858ad3c34c4f7198da819

    • SHA512

      0ed1f3d2fff28a0b7977f966b35c65ed3c3c385eecacf5b1feb38c20ecbbb3017b77b4eca584ea342be86e8e3e5baeec2dbdda3de5c85e97658cd9a4892c1a52

    • SSDEEP

      768:r1wsIXCNd5dghna/lS9P0P7SFuumB/bm/:4wCGBC/

    Score
    10/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0.exe

    • Size

      930KB

    • MD5

      53f4e52a78bdf6541e3efdaf401ebbd3

    • SHA1

      9c4841f6dc393e0a197aba01e9cb8491999a6150

    • SHA256

      0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0

    • SHA512

      f14c3b7c53df876eae2d1ea6e03d88d419e91ee9926334993d585f470c4a13eaa1326544de95a0ce06d3b2590461b3ef52c988c8d1bde7e56ca6b49081305300

    • SSDEEP

      12288:GMY3QedajfctobEgT4FtM/e2Rw4nZu4LvJ0BPykKu2sN9nuI:GMwdwOobfT4Foe2pLBuhN9n

    • Target

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6.exe

    • Size

      1.2MB

    • MD5

      76f35ccb9dc8b2342d34237d041d16de

    • SHA1

      25b50efad77cebcabf2969a97f31db993286d066

    • SHA256

      0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6

    • SHA512

      06c98ccc3cab2175207f9f2ecc410fafc450f318ff53fc70607b346584f0cefc3377d2eadb347a1814629eb2966cc0c818e9be4fe8a3fb84664178159993fc9c

    • SSDEEP

      12288:Z6xsbHodJWWMvNlg+ijLraGFdhJhVTqzEfaH/jVCLzcmI+Sec3IpCT:Z6xsbfWsXylvaEfa7wEb6MT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa.exe

    • Size

      2.4MB

    • MD5

      1362efe98b360c63f8901fad9b6542fe

    • SHA1

      7cee9adac7453dcf74e77a6907951916e590e593

    • SHA256

      0b4ffb13a42cb2432b4e021c18f4b4dd51b669ba0356804ca32dac2de7741caa

    • SHA512

      29882782ddd3ccf7f6e26135832da86ea961faefd67ddbce79945ef81f291d49051cd5fddb1cb13e11bf996697be5c542427f6aa8876c417f7ba460b50b3f7e1

    • SSDEEP

      49152:Z2Yz1Y1xuKe6eF5NPw13Q4/Dof7G41kBNqrcygeCDqQ/XJ5txoJbljwjcWKVA5hq:MwWEvzo13Q2D6GmMScecqQcJbWIKDq

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855.exe

    • Size

      5.4MB

    • MD5

      3a6af02d19a5f472a0357ccb50e5b0a6

    • SHA1

      245b235c383d80ca2ae88681bf12f27bea96b92e

    • SHA256

      0b9a6ed57e23d874bde98d89d3c50a44b3982570cb8bbf41660fad19d3fbe855

    • SHA512

      ac7dde150babc8348b963345ce330ee081978e80c1c80344a240c14cb277ba219a0189b6fbd9353a42869281e00b176021a491fdded3b456f4e9bd8638f5a8e4

    • SSDEEP

      98304:xZc4ddDQkADTo0arkXDiBH9ftXnFmEuM2B4lXzqN346KNadVRvhfPqH:Dbv6UGDohFO/sY1rRJ

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Target

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe

    • Size

      349KB

    • MD5

      02a41eb01d841ddffe402fcfbb73bd0e

    • SHA1

      932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b

    • SHA256

      0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca

    • SHA512

      c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773

    • SSDEEP

      6144:FweEwTKu1gRtv6cWGqV/9zYTyOpMKbsAJRv31M0E2Jt:Mv6cxqV/GGOqKoAPv31M0/

    Score
    7/10
    • Executes dropped EXE

    • Target

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89.exe

    • Size

      229KB

    • MD5

      f8c0a565c50b57b8ebc9c280007312ec

    • SHA1

      e0a90e6d88b92002c7b77dc8298cd1b98f89d99e

    • SHA256

      0c046f07cd96f008a224dc272c32b52af4611cd1852d38db9737abbe3fcf9e89

    • SHA512

      483f609a16c268bfb7626bd6dc7826d8822671342cad1ebdab64115863efe7a75dd13ce6ed31b3c89f691644b2a5d719d43f47994769db2c5753e34bdaedf185

