Overview
overview
10Static
static
8Order.exe
windows7-x64
5Order.exe
windows10-2004-x64
5төлем...DF.exe
windows7-x64
10төлем...DF.exe
windows10-2004-x64
1087597.exe
windows7-x64
1087597.exe
windows10-2004-x64
1029146c1ccd...70.exe
windows7-x64
729146c1ccd...70.exe
windows10-2004-x64
72cc3b42957...8e.exe
windows7-x64
102cc3b42957...8e.exe
windows10-2004-x64
10RICHIESTA ...TA.exe
windows7-x64
10RICHIESTA ...TA.exe
windows10-2004-x64
1039c1e12e0a...25c.js
windows7-x64
339c1e12e0a...25c.js
windows10-2004-x64
33f46e10e5f...3b.exe
windows7-x64
103f46e10e5f...3b.exe
windows10-2004-x64
1053074094ad...95dbec
debian-12-mipsel
10632cfc71bd...b1.doc
windows7-x64
10632cfc71bd...b1.doc
windows10-2004-x64
10685dce7a17...03.exe
windows7-x64
10685dce7a17...03.exe
windows10-2004-x64
106c4aab4c3b...e2.exe
windows7-x64
106c4aab4c3b...e2.exe
windows10-2004-x64
1073a52a4c60...c0.exe
windows7-x64
373a52a4c60...c0.exe
windows10-2004-x64
3Inv_7623980.exe
windows7-x64
10Inv_7623980.exe
windows10-2004-x64
108954739d96...a8.ps1
windows7-x64
38954739d96...a8.ps1
windows10-2004-x64
8USD $.exe
windows7-x64
10USD $.exe
windows10-2004-x64
1091d079d937...b9.exe
windows7-x64
General
-
Target
JaffaCakes118_031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
-
Size
21.7MB
-
Sample
241223-pv673szmem
-
MD5
a9460cbeecd230ffdb2c22ae81409572
-
SHA1
8bb274360ff935d945b2a899fe9dc304e5c0a290
-
SHA256
031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
-
SHA512
efd0f21fd9e24225d240c74b03ba2ac734e47ebfc47c74e69fed6d77cebfe42a9838a54822d8de5e0cbba9daff6909ac4484f779d3842a156451a3eebc5a0a10
-
SSDEEP
393216:r2flKxdMPPVBLFH/gF51yAyxv6DLYJhMhD7lHs/lKLX1JwmGGyfj1OQZ2hG9j:ragxE7glyHv6DLnhXlMdKLXImGPfhOQd
Behavioral task
behavioral1
Sample
Order.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Order.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
төлем туралы есеп#454326_PDF.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
төлем туралы есеп#454326_PDF.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
87597.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
87597.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
RICHIESTA DI OFFERTA.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
RICHIESTA DI OFFERTA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
Resource
debian12-mipsel-20240221-en
Behavioral task
behavioral18
Sample
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win7-20240729-en
Behavioral task
behavioral23
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
Inv_7623980.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
Inv_7623980.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
USD $.exe
Resource
win7-20241010-en
Behavioral task
behavioral31
Sample
USD $.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe
Resource
win7-20240903-en
Malware Config
Extracted
xloader
2.3
synv
hareemshareem.com
aromaticus.club
sakabay.com
ebtedaieeduone.com
goodyertirerebate.com
mehmeterdas.com
everestjsc.com
eqtclub.com
ahlcide.ovh
snifu.com
grinabrasive.info
ijustwannablog.com
eng-in-use.com
mo-ip.group
beautynblackbody.com
presto-eng.info
jarah24.com
marigoldbrewery.com
onpointcomprasbrasil.com
cdrh-consultores.com
omnichatph.com
lexandbets.com
nailstotoeswithjenn.com
cookcounselingtherapy.com
