General

  • Target

    Malware-Database.7z

  • Size

    92.7MB

  • Sample

    250110-xlpwfasngx

  • MD5

    775a2ebd94c6a16e537104a81a1d25dd

  • SHA1

    25c79d85b9b67f4eb9b77fc958f8e17938869de8

  • SHA256

    92d84101f2334eacdaef3eb63b3770f3a20a8b1318a881138d6561e5d350207c

  • SHA512

    ad1f2c6a71006cdb98038d1c1eba2d18bc6b29f97a966b5783950b850c34178e2ebdc69c13df6cd2e24d446066afd936d56c3af7ece42896441a4e0acee91f85

  • SSDEEP

    1572864:hx+uwuNsTwOoHFXGFEjyjLWpHU1eUtxyoH4EQGIXlTQlE4RGcNWGyW0q:vvuFEjrpUf1H6rkE4pyW0q

Targets

    • Target

      000.exe

    • Size

      6.7MB

    • MD5

      f2b7074e1543720a9a98fda660e02688

    • SHA1

      1029492c1a12789d8af78d54adcb921e24b9e5ca

    • SHA256

      4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

    • SHA512

      73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

    • SSDEEP

      3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9

    • Disables Task Manager via registry modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Target

      Alerta.exe

    • Size

      111KB

    • MD5

      e8ed8aaf35e6059ba28504c19ff50bab

    • SHA1

      01412235baf64c5b928252639369eea4e2ba5192

    • SHA256

      2d2a22db20a44474afbd7b0e6488690bad584dcae9789a5db776cc1a00b98728

    • SHA512

      d007c96b2fad26763d27be8447ca65e0ab890deb6388b90cf83c0b3431e09b225f7424098927b54f15fe34eae953b61b45371b0df4b2d89c60be9c006ffe9034

    • SSDEEP

      3072:AuDWghj8FVadgTtzB4QMW+ybdBl7Du1T:bDWqY2qTtCQfb3l+1

    • Score

      3/10

    • Target

      Ana.exe

    • Size

      2.1MB

    • MD5

      f571faca510bffe809c76c1828d44523

    • SHA1

      7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

    • SHA256

      117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

    • SHA512

      a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

    • SSDEEP

      49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM

    • Adds policy Run key to start application

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      ArcticBomb.exe

    • Size

      125KB

    • MD5

      ea534626d73f9eb0e134de9885054892

    • SHA1

      ab03e674b407aecf29c907b39717dec004843b13

    • SHA256

      322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

    • SHA512

      c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

    • SSDEEP

      3072:2f9+exxxz0fAcQ8nJHG5VZYYycEIojDknqhclLD:4u68Mdbw0plL

    • Score

      5/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Bezilom.exe

    • Size

      28KB

    • MD5

      8e9d7feb3b955e6def8365fd83007080

    • SHA1

      df7522e270506b1a2c874700a9beeb9d3d233e23

    • SHA256

      94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

    • SHA512

      4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

    • SSDEEP

      384:1gc4XlUUWiY1SN6oHN64iKZz+ZBEKTzEv819YSHOuSsAR/+eR4517wNwEb:1nREWEFsI+wAJw2E

    • Target

      BossDaMajor.exe

    • Size

      1.9MB

    • MD5

      38ff71c1dee2a9add67f1edb1a30ff8c

    • SHA1

      10f0defd98d4e5096fbeb321b28d6559e44d66db

    • SHA256

      730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

    • SHA512

      8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

    • SSDEEP

      49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Modifies system executable filetype association

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      ColorBug.exe

    • Size

      53KB

    • MD5

      6536b10e5a713803d034c607d2de19e3

    • SHA1

      a6000c05f565a36d2250bdab2ce78f505ca624b7

    • SHA256

      775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

    • SHA512

      61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

    • SSDEEP

      1536:ynqAKryDLrASOcRw52sjzIUK7RkYrJ2lrKX:SNdMT8Z8cX

    • Target

      DesktopPuzzle.exe

    • Size

      239KB

    • MD5

      2f8f6e90ca211d7ef5f6cf3c995a40e7

    • SHA1

      f8940f280c81273b11a20d4bfb43715155f6e122

    • SHA256

      1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

    • SHA512

      2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

    • SSDEEP

      3072:r/3qftCdbSFtY8Zf8pOk0rHitNWIekbnfFPsr24Cv/Eng9m3ihlCeKH6Fb6aX3WA:WoI/rC0k7ar68nimCYHe3qZr0SlC

