General

  • Target

    VirusSign.2023.11.29.7z

  • Size

    541.0MB

  • Sample

    250210-e7c5na1qhs

  • MD5

    20c711d16b44c50d6ccc99a1581bd7ca

  • SHA1

    26636c1e650639e39def5562c3534675025ac890

  • SHA256

    241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

  • SHA512

    ff864d9fda1a5c5b44a0682534e8d0a36c164442871e3bb3373267e5be34756fa179cd6ff107fd733c961d72a645a6c6fc935133374547d227c04163b5d8cd19

  • SSDEEP

    12582912:TBoTXG2+KlRmQ3uHgM8un/Se2iWscQZc5unIXLzmANFcP:TBoTXG2+KOhn/SeAD55OANFi

Malware Config

Extracted

Family

berbew

C2

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Extracted

Family

quasar

Version

1.4.1

Botnet

RAT

C2

86.92.48.225:4782

Mutex

218b5d30-8a5d-4352-9c76-056d27e61f60

Attributes
  • encryption_key

    1C9A32B4C004169DEB374CC7F1499E07EB4B57E7

  • install_name

    A.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    A

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

172.31.1.65:4444

Extracted

Family

quasar

Version

1.4.0

Botnet

justice03

C2

cachedump.cachnetdotcom.com:8088

service.bentleyalumni.com:8088

Mutex

087a70cc-5f9e-4341-bbd7-a21f49a0d34c

Attributes
  • encryption_key

    D942865FEB382403D197679E65C3FAA18791B934

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    600000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      VirusSign.2023.11.29/03ceea0ec59f89c49ba4357a83738d9d

    • Size

      1.9MB

    • MD5

      03ceea0ec59f89c49ba4357a83738d9d

    • SHA1

      7851ca7fd0ead9363ab894060eb13a83e9001755

    • SHA256

      7254af0b6420ae255900a85f566cf246de688254bff23ff4e9c9c9fbef0919ad

    • SHA512

      a66548485186be305d1ae1f967e4acedd4bcfb55eea409ce0cd5972ccb96f7f36de0e95aecac7991a29ded5890f4a29cb6f90532d67ef27a177bfd5dabac004f

    • SSDEEP

      24576:YNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:3yj1yj3uOpyj1yjH

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/03d13a90719878d7a335bd8c5a0e4e1a

    • Size

      29KB

    • MD5

      03d13a90719878d7a335bd8c5a0e4e1a

    • SHA1

      9cb377718876d2c63c7dca22ab2cf99db12578f6

    • SHA256

      9256e4d607cc1e19d787472563b5862818027538515cea37da7aca75e4be8414

    • SHA512

      310db916e24a4c92c1291367fc1e96c8cf56d9b243bbdc59bc452c1a4539bfb2f61b1d146c487319fa7aa20ec72d32d166f502f880b171de654acb034538ab7c

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/mJW:AEwVs+0jNDY1qi/qz

    • Detects MyDoom family

    • MyDoom

      MyDoom is a worm written in C++.

    • Mydoom family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      VirusSign.2023.11.29/03d2ad6a5f199b691d36e45d27801cee

    • Size

      354KB

    • MD5

      03d2ad6a5f199b691d36e45d27801cee

    • SHA1

      8e4c81f7fd5034730b3a2ff241e3fb8bea8554a8

    • SHA256

      c93d188c09bda247bcf289008d16fe700d53a6d5f302dac2c3db804e59b3cb4b

    • SHA512

      a56509135341d8dad0decd0b36e1c9af45b568838969e2d9118b66c4df9adb2755a57469ed193ed1f0c263b5651ae82e829925d27f59a97398b683d356091e93

    • SSDEEP

      6144:zJSFSXi4kb8jpQob6YAjrq/SbERvNtqBYEFJSZSRYLLCSC2u8aypgRZ/eY3g:zJlNkspNb6YMO5RWhJVR3SC2uXyp0d3g

    Score
    1/10

    • Target

      VirusSign.2023.11.29/03d5f6bace8c6a0a2d14ef775d3c02d1

    • Size

      371KB

    • MD5

      03d5f6bace8c6a0a2d14ef775d3c02d1

    • SHA1

      e58e87a50be5bbc7b93af011fc316d35ed591294

    • SHA256

      b0d69301bb3d9d35a6e7a51805495162e45aceb1021fd5486f9af941814ab68e

    • SHA512

      8ae2454c737ef5c75fabef5ee5a047a50aa4caea596c043a9b96c57d4ad60fe58523bd90e32903bd892709286af6a1553a173e4e96d7e62da7b37b3f0cc78758