specialoy.com
plaeralum.com
amazingutahhome.com
homeschoolwin.com
goldenpestcontrols.com
promericans.com
praxisroom.com
fariloo.com
ferryville.city
newagehealings.com
bestmultifunctiontool.com
auctinnation.com
poivcybws.com
inspira-pic.com
valorisr.com
erdostrading.com
chaunceyexcavatingco.com
centralfloridaforlife.com
myfamilyincest.com
sunulokhabar.com
bocaifabu.icu
protocoldome.com
gyenyameedition.com
tmadeitinnewyork.com
relativesshope.com
joshuazoom.com
kybyznpdh.com
monumentproduction.com
skillikz.com
ashlandpowerwashing.com
ameliyatsizkalcatedavisi.com
linkmywebpagetoadomain.com
carlameireles.com
ooveid.com
designsbymanda.com
atypicalexpressions.com
ponpokohoiku.info
cunix88.com
newlypage.com
scientifichypnotherapy.net
ker-huella.com
Extracted
blustealer
Protocol: smtp- Host:
mail.dm-teh.com - Port:
587 - Username:
[email protected] - Password:
Vm@(O;CO.vEQ
Extracted
remcos
3.1.4 Pro
RemoteHost
elninotronics.com:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-E8E8J7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Extracted
bitrat
1.38
185.244.30.28:4898
-
communication_password
58d566f77fed2099674f84e99ed222a8
-
tor_process
tor
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
xloader
2.3
m6b5
ixtarbelize.com
pheamal.com
daiyncc.com
staydoubted.com
laagerlitigation.club
sukrantastansakarya.com
esupport.ltd
vetscontracting.net
themuslimlife.coach
salmanairs.com
somatictherapyservices.com
lastminuteminister.com
comunicarbuenosaires.com
kazuya.tech
insightlyservicedev.com
redevelopment38subhashnagar.com
thefutureinvestor.com
simplysu.com
lagu45.com
livingstonpistolpermit.com
youngedbg.club
askmeboost.com
hizmetbasvuru-girisi.com
fourteenfoodsdq.net
discoglosse.com
shareusall.com
armseducationassociates.com
twilio123.com
hofmann.red
autoanyway.com
duckvlog.com
raceleagues.com
foleyautomotivehydraulics.com
foreverbefaithfultoyou.com
junrui-tech.com
angelinateofilovic.com
justinandsarahgetmarried.com
carlsmithcarlsmith.com
novopeugeot208.com
citestftcwaut17.com
theproductivitygroup.com
cohen-asset.com
trumpismysugardaddy.com
wishcida.com
buncheese.com
dietrichcompanies.com
zafav.xyz
commodore-gravel.com
juport.men
hyanggips.com
aliyunwangpan.com
nuturessoap.com
networksloss.club
blackcouplesofhtown.com
saadiawhite.net
girasmboize.com
melissabelmontefotografias.com
landprorentals.com
bonacrypto.com
meeuba.com
lknstump.com
iregentos.info
linguisticpartner.com
mpsaklera.com
inverservi.com
Extracted
formbook
4.1
vd9n
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
buyonlinesaree.com
percyshandman.site
hatchethangout.com
rugpat.com
zen-gizmo.com
vipmomali.com
lacerasavall.cat
aqueouso.com
mkolgems.com
sevenhundredseventysix.fund
fotografhannaneret.com
mitravy.com
bmtrans.net
linterpreting.com
izquay.com
sawaturkey.com
marche-maman.com
eemygf.com
animenovel.com
travelssimply.com
montecitobutterfly.com
volebahis.com
daniela.red
ramseyedk12.com
leyterealestate.info
patriotstrong.net
vkgcrew.com
nadhiradeebaazkiya.online
hotelcarre.com
myfabulouscollection.com
stellantis-luxury-rent.com
hn2020.xyz
emilyscopes.com
lotosouq.com
lovecord.date
stconstant.online
volkite-culverin.net
allwaysautism.com
sheisnatashasimone.com
sepantaceram.com
ishopgrady.com
lifestorycard.com
sexybbwavailable.website
domainbaycapital.com
constructioncleanup.pro
Extracted
xloader
2.3
weni
sdmdwang.com
konversationswithkoshie.net
carap.club
eagldeream.com
856380585.xyz
elgallocoffee.com
magetu.info
lovertons.com
theichallenge.com
advancedautorepairsonline.com
wingsstyling.info
tapdaugusta.com
wiloasbanhsgtarewdasc.solutions
donjrisdumb.com
experienceddoctor.com
cloverhillconsultants.com
underwear.show
karensgonewild2020.com
arodsr.com
thefucktardmanual.com
712kenwood.info
telecompink.com
ebizkendra.com
kitkatmp3.com
utformehagen.com
profitsnavigator.com
kathyharvey.com
tongaoffshore.com
vrpreservation.com
hy7128.com
nicolettejohnsonphotography.com
rating.travel
visualartcr.com
nationalbarista.com
lovecartoonforever.com
koimkt.com
directpractice.pro
blockchaincloud360.com
queverenbuenosaires.com
coachmyragolden.com
awree.com
facebookipl.com
rcheapwdbuy.com
trinspinsgreen.com
voxaide.com
ecorner.online
mattvickery.com
regarta.com
fknprfct.com
theessentialstore.net
sunilpsingh.com
ovtnywveba.club
optimalgafa.com
awdjob.info
humachem.com
southeasternsteakcompany.com
centerevents.net
warrenswindowcleans.co.uk
lebullterrier.com
thecxchecker.com
formerknown.com
pupbutler.com
tincanphones.com
tgeuuy.cool
panyu-qqbaby.com
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.badonfashoin.com/ - Port:
21 - Username:
[email protected] - Password:
kKsIA9XNV2zG
Targets
-
-
Target
Order.exe
-
Size
184KB
-
MD5
b48a1b6628f1f941e506d15013a72619
-
SHA1
4d6a9fb6ad5aa1b53440c2eb0806602fc164b0a2
-
SHA256
cf540119b481ff1a73efd8f50bc5942faaa46e79f9cb78d06b2b993ef4c921a4
-
SHA512
c74f5fb663cd9e34c234a78884a30399825ed4211d5c1a795bebc6fa2546ae02ba9ddf24e648fd251ac5a265131cd645855483aeb411892367858ac2a571f6be
-
SSDEEP
3072:LizuMU66n2qcHf29Twf8uDiy88V2Sx5Ci8LBNaP08uxcRqqHq0cS0Gf3RMlyPrsD:lM+Me9cfBDiy8i20HunvxcRHqfGlov+M
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
төлем туралы есеп#454326_PDF.exe
-
Size
899KB
-
MD5
8ffb5b1aba6759d623f20a9744de4dd0
-
SHA1
969a580a9e874f8e5a38d7fb4db664be1aa35ce5
-
SHA256
8674688f673421c41dd39734f690c3b1b0aa8aceb5adeb057cf8b21d8f2e41a6
-
SHA512
3713871db07036eca5846ca681432e63dbf1951a47186c1f8458a3395da57b53ab796f5b44025bb277cb6f281fecf401d090bc8618fa72b9ea20fce8991a538c
-
SSDEEP
12288:PNVCqo8zTyvUIZbVlBPI2VBPpZ9SgkVJNoH6tm8EblyuVYvv/zzbVgnQe:0vDBlBPIOBPHsl7Q6tm7blmv/nbO
-
Formbook family
-
Formbook payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
87597.exe
-
Size
704KB
-
MD5
7e19235ca4a6192bdace52baa0a40d26
-
SHA1
1ac8aa96052b0da4f7d1072ca8fee01ade2e9f71
-
SHA256
ed762437d06ffae4d27baec39379997d8acf7ae6e6e758611793f3fb2fafcee1
-
SHA512
a67be81bf2487babe021184427d47004791fca072b93ea61efa40d81680132ffcbd96cd78a00a8f316be50d5308ce1d5f2b29dc19be32e91a74a65a63c7705a0
-
SSDEEP
12288:l3MyvUIZbVWX7Q6cgNMuAx206pm2MGydGcHazvuHw3ItoaI43JYLh2ADli:5TvDBW3cEaeMGpcHazv0tV/OLh2ADl
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
-
Size
2.5MB
-
MD5
20f44573ee6dea2e3b5935c6b1b979db
-
SHA1
4c7429743c92dddb6929931585de25eebf1792cb
-
SHA256
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
-
SHA512
8c96de16c6cf01b351eff07585c0063167f9d1695510b2a1701ced7fd45aa8c34d101d5cc1e785306daf6c9f4ab9fedd7898608b92468f9483ce44637015aa0b
-
SSDEEP
49152:rUy6Rw/xG6ds61Yt0E1EgivHgYkYU06z:8Rw/xG073vH0Y
Score7/10-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
-
-
Target
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
-
Size
887KB
-
MD5
040cca91f06819461187ad57faa81f30
-
SHA1
51b4261aa8c7a475ca9223d4dfddc19a2720096f
-
SHA256
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
-
SHA512
b95e41af609572c7e1de13f03abc9779b00cbc7fc4587345ad1a6259baec08a82e11d8e66e02f11049946dcef6620dcc50d9d9fa120e476eb571698718e4bc80
-
SSDEEP
12288:ybL3+yvUIZbVlBPI2VBPicnA6dLviSv8PLpSaeFzLyeSXmOpgfm3Q+:yb5vDBlBPIOBPtnfdLaSEzpwzyXpqe
-
Xloader family
-
Xloader payload
-
Suspicious use of SetThreadContext
-
-
-
Target
RICHIESTA DI OFFERTA.exe
-
Size
236KB
-
MD5
73bb5c4b690b8d6df88d6bc18fb3a553
-
SHA1
60adddd91b6038fc9d819cf6d647ce3be0b11d38
-
SHA256
a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
-
SHA512
9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
-
SSDEEP
3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
Score10/10-
Guloader family
-
-
-
Target
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
-
Size
846B
-
MD5
351b843f627dad02a1e21178f29b59ab
-
SHA1
801db68232be9a0d7b89a834a18d0d1ecf4cdeea
-
SHA256
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
-
SHA512
9c3adc2f1251223b1e0dd1ce983dcb0e4a86c5b3abc7880b4028b1e5d9e8d9c59a394e2b0638eaea2aa9dd84c2d49a0ff775a1558bcfee4c3c9443481d0c46a0
Score3/10 -
-
-
Target
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
-
Size
1.1MB
-
MD5
1ee5c7e3b59f02fef1b0f793d2196afd
-
SHA1
3f1a1ce12dec33f946079a532ccda8e0c72f2c7c
-
SHA256
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
-
SHA512
0d106c3451f88ed8f27abe47917c4ba4b25706df623f3a0879c5a67c09a269a48b35b94ca25fc2cb7447be75a7e05cbf5464f4c1aff80224c20f263d321387be
-
SSDEEP
24576:1kcNn8Y5TrvvDB/mF1BVB/9ogBzVf/ppYbItJ4Rvk7xz:l5TrTcBVl9BTpTrV
Score10/10-
Blustealer family
-
Suspicious use of SetThreadContext
-
-
-
Target
53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
-
Size
35KB
-
MD5
99551779549809d289d12efa5ac43e4e
-
SHA1
66b5b7aa0264b12e24f37388330a60991de3146a
-
SHA256
53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
-
SHA512
46c3e62d314c028ff812d299ed54e0cc8602422d462d58e35a1ea92b020cddb1700cfb91f339729b4018cd3cac7eb2268c5e0d5599f6a15f21d663626e2a2afe
-
SSDEEP
768:RQI4+orqJGPvcK/kmG+1mAaElNZuw3/9WmEyhqbaWB:6FKJGsgkm/mABlNZ//cmnhqt
-
Mirai family
-
-
-
Target
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1
-
Size
9.3MB
-
MD5
aaa839e4993c07fdfba45afe8826d6bf
-
SHA1
3d00bce50c92b31c3d74d20c5451aedc6878a246
-
SHA256
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1
-
SHA512
e3bca0a028a39e602b093069fb84a84ff13d7451ebaaf05dc127aa061ae7d096460133a3b8d726adedafd1dd08d09621197bf9e8747ac622bfedd909dec6f3cc
-
SSDEEP
98304:IydePKsBylarg6bY/J1ZKbTsBylarg6bY/J1ZKb2ayX0I6:IHisB2Eb01ZssB2Eb01Z820X
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Remcos family
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
-
Size
2.2MB
-
MD5
9882d9bb0a03a191d8ba9b4bc9c254c5
-
SHA1
23bbe2b78cfb4d2c1232fb48bda0dc1ea30222d6
-
SHA256
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
-
SHA512
c3d683b765eb78dd21105096da079720a4b3abf717cb170b88059e900bd3749caf8002f125e7a0d6e4be2f4f703a5267d951af565eb4ba2a635d0233a8fdb6cc
-
SSDEEP
49152:AknKa6MMOFqbdx14d2RjbWk0nUt0LrOmJwHL0leN3vkPZ:j4OAxxK2R+UaEQ8kP
