azorult | 2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Target

Malware-1-master.zip
Size

45.4MB
Sample

250116-p4et7a1mez
MD5

ef37386fefe6fbbf646805a591add083
SHA1

1abfc73d9a379c796036de72e5f7961b4295bf5e
SHA256

2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c
SHA512

112cccdada7554db108f3fd469e72fc0568aadbcad33b75a2046018827c5542d5fdcb6b454eb7bb0f58a6ea00e65bcd503a807222e1f21cc9a0f087c89453d3e
SSDEEP

786432:8hXFC0opkN2sA1VYXb1ZfLKvrXpXyNoqpkHuMBWn3GhUclPgJ26GEa5+VX:+FnQCXb1ZzsyXpKdBEGeQP2Vj++p

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

bibl1234.ddns.net:1604

pizdash.ddns.net:1604

Mutex

DC_MUTEX-QKPH38W

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2PaBrGj3TwxK
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3982764349-3037452555-3708423086-1000\BSNVNW-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .BSNVNW The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/155886aaacb6c796 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANjvVj/Pjg3aJRz5Gyxoz4FU6VD7+f2sq4tJXes4EtFNVi7B6Zbq3iAMzEL6tLkD6nzO6RJWzycXTUEkyI0uK1TsYyFqdHMFAlVDlOFx2R5McdlURHq5Y5HpMgNdCEirZeu5WwtmBYdqk8VwkH6OMbMHkhsEtL/biKqRQ5O5e77laXUZw8xsm+iFnY8LCjnpvVPO4bUsW2tc/+AUHO0QCKOuJVj0jr7fiHuxAvtzFPbr2no/kkUlaTXpZevmwAQ0NLWlCKBegyYOszwFx3Y5agGKTyd2v0BponJSlMcm5BIYyiWIqa1wQfzmt0welVmwaEzA7/mA6cQ96Mt/FFvPEBebf8qU6AYlsWTFrWQS8AiPAOAsBLkPR9DNdqV92T6URpaMiWpMr/dY8jFpv2YhJ9OVGkSbhWVJeoUUJEgpVRHcv+NWa2gCYne9aNc6ahESWDrV7X/YkqVIh80wgjbINz3U6seaR8/OfBxjchsICNMko5TjnnmfSGAR2bfClRIWJCovfEUr/pnRbpn8IkdLbxqy2i9NCPSOsCB36dmm1Gv92kfN46FAF9QXWcIIeaZq7nz4VTcOQy55+WG89Z9EMb75un+am6tcRediAjA/DT25DfelOoItHhCQBMwtnePnaKa0bqSRWO8lGX5O5svsmzUdX+6WTg6BDlzUHWSZVqyV6WfB4Q8G0CJA9S5lLNzcGVyBDQ7NBT2molqrWZY+zNUbysAVMptIGruQqBT7zAw4o/jiXugw4SB8cxRyHASAyspaKGlQEHnUFMQVTeaTMptsEhwW4oNzjFmvMZry8i2HKeVuMPooloxlPkdz0c+/2PaRUz/NBmOx0BtvWgdlCIXKH5eQUb1PbktVdHAUG0krmBa8JBstMBSQvYrolMQvQYNMVD//QN2Obot+uwiDBGdDuXvKxd88/2J0/ZZQuVW+ftvxrs/nDVs0aghmjAaxUE6nvuaTjuy0Aa1bdWdTvzQ1s5JwHtq5Uq2q9nIFU0Jbd+5j6Zw4a2OULUEnX0MauGubwKJXVT7RSLPix8FGd+NXY+J8CENSjWlCVVSkynF4IvYWTRTcDCPbP4ge54xuadx0B56hCH24wdT7iDNVE63hbt3AkTXBFwusREMRXp6eJENqGPymusbnWbv9z+cZ7wUoFHrPRO61L6OsfkA2G1M1EepqZ0vOJF0VoP0QvYrgsA5G6b23WzCBNkNZfwReQg/reYpXxlzbX5No1XDzlFks+lg+JJA2C22NcZrQc9/iv1E1N87XU00qJPu58x6dyPEofW6vvBOOpr8zhHZgOWgw6jd4iYZ6pmAtB/PwlYtzHHWLC2aZWshLRBIG1o1lQK4nz5hNe2v5l4T7qYwjG0pa2sx6yl8Ym4xvJKb0PMrLIXLijBZpbBIKq7HHG7QbGfJk0Qo1OqQJcrSeJJ0P59a/ahcRHye4fCXsLb7U2+woznrEZSkxDh66i19jnLunmqHjh3Adr9r27oBtaCx0qtObDGkFHwhwS7bJtvwSLJUtTqNvmj/c/S064+pc13ofcaPbhnm7znMWsAOdAfoOzEIApPxEozrfS2dOLnI1W/yFQLLrtWw3xEa32jRM0YTgoUiP5VceVuJzuVUsy3ZD9/w3vbZ2Xg55Am7GIsA9kYOZtSkr72Ddpg3e7DboYJh5yTkEQga4Y3OLbUwB/oQcgRzlW5tXgN6wDLPKC8up5HztmuB5KcjfsB04FzqAusA+KOiIWOicHwHI2YTLUDljCKv5YWhq277GPmdBWzYZOYg42eFe7aBHDpquIpALKGmyZ3VroQMuiV2GQO4jdKhJE4l1Lolh3o+Wlt9okbEjirmXwS5HGck25hsWFTfroi1VoGP9QijM8vaTMEWrrfHaJL1hs8XV0EcpK8PAH8HImtccBd0DaGZxNFIzyyrURlUJrNjUygqj1OISNFTS8N4ZBk2rZQ56y9rzEM/j/TnHGnOpCQ77BZQPVGH/MOqdPj0iKSwI3IrxUfXU6IlBWmwN+SxgZlAClgR/HDfAJxir970po1e+ddiotrcml02ZupsG7Ma/jMXl2hN453k7anzSOSyng0Fsrf/y2FhphxhyQkYM3tmxQDR8jLP29y08bQr8BiE2WMhGEClar1AMWRCeo44oWYjq4b2oHHZBwoW0wSwiLo7AEuzd3xxHHCzoZxPT++xQ7rXKLiRJ4kddlwAK0Q+86efoAB1wl9mvN+h0bzKK24bWxDnFO2IJBDV6/CSPKPt5vbA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZDTphRuXYY7n1WtbfPTG6Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9Fne90CCDIxVw6SDJIrsX07SirFGQ/zkfgtFNi/qcantLql56Vi5bF2kV7BouL1/zg2Uut5GoZYA1raBnPtoBHXEdwbpCca4tG4PaawY5pyOIzw2Smix5RITWgqZ1O5JJQJ+5E8wIYoCRO7nKU+fO4mANef+GFCg8NrKg3sxA1KwA7/ZinpChFE3vPLNeao1wAZLnQURlaKfTnX1lDgdX8ImU7fnCzyQUpnn7Iylrmw4XJ4VffpFDeBfGAcE8BhP3dNhn9RQ3XC06ZBEuHtL0igBY1McpHzHpsOfb/PRdsPp4l8V6Pu8LORzJL9NXYMh8cz/ewLRbhtDP+1bmbW6uIcXpdeNtQu9FRhfFKI2vxg0WmDLQgzxwsJfmL5AGFeiSEEyrIVT+HbRwE2KYD/kjM1dHg34W5UffeUvXI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/155886aaacb6c796

Extracted

Family

azorult

http://216.170.114.4/send/the/index.php

Extracted

Family

trickbot

Version

1000312

Botnet

sun10

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

109.234.38.220:443

24.247.182.29:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  Malware-1-master/2530.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral1
- Target
  