    • SSDEEP

      6144:wf6fRxdLyrc/quEJfylTp45uuo9qcOY7Mnh:wf6fRbGcSuEJfylTp4YuUf

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe

    • Size

      371KB

    • MD5

      341944954703c303537b9d8aa25e5531

    • SHA1

      836351bd41f31d10209d0bdab117186d86071816

    • SHA256

      0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553

    • SHA512

      9fc832dbd848b6fba32e5beca85e7e55e385f677739ce4372d3cd76a3b05d044e1cb4edbae3fda7eadd185803359642fef50ea8691ae488d8d7dce19eca99073

    • SSDEEP

      6144:Ic/RLyHWHs8c5LRMuPpucS5YUhb7jRXBsL36vAiVMaY/6V:Ic/R2HsIMuo5YUNNX4U1VM

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Target

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037.exe

    • Size

      229KB

    • MD5

      5ee27318991c7dcdfea2fb99ae8f219b

    • SHA1

      1490d4de2bbdb3379819aa08cfd0f0c7762b3783

    • SHA256

      0d825ad1df7c2ac718991f061800e31c6ae4ac7a35516676ac0dad40b84b6037

    • SHA512

      88cfef8883ed42b841563632ffd7eae1eebfb2d3e1bedda3a6794b37d559bcbaa48de979e7a77011325ea96bd36742673b8f1704bad840a938e4ba829018abb7

    • SSDEEP

      3072:DNPnQxjSky4aM1woJLJVqdj98m6hce5VYytX7RMzshG3ZcOGgSerQiswun:DNPQxGNuLJVYj9hgikXlU3TDSKxu

    • Target

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9.exe

    • Size

      317KB

    • MD5

      fe62aba35fd5f1c6ca2c1c8be6c27ed3

    • SHA1

      b1912c42ae6742ee1f85be843ad3f66a45372464

    • SHA256

      0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9

    • SHA512

      2d4fedf8c40f2796539a046277ea7f8b6a514e2cecd0b630e8a3a137254a627c873684d247f9e01b53cda4cd36dfa504e9ef1e3c1ed521f9343d45d41032b92a

    • SSDEEP

      6144:fhu1FLTeIjxfniZ5nr6qBgplf95QfGuYjuK2uPbcRItN:fhuXOAfnErgplf3huNuPb0I

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Target

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9.exe

    • Size

      350KB

    • MD5

      36fcbb3b37a9ba63f1fa77c22297c6a9

    • SHA1

      96f7e90a7949064e286c5cf6a39e40aea2f21263

    • SHA256

      0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9

    • SHA512

      ce25057372e00b915f92fae2b4398af9badcec1b8f4a0a5b532f12050adb1bf2ae0657849a8f54e066fcd14cac00e3a691da5393c6c3aae23083358d3d701c11

    • SSDEEP

      6144:ocLt8AYW3GpW4DW7Q74jOxdiUhtoMgJ51XPKM7MBr:ocR8TP87QIWAUhtoXJnXPKo

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Target

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877.exe

    • Size

      2.4MB

    • MD5

      7e5e288607447a41931025d1f79760ae

    • SHA1

      4ad9a21318ce3c9150b16d1c7d4acef655eb86bf

    • SHA256

      0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877

    • SHA512

      7738b15725bab95d16f949f0dc8cc2e9b9c61936d8b3a54a932fb6dd3f0ab38bc21c8f484395eaaa2686d397e22032f6b681c3920721faa04f5663d20c3da083

    • SSDEEP

      49152:Z20nrOjMNC7wlZ6+3WddBI6crIdYnX5oCmG1YQV0REpLgfNcA5hq:MAOjM4wlQCWfBINsADvV0R2gf1Dq