-
Bitrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
-
Size
4.6MB
-
MD5
eaee663dfeb2efcd9ec669f5622858e2
-
SHA1
2b96f0d568128240d0c53b2a191467fde440fd93
-
SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
-
SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
-
SSDEEP
49152:U8+7QhuKuy4ab57x03AFPd96gUyeBW51fN4AsYfW4sAMnB4jt40bjqkNQU1:U8puFyft
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Servhelper family
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Modifies RDP port number used by Windows
-
Possible privilege escalation attempt
-
Server Software Component: Terminal Services DLL
-
Loads dropped DLL
-
Modifies file permissions
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
-
-
Target
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
-
Size
835KB
-
MD5
7c81e999e91d1d0f772010dfa4c34923
-
SHA1
76caadc92346688b50a408b6c48017563a24844f
-
SHA256
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
-
SHA512
ee5777aafc4b568465b85322ba6ffcf0a38ecadde6274a2e4fdf440cf2ea061762a4b07eeb9a5b40b61d8bf3dab91871715bc5e64da74768f0be342b1f79ae27
-
SSDEEP
12288:8BzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aBgZ7u/8u5DGDt2:ucneJVBvXAvwRJdwvZ5aGzu5DGR2
Score3/10 -
-
-
Target
Inv_7623980.exe
-
Size
829KB
-
MD5
b20d9ced5d063ec28425551a520ac59d
-
SHA1
f6bfd3346ed28ef6ed5e45d89f6b1f89d8296b0f
-
SHA256
3ad516ed1d59d2a83e03dd014de474999c1d20885639cd2f77c1108c636636df
-
SHA512
2bbfa0ab4ef7132e5740e54d1fcacb35fdbea4a89b5208f42b4660377f5e18f7a09cad7c589d3a1c3b02d06228ba8b3cb02d6f32b0fcf18b71f23c0e367c48d4
-
SSDEEP
12288:sJzJBoc+ZPzbmhJP8jA+09+Ny6UMZET3jcqd+lHLN3BwspCVad5+v991DqGTR:sjec+ZPzbmf8jFNu4ETQqwtBw
-
Xloader family
-
Xloader payload
-
Suspicious use of SetThreadContext
-
-
-
Target
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
-
Size
1KB
-
MD5
c3bc357d17e8b2403ce323807e75911a
-
SHA1
4b37b7afbadab1bbdac7e43fb283f7180e47ea1d
-
SHA256
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
-
SHA512
463b9dd8f7d8006ec0f28b9383357904b3caeeaf1792e1127be011b20f1ee0c49ca422c4ed7fbfed60fad83bfff5d6728da43e68b4863d6032b7866e162b9c86
Score8/10-
Blocklisted process makes network request
-
-
-
Target
USD $.exe
-
Size
1.0MB
-
MD5
7098068c07032900ff073b55a8ad8e0b
-
SHA1
5bdda0bc06b935689f29d55b297d0523d82c6bfa
-
SHA256
2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
-
SHA512
c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
-
SSDEEP
12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ
-
Xloader family
-
Xloader payload
-
Suspicious use of SetThreadContext
-
-
-
Target
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
-
Size
400KB
-
MD5
315c3439a84941a3da05b9b09752dd5f
-
SHA1
ef24cc39f3f75c879d819480831541f12273f9f0
-
SHA256
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
-
SHA512
78229f409f4cdf93b87153325e37460855363eac92a84193d5aa82a6121c538d89e77c0da0dac977fbe3f8dc43482f560831ce2384e68268c8c99beb1d71d4ff
-
SSDEEP
6144:gFLtM1nJIDQx2L2RCo0iRdd21gloXpSFyLbSp13XsfN1/QH5s1mkbK4f4OxoWts4:EOLIyRn0ivdVlCSFlp1383wsmC4VplY1
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Discovery
Browser Information Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
3System Information Discovery
5System Location Discovery
1System Language Discovery
1