  Malware-1-master/2887140.exe
- Size
  
  144KB
- MD5
  
  fead887648bddd70a05cf7a7090411dd
- SHA1
  
  250c0de3dc100d265ae495f045a2c47dad3520e9
- SHA256
  
  dfaf75da62d0561d171217fe893bd818a72ebfccd9d7e7f4c046f5b3ca44794e
- SHA512
  
  e1f15de084a78bf27a1c62b5d0d31fabd10be13983dca05962c40ea1e8b3f7bb617e92f44a78048d3484d16f5d4b9e42bc8c5a4b02fda0e0f5eb69368149920a
- SSDEEP
  
  3072:buY0LMcTrgw6mo4bnGkbUyh/h39iN/Ko8LdKpZbZo:SY0IkImZUyh/h3MOc
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral2
- Target
  
  Malware-1-master/32.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral3
- Target
  
  Malware-1-master/5.exe
- Size
  
  312KB
- MD5
  
  0b0dc2b2ccd4b46b3381508f7209a582
- SHA1
  
  a67a1619f96914e4e50e4f86f656ebb54021879a
- SHA256
  
  66ae33003289d8c6c3dc7c45c1b01110b4820281061292ac076b1783700a1f2d
- SHA512
  
  0715c2f6e01a923deb8bd5c4c70906942ee46dba6383bbd2edbde53e23a7b5c2ab8063e5f48a973925815f1dec18fe15c362fcf928d4f35d12dcf123f303cc37
- SSDEEP
  
  3072:5ODQa/lz20bbn7yXO/7/rCaZXo3ZU+BfhYJMyTPkDDYvU:+Qahr7DZXSpnSs
Score

3^/10

discovery
behavioral4
- Target
  
  Malware-1-master/96591.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral5
- Target
  
  Malware-1-master/Amadey.exe
- Size
  
  49KB
- MD5
  
  871294e398217876017702c96d0e7854
- SHA1
  
  35a22da1522bf86659576ed59235f8ed7029e79b
- SHA256
  
  7fd898dde3a7ed047657e3dc81c3de50ed381857edc53744664332fd98476c54
- SHA512
  
  047237e3a615839918fe32662524f2de5455734a01cbb2f66017c636f3d08207b3aead79cdff9a94729550ad7eddc2b5950d5e774fb25fba2d0d69e048ca7fe5
- SSDEEP
  
  768:AN4a7os+Bd1CiSJfBFdiGOsSyS5/hhurlzdx:3a2xC5+YSyE/hgpzH
Score

7^/10

defense_evasion discovery
- Executes dropped EXE
behavioral6
- Target
  
  Malware-1-master/Download.exe
- Size
  
  247KB
- MD5
  
  6a97f4f16e7879967a5c02d143d0bd46
- SHA1
  
  0898ccf65770813f69bf339462a05a8c6e17be69
- SHA256
  
  de2274da8cf00dfc6e6e52db43f82210a1fb7fd30016ebdc81347fb2d1f248fa
- SHA512
  
  0bc14103518a2e234f4e3f4ddc46e91a1ed21c2885fd4eb27d3cf8cd088e4fa4fffcc221ddb404f52794c57d6693b2ce080e797bf33f2322490030e0fce0ac27
- SSDEEP
  
  3072:ZV3bDzHY2weWeFoyUWfMRBsfpVZynzK4ChhO2IGmXf3Ur3CvZJnodCKJYsUH+Iun:ZBbDzHY0UsfPwUIvOd1
Score

3^/10

discovery
behavioral7
- Target
  
  Malware-1-master/Illuminati.exe
- Size
  
  1.1MB
- MD5
  
  087b2505ac41831c753cf7d1e660c42c
- SHA1
  
  dcae226923e062291f48de4d3416d38387815c67
- SHA256
  
  f99e4c9a4dd14d402b16e36988b72f3fe7f34b42157f756dbd14b39c70059336
- SHA512
  
  10d5f6f7c9f1df66a7afd3dcd2e70288d89bb75a2f6fffa3621b4a4192c40b290eb7c76392b0b282d80925b81d2271c3d1e96a4f406d1f1c0d069a5f6f96c086
- SSDEEP
  