    • SSDEEP

      3072:0YDztpePvPKeMe8hbRdIu6dNeXZs+XBL+FhVukEB0pwGvJe2VTBpifm3FKCE:PqqakN+NQs+RLOhSiix

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/03ed3d089e222fe691a1ce1ad04450a2

    • Size

      1.1MB

    • MD5

      03ed3d089e222fe691a1ce1ad04450a2

    • SHA1

      d04429e687f7fd84bcf234c558ee5fc140c2fd62

    • SHA256

      45bd0afb29391b80cb711efd4ae6e1fbc7749feef8f4b0dd8b3fe75a400614cf

    • SHA512

      5f7e0c38a61d77a66b984597ae3fb11c8ed3f36e28d57ef91f4a27710a078e85672200e60d1e8ca80171552d092235c758f7a893ee4d0848cbfd904373dc96fa

    • SSDEEP

      6144:ptu6S1vlfY/m0UU/vlf0DrBqvl8ZV4U/vlfl+9DvlEZV4U9:Djcvgm0UIveDVqvQ6IvYvc6+

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/03f25db066e67c1882cf9aed07a1694c

    • Size

      1.1MB

    • MD5

      03f25db066e67c1882cf9aed07a1694c

    • SHA1

      f683b138af1005223478cb8e022701f3161a94d5

    • SHA256

      7beca087d9da5d3b1b88380944de31fc34d58ee85e3dfb96cf91d7c3ff1eb3d4

    • SHA512

      ae05f4382f6adb24a4afce2c24ce7f36a2f92f0748aa468f757dfdcc64bc52e298651adea93b374cfb54c0926d27bd493b470ced8a49a645873157ed2efadb13

    • SSDEEP

      24576:DbdO2TPPinJiaiaiaikd9hvToEO72Poooolllbm:AiaiaiaiahvTor7

    • Target

      VirusSign.2023.11.29/03f939a6959a4bd81c622c3a2d8b8690

    • Size

      88KB

    • MD5

      03f939a6959a4bd81c622c3a2d8b8690

    • SHA1

      08a4dc3846c32175e9984315b7281108a0b508a9

    • SHA256

      e9686ab38e56638155224894b93c2b2ad6b3dd91fc5e63bd75150aa6b31ceebf

    • SHA512

      bb334454717ad22484639c798c500874b7f3b3f104ce9464aa0e6dde8739ca2d8877e1f46df62f11a7f53e266a78b102e4201bf1f875875abfa1768dcac7339a

    • SSDEEP

      768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEme:BeT7BVwxfvEFwjRe

    • Modifies visibility of file extensions in Explorer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Network Share Discovery

      Attempt to gather information on host network.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      VirusSign.2023.11.29/042177a10a1a4cfd26c2caef9272e0c7

    • Size

      127KB

    • MD5

      042177a10a1a4cfd26c2caef9272e0c7

    • SHA1

      7b90c4a07d1db61a781490f43277b5d47c2b8147

    • SHA256

      f5946d762f9ca7cec246ed2c17abbacb1d73d0c302054ad81683fb91d49ce819

    • SHA512

      904e9337869b586b3bf637148c24209f84bb01089afc490cb989234729653608439d83a11fde8452818294dadc447ad72c593a81ff802c3930b624ee29cc3af3

    • SSDEEP

      768:b7uHj94SaX5dbRHhdkGXP8wAQscRtlu+FAr4ygtxFsPMXXKvAE8wrJYg:3uiSC5dbpheGfnAQxh5FAr4ygGPX

    Score
    1/10

    • Target

      VirusSign.2023.11.29/042994e2bb89b9bc57e079d144152b36

    • Size

      527KB

    • MD5

      042994e2bb89b9bc57e079d144152b36

    • SHA1

      a3d14e200cda0a93ab486e89951e056e3a42da5c

    • SHA256

      ed771ae414aa887d9ba8cf57f0419df7cf0d14ba1821dc31c47998d398e1e9f5

    • SHA512

      c3d7d4a2a988307efd6e84f298ce46e6e95d27e951d7e9bf519a4aab61a93edce886617b159723fc2b6e291773050ef36ff4eb2a7abc5eac1edcf456544d8dff

