Overview

overview

10

Static

static

10

JaffaCakes...6d.zip

windows7-x64

1

JaffaCakes...6d.zip

windows10-2004-x64

1

104.248.22...9.html

windows7-x64

3

104.248.22...9.html

windows10-2004-x64

3

104.248.22...ain.js

windows7-x64

3

104.248.22...ain.js

windows10-2004-x64

3

11.html

windows7-x64

3

11.html

windows10-2004-x64

3

12.html

windows7-x64

9

12.html

windows10-2004-x64

3

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

7

2c01b00772...eb.exe

windows10-2004-x64

7

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

3

3DMark 11 ...on.exe

windows10-2004-x64

3

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

10

6306868794.bin.zip

windows7-x64

1

6306868794.bin.zip

windows10-2004-x64

1

CVE-2018-1...oC.swf

windows7-x64

3

CVE-2018-1...oC.swf

windows10-2004-x64

3

DoppelPaym...OM.zip

windows7-x64

1

DoppelPaym...OM.zip

windows10-2004-x64

1

E2-2020111...59.zip

windows7-x64

1

E2-2020111...59.zip

windows10-2004-x64

1

E42A.zip

windows7-x64

1

E42A.zip

windows10-2004-x64

1

Resubmissions

01-01-2025 19:48

250101-yjllnstkdm 10

24-12-2024 16:52

241224-vdwynsskdw 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

  • Size

    221.1MB

  • Sample

    250101-yjllnstkdm

  • MD5

    0c1df79aedd19bad104f962cfa9495a2

  • SHA1

    62f9b3c0e8d3f29663c2bafde2602d7cda044fcc

  • SHA256

    4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

  • SHA512

    b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db

  • SSDEEP

    3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp

Score
10/10
agentteslaasyncratbabylonratcobaltstrikedanabotdarkcometdharmaformbookgozimodiloadernjratqakbotraccoonrevengeratsmokeloaderwarzoneratxredzeppelinzloader07/0409/042020nov125/0330541989686920224hackhackedinsert-coinmainnullsamayspx129systemvictimexdsdddyt159073433926.02.2020w9zagilenetbackdoorbankerbotnetcryptonedefense_evasiondiscoveryevasionexecutionimpactinfostealerkeyloggermacromacro_on_actionpackerpersistenceprivilege_escalationransomwareratrezer0rm3spywarestealertrojanupx

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php
Attributes
  • build_id

    19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php
Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php
Attributes
  • build_id

    140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php
Attributes
  • build_id

    131

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes
  • build

    300869

  • exe_type

    loader

Extracted

Family

gozi

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247
rsa_pubkey.plain

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

babylonrat

C2

sandyclark255.hopto.org

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707
Mutex

adweqsds56332

Attributes
  • delay

    5

  • install

    true

  • install_file

    prndrvest.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes
  • InstallPath

    excelsl.exe

  • gencode

    n7asq0Dbu7D2

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    office

Targets

    • Target

      JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

    • Size

      221.1MB

    • MD5

      0c1df79aedd19bad104f962cfa9495a2

    • SHA1

      62f9b3c0e8d3f29663c2bafde2602d7cda044fcc

    • SHA256

      4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

    • SHA512

      b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db

    • SSDEEP

      3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp

    Score
    1/10
    behavioral1behavioral2

    • Target

      104.248.221.3/systemerror-ie-edge/indexe2c9.html

    • Size

      30KB

    • MD5

      c3d72f83e398064acdc21509226b47fa

    • SHA1

      df3afbd526151107acce3bae7d25f1cf33349b4c

    • SHA256

      e8da6f7472b2ce092fddf64bce7ea2960ed63ea92ba4dfbfa93bff5bf7913025

    • SHA512

      b77ea23c163d100fcaa4f3ef2020072793fc4605145c13c26302faad6baf4f27a3cb827340eef61b2c154b89ccabe5b8f773c1f34b9f39786fa6979271fffdcd

    • SSDEEP

      384:H+51uEhO56OIop2I8NKFWuS6F+TtObFhuw6F+TtOFE31+/VUxfh07oQNI7gW0M:e5fq+bz+oElsVUxfh07ocI7gg

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      104.248.221.3/systemerror-ie-edge/js/main.js

    • Size

      2KB

    • MD5

      912734e981f454609fcde1c63a4467b3

    • SHA1

      6c475e786a6858804719d90c809fd5bffe317d2f

    • SHA256

      e8af3476f0800500930ac809b2316f11bdcdaeb88f7309f523e4d0c2e5f58db7

    • SHA512

      5471bfdda02cb56860d7a205b54b5fb96fc7f7ff1f781d5ded3f2b15e975d9796460e3c7f8e5bf02eeb8ec226996c95cbe6b11d20a1cec9b36496f7c9793e590