  24576:qqvM7STjLT5MSLMDPS2X0xCyj8pk3tgqdtKkkoMJJck:VwMfTvcS2kjPgUGfJ
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  Malware-1-master/MEMZ-Clean.bat
- Size
  
  9KB
- MD5
  
  bbae81b88416d8fba76dd3145a831d19
- SHA1
  
  42fa0e1b90ad49f66d4ab96c8cca02f81248da8b
- SHA256
  
  5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c
- SHA512
  
  f03ac63bbb504cb53dc896c2bec8666257034b1c4a5827a4ad75c434af05f1cd631a814cc8689e60210e4ca757e61390db8d222f05bf9f3a0fa7026bdf8c4368
- SSDEEP
  
  192:XBOTDzoOgdlf7MAdTyQuHq2b1vXei2SLca5icrLJlz3:ss/tDyQuHZddL5Jlz3
Score

7^/10

discovery execution
- Executes dropped EXE
behavioral9
- Target
  
  Malware-1-master/MEMZ-Clean.exe
- Size
  
  12KB
- MD5
  
  9c642c5b111ee85a6bccffc7af896a51
- SHA1
  
  eca8571b994fd40e2018f48c214fab6472a98bab
- SHA256
  
  4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
- SHA512
  
  23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
- SSDEEP
  
  192:BCMfc/GinpRBueYDw4+kEeN4FRrfMFFp3+f2dvGhT59uay:AMfceinpOeRENYhfOj+eGdKa
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral10
- Target
  
  Malware-1-master/MEMZ-Destructive.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral11
- Target
  
  Malware-1-master/MEMZ-Destructive.exe
- Size
  
  14KB
- MD5
  
  19dbec50735b5f2a72d4199c4e184960
- SHA1
  
  6fed7732f7cb6f59743795b2ab154a3676f4c822
- SHA256
  
  a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
- SHA512
  
  aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- SSDEEP
  
  192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Score

7^/10

bootkit discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral12
- Target
  
  Malware-1-master/Petya.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral13
- Target
  
  Malware-1-master/Software.exe
- Size
  
  1.6MB
- MD5
  
  db056b8fa628b67e11bd626192939d6b
- SHA1
  
  248ca50f39de6b6180265d19fb6eedc68bf25afc
- SHA256
  
  e7f04e85236f0caafe518bd96369313021969077dba1c4a6d42e694498dab04f
- SHA512
  
  bca1856b4bb8342c0f6d5ee19edcb420c70e6b272f087d3f8f73daa00842fa00037840a5eb5655e1445af8d578d304874323b2889f75b27136df9366df596336
- SSDEEP
  
  24576:ytb20pkaCqT5TBWgNQ7ayEYyM63uUOyok0ceJZwd/w9mML9eu4MaMUp46A:/Vg5tQ7ayExZO9k0waPLR4Ma25
Score

10^/10

imminent discovery spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Imminent family
  imminent
- Drops startup file
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  Malware-1-master/WannaCry.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral15
- Target
  
  Malware-1-master/Win32.EvilClusterFuck.exe
- Size
  
  64KB
- MD5
  
  2e84f71165225ba0f7f8187c0b2f0f37
- SHA1
  
  3c9bf036163ede4b7f9152d04d1a83b7253dd029
- SHA256
  
  c9b98408ca67d08e1986d1855c4d99944caad5580533d18496cd8de86dd0885f
- SHA512
  
  82c39aaef6103877c8472a55eab6270d57f4d7c46830aedf5fbb5661d7e3fd7aee2e172cdc830cba22cd9034f37784a8cc34f70a5918491bccf148ee923db389
- SSDEEP
  