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe

    • Size

      252KB

    • MD5

      130f4b6ad5c42bdb5abb4e45406cef94

    • SHA1

      efc55e5f2520c089bfedcc3cfcb4630f595fb688

    • SHA256

      0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d

    • SHA512

      88fdbe7ef0b3a076ebc872d5dc00fb2fa9ff827420433fc24d886d27fc5b462ba090301be042a9a3c5b31241f82b361afe8d586dd48bd5df393f39d0305d4192

    • SSDEEP

      6144:XCutDb6sMMMMMMMMMMMuMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMg:yObMMMMMMMMMMMuMMMMMMMMMMMMMMMMh

    Score
    3/10
    • Target

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe

    • Size

      219KB

    • MD5

      566a30af3032ed8c2718c99a9c0d7289

    • SHA1

      4d08ff905ddfdaf7f39465b9af09b6441e8993d7

    • SHA256

      0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6

    • SHA512

      03aa457d3d68d96cdcb8a2d234fac21466bac359bc10948ac1b79222361e992d456df8ba89c8c4e0ada87da0502857a3586ed232a114db9823f13d60308526b1

    • SSDEEP

      3072:UXWlLKlKMO5qI0Ac7ztrQNZezyzh91Ih3Az9Mo+ATIulLwt:QQLrM937JUNZeeFTEMuoZTIuh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1.exe

    • Size

      647KB

    • MD5

      92e6f05295ae825d4f3d9982a616b98e

    • SHA1

      eb73f950397f919df73442f66cbd15deee931cea

    • SHA256

      10758789ca875d9783a8988e0b0dbfd88f75a6ac0eb544b5b37241492223fdd1

    • SHA512

      100e49ead6c63aba1470ebad85d969310741cc6d7c8d974551ffa07aa1923dec4f4153d363387328c493198ad98bf7535f2f4e138203daa3849ca28f265a3243

    • SSDEEP

      12288:rYK4r6syCKHtudgQcEfCUkNNvshJGxnLeFnQ:rYK4RNKCcg1knvsh45LeFnQ

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Suspicious use of SetThreadContext

    • Target

      11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96.exe

    • Size

      307KB

    • MD5

      848cfa950baa476b7127aa42a8f8cb2f

    • SHA1

      60fd5296042413a9cebb3a4952f8efa36d8d31d1

    • SHA256

      11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96

    • SHA512

      6bed8b5a08a9bfd6eb88eb4203960e6f71e348ae254877653ece37ad144d0e94d79bee58a3e1a39e0c33d0170e2e4aa1ee269224325799cbe5d8fe0b7e1a4e58

    • SSDEEP

      3072:sXqhLZd18O5PcsUpbfxaBytteEd8mGkhXhSSOxtzIZ9dKfV0DgR84+5sm+t904:ooLZ84csYaBk/hXgSOxtodKuDgRTX

    • Target

      11bb525d06957723f55934f7697eaf4c6e0437e435d3fea9f1f4a16d71cd041c.exe

    • Size

      222KB

    • MD5

      80c18619e17ff0835fd578aed8422e4b

    • SHA1

      d82dd7c61eede169f542f89b2fce22841345c1a1

    • SHA256

      11bb525d06957723f55934f7697eaf4c6e0437e435d3fea9f1f4a16d71cd041c

    • SHA512

      25b0946140fe0de5eda34f67089a6bb39827fdd421853edaca55cfa5cbcd199430c0c85dda90b0e225793c1a70708eb7ec8175fed6176f174becdf522ed22584

    • SSDEEP

      3072:BSnlmJpEgXKnlL0EAhoTwN6+k5P5Ykc7Dh2N/qyGqPBBu5YGLTuUO/BcCp:BSYULyNczcp2F1HsYG/VO/BcC

    • Target

      124dcea053b32060dc96c5b2901df4264837a87ea25e635e0ac76145450d9a69.exe

    • Size

      732KB

    • MD5

      c5e02c378a0ddbc62c4172830947e97d

    • SHA1

      d0ed805d5b40454a091f233d0c1d9b29ec64c515

    • SHA256

      124dcea053b32060dc96c5b2901df4264837a87ea25e635e0ac76145450d9a69

    • SHA512

      97a79a56be88085ab2402e4a7474afa344e1eab45108429f2e80de7860da04a97f04220496602d737b9523c854b9c1c24895329d85eb962101b90c19cced5d79

