Overview

Static analysis score: 10/10

Per-task scores (score / sample / platform):

10  1214e5f9de...98.exe  windows7-x64
6   1214e5f9de...98.exe  windows10-2004-x64
7   236020bb91...f6.exe  windows7-x64
10  236020bb91...f6.exe  windows10-2004-x64
10  25dc70a3de...60.exe  windows7-x64
10  25dc70a3de...60.exe  windows10-2004-x64
10  54de718b63...d9.exe  windows7-x64
1   54de718b63...d9.exe  windows10-2004-x64
3   7ae9504811...a4.exe  windows7-x64
10  7ae9504811...a4.exe  windows10-2004-x64
10  9c2554e79b...a0.exe  windows7-x64
10  9c2554e79b...a0.exe  windows10-2004-x64
10  a568f22004...3b.exe  windows7-x64
10  a568f22004...3b.exe  windows10-2004-x64
8   aefd0c7794...37.exe  windows7-x64
10  aefd0c7794...37.exe  windows10-2004-x64
10  d68b4d6cec...27.exe  windows7-x64
10  d68b4d6cec...27.exe  windows10-2004-x64
General

Score: 10/10
Target: JaffaCakes118_4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409
Size: 20.8MB
Sample: 241225-clsl4svjcp
MD5: 36b2834c2743039c4df1ce9346886c13
SHA1: 1ee1736c4e2aae820b4d6cd80e43fea0ed6eadc6
SHA256: 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409
SHA512: 43dc749e7002f1ba08b7066e737523a8eaf69365eb148946d6f317234a2eff010307b4210d744a23a7d8641b72ba31fe8735dfcd6d0421537c8ba1293389cd73
SSDEEP: 393216:sS8p+jyX+POyHEWdLvAVcybpk43ytUJtUP8kilTun/u1l6I70xA0x4Nsef:sGHtoVchXyKWEIUq02Nsef
Behavioral tasks (task: sample, resource)

behavioral1: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe, win7-20240903-en
behavioral2: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe, win10v2004-20241007-en
behavioral3: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe, win7-20240708-en
behavioral4: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe, win10v2004-20241007-en
behavioral5: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe, win7-20241010-en
behavioral6: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe, win10v2004-20241007-en
behavioral7: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe, win7-20240903-en
behavioral8: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe, win10v2004-20241007-en
behavioral9: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe, win7-20240903-en
behavioral10: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe, win10v2004-20241007-en
behavioral11: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe, win7-20241010-en
behavioral12: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe, win10v2004-20241007-en
behavioral13: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe, win7-20240903-en
behavioral14: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe, win10v2004-20241007-en
behavioral15: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe, win7-20240708-en
behavioral16: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe, win10v2004-20241007-en
behavioral17: d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe, win7-20241010-en
Malware Config

Extracted: asyncrat
Version: 0.5.6A
Botnet: null
C2: 95.169.210.148:6666
Mutex: bavaulifmjawicwh
Attributes: delay=5, install=false, install_folder=%AppData%

Extracted: metasploit
Payload: windows/single_exec

Extracted: redline
Botnet: Sergey
C2: 185.203.243.131:27365

Extracted: njrat
Version: 0.7d
Botnet: test
C2: hakim32.ddns.net:2000, 2.tcp.ngrok.io:17971
Mutex: 7510b18d6d0540b453f74c07e4a22b0c
Attributes: reg_key=7510b18d6d0540b453f74c07e4a22b0c, splitter=|'|'|

Extracted: redline
Botnet: @Seno_47
C2: 45.81.227.32:22625

Extracted: redline
Botnet: @Fanat_022
C2: 152.228.150.198:11188
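The njrat config above carries a splitter attribute, the token the bot uses to separate fields inside each C2 message. The Python below is an added example, not code from the sandbox or from the malware: it decodes njRAT-style length-prefixed frames and splits them on that separator. The framing (ASCII decimal length, a NUL byte, then the payload) follows public analyses of njRAT 0.7d; the stream in SAMPLE_STREAM is constructed from the config's botnet id and mutex value to show the format and is not captured traffic.

```python
"""Decode njRAT-style C2 framing using the 'splitter' from the extracted config.

Added example, not part of the sandbox report. Framing and field layout follow
public write-ups of njRAT 0.7d; SAMPLE_STREAM is constructed, not captured.
"""
import base64
from typing import Iterator

SPLITTER = b"|'|'|"  # 'splitter' attribute in the report's njrat config


def frame(payload: bytes) -> bytes:
    """Wrap one payload as b"<len>\\x00<payload>"."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Yield each payload in a buffer holding zero or more frames.

    Raises ValueError on a missing terminator, a non-numeric length or a frame
    that runs past the buffer, so a socket reader can keep the bytes and wait
    for more data instead of mis-parsing."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            raise ValueError(f"no length terminator after offset {pos}")
        try:
            length = int(stream[pos:nul].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            raise ValueError(f"bad length field at offset {pos}") from None
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {pos}")
        yield stream[start:end]
        pos = end


def parse_message(payload: bytes, splitter: bytes = SPLITTER) -> dict:
    """Split a payload on the splitter; the first field is the command word."""
    fields = payload.split(splitter)
    msg = {
        "cmd": fields[0].decode("utf-8", errors="replace"),
        "fields": [f.decode("utf-8", errors="replace") for f in fields[1:]],
    }
    if msg["cmd"] == "ll" and len(fields) > 1:
        # Registration message: the first field carries the base64 victim id.
        try:
            raw = base64.b64decode(fields[1], validate=True)
            msg["victim_id"] = raw.decode("utf-8", errors="replace")
        except ValueError:
            msg["victim_id"] = None
    return msg


def parse_stream(stream: bytes, splitter: bytes = SPLITTER) -> list:
    """Parse every frame in the buffer into message dicts."""
    return [parse_message(p, splitter) for p in iter_frames(stream)]


# Constructed sample: a registration ("ll") message assembled from the config's
# botnet id "test" and its mutex/reg_key value, then an active-window report.
_VICTIM = b"test_7510b18d6d0540b453f74c07e4a22b0c"
SAMPLE_STREAM = b"".join(frame(p) for p in (
    SPLITTER.join([b"ll", base64.b64encode(_VICTIM),
                   b"7510b18d6d0540b453f74c07e4a22b0c", b"DESKTOP-LAB",
                   b"analyst", b"24-12-25", b"", b"Win 10 Pro SP0 x64",
                   b"No", b"0.7d", b"..", b"Untitled - Notepad", b""]),
    SPLITTER.join([b"act", b"Untitled - Notepad"]),
))

if __name__ == "__main__":
    for m in parse_stream(SAMPLE_STREAM):
        print(m)
```

The splitter is read from the extracted config rather than hard-coded in the parser because builders let operators change it; a decoder keyed on the config value keeps working across samples from the same family.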
Targets

Target: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98
Size: 1.0MB
MD5: 0d52c34732339d12e58c62cdcbcd2241
SHA1: b00a95fe388a69d375b4e370fa5112dda61c2ede
SHA256: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98
SHA512: 4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de
SSDEEP: 24576:OfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:Vo54clgLH+tkWJ0Nj
Signatures:
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6
Size: 541KB
MD5: 616b97038b6328ae6e45a08077df4a7a
SHA1: 11473c1f0515f06579e7704dc036bbc620c7510a
SHA256: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6
SHA512: 4730733b4be691840fa1905fc4bfeeeba7ebb06e10d24cfe78a285a3e518a2f2ba31bbc378cda68edf4311df322fd137ed1f65d4b844737e9f0df547506c04e0
SSDEEP: 12288:vNpszYhvXWSVJdMaeaxxJHuT8DmP79TovFZFW84:FhvJVJdMQPuTVP792gR
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560
Size: 405KB
MD5: bf2e00fc28e5f89ec6b3b457a5a245fb
SHA1: d42962e2e987c4cd8201badf832f3368afb09d24
SHA256: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560
SHA512: e1f61fec329fab9f0bd997e7b34945e156475a53531c30630a03c550e60c029627e5697c5efb6a0a81b2bc23e178264aabfb26c8b68153d7107d367035730b2a
SSDEEP: 12288:wa8EKlXgFxY3wBeTLDQknVwtw/eMTM6fXgyyC5Te4A6:wDQkqm7nwHC5ZA
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext

Target: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9
Score: 3/10
Size: 15.7MB
MD5: 79339229bc0c59d7b5abba71d1c96a8e
SHA1: 4c7c22308821a08edeacebe691da49249384de9d
SHA256: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9
SHA512: a173e48fb0cb08705e56468ffc0a6845b03b261e98d282815eebdf77f482064a9c89f84ada89ef3aa994d0727db34629ff51e021bbcf8abd6fac5354ce295af2
SSDEEP: 393216:jhufPMmrg+zE0xNXm9wphJ/4ODYo1lgvx5Okbp:ofZtW9wpQ2SLOk1
Signatures: none listed

Target: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4
Size: 4.5MB
MD5: dde0965428c655c1fabbcba5a44e7830
SHA1: b5118f55982bf9784bb34a3f0af738f7d409a5ff
SHA256: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4
SHA512: f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13
SSDEEP: 98304:t38JVPdnSYmzQTkZKhu8PXq7Yf7nRSVfbmfgwLAG:Z85nYUjCkTnR6fPQAG
Signatures:
- Glupteba family
- Glupteba payload
- MetaSploit: detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: rootkits can use kernel patching to embed themselves in an operating system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.

Target: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0
Size: 359KB
MD5: f476fd152a5d6a53f297517f9ffca28e
SHA1: a0bc4cb4763de9f540fca4f97835522620087e17
SHA256: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0
SHA512: 56f683733356faa4be86883e3248ab70884c645e61dedc7ceba64eefa4813b2fda04d102e7b8c5794093f2c5918049900da987b2e235764e4ea87e78224003dc
SSDEEP: 6144:2IN5Yqofb4MI1XfPpnvTGLkZ96Tvu2fHk+:2C5Y3fb4MINfPpnvCLkZ96TvffHk+
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Suspicious use of SetThreadContext

Target: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b
Size: 83KB
MD5: 4ed7de390496be3ec2ea7fdb3804282a
SHA1: 2c919d469853fac9a7719f59407b395e8e360a49
SHA256: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b
SHA512: 5716a8d9d86f9b1f1ad53f3fca96b5622b83ede56d370edc309a503263ad52b542b29e5d74810aed013e9f2e00b77b8c54d81aa0b43c77bfdf5bc7227251bd86
SSDEEP: 1536:83kml69eWJKrec/tOu6Qes2cI2FDrj7fk1ImNUITeT0MB:80mlketr1/Qu6o2QFkSmN4p
Signatures:
- Njrat family
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2

Target: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
Score: 10/10
Size: 206KB
MD5: 70c771952bc897446d3ddad90541a1e6
SHA1: b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512: 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d
SSDEEP: 3072:UVqoCl/YgjxEufVU0TbTyDDalW49D9fMiSE9CCHGOn54yWgW9tFwyMJjVQbE/FGl:UsLqdufVUNDapD9fMs9u7
Signatures:
- Modifies visibility of hidden/system files in Explorer
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory

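Several of the signatures above describe host behaviours that a detection engineer can express as rules over endpoint telemetry: the registry geofence lookup, PowerShell invoking Add-MpPreference to add Defender exclusions, bcdedit changing boot configuration, netsh changing the firewall, and a Run-key write. The Python below is an added example and not part of the report or of the sandbox's rule engine; it runs those rules over constructed Sysmon-style events. The event field names, the rule wording and the ATT&CK technique IDs attached to each rule are my own choices.

```python
"""Host-behaviour detection for signatures named in this report (added example).

Not part of the sandbox report. SAMPLE_EVENTS are constructed to look like
Sysmon process-creation and registry records; field names, rule names and the
ATT&CK mapping are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # executing binary (process events)
    cmdline: str = ""    # full command line (process events)
    reg_path: str = ""   # target key/value (registry events)
    reg_op: str = ""     # "query" or "set" (registry events)


@dataclass
class Rule:
    name: str                    # signature name as it appears in the report
    attack: Optional[str]        # ATT&CK technique ID (mapping assumed here)
    match: Callable[[Event], bool]


def _cmd(ev: Event) -> str:
    return ev.cmdline.lower()


RULES = [
    Rule("Command and Scripting Interpreter: PowerShell", "T1562.001",
         lambda ev: ev.kind == "process"
         and ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))
         and "add-mppreference" in _cmd(ev)
         and re.search(r"-exclusion(path|extension|process)", _cmd(ev)) is not None),
    # No single ATT&CK sub-technique covers bcdedit changes; left unmapped.
    Rule("Modifies boot configuration data using bcdedit", None,
         lambda ev: ev.kind == "process"
         and ev.image.lower().endswith("bcdedit.exe")
         and re.search(r"\s/(set|deletevalue)\b", _cmd(ev)) is not None),
    Rule("Modifies Windows Firewall", "T1562.004",
         lambda ev: ev.kind == "process"
         and ev.image.lower().endswith("netsh.exe")
         and "firewall" in _cmd(ev)),
    Rule("Adds Run key to start application", "T1547.001",
         lambda ev: ev.kind == "registry" and ev.reg_op == "set"
         and re.search(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\",
                       ev.reg_path.lower()) is not None),
    Rule("Checks computer location settings", "T1614",
         lambda ev: ev.kind == "registry" and ev.reg_op == "query"
         and ev.reg_path.lower().endswith(r"\control panel\international\geo\nation")),
]


def evaluate(events) -> dict:
    """Return {signature name: [indexes of events that fired it]}."""
    hits: dict = {}
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule.match(ev):
                hits.setdefault(rule.name, []).append(i)
    return hits


def attack_ids(hits: dict) -> list:
    """Sorted ATT&CK IDs for the rules that fired (unmapped rules skipped)."""
    return sorted({r.attack for r in RULES if r.name in hits and r.attack})


# Constructed events: one benign process, the five behaviours, and a benign
# PowerShell call that only reads Defender settings (must not fire).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    Event("registry", reg_op="query",
          reg_path=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline='powershell.exe -WindowStyle Hidden -Command "Add-MpPreference '
                  '-ExclusionPath C:\\Users\\lab\\AppData\\Roaming -ExclusionExtension .exe"'),
    Event("process", image=r"C:\Windows\System32\bcdedit.exe",
          cmdline="bcdedit.exe /set {default} recoveryenabled no"),
    Event("process", image=r"C:\Windows\System32\netsh.exe",
          cmdline='netsh.exe firewall add allowedprogram '
                  '"C:\\Users\\lab\\AppData\\Roaming\\svchost.exe" "svchost" ENABLE'),
    Event("registry", reg_op="set",
          reg_path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\7510b18d6d0540b453f74c07e4a22b0c"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    fired = evaluate(SAMPLE_EVENTS)
    for name, idx in fired.items():
        print(f"{name}: events {idx}")
    print("ATT&CK:", attack_ids(fired))
```

The PowerShell rule keys on Add-MpPreference together with an -Exclusion* switch rather than on powershell.exe alone, so the read-only Get-MpPreference event does not fire; matching on the cmdlet that changes state is what keeps a rule like this usable in a fleet where PowerShell runs constantly.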
Target: d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827
Size: 48KB
MD5: 13ed5f6560bb91d089f56bd4ca015ff0
SHA1: f43cd2a78815c1ca4091207a8f36cc68398550bf
SHA256: d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827
SHA512: 5d6adf163ca3e18691fc0b34ce1b8277a540e93cb387ae7813bc1dbc84d2c75ca8ff462e67083c08ae4f3cdfdfb1f2671cdd30738f6bbf824b2a93bda7043ad2
SSDEEP: 768:OqXwHbXXUIbp98FZbMF1NCxRGa0baDHJeRdlYnXVEK44pDBNYI6OCF2tYcFmVc6K:O5bp84v4+baD8RdloyK99x6OoKmVcl
Signatures:
- Asyncrat family

MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)

Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)