  768:S5ohpPUa2T1VZj4jkVQu7MKquVspXKCxiJrFnMWDmLfe9NZ+OAhaptX/71tXHHi4:tcd1Pl7ZVsw3rFiLfe9NZmAP5ZC6N+
Score

3^/10

discovery
behavioral16
- Target
  
  Malware-1-master/apache.exe
- Size
  
  252KB
- MD5
  
  8e747a4c115ac090e54dfa899c287129
- SHA1
  
  a1c523ad0a2fa1b533fb752a25aa48ff1cd4e1e3
- SHA256
  
  1117f585985ca4ddd03695876522f80951c919cb41db5854f013923f62285c09
- SHA512
  
  049fae2cccf4e1afc79d9e72e016f27d7714ad8b747c28ec3ad520bc25ff319f12aced97d16dbbe863aaab11514a9e90477656983fd67939c0e6d2ddb93558b3
- SSDEEP
  
  6144:ZcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQc:ZcWkbgTYWnYnt/IDYhPn
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17
- Target
  
  Malware-1-master/butterflyondesktop.exe
- Size
  
  2.8MB
- MD5
  
  1535aa21451192109b86be9bcc7c4345
- SHA1
  
  1af211c686c4d4bf0239ed6620358a19691cf88c
- SHA256
  
  4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
- SHA512
  
  1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
- SSDEEP
  
  49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Score

7^/10

discovery persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral18
- Target
  
  Malware-1-master/crb.exe
- Size
  
  139KB
- MD5
  
  24275604649ac0abafe99b981b914fbc
- SHA1
  
  818b0e3018ad27be9887e9e5f4ef1971f422652c
- SHA256
  
  4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
- SHA512
  
  008ef045724963d6ae3b845a6c3de8ebb6682b0f4b8ea77c2d35e2193596b78f0092183de0a88a34f7dde4e71abbc129b2f0f00fd8469801fff66f1b8390b6c8
- SSDEEP
  
  1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpKCaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZ8CaIxWec
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (285) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral19
- Target
  
  Malware-1-master/eternalblue.exe
- Size
  
  886KB
- MD5
  
  981aaac4782bb076aa737901910f2556
- SHA1
  
  a552a4dac03b584cbb7d461fd48b01ddaa85af5d
- SHA256
  
  7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b
- SHA512
  
  334d096f72d46adc522f21834d116968a7cb5f05dc21c60e094ac4ccff69412a2c108aeb5c54861ac717ebf884c632edd0291a3d832e4ab7dcc7903e7f965934
- SSDEEP
  
  12288:96fny4wDTzvE/XICULcJ48j406qbgg6RaAD9bSoGGHgm3Ihr6k:96fny4wbkHJ4I40vggPWSoGWv3c
Score

1^/10
behavioral20
- Target
  
  Malware-1-master/fear.png.exe
- Size
  
  66KB
- MD5
  
  60ffde3dd3003cd24feeba26e47e6571
- SHA1
  
  e6c57a55ca93b1f6ebccb8c5fe9757fd0801eea3
- SHA256
  
  101678f77a65b5b5830a128e4c737b2aaaea5be95327ec68213ebb92e4251170
- SHA512
  
  0a448886296c1f67760f2e09cbc226955c5abd833b6e7b2ce146cc673ddacca7bfbc59f2fa3f3a83381e7d67a0a677c487fc343833e3834dce84e00a6d286ca5
- SSDEEP
  
  768:AQyHrxwRjWjPc/u1SDSepzEtYcF6HKc6K:AJHrOWjPcmSDSepz46Kcl
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral21
- Target
  
  Malware-1-master/getr3kt.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral22
- Target
  