    • SSDEEP

      12288:oy10PPJaxEOCf5lpLR6AlAaXjxmQpunxdk9dmhbbE8QUuQZ60sSj:kTxpcxdPtbE8Duu60sSj

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      13431e2ee5bc86bdc9b53f47dd2ea61912a00952a3ea8f97ea3842ad7053551c.elf

    • Size

      96KB

    • MD5

      9a44a623c0b3bf86f337244a492bb849

    • SHA1

      14e27701d655f430048e92a429926a5fd8abf362

    • SHA256

      13431e2ee5bc86bdc9b53f47dd2ea61912a00952a3ea8f97ea3842ad7053551c

    • SHA512

      5b2337ffe4a6089621586544bba4fd1809e9b113b05566be1326a7b733571332ecc5241ef9bcaf81cab91a34dfd73318df2987781cfb4c3d78311a21a0bbc321

    • SSDEEP

      1536:7QQfckMzQzgv9OtAC0QptczD3z+FavgfTXvEmL49VqFjtUfkjX:7xH/JFDtczD3m57vEmU9VqFBUfkjX

    Score
    3/10
    • Target

      15387da23f7465d5c4ccd137bc21d15d74c0006c7536b92afed5337cdb3e0315.js

    • Size

      100KB

    • MD5

      ed9d1e4c580a9f92815d0cbf00b47b20

    • SHA1

      ccc8533cc8fd804988c75f9ff827192bb98dab3b

    • SHA256

      15387da23f7465d5c4ccd137bc21d15d74c0006c7536b92afed5337cdb3e0315

    • SHA512

      ae543bb540190d4e799cce94f943526ca60d1b8376413dc8fb66251f567087ffaa8ebaf4e67761c51b098c538e0da937e8b65859f968bc58908b9899fd0b24b4

    • SSDEEP

      3072:9F7D4Y+Jk9olJaXvY96bal9BtNe66WWtUrcZtXGD23VMJFB:9FniHKYIOB

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      15938b5637e639c182992c8fdf65b8db3d461c85f6eac57044f40d2a68955372.exe

    • Size

      229KB

    • MD5

      83fd029a3fbe2efc79f203479a4c21e6

    • SHA1

      4290032c569c5eb64d7ebd4c50ef36f01f08dc27

    • SHA256

      15938b5637e639c182992c8fdf65b8db3d461c85f6eac57044f40d2a68955372

    • SHA512

      feb38390727625b364246e17217501b090d4bec00e131043887a5e7e74e9a4caa9b300fa67ed393504aacb62dd7284a471bd747ca6b2b1057b919e6d284d7c17

    • SSDEEP

      3072:GS6n5Yu86fFYNLLS8sZDRw6Cv5NOCr9YBVBNZ/IxwTGHFMtFiRiU4A:GS6uaYRLS82DKL3OCrEVzZ/IAGlmFtU

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe

    • Size

      1.2MB

    • MD5

      749fd58dcffee43317d573fbec8eaddf

    • SHA1

      08964a5cbccfe8460fdbd126004ffdd6c81a1121

    • SHA256

      170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4

    • SHA512

      357eb5dcdaa4aa2249d8a1937cae7c8d362466d63fcbe8232cdf8c561623ee7470ae9f4601090dffb3b41545a032d63fcaba504a0c3c1bbaba579c1333b3f09f

    • SSDEEP

      24576:XAOcZ9OUVm7BVha9TlEkqIMMvBwA2MNxjFJ7oHeWXL7WY:pC0klEkTMMvZx9+7WY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Executes dropped EXE

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      17286809694b9d22325e29af4e74b2083398de0488d9a96644566c468628554d.xll

    • Size

      551KB

    • MD5

      8c3611f6e56cb6edf445374ba7b8d6b9

    • SHA1

      15b32a9f730e1828193ed0f0bc09aa150d66916a

    • SHA256

      17286809694b9d22325e29af4e74b2083398de0488d9a96644566c468628554d

    • SHA512

      71954f7e5fb770ea06f97d78fb0510cf2f638f6afc5c0555c62c1b411ccded1a487903a284c0e7921beba0de019995877d7f7f518f39559f72e445e2cb53c89c