    • SSDEEP

      12288:zJB0lh7r6bIjPyob1NCY4mKnPB3AnS42o6sGZo:zQ7W8bnnwPqEjsEo

    Score
    8/10

    • Downloads MZ/PE file

    • Target

      VirusSign.2023.11.29/0445405bb7106522c0b2157809e4d5f8

    • Size

      404KB

    • MD5

      0445405bb7106522c0b2157809e4d5f8

    • SHA1

      b0237e2914a12657d871b806d6baceab252e87cd

    • SHA256

      cc706aedab00da219c85afd7669f52120ccd83f6a82e18066145c8d844fc103b

    • SHA512

      0bb2152c9ae4f5dd0a10681f1f21d61e74c123e44021c0714a4b36609c7cbbb1e9f57dc7945a16b5a225d61079dfecf5be81a6c049fa9b1a596217d2c90cc266

    • SSDEEP

      6144:VoCb0tjENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:lwcMpV6yYP4rbpV6yYPg058KS

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/045d80d0973c5d854927b589b123f733

    • Size

      242KB

    • MD5

      045d80d0973c5d854927b589b123f733

    • SHA1

      8781c053f09e31ef827f8e30aa971d8471ba91ff

    • SHA256

      c20b26d34fae3e115911a7ce3c9e6b5e2bfca9453418f54ab5c8ae422fa6ee14

    • SHA512

      943ac15b49f0077b087068ef9f89609f653a37958f2a4532a0072f605fb9252ef5566fbe6af58aa1f6147955452b310584bf84d4e89774f46ce68617c12a1bca

    • SSDEEP

      3072:qVHgCc4xGvbwcU9KQ2BBAHmaPxIVopb5ESvi5PZGIFj:bCc4xGxWKQ2BonxQPDl

    Score
    10/10

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      VirusSign.2023.11.29/047c2b7237010e343732b699d4b346f5

    • Size

      295KB

    • MD5

      047c2b7237010e343732b699d4b346f5

    • SHA1

      cd111bb6034b8060b52386874e474a4bf724b9d3

    • SHA256

      d18a6a465d2b78ec839a8030f2d52766e99063f09b44a19c3777fe35cb9cee37

    • SHA512

      7d82331332e136656baf54c93895eec91465a95ba15e9cf657d3c66abb7ca83b3a9ab53da9fd440c0242df3d64d556b743cdccb5bb6613a4f6d8ed4a8e585275

    • SSDEEP

      3072:nvQziSNphV8UiEoO5Q1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+tlB5xpWJLM77OM:vRSDkOoO+1PY1PRe19V+tbFOLM77OLY

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/047c7fed39ef255fecdd70e9a870ae19

    • Size

      201KB

    • MD5

      047c7fed39ef255fecdd70e9a870ae19

    • SHA1

      e4a67366dad976acc98df8ae22b7f57908bce6b7

    • SHA256

      66cdae03bb8c51a27b91bfe1d9050ced4e460187e24b0e57a1c293ee0ed7d31e

    • SHA512

      535222afefe3de7da26fa260206928fe0aa5864b7820d0e00c941522dee4c0a7272f059a2483b83922263e7e5776cfbc19d2e655976f6fb5c02aa354b045e62c

    • SSDEEP

      3072:n4CgWgTsDAJJRjOV2/pwb5ryT5tlDhB2IFTLFZhh2D+0caj3kyRACAbpn:n4Cg3JJF35tlDhB2Cn9ozO

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      VirusSign.2023.11.29/0483b1eb3211b96e7272d3dea3753eab

    • Size

      291KB

    • MD5

      0483b1eb3211b96e7272d3dea3753eab

    • SHA1

      1be30dd0df40201f5d37df93b3236c79e7db34b6

    • SHA256

      139487691991a3177b93f9ea6b4e484195e2cc9dac984cc909bd675ac628f1df

    • SHA512

      14aa9817681acdfeb1c3ccc5f6f34de4e56e0737aef0cc5958e6effa31aa12d03aa16f4f7bc46935b938555cd015bbf1d6bd8dd1f807c28a83e0b9548e69b562