    Score
    3/10
    execution
    behavioral5behavioral6

    • Target

      11.html

    • Size

      7KB

    • MD5

      ad4a9397a513760d6b7b7c95949a0421

    • SHA1

      d6284164627c386d2a2a2577c4e94cd22ba9fcf7

    • SHA256

      31ee9a4d7bedce33c62b7bb5cca7551813ff7fd9c486293f749a58f4486f0300

    • SHA512

      d49b4ee6eee88e2d0f81ca03871cd38e482aa26dec4016359237b0a71b297721e068047abefe09f714ddb77f4b63fcca88de80cfc4f27c0d94faf26158bc2cb0

    • SSDEEP

      192:zzbRccMfnoFoj6FQjHRiO7hp/iL7z6/Jz0fuz55555555555555555555555555b:DRcNfZ/na7z6hz0fuz5555555555555V

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      12.html

    • Size

      2KB

    • MD5

      3e1beb3a3cc648f798284e78e948cb0a

    • SHA1

      02c1f8d16a5667c3fce31354fe4a8a134bfc30b1

    • SHA256

      15d6940e18fbce99ff0b7509c09c32ada4760a5e3a5f64d8ad8b3b8c8f564fbb

    • SHA512

      dc0c5a5e9cf8e99c749c07fe7adcfbf20ab5db84e249861c4fad2577e0136d6dbabc5a7b96e8b99d0b86479c6a30a910857b7b7db39c884532eaccb08b9aabe2

    Score
    9/10
    discoveryransomware

    • Renames multiple (233) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in System32 directory

    behavioral10behavioral9

    • Target

      2019-09-02_22-41-10.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SSDEEP

      6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

    Score
    10/10
    smokeloaderbackdoordiscoverytrojan
    behavioral11behavioral12

    • Target

      2c01b007729230c415420ad641ad92eb.exe

    • Size

      1.3MB

    • MD5

      daef338f9c47d5394b7e1e60ce38d02d

    • SHA1

      c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

    • SHA256

      5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

    • SHA512

      d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

    • SSDEEP

      24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      31.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    Score
    10/10
    agenttesladanabotformbookgoziqakbotraccoon86920224spx1291590734339w9zagilenetbankerbotnetcryptonedefense_evasiondiscoveryexecutionimpactkeyloggerpackerransomwareratrezer0rm3spywarestealertrojandharmaevasionpersistence

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot family

      danabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Gozi family

      gozi

    • Qakbot family

      qakbot

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • AgentTesla payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Formbook payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      3DMark 11 Advanced Edition.exe

    • Size

      11.6MB

    • MD5

      236d7524027dbce337c671906c9fe10b

    • SHA1

      7d345aa201b50273176ae0ec7324739d882da32e

    • SHA256

      400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

    • SHA512

      e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

    • SSDEEP

      196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      42f972925508a82236e8533567487761.exe

    • Size

      3.7MB

    • MD5

      9d2a888ca79e1ff3820882ea1d88d574

    • SHA1

      112c38d80bf2c0d48256249bbabe906b834b1f66

    • SHA256

      8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

    • SHA512

      17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

    • SSDEEP

      98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

    Score
    10/10
    asyncratbabylonratdarkcometnjratwarzoneratnulldiscoveryevasioninfostealerpersistenceprivilege_escalationrattrojan2020nov1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Babylonrat family

      babylonrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Njrat family

      njrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    • Size

      669KB

    • MD5

      ead18f3a909685922d7213714ea9a183

    • SHA1

      1270bd7fd62acc00447b30f066bb23f4745869bf

    • SHA256

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    • SHA512

      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    • SSDEEP

      6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

    Score
    10/10
    discoverypersistenceupxransomware

    • Renames multiple (169) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral21behavioral22

    • Target

      6306868794.bin.zip

    • Size

      698KB

    • MD5

      b63a1d3001cc1a5bcc2104ecb8eb5d53

    • SHA1

      d04ebc24cc00ea67870c9eef92de7c5adf4c65d5

    • SHA256

      56b423e8f7e99ce24a6250507b1ac9e4476837a32f0518ebc5474eaeb9ecaa78

    • SHA512

      29be52929db5bd0e8d85e10696c08ded581213c5e2e97eb3e72e32ddc5861aa8f9c6d20a1ec9a81c442a4319491500dc91345c6879651b5cc546294cd12f0b2e

    • SSDEEP

      12288:OZVZvijaJxMV5DH6Asfuez5GxNmHUguf4OkEokPhuDIX7dCjBb3RcN7VI:2iGJxMV5ThsGeFykCf4OIiusXhCh3RcM