  Malware-1-master/iimo3.exe
- Size
  
  1.7MB
- MD5
  
  4f8767983d865a5e706ae3c6aa5ab6c5
- SHA1
  
  535bc0a1cf7140176fd6e6a205f3394d146c2ba3
- SHA256
  
  5ac017285572c24fc8b77324a52ca484e83c3622c61bea80a74a6850f0a16061
- SHA512
  
  a88e5fd993d2fdde869ef32a5271d5bbd222f2174217bf4e2c4cea6fad624d237b3528478b70ab1ec5011bd031fc93319865f5877e06fb3efcc53cc5c7e786a3
- SSDEEP
  
  49152:ZgTJ84RvagaNgNu5W05jvIAo69PnaLgnMu4x:ZgmmygtNfCvjf58
Score

10^/10

discovery evasion trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23
- Target
  
  Malware-1-master/jey.exe
- Size
  
  744KB
- MD5
  
  5a38a223e632a4754f6ec51cbe31215a
- SHA1
  
  008cfd9a4345ff5307daa5d2662db2e185fc3014
- SHA256
  
  97cd04af9acddab58cffa58c677d7645f5d894769d76539f44380b9175a67bd4
- SHA512
  
  e42691b8fda725865b1f379ad8fb56e333ab0c588989ae2890c074679fc59f392b475c57dc472998f00b4a3cad7456810e83886f4f7dd57a8492266ea4eeb189
- SSDEEP
  
  12288:Sss9czpqdx1S3DcWayzZPnpdVYke81SmUJqwCW+:uczp4Y3DN5VYkN1ShFCW+
Score

10^/10

azorult discovery infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
behavioral24
- Target
  
  Malware-1-master/m.exe
- Size
  
  1.3MB
- MD5
  
  cb53694f76bda870730f964f84f754a5
- SHA1
  
  bc1e6f81d8c54a5fb2e14f9f1ecce980eacb8844
- SHA256
  
  9ca85dc8b2ff574f775ddc92a45e48a74323c79e8fb2458413decd53cdf47aa6
- SHA512
  
  676c46b803b489afd780b4a0f58297578c9a1bec14b1e43a703664c3beda290dd6c88b6175afa59007d491924f217e623a831026aa2cec77a1c86305865eadf6
- SSDEEP
  
  24576:CYt5D+J+TLTSdZRFNR8aBNBweeS2ifqpAp7xGFyN/nd+7dQ5fUMkl:CYt5++T/SdbjBNOeeJiSp87Eu/dUd2UN
Score

1^/10
behavioral25
- Target
  
  Malware-1-master/mo3.exe
- Size
  
  1.9MB
- MD5
  
  9d7166176660b51398b82a2793d9e9ab
- SHA1
  
  b8511b36463a9b64b1a383805f16c99d4cf9ab30
- SHA256
  
  ff4e859d5fa6d8dea84aba8c9c0ccbc58f86be198e4a569f19f60c7844dd4edd
- SHA512
  
  938b5c274cb2d3218465f6f9eac21fb37de419e7f5e1a1383a5620d2a5b4cf50f4e730d4de45a67dca9b00373e8fd7c096d1cece1ffdb8a16be85e92f394b587
- SSDEEP
  
  49152:h6EMvW2D6H+CFkDSMMRTw+0PRzgUfyMzKmWSfg:h6EChD6HPeDFpHGUfy4rlY
Score

9^/10

discovery evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral26
- Target
  
  Malware-1-master/mo332.exe
- Size
  
  14.0MB
- MD5
  
  552326e3f16df1857e7918a569dcca50
- SHA1
  
  3a3fd7027c65c75b3e8930535b27e29b4681814c
- SHA256
  
  f5d20a2ef757dd374b1651a955a80113b33b87578e3484fd3589565d296d55cc
- SHA512
  
  a3d00cc28de8131484ebe29d1addfc9e27c9e782a6ec07bee2a19c88ee3afe0f867f8c0c933b6a83946266d46606483d87c8d57b5679cafeeae09eeae1ba41f3
- SSDEEP
  
  196608:OSfbf3vp28hgy4ohRID4CUAq52Zdm4nKJJmbmChthPtbSttLPSwYJQ:ffT3XhgQRI8C82ZP+MblGttLSpJQ
Score

