azorult

Sharing

Copy URL

Twitter E-mail

General

Target

250116-p2cbaasjam_pw_infected.zip
Size

45.4MB
Sample

250116-qtp3vatlbp
MD5

bb89aa912881fd28b0f49ae859159518
SHA1

77d088904c3f72bf81a5655fee5cc171b2afb190
SHA256

994d6a3c00f42e919b596a6234346a095521ce84013474aa462570aa49b0e3da
SHA512

512869aa6457340e9b67a04495c87b9c56d59941e6594c26b6d0c840026433fd637321de206d4a52b23960cdb97e788422bf3f0ef862bac3452d287c810cd66e
SSDEEP

786432:C52/MKfhxQDvG5KendNkkjGfl4jyb1EzJQhKqFhUq0cIfl2smFKTC+N31MmsaJ/A:C5SVfWAkOyhMqFeqTI9PmsT/umNVmLl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

darkcomet

Botnet

Guest16

bibl1234.ddns.net:1604

pizdash.ddns.net:1604

Mutex

DC_MUTEX-QKPH38W

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2PaBrGj3TwxK
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3587106988-279496464-3440778474-1000\FMMPWBFZI-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FMMPWBFZI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b71d6538ce154346 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMkjkVMLZPO5xeiSdOrRep3diC+e+ELUAWtt/z4Bt3ij7C+pve/1QCkcLCkW7gfJIUj96oKkDSY+ZTq2sKmGY7Cnxu2Wo11RJEm+n5+Dvupbjk+f5OTcIwNQM6NQs9bdbmt2dzVHZ4us1R8fYn1CJA4WdtTZmnEZ5qdVDdqCg/1r5wx4NTxUJqYS87y08IXWgNRgV/ACvg3N8XNYJ92jZY4uXUgjDIALFM9xmKGu/yWucQiYL4DV5CCwczREsGeMl6duc0QMhYXkEH+0/wIT+wdyz0puV+d9KUziLd5FoK7KxLP4M70rkd5mEp4qWX0A/pfFbfOQLLtT9bELZ6at6wN8MSim+SAj9KOEvyZIOjBqD33/BqLfptSEPBQKB9F2l3E0c/altxqwhJSCqyW5R3mpqntDRxocZ4d8OvEXSdzBJZC4jX0Na2lkrqSKUJ8J+cU4zoBK9u3UIYEDZNGpxorbU8AuDP5QqYArtyo7Ko0E3Js0xBIMuqwX1ZF69SjOylUQUgYIDO2yXq/N3mzbYrHNN58iDORqyfaU0cLZCzYUbKWcUfC2aGAziFrErES+Vu40wSM2Dx4A8O8M7NvZQhHDAmvgEtAGyT+w9KHY365o5z6oTl4D2YLbrl0gJ6lgz6l/AqUOBUzv40S2f7kD5rQ8wdQefPGctqflGymyAipUb1geMC7OCf7v4ZoilXdXBeXjiO5x41bCj2CoVwVPLI1k1lY/JEaGwdHK/CJ6zKr9kyUxnhxpSAu1PFuK8H6+1QtWmMN2TU1T38iEjFSq4pJmEGP7W5Q2tad4B5bZBj1+zoCJIYARI94065btfpIBZuaMjV4qyp3AiIUBN7s1q4V7CLNWwqNPcpauKH29s/CO+GfCiXPlrwmeb9jjA40/WX9XM1mpJmX3qbbHJt3/Zfiq6saVKiQKh0BZGDYFz+1MifgontVx01KcqH5TQdH5BDo1DeY1lWNSpioDx60qQ2KEUtoPaE/OYinntFF1LNnAz/h3QxY24v1t30ykNmv4GumhRXtElo3kZ0hVGsKaMq+cEP/JL6+JpZ7aOYEozI1pEw6DInrVsRb9A+gnKy0M00pcceYfmQ6NY8oPAHd7JN+Kk79Tkm61K5jWsDNZR+NplfZVID6czPo8Sh7dpKdujVPruwrhk5DVAhXnW+Ros+QBS1eDuYmCdGl9E7lpozDYzm3PJzBTEhzJb4rJfBTthkfCakgNn9VBZ/vD5+PrTgGSSpZ7UYBHsuttas1h1vPnK8BSIMTb0RQES5e/O0e+qHeHq9JtmVTGZxgl969V2gjRILtm09/Z1ZSJKpYGo2II/CqvCdoog1oJLQ1kKLF3N4yGh6/UwhjI8cRZLvHDHwxeTld8yLHyGnYklijfU8zk13LGDEOACs9FKlq6eQb243beUpg7hZdKFMjyvFp1fU36XKgvDMaOdKtqs6umYbeoNDmSm1GZvUeYGcRCyFlxqDakMD/plspUQ3EwDIKRBoodI4qW69ZcUEUyz+Tq6yTiaE3ua6gL7qGOq4Vk3GR0B+pOsnVu/yhqFvmNhM4SHpCeE5x5/pl8SPMSI7K/Xh1Wj+oJz5LKXzIFCj/lWnxH3vHD9RnqHD5g4VjTo9gCk121glOgVPyukGpT48jpZLi2KsiWMmbligUz62NfuqxKyTK/f6LdgNZTiVbcTditaXzx0t12KtxdoJtuRa1a7GyAlXz3cwKbw8QN91vO9WyKTCj8A/GEJ+D3VMayIp9xqKkY4Ab69XjSRrLjuI+ndq20RiTXg0PGv2yJUSxuhv8fpVSwMPzn/Vr9xPqF8iZe0Ka44FKB/FKi45rpgj9Yw21ATWVlWtnQCmFmsdUibMmKzNp+w/SCeFmC5CEt/dEYrV8bbNbQ2VzI2rpSspORrl7GXxC10U7jzpBb8MsHTuqNNjfNAbRffjVkihQzUEEZji/T4xRwRHJ6xAE5SPD//RepmDzoH0p7kTj/o4HmQ3YtBZBdx4q4T5tm4+oKxPl6vdwcp8/qTO0izFWWDbCVDt+dRnz05jjsQ21SFOQhj83R+kAp6y3eIaQyhHXk5ANrbuS+PWqd4brZTxiQjxqvRTO0hdjna+FVUWtdLfrd8UnlxSBHKiIV4y/mkyu4o2xVzujUnjnI6miIMM8bIholwY8rPpI1JEzTC6GkbyPTp5eoPdYeNqdqQtq3K7459xeu7mSS+dh0tTo2stxJ6mId0SlszJ5QhyThOCuslTW0tmrQ6/C1yIk= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZYTo1Rp3YM7npWv7fNTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBsuKj/2c2ResgGt5Yb1qLBnTt+BHXEdwbpScR4t24Pab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOav1wIZMXQVRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOdb/HRc8P54k7V/HuibORzJL9NXYCh8sz7uxeRbttC/+YbnzW5+JOXs5ePtQu9FxhOlLD2rpghGmLLQQz3Qtdfjj5QGFTiWwEn7JfT+zb ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/b71d6538ce154346

Extracted

Family

azorult

http://216.170.114.4/send/the/index.php

Targets

- Target
  
  Malware-1-master/2530.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral1
- Target
  
  Malware-1-master/2887140.exe
- Size
  
  144KB
- MD5
  
  fead887648bddd70a05cf7a7090411dd
- SHA1
  
  250c0de3dc100d265ae495f045a2c47dad3520e9
- SHA256
  
  dfaf75da62d0561d171217fe893bd818a72ebfccd9d7e7f4c046f5b3ca44794e
- SHA512
  
  e1f15de084a78bf27a1c62b5d0d31fabd10be13983dca05962c40ea1e8b3f7bb617e92f44a78048d3484d16f5d4b9e42bc8c5a4b02fda0e0f5eb69368149920a
- SSDEEP
  