    Score
    1/10
    behavioral23behavioral24

    • Target

      CVE-2018-15982_PoC.swf

    • Size

      12KB

    • MD5

      82fe94beb621a4368e76aa4a51998c00

    • SHA1

      b7c79b8f05c3d998e21d01b07b9ba157160581a9

    • SHA256

      c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

    • SHA512

      055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

    • SSDEEP

      192:gR6qPBBRRcrxFx/pHPn9moz7p/+tqHM41rftZDBLj9b5d/:gwqDcLx/pH/IoBiqH/BfbDBLj9b5h

    Score
    3/10
    discovery
    behavioral25behavioral26

    • Target

      DoppelPaymer.RANSOM.zip

    • Size

      3.1MB

    • MD5

      43cdf0d6afb39d4eef072b493175c960

    • SHA1

      d660534dfe66a661afc7e728222e7179311996bc

    • SHA256

      ab86077baa2c5a0baac61785a7608456c47a3f52c672c10df6726f4aa2d5dab2

    • SHA512

      073950a883a02cdc0ed2a0ca439b7ffc8b0e1decf6b68fe557b043eb409ebe7e006d78d74d8a093abd2281adfb61079f577117466c61465122a4a8548228e11e

    • SSDEEP

      49152:WbwX3ENOtYazWNE6ZopU17WQ7PEBwAr0ZTdk3WcgxQXtSTcaA0AlF0Uu+r2qMk9:VvYazvC1RQyTTe3WHu9STcaAZv8qMo

    Score
    1/10
    behavioral27behavioral28

    • Target

      E2-20201118_141759.zip

    • Size

      148KB

    • MD5

      fa541ef43e1473d845aa50ccaba6aa23

    • SHA1

      df7704aec365df548379c91a721d31989d8d4ef1

    • SHA256

      948ae9b9e469c0df7478cf8840a78869299e59ffd85b581840b39abc89760001

    • SHA512

      2b8b5dda4c387ca02f31b4e7a2f5a5935163ec158b614bf042d6985fa5da1474e6ff23db4e8561a6f573e9d4482cc2de0e5e4da1a49d19108e8f27139690b8f5

    • SSDEEP

      3072:PCWcu3nJryPqmiLotuF9e0kYIMeZke4OsqprU2sz7xQL+OqmwjilD:KWcu3JrEqToUFMg1OsqxU22qL+p1MD

    Score
    1/10
    behavioral29behavioral30

    • Target

      E42A.zip

    • Size

      194KB

    • MD5

      73f2228828738c041f4aa25344895bb1

    • SHA1

      983c3f4cf870ef5b0df11c0451c19ba3e538c9d0

    • SHA256

      8758246c4509bbcda1d1adea726442eec076e39dac24a8cb467178024c209a8e

    • SHA512

      ef5abbe966c73e22aaa3345707fdb4dd01bb2f83e98cf09d6aaebd347786b0c2e547bb42e23985d5e630b494d8fee66bdf87b830570c9789048ff43a0d928e4a

    • SSDEEP

      6144:8kNIs9YIb+wNcARfGdJ1slcliM6pjR3JnaQOWqNJ:MMRRfGhslcx6nQ

    Score
    1/10
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

8
T1012

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

static1

macromacro_on_action305419896main26.02.2020upxstealerxdsdddvictime25/03samaycryptonepacker09/0407/04insert-coinytsystemhackedhackmodiloaderzeppelincobaltstrikenjratrevengeratzloaderxred
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

execution
Score
3/10

behavioral6

execution
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discoveryransomware
Score
9/10

behavioral10

discovery
Score
3/10

behavioral11

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral12

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral13

discoverypersistence
Score
7/10

behavioral14

discoverypersistence
Score
7/10

behavioral15

agenttesladanabotformbookgoziqakbotraccoon86920224spx1291590734339w9zagilenetbankerbotnetcryptonedefense_evasiondiscoveryexecutionimpactkeyloggerpackerransomwareratrezer0rm3spywarestealertrojan
Score
10/10

behavioral16

agenttesladanabotdharmaformbookgozi86920224w9zagilenetbankerbotnetcryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
Score
10/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

asyncratbabylonratdarkcometnjratwarzoneratnulldiscoveryevasioninfostealerpersistenceprivilege_escalationrattrojan
Score
10/10

behavioral20

asyncratbabylonratdarkcometnjratwarzonerat2020nov1nulldiscoveryevasioninfostealerpersistenceprivilege_escalationrattrojan
Score
10/10

behavioral21

discoverypersistenceupx
Score
7/10

behavioral22

discoverypersistenceransomwareupx
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
3/10

behavioral26

Score
3/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10