10^/10

discovery evasion persistence trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27
- Target
  
  Malware-1-master/mysqlconf.exe
- Size
  
  252KB
- MD5
  
  fac6ab167e1b02c2e1465ae88fb8fcdc
- SHA1
  
  fe4fff9c4681c3f146c3ea31961d0a2933f07098
- SHA256
  
  cc02e9684f8e78227a2ec631172d32fbb48a4fc2a60fd91d160d2ef5e11c587b
- SHA512
  
  82a912a914ca01b533e97ece88550c25d3ba8095c71110fce55e38805ead66807c05b154adff0a457c6d8c98c96f6204503f158ba9dd38928ef86c8d3e0d089c
- SSDEEP
  
  6144:jcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQCO:jcWkbgTYWnYnt/IDYhPs
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral28
- Target
  
  Malware-1-master/o.exe
- Size
  
  110KB
- MD5
  
  73f0230c31eaca0f8cb20c88b4bd6599
- SHA1
  
  79d4ceaa753437e14f4baae45c4675a302f4d383
- SHA256
  
  47b306c80cf27a773d252757397fe9ec0a9571666044276166ede5b5958489ff
- SHA512
  
  afb59f13e5485e6815ac38a82b68cdf93bc2a8b01f818e88570fd8a50a6debafa2dcdb61ca4812700a0a223b44f60466333114375075b2c76e7a59c73a72bf01
- SSDEEP
  
  768:YY+RphoNSQhwS2BGmhn6MxRhUeADEe+NBgNK:XkY+pzn6shAgeqB
Score

3^/10

discovery
behavioral29
- Target
  
  Malware-1-master/qOA7iZJcoB8.exe
- Size
  
  400KB
- MD5
  
  7a58e7f8cd91b372af614ffe5db58eca
- SHA1
  
  8e341ffcfcb4b60b93700996b037c35f0221ec39
- SHA256
  
  6b111be3c180de78849b4f1c2d39ee0045695e22d339b50879a769351b1e6b31
- SHA512
  
  c89d62ddcc79d0e1a42dc090b3a149483e91f61c9aa9aaa489535dc32462d55d6accc2f55a255c42579c89a78afdd62f271dbcb4aab6c075b8cb70f6a143b5bf
- SSDEEP
  
  3072:bQgo+/qo6aiN3HKwkRF9kl+BHpQB8ID0msCJhp4Swm5WXDtVL3d0:2+/qo6f9kRFyl+BJM8ID0pCr/wm5S
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral30
- Target
  
  Malware-1-master/wintonic.exe
- Size
  
  1.6MB
- MD5
  
  c7cc7175fa6a305036ecd68cfb4c970c
- SHA1
  
  c440e7653a4811935222651dfe61e56a70e5b92a
- SHA256
  
  a0375c241cebcf6c4a0293f45a5dc0ce1150fe8169ea410c818af67e6f487b4c
- SHA512
  
  0fe4873d7cf6be5fcae7cefd545205ea58a977679b2183ec5caabd47920e3b66813e31e6e545d585f15d3a17d21846b042cd40a507d662c19a2bc58fbfbe4fff
- SSDEEP
  
  49152:+h+ZkldoPK8YakOvfcrEb8XCOEU5fwr9K:X2cPK83vkrEb8XCfU5AM
Score

3^/10

discovery
behavioral31
- Target
  
  Malware-1-master/youwin.exe
- Size
  
  379KB
- MD5
  
  c3f3773a596db65c6491b578db621c45
- SHA1
  
  ba5529fe2d6648ebfa93c17145f5570f448e1111
- SHA256
  
  dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
- SHA512
  
  8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
- SSDEEP
  
  6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4
Score

10^/10

trickbot sun10 banker discovery evasion execution persistence trojan
- Modifies Windows Defender notification settings
  evasion trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot family
  trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral32