cryptolocker

General

Target

The-MALWARE-Repo-master.zip
Size

121.3MB
Sample

250118-se5abswmby
MD5

be2f06e08241e418152c6ce91176085b
SHA1

145e7527506be10c6f25e7b3c231ccc38f044bee
SHA256

c738c78fd727e661119899099f61ada68dd59df7c9b66c0810f4549a906a6c8f
SHA512

cd86644e1875ee4b48c6c233a45e5a0516e1a8515b6b86973c8dfcc53a0caf74cbfab6ebb819f61c109310153aeed112cb0fa7dee0e04317613dc5f26f5a7a23
SSDEEP

3145728:wNl3aFs1C4SA2hlHf9Rfi5xuT+FAiilgJcPdlwCzCLfH:wNl3aFW2h9/fiqaiiilpwCzCL/

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

C2

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes

reg_key
b9584a316aeb9ca9b31edd4db18381f5
splitter
Y262SUCZ4UJJ

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

40.32.0.40

32.0.40.32

0.40.32.0

96.194.151.156

0.31.0.136

79.194.172.156

0.32.0.136

12.12.12.0

190.236.184.149

0.133.0.136

165.236.83.146

0.134.0.136

140.236.106.146

0.135.0.136

251.236.125.146

rsa_pubkey.plain

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Targets

- Target
  
  The-MALWARE-Repo-master.zip
- Size
  
  121.3MB
- MD5
  
  be2f06e08241e418152c6ce91176085b
- SHA1
  
  145e7527506be10c6f25e7b3c231ccc38f044bee
- SHA256
  
  c738c78fd727e661119899099f61ada68dd59df7c9b66c0810f4549a906a6c8f
- SHA512
  
  cd86644e1875ee4b48c6c233a45e5a0516e1a8515b6b86973c8dfcc53a0caf74cbfab6ebb819f61c109310153aeed112cb0fa7dee0e04317613dc5f26f5a7a23
- SSDEEP
  
  3145728:wNl3aFs1C4SA2hlHf9Rfi5xuT+FAiilgJcPdlwCzCLfH:wNl3aFW2h9/fiqaiiilpwCzCL/
Score

10^/10

cryptolocker bootkit defense_evasion discovery macro macro_on_action persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Cryptolocker family
  cryptolocker
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1
- Target
  
  The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe
- Size
  
  2.7MB
- MD5
  
  48d8f7bbb500af66baa765279ce58045
- SHA1
  
  2cdb5fdeee4e9c7bd2e5f744150521963487eb71
- SHA256
  
  db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
- SHA512
  
  aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
- SSDEEP
  
  49152:bbevayZlMTWkygVy0nQZfVY2BtZzpPL4PuQ65+6Dv7m0KXTn:bbexZlMQcEVY2BtZzpPL4WQI9U
Score

10^/10

danabot banker botnet discovery trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Blocklisted process makes network request
- Loads dropped DLL
behavioral2
- Target
  
  The-MALWARE-Repo-master/Banking-Malware/Emotet.zip
- Size
  
  102KB
- MD5
  
  510f114800418d6b7bc60eebd1631730
- SHA1
  
  acb5bc4b83a7d383c161917d2de137fd6358aabd
- SHA256
  
  f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89
- SHA512
  
  6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a
- SSDEEP
  
  3072:N3HIYWf7q41qPhYhIYCjvqSrBlh2iui/EJEZ6yQ:N3HfWf75qPhYhIdjvqS4McJIW
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
behavioral3