General
-
Target
The-MALWARE-Repo-master.zip
-
Size
198.8MB
-
Sample
250118-sa37gaxldl
-
MD5
af60ad5b6cafd14d7ebce530813e68a0
-
SHA1
ad81b87e7e9bbc21eb93aca7638d827498e78076
-
SHA256
b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
-
SHA512
81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
SSDEEP
6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG
Malware Config
Extracted
njrat
0.7d
Geforce
startitit2-23969.portmap.host:1604
b9584a316aeb9ca9b31edd4db18381f5
-
reg_key
b9584a316aeb9ca9b31edd4db18381f5
-
splitter
Y262SUCZ4UJJ
Extracted
remcos
1.7 Pro
Host
nickman12-46565.portmap.io:46565
nickman12-46565.portmap.io:1735
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Userdata.exe
-
copy_folder
Userdata
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
remcos_vcexssuhap
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Targets
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe
-
Size
2.7MB
-
MD5
48d8f7bbb500af66baa765279ce58045
-
SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71
-
SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
-
SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
SSDEEP
49152:bbevayZlMTWkygVy0nQZfVY2BtZzpPL4PuQ65+6Dv7m0KXTn:bbexZlMQcEVY2BtZzpPL4WQI9U
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot family
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1
-
Size
148KB
-
MD5
9d75ff0e9447ceb89c90cca24a1dbec1
-
SHA1
ebae1054d69619e9e70c9b2e806edb9000d7feb9
-
SHA256
f2b33edb7efa853eb7f11cb8259243238e220fdc0bfc6987835ba1b12c4af1eb
-
SHA512
6df94dbe3681c1cb572d63e54a6753b3bae7075b86507f33f152795c6e61f1feac6742986d7c72a2834f28c85d0a1890bb31b5888b98b29754300dceb63e210d
-
SSDEEP
1536:t1hWmKdZ9WmQTt+6KK2Ml+dZyx6wVIWiwiuvro1d2C91q5nYaY4vV4KBmX:t1hYZQtTt+02G+dHgMuzWZ1qISVkX
Score10/10-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Deletes itself
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6
-
Size
140KB
-
MD5
925da3a10f7dde802c8d87047b14fda6
-
SHA1
1fc59fbf692f690b9fe82cfafc9dcbd5aac31a68
-
SHA256
c94fe7b646b681ac85756b4ce7f85f4745a7b505f1a2215ba8b58375238bad10
-
SHA512
82588188de13f34cd751da7409f780c4fc5814da780fe8cad1fa73370414fb24b9822fc56f1f162d0db4a5c27159c225bc4d4fb061a87cb3c0d89b067353a478
-
SSDEEP
3072:X9z9zjy6WEba5uuoLPhiVF3NT5nNpytoQE:X9J9gu0td5nN4
Score10/10-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Deletes itself
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601
-
Size
212KB
-
MD5
c26203af4b3e9c81a9e634178b603601
-
SHA1
5e41cbc4d7a1afdf05f441086c2caf45a44bac9e
-
SHA256
7b8fc6e62ef39770587a056af9709cb38f052aad5d815f808346494b7a3d00c5
-
SHA512
bb5aeb995d7b9b2b532812be0da4644db5f3d22635c37d7154ba39691f3561da574597618e7359b9a45b3bb906ec0b8b0104cbc05689455c952e995759e188b6
-
SSDEEP
3072:Te8LOIa22GwayjbzJ4xgAW8NeN00w7Aoalm2HdTStgjuPaMe+H9tJA:iUOIa2sZjPJJQiw4igjAL
Score7/10-
Deletes itself
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da
-
Size
132KB
-
MD5
dbf96ab40b728c12951d317642fbd9da
-
SHA1
38687e06f4f66a6a661b94aaf4e73d0012dfb8e3
-
SHA256
daab430bb5771eaa7af0fbd3417604e8af5f4693099a6393a4dc3b440863bced
-
SHA512
a49cc96651d01da5d6cbb833df36b7987eafb4f09cc9c516c10d0d812002d06ae8edee4e7256c84e300dc2eadad90f7bb37c797bccdee4bad16fcaf88277b381
-
SSDEEP
3072:uItv1YJOQnVc2pEANuoUeyCx9CC5O86BJaoqsf:xrr2pEANuXCx9Jd6c
Score7/10-
Deletes itself
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827
-
Size
152KB
-
MD5
6164228ed2cc0eceba9ce1828d87d827
-
SHA1
cea5bc473c948a78ce565b6e195e6e25f029c0c6
-
SHA256
7fa83f0588f0f50d0635313918137c05cb59aa672d842f864073aebb72c66195
-
SHA512
b53ac27397ce5453fa008d1a2e98f9f66be7d7f08375b92c88007544c09ab844d6c8eeceb2221c988e0a0d6ffc2a8a290e49715e3062a74bcd2310d41bffcc37
-
SSDEEP
3072:VqD/ri6AM4odK4J663POAQgG8rYKvh+5Nl:V0xlIBwPOA+8Zhu
Score10/10-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Deletes itself
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Amus.exe
-
Size
50KB
-
MD5
47abd68080eee0ea1b95ae31968a3069
-
SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
-
SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
-
SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
SSDEEP
768:/9NC1eO7wvsgyjgLCtKbqvYGjaESiKMH6BJJE+XqYq7wvefY:/9NC1eOMFyjt2/wDrcq/Mveg
Score6/10-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Anap.a.exe
-
Size
16KB
-
MD5
0231c3a7d92ead1bad77819d5bda939d
-
SHA1
683523ae4b60ac43d62cac5dad05fd8b5b8b8ae0
-
SHA256
da1798c0a49b991fbda674f02007b0a3be4703e2b07ee540539db7e5bf983278
-
SHA512
e34af2a1bd8f17ddc994671db37b29728e933e62eded7aff93ab0194a813103cad9dba522388f9f67ba839196fb6ed54ce87e1bebcfd98957feb40b726a7e0c6
-
SSDEEP
192:nC34zPAmm2VkeyLffMhyyuyeYHOGFeDK6P6t6:U6oj7LLffMI/jqBo
Score3/10 -
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Axam.a.exe
-
Size
11KB
-
MD5
0fbf8022619ba56c545b20d172bf3b87
-
SHA1
752e5ce51f0cf9192b8fa1d28a7663b46e3577ff
-
SHA256
4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74
-
SHA512
e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb
-
SSDEEP
192:33K8Vn5fAIBkPA9tQdEnhAv+mKqh1RwE9gCOMv8eIry2aZoa5qq/:33X54IB8SCY2W3qmSgaIrTDSqq/
Score7/10-
Drops startup file
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Brontok.exe
-
Size
106KB
-
MD5
d7506150617460e34645025f1ca2c74b
-
SHA1
5e7d5daf73a72473795d591f831e8a2054947668
-
SHA256
941ebf1dc12321bbe430994a55f6e22a1b83cea2fa7d281484ea2dab06353112
-
SHA512
69e0bd07a8bdbfe066593cdd81acd530b3d12b21e637c1af511b8fee447831b8d822065c5a74a477fe6590962ceff8d64d83ae9c41efd930636921d4d6567f6f
-
SSDEEP
768:i9R/zAKUQfZw7j4KBHZD8f5R3ETmv48Xxh04UwQaMzl6G1gNov35BMC:0AcwPf5D8rUTmnX9maQ6SgM5
Score10/10-
Modifies WinLogon for persistence
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Disables RegEdit via registry modification
-
Disables cmd.exe use via registry modification
-
Drops file in Drivers directory
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe
-
Size
32KB
-
MD5
70f549ae7fafc425a4c5447293f04fdb
-
SHA1
af4b0ed0e0212aced62d40b24ad6861dbfd67b61
-
SHA256
96425ae53a5517b9f47e30f6b41fdc883831039e1faba02fe28b2d5f3efcdc29
-
SHA512
3f83e9e6d5bc080fb5c797617078aff9bc66efcd2ffac091a97255911c64995a2d83b5e93296f7a57ff3713d92952b30a06fc38cd574c5fe58f008593040b7f0
-
SSDEEP
384:/TELevJlARz3z1AWoYbEz3QqRbViB3CoUEmeQo/o2Y0gsjDWK7L:/gLevJlARz3z1AWoYbEz3Ngk6WK7L
Score4/10 -
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Duksten.exe
-
Size
9KB
-
MD5
900ebff3e658825f828ab95b30fad2e7
-
SHA1
7451f9aee3c4abc6ea6710dc83c3239a7c07173b
-
SHA256
caec6e664b3cff5717dd2efea8dcd8715abdcfe7f611456be7009771f22a8f50
-
SHA512
e325f3511722eee0658cfcf4ce30806279de322a22a89129a8883a630388ab326955923fa6228946440894bd2ef56d3e6dfda3973ea16cc6e463d058dd6e25ce
-
SSDEEP
192:SwPplT5bFhtWHIBAfU2Du6jWuo/TOvZQZPAb:dp3jsH+V2Du66V/TOx84b
Score6/10-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Emin.js
-
Size
2KB
-
MD5
d9fd66a813b647e9461e654ba80db7bc
-
SHA1
075344db68a3b4bb3f549c0cb79c672aaed70b87
-
SHA256
3db96ebba9a6875bb058a3a2a4457165103f8ed51183cf4d79a525c959602499
-
SHA512
55eafa2716d45a629aadb1422dd240609faa9f55c7ec4488569e6fb15298a586b7ed5a95060329e76dd4b272edce8954ea18be5f238d4cac70fbf59a391bb09f
Score3/10 -
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Funsoul.exe
-
Size
44KB
-
MD5
a13a4db860d743a088ef7ab9bacb4dda
-
SHA1
8461cdeef23b6357468a7fb6e118b59273ed528c
-
SHA256
69ee59cee5a1d39739d935701cfa917f75787b29e0b9bda9ada9e2642ade434c
-
SHA512
52909b5fcbf00ef4025f6051ee1b8a933fc2a0bd7a292fe25fac708f358e7c96d6d31ba263d07128d56bc614fcbd053b2fa1249024a8138baf30da8ac5f54806
-
SSDEEP
768:F/17QoluKpG4oELGtfeaWqoWhnVCjEat+ois5bfEGgQJNH:F/sKIbt1O+O5b1n
Score3/10 -
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe
-
Size
100KB
-
MD5
b0feccddd78039aed7f1d68dae4d73d3
-
SHA1
8fcffb3ae7af33b9b83af4c5acbb044f888eeabf
-
SHA256
5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
-
SHA512
b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
-
SSDEEP
1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g
Score8/10-
Event Triggered Execution: Image File Execution Options Injection
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
-
-
Target
The-MALWARE-Repo-master/Email-Worm/Happy99.exe
-
Size
9KB
-
MD5
02dd0eaa9649a11e55fa5467fa4b8ef8
-
SHA1
a4a945192cb730634168f79b6e4cd298dbe3d168
-
SHA256
4ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18
-
SHA512
3bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441
-
SSDEEP
192:nR81cIkA5Dbaj/CaFx40Z9HnLH8bzTbjt5BNUFO:RycyhqN4u9HnLH8bnbjtpl
Score5/10-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1