    • Score

      3/10

    • Target

      FlashKiller.exe

    • Size

      4KB

    • MD5

      331973644859575a72f7b08ba0447f2a

    • SHA1

      869a4f0c48ed46b8fe107c0368d5206bc8b2efb5

    • SHA256

      353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3

    • SHA512

      402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1

    • Score

      3/10

    • Target

      Floxif.exe

    • Size

      532KB

    • MD5

      00add4a97311b2b8b6264674335caab6

    • SHA1

      3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

    • SHA256

      812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

    • SHA512

      aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

    • SSDEEP

      12288:l86GkvJFajbhjTpHjq0dfpT1Oc02XEfGdnGwVUNUnEnAE3F:l8lT9PdpwO0fkGwVUSnEnAoF

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Detects Floxif payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      FreeYoutubeDownloader.exe

    • Size

      396KB

    • MD5

      13f4b868603cf0dd6c32702d1bd858c9

    • SHA1

      a595ab75e134f5616679be5f11deefdfaae1de15

    • SHA256

      cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

    • SHA512

      e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

    • SSDEEP

      12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Gas.exe

    • Size

      18KB

    • MD5

      e7af185503236e623705368a443a17d9

    • SHA1

      863084d6e7f3ed1ba6cc43f0746445b9ad218474

    • SHA256

      da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

    • SHA512

      8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

    • SSDEEP

      192:KtRj6/XFyk9YPdXTH08W8c3LXLtYmEBI9qHVDEV:WV6fFy2Ylz0TiBIw1Dc

    • Score

      3/10

    • Target

      HMBlocker.exe

    • Size

      48KB

    • MD5

      21943d72b0f4c2b42f242ac2d3de784c

    • SHA1

      c887b9d92c026a69217ca550568909609eec1c39

    • SHA256

      2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

    • SHA512

      04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

    • SSDEEP

      768:xE09MOEzWGoOIx2qCZVZmj+Wg5VK2LDakrDZ5yS/wwHA49kszNAY1XKoJc4P1:t7w73bUNMMkrDry+6Ut

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HorrorBob2.exe

    • Size

      11.9MB

    • MD5

      9331b20120075b2685d3888c196f2e34

    • SHA1

      1af7d3dc4576ef8aaa06fa3199cf422b7657950b

    • SHA256

      98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2

    • SHA512

      83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b

    • SSDEEP

      196608:zHvwfYWqhZPHE5D7cdPNPi17S+IRTX7UYVlj0EcLnKXanF6eeBUsjD2ABShiFiJt:vZ8R7c5527SpRTXQYVlYEGnKKF6eeWgO

    • UAC bypass

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HorrorTrojan6.exe

    • Size

      6.2MB

    • MD5

      abb3a2f1580a738c96716509a0d9121d

    • SHA1

      9843ed4836e3d08de2a7f73a9adf382dcbddea34

    • SHA256

      32d2d9331da7f7745e9031538997cc1129b28af533dcb3ddcc81230f48b89226

    • SHA512

      01eaec3d0e42408bd3b2331d5e73e0603b728ae513b401075cbb9d948a0870d9a4572cd3b454f6586c4727843b61070699c9f750a5aec3fe2c2e98b5e7d500ac

    • SSDEEP

      98304:jaGNjTo0gBLMFwdvZE+j7AtaSQS+JBciIUDCyCMdKo1zuvpWMz7ZyvD39HaFdQ:jrnOLW+j8LQPLD16oGsvxHCdQ