    • SSDEEP

      6144:JPTcaPZnr3np9Zy5WKpFVE2mA13m5VyShpUCV/5TQd+lWWjsyKwlCejw7Y3ed:5TcaPZV9Zy5W+E2b13mryShpU6ZQUlOV

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/0483de1a0d30f46fbff309fc8d87275f

    • Size

      435KB

    • MD5

      0483de1a0d30f46fbff309fc8d87275f

    • SHA1

      ac41983dc7f69ae48b292d8d88c98aa9f1351f73

    • SHA256

      c8b999b4f8ca488c929d97358751338eb9702d73839c85139b2eec5aaa5f7758

    • SHA512

      eb918b12715e8a14c3592ae782a81283351427ba259b2d76339caf230b645c3c2fdd2928d4b26b13ef97c1ce4df3366eb54a4af7a419e1ca82f5db0d3bc334b1

    • SSDEEP

      6144:IJSrqxY+gwbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:IJKSbWGRdA6sQhPbWGRdA6sQvjpxN

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/0491a5abd0712b38f24778e1346c0811

    • Size

      143KB

    • MD5

      0491a5abd0712b38f24778e1346c0811

    • SHA1

      c52c80e2ca8e1cb603ebfadc19fa072aa5c61b9e

    • SHA256

      25d1d88ba68e18711498409e521fd2c13dffce179f36ae8734fea5651048d47e

    • SHA512

      48954abdb1ea32d36286bff19147c4c2a023dc84be8851504ce1fa6bf9c0894b2cd2b256a0f6f2a1c26c8c780d6168e3c7d3230c076b6a11ea67b6ed840dc768

    • SSDEEP

      3072:9XTN8IiypgTJJZIjelpxNgmFO1gdd8jH:9XTGIiPFJZBFNtF0b

    Score
    10/10

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/04a2bc0c567a80f57b48e246b635045c

    • Size

      977KB

    • MD5

      04a2bc0c567a80f57b48e246b635045c

    • SHA1

      c6e53039415dadcd205076ed04d2a5152bfbc734

    • SHA256

      b008ebcffa245240afdf97b289e63a2b994cc72a054ce1cce8aab55b2a047248

    • SHA512

      0bc726eebe8f03a4644e47a120004fce42d31900fd13254c568a4cbd8efba522663b583c4b97ebc8c48b5c43fd9933c4487ce36678760c4811d1216b0843fc43

    • SSDEEP

      24576:vBWelxqsfNMNr79DsI/AZOqXyepGbsfEcHnBx:8F/A1B8cD

    Score
    1/10

    • Target

      VirusSign.2023.11.29/04b493b52f4b83a142a4979585575ea0

    • Size

      540KB

    • MD5

      04b493b52f4b83a142a4979585575ea0

    • SHA1

      61a213cef6dd2146409662b451814b6b4b012c6c

    • SHA256

      c4367220cd359d4511da5ea8ab30478184b89263711796b529832bd0458f6893

    • SHA512

      a708116d74744beeac770a0b412a2e552909185263d7120f80abc0c315ef1a45499f9ecb625eea415ec47cbaefeffec1194e5b555d99170e925fd1e23d9eb772

    • SSDEEP

      6144:zJB0PLonpe1h5fqpErm9cRLBOtFWaCfmAN/XM0PYfKRcgY3GR+InBqfH3V:zJB0lh5aILwtFPCfmARyKutGNmXV

    Score
    8/10

    • Downloads MZ/PE file

    • Target

      VirusSign.2023.11.29/04c187920db980d8db16c5acb58049ae

    • Size

      29KB

    • MD5

      04c187920db980d8db16c5acb58049ae

    • SHA1

      80eb023fdc6fd7b7b0e576348afe0d7485007490

    • SHA256

      901cb61d59c7292bc8dae4a997c10fc46908f7cdb1bffe7b4df7a868459aec88

    • SHA512

      bf50729baa724759d57bf9d64d6d9453d03557dc0dc9e7998cff04a0a132b5133f651130bf39e2b6b0e56301b7e627e5a55101461bf5755fbcdfdf3cefd42f6b

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/T:AEwVs+0jNDY1qi/qr

    • Detects MyDoom family

    • MyDoom

      MyDoom is a worm written in C++.

    • Mydoom family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      VirusSign.2023.11.29/04cdfdef32e604c59822bff2f7412eb2

    • Size

      337KB

    • MD5

      04cdfdef32e604c59822bff2f7412eb2

    • SHA1

      20e3dee726826783a7ea4834b80badd1ea626612

    • SHA256

      af3721b46e91eb79e33fda423a58be171a7ecc8baab829a35940cb4b0e976578

    • SHA512

      fbbe8867d7f8adbcc4d52a21e304486cda4efb11e0dfd35e022c0f23a5c6abaf2503951ca9938da64a40549985c09462dc6fe8e1efe6a762f3871f1eced0a902

    • SSDEEP

      3072:hJ0OcTRw/F6ufgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:hJ0pErf1+fIyG5jZkCwi8r

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/04d04a21b82309118775bdaff8a4d67d

    • Size

      256KB

    • MD5

      04d04a21b82309118775bdaff8a4d67d

    • SHA1

      56ee2d322abec955c0ede91a374012dd4aaa1621

    • SHA256

      e3aeff1d7965291914e70deae3c04e7d80be856e03cdae1c991ef1866d47ed38

    • SHA512

      31b07da34a2eb064d993e76d1ed8672499a9d9b467e84e9d69046d0f487eec85f67db3dfc8f87cf963ea8fd5635b0df1eefd408116bde3876b2f8d59f2b63834

    • SSDEEP

      6144:XlKKPf+9C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:1+9C8HByvNv54B9f01ZmHBy9

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/04d25950be48329252ec8b3d53535596

    • Size

      123KB

    • MD5

      04d25950be48329252ec8b3d53535596

    • SHA1

      67a1354b37307912849be0b07a67049cc97a341f

    • SHA256

      ad983be72d099c4e0e9c9afad9f84c1d163eb1d2e01c2b0b311335d16a368d38

    • SHA512

      02aed4c430b728cad12964e4611d7eea673e2c7eae7ea9a8ea616948b4081459a308070d824ff4b5f7f52ff2669715d074c6071ee57679a3727c5f3ce2d65467

    • SSDEEP

      3072:PfU/WF6QMauSuiWNi9CO+WARJrWNZIYvQd2b:AWKauSuiWNiUBRJrW7fb

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      VirusSign.2023.11.29/04f06e5d9023ab4d69946c84cdc79ee4

    • Size

      212KB

    • MD5

      04f06e5d9023ab4d69946c84cdc79ee4

    • SHA1

      ab683ecaa23fa303dea85e97116e2f287aba3dca

    • SHA256

      49f0f0eb1850a62a6fcbb47c16cd8f0c66c2265a85d40900b88fed724b93cd2b

    • SHA512

      b5c486aa7483d4aa802e64059e6094bb337fc7fdbdec25a27f6fd8904e04473771cb61bd0dcc3f1829dbaa2f1da675da0034926d4cf61820791a8be9d004a9e0

    • SSDEEP

      1536:GksQqd5R9ijMi2Sg2pDteYgvyPCT0PTaDzoO0+OCUfWJbc9LF:Gld5TiF2Sx0PeT2zv0+OFWJbc9L

    Score
    8/10

    • Downloads MZ/PE file

    • Target

      VirusSign.2023.11.29/04f43cc6be15c60aeb943bbe5bd3973a

    • Size

      128KB

    • MD5

      04f43cc6be15c60aeb943bbe5bd3973a

    • SHA1

      dc32a52d972f79f7d438d1053d005ef90318d321

    • SHA256

      7a4a52dc6ebfe359b1ec3953ca0e5590516d14805d70fe0819deed2f031eddd4

    • SHA512

      f3f8f4ba4f8c519b15f22b4473b420343b3606231eb2cf216b3526497fb0632e09489ff42268f28687c4e838f9c8f0b74613d4791cc75b89b66df58a9fb0e18d

    • SSDEEP

      3072:jaM1nl1DuJDJ9IDlRxyhTbhgu+tAcrbFAJc+i:jJh2DsDshsrtMk

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/0517d55470df3590c88f39d41a416047

    • Size

      1.3MB

    • MD5

      0517d55470df3590c88f39d41a416047

    • SHA1

      a68551eb51f57c8b1d5ad45163ce1ba835d1ac0a

    • SHA256

      b7ed13cec9b876a24f0bcfca27b2ab5fe5f9e85f448cc9d8da20f629b2148730

    • SHA512

      2e06ad3cdb80ecec8d32dfe2ad68c7857fbba1400fd033e601d789a5a661f8a98cd3807b83bb02ea72fe9bbabbacb9a8200f85046df1aea2d85d05542305b1d0

    • SSDEEP

      24576:P7vr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:TkB9f0VP91v92W805IPSOdKgzEoxrlQ3

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/053bfcaa44a2c180bee9c2547b910919

    • Size

      172KB

    • MD5

      053bfcaa44a2c180bee9c2547b910919

    • SHA1

      29cf0e2ea1f96e63f9dc95a65472e09c426efaf0

    • SHA256

      0996d643e97498e74b5e3d18b879e311bd9abae06a3d9ec3a12dbfc9c8ef42e6

    • SHA512

      ccd89b7baf453571f166e9b3c154dd0109f5fc0a02ec77b8797be60d2853c8e54d24aa5dff629967c57fee6f98a5e7b607005129f7dc626b7c556a0da2e3370f

    • SSDEEP

      3072:z7XAA0vXXGNOrw/MpcjtcKZkjXlDA5PtuO6o0BZ2gBM3/7juNyfMFS:HAAiXXHcpcBXRBO6oiZyiNyfgS

    Score
    8/10

    • Downloads MZ/PE file

    • Target

      VirusSign.2023.11.29/054c96f764aef24cbdccec3be12e2350

    • Size

      257KB

    • MD5

      054c96f764aef24cbdccec3be12e2350

    • SHA1

      b9ef88aa7d8c48329e101f5562035bfc94128365

    • SHA256

      f649ce3fcab3a71c0b6a2e8d583357a0174d9656020a3be0ceee4e8f010dc098

    • SHA512

      2be4fea9781a7d201e124a2cf315b3ac89a6f473709043b0c277df8e1d3bea5230fad46414b96abbc04d5af21dff95868b9ef581b9151ec3b4db28e9d3941afb

    • SSDEEP

      3072:SD8upQxYGLKJnRyfQzJIonOGq+NRwoutkTy27zh5cl:iTWK9RuSJhDwoSkTl7zjK

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/0563721a9ecf7d25f720e2069e24c7e1

    • Size

      54KB

    • MD5

      0563721a9ecf7d25f720e2069e24c7e1

    • SHA1

      60c2cab8484a4ca7887b67b288c4d0feb5028035

    • SHA256

      6a91e8651dcb818febc70bbb34818a59ee08dbeff6d5cc9886803d2c4404d392

    • SHA512

      93005dfdd9737e2e910686e281f86f603526bfd79b063951ba310e156b62571d082065a88481fcad07b5c2666da4c5625082b058d1e31ca7f3f8b3ea9dc2d79d

    • SSDEEP

      1536:qFs5BfLwpYPCXNS5l3QmU1iKI+58Plm7K:C8BfLw+jl35U1p8dm7K

    Score
    8/10

    • Downloads MZ/PE file

    • Target

      VirusSign.2023.11.29/05639c84db366253210163a5c6c5f69b

    • Size

      364KB

    • MD5

      05639c84db366253210163a5c6c5f69b

    • SHA1

      a6eae64366a6c171f10324e164760f8eba5c76d7

    • SHA256

      9c62f841d57be4567a1c0c767d186ec5f33411a61bfaed1dd7b5e0678a59d3a4

    • SHA512

      81bbd81771ec28dcffef0afb9d117677100a468a482b82a082466162c8ed902e5e8a3a28e08827693b05e2834080b1f5e2740b15de03feea881532f06ebe36c0

    • SSDEEP

      6144:ZcxSGuYNh/817qKn0U0KNh/817OfJIRh/817qKn0U0KNh/817:ZOuOhQT0UdhQCfJKhQT0UdhQ

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/0576f4bbcb57c686dbfc66760a969b33

    • Size

      109KB

    • MD5

      0576f4bbcb57c686dbfc66760a969b33

    • SHA1

      8218cf48a6215f22c5dd0b476696fb7bcf5d1f2e

    • SHA256

      884e757aea8afcd615131f9debd05036be089b35ee81d3a61da26583afa8f46d

    • SHA512

      81ee495c58a4534165ed97335af060b5408f8b8b69346e059836df996086c0dc99d575b7222e519182558a424f64f5bd34b3e4c7cf194416a5eb56cdcbec8325

    • SSDEEP

      3072:qOzE6W6Ggs7PuHH8fo3PXl9Z7S/yCsKh2EzZA/z:qEa7PQHgo35e/yCthvUz

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/05777e787a0105c14320a2426794b5b9

    • Size

      93KB

    • MD5

      05777e787a0105c14320a2426794b5b9

    • SHA1

      d590bdf58527e51ba581920a8c65945dad008a75

    • SHA256

      8066abc449cfb2f3d87561d3d9547f7a1ce211d6db7fed509e6859c148f1ec36

    • SHA512

      285c17ca3a6282a21d5c4ac8afef207682fa729570e940790e55220675afb662e000da5cf033ab6e8c62915fdb7c59a3cb0e62b0692a2a78a32870d5923fff8c

    • SSDEEP

      1536:HwXFNxy76WBjMGn9dpJFjXgkygmd2k2tyQZvx+XGJtJNosRQWRkRLJzeLD9N0iQH:uWtJJFf9mR2Ae4XGreWSJdEN0s4WE+3

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      VirusSign.2023.11.29/057fad800b072e75d815eec284c5ea08

    • Size

      59KB

    • MD5

      057fad800b072e75d815eec284c5ea08

    • SHA1

      6836d350a68ecc2ab7df43350d60464d8492213a

    • SHA256

      fffb1c775a58e5a31d8e16b646789126ee68567e2867a5ad7910897cec7778d4

    • SHA512

      bac3048a62f54e69b46affdbe4eb1608f010f048c01106c8b9b7bf6a2e2105002bd7875ba362e6ccbb88ee73b4f334a33e890eccf00fe412330ff7ec933ab1ee

    • SSDEEP

      768:57hGhSAgUsU/T8zno410XSZXR3i6HPA7+TtioPxqv6ddoxw6agZ/1H555nf1fZMa:59kgUsU/YJrtNPovY6N1NCyVso

MITRE ATT&CK Enterprise v15

Tasks

static1

upx aspackv2 rat backdoor fakeav spyware rat vmprotect themida justice03 berbew njrat mydoom privateloader risepro dcrat floxif urelas fakeav quasar kpot blackmoon metasploit xred gh0strat neconyd
Score
10/10

behavioral1

berbew backdoor discovery persistence
Score
10/10

behavioral2

mydoom discovery persistence upx worm
Score
10/10

behavioral3

Score
1/10

behavioral4

berbew backdoor discovery persistence
Score
10/10

behavioral5

berbew backdoor discovery persistence
Score
10/10

behavioral6

sality backdoor defense_evasion discovery trojan upx
Score
10/10

behavioral7

defense_evasion discovery upx
Score
10/10

behavioral8

Score
1/10

behavioral9

discovery
Score
8/10

behavioral10

berbew backdoor discovery persistence
Score
10/10

behavioral11

discovery
Score
10/10

behavioral12

berbew backdoor discovery persistence
Score
10/10

behavioral13

discovery persistence privilege_escalation
Score
8/10

behavioral14

berbew backdoor discovery persistence
Score
10/10

behavioral15

berbew backdoor discovery persistence
Score
10/10

behavioral16

discovery persistence
Score
10/10

behavioral17

Score
1/10

behavioral18

discovery
Score
8/10

behavioral19

mydoom discovery persistence upx worm
Score
10/10

behavioral20

berbew njrat backdoor discovery persistence trojan
Score
10/10

behavioral21

berbew backdoor discovery persistence
Score
10/10

behavioral22

defense_evasion discovery persistence
Score
7/10

behavioral23

discovery
Score
8/10

behavioral24

berbew backdoor discovery persistence
Score
10/10

behavioral25

berbew backdoor discovery persistence
Score
10/10

behavioral26

discovery
Score
8/10

behavioral27

berbew backdoor discovery persistence
Score
10/10

behavioral28

discovery
Score
8/10

behavioral29

berbew backdoor discovery persistence
Score
10/10

behavioral30

berbew backdoor discovery persistence
Score
10/10

behavioral31

berbew backdoor discovery persistence
Score
10/10

behavioral32

berbew backdoor discovery
Score
10/10