  3072:buY0LMcTrgw6mo4bnGkbUyh/h39iN/Ko8LdKpZbZo:SY0IkImZUyh/h3MOc
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral2
- Target
  
  Malware-1-master/32.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral3
- Target
  
  Malware-1-master/5.exe
- Size
  
  312KB
- MD5
  
  0b0dc2b2ccd4b46b3381508f7209a582
- SHA1
  
  a67a1619f96914e4e50e4f86f656ebb54021879a
- SHA256
  
  66ae33003289d8c6c3dc7c45c1b01110b4820281061292ac076b1783700a1f2d
- SHA512
  
  0715c2f6e01a923deb8bd5c4c70906942ee46dba6383bbd2edbde53e23a7b5c2ab8063e5f48a973925815f1dec18fe15c362fcf928d4f35d12dcf123f303cc37
- SSDEEP
  
  3072:5ODQa/lz20bbn7yXO/7/rCaZXo3ZU+BfhYJMyTPkDDYvU:+Qahr7DZXSpnSs
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral4
- Target
  
  Malware-1-master/96591.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral5
- Target
  
  Malware-1-master/Amadey.exe
- Size
  
  49KB
- MD5
  
  871294e398217876017702c96d0e7854
- SHA1
  
  35a22da1522bf86659576ed59235f8ed7029e79b
- SHA256
  
  7fd898dde3a7ed047657e3dc81c3de50ed381857edc53744664332fd98476c54
- SHA512
  
  047237e3a615839918fe32662524f2de5455734a01cbb2f66017c636f3d08207b3aead79cdff9a94729550ad7eddc2b5950d5e774fb25fba2d0d69e048ca7fe5
- SSDEEP
  
  768:AN4a7os+Bd1CiSJfBFdiGOsSyS5/hhurlzdx:3a2xC5+YSyE/hgpzH
Score

7^/10

defense_evasion discovery
- Executes dropped EXE
behavioral6
- Target
  
  Malware-1-master/Download.exe
- Size
  
  247KB
- MD5
  
  6a97f4f16e7879967a5c02d143d0bd46
- SHA1
  
  0898ccf65770813f69bf339462a05a8c6e17be69
- SHA256
  
  de2274da8cf00dfc6e6e52db43f82210a1fb7fd30016ebdc81347fb2d1f248fa
- SHA512
  
  0bc14103518a2e234f4e3f4ddc46e91a1ed21c2885fd4eb27d3cf8cd088e4fa4fffcc221ddb404f52794c57d6693b2ce080e797bf33f2322490030e0fce0ac27
- SSDEEP
  
  3072:ZV3bDzHY2weWeFoyUWfMRBsfpVZynzK4ChhO2IGmXf3Ur3CvZJnodCKJYsUH+Iun:ZBbDzHY0UsfPwUIvOd1
Score

3^/10

discovery
behavioral7
- Target
  
  Malware-1-master/Illuminati.exe
- Size
  
  1.1MB
- MD5
  
  087b2505ac41831c753cf7d1e660c42c
- SHA1
  
  dcae226923e062291f48de4d3416d38387815c67
- SHA256
  
  f99e4c9a4dd14d402b16e36988b72f3fe7f34b42157f756dbd14b39c70059336
- SHA512
  
  10d5f6f7c9f1df66a7afd3dcd2e70288d89bb75a2f6fffa3621b4a4192c40b290eb7c76392b0b282d80925b81d2271c3d1e96a4f406d1f1c0d069a5f6f96c086
- SSDEEP
  
  24576:qqvM7STjLT5MSLMDPS2X0xCyj8pk3tgqdtKkkoMJJck:VwMfTvcS2kjPgUGfJ
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  Malware-1-master/MEMZ-Clean.bat
- Size
  