    • SSDEEP

      12288:Yn/zjvGHAykHJRLW/4+8bzbBSreM3pqZGDxK:az7GHAzH7jX1GFx

    Score
    10/10
    • Loads dropped DLL

    • Target

      17dadc2b105c925bb5d598789e418a9fdedac3a5a26a05fa4b77c8d82f685bb1.elf

    • Size

      26KB

    • MD5

      1c9847187417b3862a8bb18705951f8d

    • SHA1

      eed2e1e9134b783f8e2cc5b25de151fdcf1d3d7f

    • SHA256

      17dadc2b105c925bb5d598789e418a9fdedac3a5a26a05fa4b77c8d82f685bb1

    • SHA512

      59374fcc66d8d805a13b9b076001600df03049ea87c7f6c0468779352f4475c151048a1797b0842058a0543c52f5dbef57c0da3f6a3fcdf558f8bdfd614f0f81

    • SSDEEP

      768:eMKyhegCCMqf2ExRIIOyF+Hx42gU99k9q3UELuZ:NKy4qf2XmFYaqNLE

    Score
    3/10
    • Target

      190ffc93d1cf8112811d0568736905e6a943cc4787fb569754ed7e15ecd2efd7.apk

    • Size

      25.8MB

    • MD5

      eb89d696dd5f7922b4c49db6585a69a0

    • SHA1

      dc70bebb49ea7e0d85c45b206e4a557891e7e122

    • SHA256

      190ffc93d1cf8112811d0568736905e6a943cc4787fb569754ed7e15ecd2efd7

    • SHA512

      433df9feea2ee58701bf51d4db69925c0471b9361016a8a095a5bc76c2cff06834ad1dd5a1dea6d7e700c75ffea5108c472e6db2870184f69d9812d08b44c8cf

    • SSDEEP

      393216:/q1j7QtsfFZWOHhlFXRdTKosUBU+X8UPNwhgcCgBj8aCyiPJeq39YSpv:iB7Q+fVtGGBNCgeB4aCylM95pv

    Score
    3/10
    • Target

      1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1.vbs

    • Size

      554KB

    • MD5

      a4afe82ecf3940b8363d806604bc37a6

    • SHA1

      8d44d22cbe509b8f5662daf586e8de5446089ec9

    • SHA256

      1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1

    • SHA512

      be1817f80a514d1f7887a7a2b8f6e1364e3c14165effa26c3f12f95bdded410f81781246f36f2e0a7baa70682e513380b2fce5c4541bf9555594011013cf0649

    • SSDEEP

      12288:89OSGK7KzVkqo3CoMndRBwcm4MpPrNbbx9Od/UR1VY:eGKW6nMn7BiPpDZbAMfVY

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

    • Size

      851KB

    • MD5

      84a4e8581550b0634e38d3218813ac79

    • SHA1

      1005f9154fb27c448ce8e39646b2da1fc010942e

    • SHA256

      1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d

    • SHA512

      0c924c0763f9bec6c7de3f303263436c8c63ff40682966feb04ffa54eb282aabe5d52a8d5dbffd417666f0a7d77d25eb24956a853616dfed24c79c278e9dd5a9

    • SSDEEP

      12288:y4xTxt9ivc50KsBNgK10IJkHKqZrDgSQlOnvgfEunph:3FivcRsBVBJyZX28n2

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326.exe

    • Size

      1.7MB

    • MD5

      f18a8734fe5484be1f784dd47178d6c6

    • SHA1

      abf12814aa5c4fd746e3b5a9635667a2c5ac0604

    • SHA256

      1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326

    • SHA512

      f56646998a95a74bebd3174565ef01675f8c8ae9124f61598efbcfed60855e924accb4506da2f120bb9c9c59766fdc3de8f3dc79f5577ac0bd17ff9bf0d47f52