    • Score

      5/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      IconDance.exe

    • Size

      301KB

    • MD5

      7ad8c84dea7bd1e9cbb888734db28961

    • SHA1

      58e047c7abecdd31d4e3c937b0ee89c98ab06c6a

    • SHA256

      a4b6e53453d1874a6f78f0d7aa14dfafba778062f4b85b42b4c1001e1fc17095

    • SHA512

      d34b087f7c6dd224e9bfe7a24364f878fc55c5368ce7395349ca063a7fd9ac555baed8431bfa13c331d7e58108b34e0f9d84482ce2e133f623dd086f14345adb

    • SSDEEP

      6144:+gYw2itwtdpXQ9g64B8Ly7Cs1ApMTP8hyLrlre1:8w2itSyV4B9aMQYI

    • Score

      3/10

    • Target

      Illerka.C.exe

    • Size

      378KB

    • MD5

      c718a1cbf0e13674714c66694be02421

    • SHA1

      001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

    • SHA256

      cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

    • SHA512

      ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

    • SSDEEP

      1536:IM64RFcdoYicOWtlo4yJDsE4KmtZxq3/1d+DSaumOY6eeLnAGTpZspibfaSuOypE:IMJkoY9lpoaKm2vacPESu/wK3+

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      LoveYou.exe

    • Size

      22KB

    • MD5

      31420227141ade98a5a5228bf8e6a97d

    • SHA1

      19329845635ebbc5c4026e111650d3ef42ab05ac

    • SHA256

      1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

    • SHA512

      cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

    • SSDEEP

      384:o4LBivz/4RHCxN3IBUDzfGWCw2cKgDwg7dEsL9s+cLUoHl:o4LBu74Ro9ImnfGWJ2cKgsgZDW+cLUe

    • Score

      3/10

    • Target

      MistInfected_newest.exe

    • Size

      22KB

    • MD5

      1e527b9018e98351782da198e9b030dc

    • SHA1

      647122775c704548a460d6d4a2e2ff0f2390a506

    • SHA256

      5f7471c215b433f1b28dd4b328b99362099b6df7cb9e5c1d86a756388e0c7aeb

    • SHA512

      4a11c811f30016218075d43a9f983fa7a484a06f22d625b1bd2d92b4cfabbfb142945ca0a9ca1cf91391a3e73c154f6121140d2f1d42aa35ad7f10817534a21b

    • SSDEEP

      384:qosO55gUoO4D+DFBCd6GyhETw62O0OnYPL3p+:XsOkUoO4Dsbc22

    • Score

      8/10

    • Drops file in Drivers directory

    • Target

      MistInstaller.exe

    • Size

      83KB

    • MD5

      8813125a606768fdf8df506029daa16f

    • SHA1

      48e825f14522bd4d149ef8b426af81eec0287947

    • SHA256

      323060680fed9a3205e3e36d2b62b7b5b6c6e6245e4555dcc733cf6ef390f41c

    • SHA512

      9486a027029a27cbf0424760625c08d73aa62e28e45081751c5bada7c07ca05b4e44239da7774cf4f76298fb6b71769ae62595ae439b470c8308d39e1b2289d8

    • SSDEEP

      1536:IyD2eyujEyC5YYafh1Mc8/gsWjcdjl9btC:I+2eytf3B9bQ

    • Score

      8/10

    • Drops file in Drivers directory

    • Target

      MrsMajor3.0.exe

    • Size

      381KB

    • MD5

      35a27d088cd5be278629fae37d464182

    • SHA1

      d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

    • SHA256

      4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

    • SHA512

      eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

    • SSDEEP

      6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7

    • Score

      10/10

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      Nivdort.exe

    • Size

      871KB

    • MD5

      ed2cd14a28ff2d00a5cefcf6a074af8d

    • SHA1

      5b3e04f8208d3de912413efce27372255d6b3fe9

    • SHA256

      eea059174127860154f4dce1a7d8995a9a5056febf73819d63ddadb522ed6c8f

    • SHA512

      e07a16daf102fd45ced2ba03dfb0e135e3129d143e2fd53d392158a90546a75e32b872710dccd160ee8f143e38f8ff74f2694e292cb530e70863abac51a4bf9a

    • SSDEEP

      24576:3BgjXGPO1tWpi+2NfonQgvb6VBg3JJgn/+:Wj2stWpMoQqbWG5Gn/

    • Score

      7/10

    • Target

      Nostart.exe

    • Size

      233KB

    • MD5

      20fa439e1f64c8234d21c4bc102d25f8

    • SHA1

      ba6fc1d9ba968c8328a567db74ef03eee9da97d8

    • SHA256

      2f10f1384f3513f573a88e1771c740a973a5a304387e23aa4bf310794532fa8e

    • SHA512

      19e9d62a852293ffa99a412ba8fa5dd0336a7753af4975e06cd53c02ee6f0058485160f8f8a64a8bca19d88eb426a4a2785885c02a494f33f2b6e383204a7f39

    • SSDEEP

      3072:iwHcAxExO4fY0Jg8KXXSRZCavlSEEH9FZYlChQRp2Fgw/y2VRSjfoP4iylvAP9ly:xd8kAZCa9YHu8hQRCz/xJSloP9l

    • Score

      3/10

    • Target

      PCToaster.exe

    • Size

      411KB

    • MD5

      04251a49a240dbf60975ac262fc6aeb7

    • SHA1

      e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0

    • SHA256

      85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

    • SHA512

      3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

    • SSDEEP

      3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c

    • Score

      7/10

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      PankozaDestructive 2.0.exe

    • Size

      734KB

    • MD5

      b172b2bcebd8e4797ceaf0503c5840ae

    • SHA1

      ecaec7910a01b4a142741a0ff0d49c0a47acdfd1

    • SHA256

      86b279800d7aa3025b59391f4f8bab2039c41258d0daf3d85365b0c3ddf05065

    • SHA512

      f1e2a996be71155e1a101ad5e28c826ef61baaa4d5bb5a003b7038531e647d02438a4b82f67ab26d96c0b6af412b7e0b45b2568a8325beb1b90b81fb4266947a

    • SSDEEP

      12288:/gyq+/b1bnZBkd87AzpF69TFDgfQzs9K2+9gF9DkWE0ozoS9nNcTgUKad0/zbTPQ:oyLdZBTszpWFDgYEcgFGrHnNcTgUKad7

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      PowerPoint.exe

    • Size

      136KB

    • MD5

      70108103a53123201ceb2e921fcfe83c

    • SHA1

      c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

    • SHA256

      9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

    • SHA512

      996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

    • SSDEEP

      1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD

    • Deletes itself

    • Executes dropped EXE

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      ROTANOTEDKSID-Destructive.exe

    • Size

      17.9MB

    • MD5

      8b93e46a7e9e681b2124ffe7647bbba1

    • SHA1

      dee59152e78de697f1d23b350cd0f1e14b648960

    • SHA256

      c9b88b16d87992287ef72834bae3ac45db9eba4e32dcc8db4756bf6349d97a25

    • SHA512

      47618d6f367b99a0b9688dd2bdfba9e2999195c556dc8c4defb4284998093d737b586911de280dfaf51fe76ca628fc6d47096dd4077ce2224c4df3272439e138

    • SSDEEP

      393216:3bAOuHdROJY4gVM5RdxEK1iLXXEhkrzu2WXJcC8d9SkdOt:3sOg0Y4qM5RXEKWNjWKCc/o

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Sevgi.a.exe

    • Size

      203KB

    • MD5

      b28505a8050446af4638319060e006e9

    • SHA1

      d3ddca0f06af4df29a9f9fadb6bad8504add5525

    • SHA256

      750e37d1fdd64e9ea015272a0db6720ac9a8d803dc0caad29d0653756a8e5b17

    • SHA512

      889dc35054f5adc5b5445fc90dae5e19fe95ee04432f5230994124b73f9a1fc4bb050aac789f4934c84ed42d8c063b8219563e33a48b92f10294b7d8e426b9f9

    • SSDEEP

      3072:M7PDcEPPhtIlT5ri9bOqStDvzvSheG3ivbV0EIU9j4szgGGl/2tdnpm7no3:qPDcEPZSTrsyLzSovp0PGUGkQnY7o3

    • Target

      Spark.exe

    • Size

      495KB

    • MD5

      181ee63003e5c3ec8c378030286ed7a2

    • SHA1

      6707f3a0906ab6d201edc5b6389f9e66e345f174

    • SHA256

      55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe

    • SHA512

      e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92

    • SSDEEP

      12288:ehny10sOqEl5yD4UmxYV1g1bT2kdSOSGL84Umxb:exZ5vYORMOJ/b

    • Modifies boot configuration data using bcdedit

    • Enables test signing to bypass driver trust controls

      Allows any signed driver to load without validation against a trusted certificate authority.

    • Loads dropped DLL

    • Target

      SuperDeath2.exe

    • Size

      7.3MB

    • MD5

      391942faa157675018a6d26b6c631011

    • SHA1

      5dd90332e1e1d632fd6e63f9aa2024e667aa5cd5

    • SHA256

      9c027063879df3d477e9092a187c306c7d20eba956cf7517423d8eb2ad5960f2

    • SHA512

      debba49b7fbab85f099e5ff10bd2c75105166f20eb63b058d580e9043f33f272f80096bbce181f71d2476b1fd8059d386c28435a032bfca7210d2cf36f007e4e

    • SSDEEP

      196608:GJXjwzfuuvf08BjSDLpiWA/HTIKUI7RVt:KwzfuqBuDLpiWAfbR

    • Score

      5/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      TaskILL.exe

    • Size

      31KB

    • MD5

      c261c6e3332d0d515c910bbf3b93aab3

    • SHA1

      ff730b6b2726240df4b2f0db96c424c464c65c17

    • SHA256

      4663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9

    • SHA512

      a93bd7b1d809493917e0999d4030cb53ab7789c65f6b87e1bbac27bd8b3ad2aeb92dec0a69369c04541f5572a78f04d8dfba900624cf5bd82d7558f24d0a8e26

    • SSDEEP

      768:Tyc7/ovNV004AjWU3GQelVUlidf+prtbjzjy1QVIibtYcFOKc6K:Tyc2z0ajWTQelzdGDbjzKQVIi7OKcl

    • Score

      1/10

    • Target

      VeryFun.exe

    • Size

      3.0MB

    • MD5

      ef7b3c31bc127e64627edd8b89b2ae54

    • SHA1

      310d606ec2f130013cc9d2f38a9cc13a2a34794a

    • SHA256

      8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

    • SHA512

      a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

    • SSDEEP

      49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8:Js/4ibecELz/RkO6LF4hRq5GKHmBBY

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

Task          Score  Tags
static1       5/10   upx
behavioral1   8/10   discovery, evasion, persistence, ransomware
behavioral2   3/10   discovery
behavioral3   8/10   bootkit, defense_evasion, discovery, evasion, persistence, trojan, upx
behavioral4   5/10   discovery, upx
behavioral5   6/10   discovery, persistence
behavioral6   10/10  defense_evasion, discovery, evasion, persistence, privilege_escalation, trojan
behavioral7   6/10   discovery, persistence
behavioral8   3/10   discovery
behavioral9   3/10   discovery
behavioral10  10/10  floxif, backdoor, discovery, trojan, upx
behavioral11  7/10   discovery, persistence
behavioral12  3/10   discovery
behavioral13  7/10   discovery, persistence, upx
behavioral14  10/10  discovery, evasion, persistence, ransomware, trojan, upx
behavioral15  5/10   discovery, upx
behavioral16  3/10   discovery
behavioral17  10/10  discovery, evasion, trojan
behavioral18  3/10   discovery
behavioral19  8/10   discovery
behavioral20  8/10   discovery
behavioral21  10/10  agilenet, evasion, trojan
behavioral22  7/10   discovery, phishing
behavioral23  3/10   discovery
behavioral24  7/10   discovery
behavioral25  7/10   bootkit, discovery, persistence, privilege_escalation, upx
behavioral26  7/10   bootkit, discovery, persistence
behavioral27  8/10   bootkit, discovery, evasion, persistence
behavioral28  6/10   discovery, persistence
behavioral29  9/10   defense_evasion, discovery, evasion, ransomware
behavioral30  5/10   discovery, upx
behavioral31  1/10   (none)
behavioral32  6/10   discovery, evasion, persistence, privilege_escalation, trojan, upx