  9KB
- MD5
  
  bbae81b88416d8fba76dd3145a831d19
- SHA1
  
  42fa0e1b90ad49f66d4ab96c8cca02f81248da8b
- SHA256
  
  5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c
- SHA512
  
  f03ac63bbb504cb53dc896c2bec8666257034b1c4a5827a4ad75c434af05f1cd631a814cc8689e60210e4ca757e61390db8d222f05bf9f3a0fa7026bdf8c4368
- SSDEEP
  
  192:XBOTDzoOgdlf7MAdTyQuHq2b1vXei2SLca5icrLJlz3:ss/tDyQuHZddL5Jlz3
Score

7^/10

discovery execution
- Executes dropped EXE
behavioral9
- Target
  
  Malware-1-master/MEMZ-Clean.exe
- Size
  
  12KB
- MD5
  
  9c642c5b111ee85a6bccffc7af896a51
- SHA1
  
  eca8571b994fd40e2018f48c214fab6472a98bab
- SHA256
  
  4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
- SHA512
  
  23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
- SSDEEP
  
  192:BCMfc/GinpRBueYDw4+kEeN4FRrfMFFp3+f2dvGhT59uay:AMfceinpOeRENYhfOj+eGdKa
Score

5^/10

discovery
- Drops file in System32 directory
behavioral10
- Target
  
  Malware-1-master/MEMZ-Destructive.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral11
- Target
  
  Malware-1-master/MEMZ-Destructive.exe
- Size
  
  14KB
- MD5
  
  19dbec50735b5f2a72d4199c4e184960
- SHA1
  
  6fed7732f7cb6f59743795b2ab154a3676f4c822
- SHA256
  
  a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
- SHA512
  
  aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- SSDEEP
  
  192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Score

6^/10

bootkit discovery persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral12
- Target
  
  Malware-1-master/Petya.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral13
- Target
  
  Malware-1-master/Software.exe
- Size
  
  1.6MB
- MD5
  
  db056b8fa628b67e11bd626192939d6b
- SHA1
  
  248ca50f39de6b6180265d19fb6eedc68bf25afc
- SHA256
  
  e7f04e85236f0caafe518bd96369313021969077dba1c4a6d42e694498dab04f
- SHA512
  
  bca1856b4bb8342c0f6d5ee19edcb420c70e6b272f087d3f8f73daa00842fa00037840a5eb5655e1445af8d578d304874323b2889f75b27136df9366df596336
- SSDEEP
  
  24576:ytb20pkaCqT5TBWgNQ7ayEYyM63uUOyok0ceJZwd/w9mML9eu4MaMUp46A:/Vg5tQ7ayExZO9k0waPLR4Ma25
Score

10^/10

imminent discovery spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Imminent family
  imminent
- Drops startup file
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  Malware-1-master/WannaCry.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral15
- Target
  
  Malware-1-master/Win32.EvilClusterFuck.exe
- Size
  
  64KB
- MD5
  
  2e84f71165225ba0f7f8187c0b2f0f37
- SHA1
  
  3c9bf036163ede4b7f9152d04d1a83b7253dd029
- SHA256
  
  c9b98408ca67d08e1986d1855c4d99944caad5580533d18496cd8de86dd0885f
- SHA512
  
  82c39aaef6103877c8472a55eab6270d57f4d7c46830aedf5fbb5661d7e3fd7aee2e172cdc830cba22cd9034f37784a8cc34f70a5918491bccf148ee923db389
- SSDEEP
  
  768:S5ohpPUa2T1VZj4jkVQu7MKquVspXKCxiJrFnMWDmLfe9NZ+OAhaptX/71tXHHi4:tcd1Pl7ZVsw3rFiLfe9NZmAP5ZC6N+
Score

3^/10

discovery
behavioral16
- Target
  
  Malware-1-master/apache.exe
- Size
  
  252KB
- MD5
  
  8e747a4c115ac090e54dfa899c287129
- SHA1
  
  a1c523ad0a2fa1b533fb752a25aa48ff1cd4e1e3
- SHA256
  
  1117f585985ca4ddd03695876522f80951c919cb41db5854f013923f62285c09
- SHA512
  
  049fae2cccf4e1afc79d9e72e016f27d7714ad8b747c28ec3ad520bc25ff319f12aced97d16dbbe863aaab11514a9e90477656983fd67939c0e6d2ddb93558b3
- SSDEEP
  
  6144:ZcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQc:ZcWkbgTYWnYnt/IDYhPn
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17
- Target
  
  Malware-1-master/butterflyondesktop.exe
- Size
  
  2.8MB
- MD5
  
  1535aa21451192109b86be9bcc7c4345
- SHA1
  
  1af211c686c4d4bf0239ed6620358a19691cf88c
- SHA256
  
  4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
- SHA512
  
  1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
- SSDEEP
  
  49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Score

7^/10

discovery persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral18
- Target
  
  Malware-1-master/crb.exe
- Size
  
  139KB
- MD5
  
  24275604649ac0abafe99b981b914fbc
- SHA1
  
  818b0e3018ad27be9887e9e5f4ef1971f422652c
- SHA256
  
  4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
- SHA512
  
  008ef045724963d6ae3b845a6c3de8ebb6682b0f4b8ea77c2d35e2193596b78f0092183de0a88a34f7dde4e71abbc129b2f0f00fd8469801fff66f1b8390b6c8
- SSDEEP
  
  1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpKCaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZ8CaIxWec
Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (296) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral19
- Target
  
  Malware-1-master/eternalblue.exe
- Size
  
  886KB
- MD5
  
  981aaac4782bb076aa737901910f2556
- SHA1
  
  a552a4dac03b584cbb7d461fd48b01ddaa85af5d
- SHA256
  
  7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b
- SHA512
  
  334d096f72d46adc522f21834d116968a7cb5f05dc21c60e094ac4ccff69412a2c108aeb5c54861ac717ebf884c632edd0291a3d832e4ab7dcc7903e7f965934
- SSDEEP
  
  12288:96fny4wDTzvE/XICULcJ48j406qbgg6RaAD9bSoGGHgm3Ihr6k:96fny4wbkHJ4I40vggPWSoGWv3c
Score

1^/10
behavioral20
- Target
  
  Malware-1-master/fear.png.exe
- Size
  
  66KB
- MD5
  
  60ffde3dd3003cd24feeba26e47e6571
- SHA1
  
  e6c57a55ca93b1f6ebccb8c5fe9757fd0801eea3
- SHA256
  
  101678f77a65b5b5830a128e4c737b2aaaea5be95327ec68213ebb92e4251170
- SHA512
  
  0a448886296c1f67760f2e09cbc226955c5abd833b6e7b2ce146cc673ddacca7bfbc59f2fa3f3a83381e7d67a0a677c487fc343833e3834dce84e00a6d286ca5
- SSDEEP
  
  768:AQyHrxwRjWjPc/u1SDSepzEtYcF6HKc6K:AJHrOWjPcmSDSepz46Kcl
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral21
- Target
  
  Malware-1-master/getr3kt.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral22
- Target
  
  Malware-1-master/iimo3.exe
- Size
  
  1.7MB
- MD5
  
  4f8767983d865a5e706ae3c6aa5ab6c5
- SHA1
  
  535bc0a1cf7140176fd6e6a205f3394d146c2ba3
- SHA256
  
  5ac017285572c24fc8b77324a52ca484e83c3622c61bea80a74a6850f0a16061
- SHA512
  
  a88e5fd993d2fdde869ef32a5271d5bbd222f2174217bf4e2c4cea6fad624d237b3528478b70ab1ec5011bd031fc93319865f5877e06fb3efcc53cc5c7e786a3
- SSDEEP
  
  49152:ZgTJ84RvagaNgNu5W05jvIAo69PnaLgnMu4x:ZgmmygtNfCvjf58
Score

10^/10

discovery evasion trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23
- Target
  
  Malware-1-master/jey.exe
- Size
  
  744KB
- MD5
  
  5a38a223e632a4754f6ec51cbe31215a
- SHA1
  
  008cfd9a4345ff5307daa5d2662db2e185fc3014
- SHA256
  
  97cd04af9acddab58cffa58c677d7645f5d894769d76539f44380b9175a67bd4
- SHA512
  
  e42691b8fda725865b1f379ad8fb56e333ab0c588989ae2890c074679fc59f392b475c57dc472998f00b4a3cad7456810e83886f4f7dd57a8492266ea4eeb189
- SSDEEP
  
  12288:Sss9czpqdx1S3DcWayzZPnpdVYke81SmUJqwCW+:uczp4Y3DN5VYkN1ShFCW+
Score

10^/10

azorult discovery infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
behavioral24
- Target
  
  Malware-1-master/m.exe
- Size
  
  1.3MB
- MD5
  
  cb53694f76bda870730f964f84f754a5
- SHA1
  
  bc1e6f81d8c54a5fb2e14f9f1ecce980eacb8844
- SHA256
  
  9ca85dc8b2ff574f775ddc92a45e48a74323c79e8fb2458413decd53cdf47aa6
- SHA512
  
  676c46b803b489afd780b4a0f58297578c9a1bec14b1e43a703664c3beda290dd6c88b6175afa59007d491924f217e623a831026aa2cec77a1c86305865eadf6
- SSDEEP
  
  24576:CYt5D+J+TLTSdZRFNR8aBNBweeS2ifqpAp7xGFyN/nd+7dQ5fUMkl:CYt5++T/SdbjBNOeeJiSp87Eu/dUd2UN
Score

1^/10
behavioral25
- Target
  
  Malware-1-master/mo3.exe
- Size
  
  1.9MB
- MD5
  
  9d7166176660b51398b82a2793d9e9ab
- SHA1
  
  b8511b36463a9b64b1a383805f16c99d4cf9ab30
- SHA256
  
  ff4e859d5fa6d8dea84aba8c9c0ccbc58f86be198e4a569f19f60c7844dd4edd
- SHA512
  
  938b5c274cb2d3218465f6f9eac21fb37de419e7f5e1a1383a5620d2a5b4cf50f4e730d4de45a67dca9b00373e8fd7c096d1cece1ffdb8a16be85e92f394b587
- SSDEEP
  
  49152:h6EMvW2D6H+CFkDSMMRTw+0PRzgUfyMzKmWSfg:h6EChD6HPeDFpHGUfy4rlY
Score

9^/10

discovery evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral26
- Target
  
  Malware-1-master/mo332.exe
- Size
  
  14.0MB
- MD5
  
  552326e3f16df1857e7918a569dcca50
- SHA1
  
  3a3fd7027c65c75b3e8930535b27e29b4681814c
- SHA256
  
  f5d20a2ef757dd374b1651a955a80113b33b87578e3484fd3589565d296d55cc
- SHA512
  
  a3d00cc28de8131484ebe29d1addfc9e27c9e782a6ec07bee2a19c88ee3afe0f867f8c0c933b6a83946266d46606483d87c8d57b5679cafeeae09eeae1ba41f3
- SSDEEP
  
  196608:OSfbf3vp28hgy4ohRID4CUAq52Zdm4nKJJmbmChthPtbSttLPSwYJQ:ffT3XhgQRI8C82ZP+MblGttLSpJQ
Score

10^/10

discovery evasion persistence trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27
- Target
  
  Malware-1-master/mysqlconf.exe
- Size
  
  252KB
- MD5
  
  fac6ab167e1b02c2e1465ae88fb8fcdc
- SHA1
  
  fe4fff9c4681c3f146c3ea31961d0a2933f07098
- SHA256
  
  cc02e9684f8e78227a2ec631172d32fbb48a4fc2a60fd91d160d2ef5e11c587b
- SHA512
  
  82a912a914ca01b533e97ece88550c25d3ba8095c71110fce55e38805ead66807c05b154adff0a457c6d8c98c96f6204503f158ba9dd38928ef86c8d3e0d089c
- SSDEEP
  
  6144:jcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQCO:jcWkbgTYWnYnt/IDYhPs
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral28
- Target
  
  Malware-1-master/o.exe
- Size
  
  110KB
- MD5
  
  73f0230c31eaca0f8cb20c88b4bd6599
- SHA1
  
  79d4ceaa753437e14f4baae45c4675a302f4d383
- SHA256
  
  47b306c80cf27a773d252757397fe9ec0a9571666044276166ede5b5958489ff
- SHA512
  
  afb59f13e5485e6815ac38a82b68cdf93bc2a8b01f818e88570fd8a50a6debafa2dcdb61ca4812700a0a223b44f60466333114375075b2c76e7a59c73a72bf01
- SSDEEP
  
  768:YY+RphoNSQhwS2BGmhn6MxRhUeADEe+NBgNK:XkY+pzn6shAgeqB
Score

3^/10

discovery
behavioral29
- Target
  
  Malware-1-master/qOA7iZJcoB8.exe
- Size
  
  400KB
- MD5
  
  7a58e7f8cd91b372af614ffe5db58eca
- SHA1
  
  8e341ffcfcb4b60b93700996b037c35f0221ec39
- SHA256
  
  6b111be3c180de78849b4f1c2d39ee0045695e22d339b50879a769351b1e6b31
- SHA512
  
  c89d62ddcc79d0e1a42dc090b3a149483e91f61c9aa9aaa489535dc32462d55d6accc2f55a255c42579c89a78afdd62f271dbcb4aab6c075b8cb70f6a143b5bf
- SSDEEP
  
  3072:bQgo+/qo6aiN3HKwkRF9kl+BHpQB8ID0msCJhp4Swm5WXDtVL3d0:2+/qo6f9kRFyl+BJM8ID0pCr/wm5S
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
behavioral30
- Target
  
  Malware-1-master/rig.exe
- Size
  
  2.4MB
- MD5
  
  570a9cc9fd20159e92707abe69676299
- SHA1
  
  864cb610c0c80cf8ff00fd4aaae9b05fa63fd990
- SHA256
  
  ba52bd426e17cf8902ae05eb8caea7e0510d668db97dedd2cabcd1dc5a06063f
- SHA512
  
  ba11d2e1888f736d1934e78db6397ae04ea49422beb7392575422ea51cd459ac9b0c8a274397ab828792728364d145c16fc2390242a17a56a8ad02fa4c580f92
- SSDEEP
  
  49152:BfOqHErn3OFIJDOmxFVIdtKfBDhqGDZdB4hYk/0AK0uOkJA79OB8OITieIr:fcne+9Omb+dtKfBD3rZOkJA79OBkbI
Score

10^/10

privateloader xmrig discovery loader miner vmprotect
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral31
- Target
  
  Malware-1-master/sserv.jpg
- Size
  
  1.3MB
- MD5
  
  c90cf61a0eaa05c312f7b77a09127bc9
- SHA1
  
  cb63424ccc3f5606ba789cf69b57356c35e89f15
- SHA256
  
  ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e
- SHA512
  
  9db8e3533122e8f0cdd3b097dc56236d27bee5daf42f8d5eb912db52293e4a4b2357a6c97816e527caab791f920538b133b3432dbcb65331d5bf2b197733a937
- SSDEEP
  
  24576:bSyLtIBYWFkfV0hfPnZBdWGktI7ie8ydTF4EWCA:fKBlNfPjd1ktOie8y1FzA
Score

10^/10

troldesh defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32