    • SSDEEP

      49152:H6VUMI6hKcPoV8bZLL9uj5a/Nxg+i/qA3gv:H688lLcj5Yg7/qegv

    Score
    7/10
    • Loads dropped DLL

    • Blocklisted process makes network request

    • Target

      1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52.exe

    • Size

      226KB

    • MD5

      19407c99f4b2baf3fcd8cc632ea60b97

    • SHA1

      b6574e349b99bd865c84e79a0ca596c5fdadcaf4

    • SHA256

      1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52

    • SHA512

      969235b95372f6df5980151c6fa75ad920cee8004a2a07df114c83aec2b1c83c9a7aa53903842dcd3cfed4cd683664643f1846089386c34733921a4e08edeba5

    • SSDEEP

      3072:EOS07dizsmBglaL0X+qa6eGR5d/Lhvw35WptqsVMn2jCV+btxEnogr:NSlDL0XXabGh/dwCnVM2jCVGtxEog

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe

    • Size

      214KB

    • MD5

      da9914f2f681c7ef59293d3804c9133d

    • SHA1

      49d23c8eac05f7c8af203f0b46f7d805fc4b1724

    • SHA256

      1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

    • SHA512

      3eaaf3ba1df0f3fef3141a3f2fb0e455620ffcf569dbe438d8a8a9fa2173c275897001f6ef52b18b138d5f88e9facc053f7e8a6751c655ee320842ee756f0615

    • SSDEEP

      6144:qweEpobsxm+SEfyjP4P3yYZcfrFPWHFjp:bowkAwfrFPWH

    Score
    7/10
    • Executes dropped EXE

    • Target

      1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b.exe

    • Size

      447KB

    • MD5

      d93ae89b2dd80e754f282db2f968e537

    • SHA1

      52d0f0a4cc753daae727e5d79ae575f37042e6c2

    • SHA256

      1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b

    • SHA512

      021879e0ad17ceab7fa3cd29e483da9e7ff6155f4e1e1a493517549d8d25f004f234f6d2caf74944bd4718e6e24c79a5139d4018018350bc7434fafa3230c806

    • SSDEEP

      6144:1HW9ZEjeXjYA2ospqAlwdVgDmETmGJE9i/pfp5thhhhYPDK2gIKb:mZ3XjYA2oXCRBuwpBrjYPDC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

mirai, upx, vmprotect, lzrd, rat, pyinstaller, brouteurs, themida, default, d1d6daf7a5018968dea23d67c142f047, gafgyt, irata, mirai, purecrypter, dcrat, andrmonitor, aurora, rhadamanthys, socelars, stormkitty, systembc, xred, njrat, asyncrat, neshta, raccoon, laplas, snakekeylogger, erbium
Score
10/10

behavioral1

netwire, botnet, discovery, execution, rat, stealer
Score
10/10

behavioral2

execution
Score
10/10

behavioral3

formbook, xloader, fofg, discovery, loader, rat, spyware, stealer, trojan
Score
10/10

behavioral4

redline, discovery, infostealer
Score
10/10

behavioral5

gcleaner, discovery, loader
Score
10/10

behavioral6

discovery, persistence, vmprotect
Score
7/10

behavioral7

discovery
Score
7/10

behavioral8

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral9

redline, dozkey, discovery, infostealer
Score
10/10

behavioral10

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral11

gcleaner, discovery, loader
Score
10/10

behavioral12

redline, dozkey, discovery, infostealer
Score
10/10

behavioral13

gcleaner, discovery, loader
Score
10/10

behavioral14

discovery
Score
3/10

behavioral15

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

formbook, a20e, discovery, execution, rat, spyware, stealer, trojan
Score
10/10

behavioral17

vidar, 1636, discovery, stealer
Score
10/10

behavioral18

smokeloader, pub4, backdoor, discovery, trojan
Score
10/10

behavioral19

snakekeylogger, collection, credential_access, discovery, execution, keylogger, spyware, stealer
Score
10/10

behavioral20

Score
3/10

behavioral21

execution
Score
8/10

behavioral22

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral23

agenttesla, collection, credential_access, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral24

Score
10/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

discovery
Score
8/10

behavioral28

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

tofsee, discovery, evasion, execution, persistence, privilege_escalation, trojan
Score
10/10

behavioral31

discovery
Score
7/10

behavioral32

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10