General

  • Target

    quarantine.7z

  • Size

    21.2MB

  • Sample

    250224-3hc1cstqz7

  • MD5

    ca3a9a921fd93c77873733391bce99c5

  • SHA1

    d996eec0e60f30e3b77964a48f8653f84e4c22aa

  • SHA256

    440abc5db3efed296663a525774c5d7eac845c042366a8ff5a02021b7f27e327

  • SHA512

    6d0683b913c70a03a481ef411dd473244ddaf8dda302105fe9df285fa971dc664338bdf61a75c6fb68f585c2e22f046d29f63fc59612349cdd5f8e64a3ceb9b5

  • SSDEEP

    393216:Ye5xJyg0e/uKv2ke2sn0am4fkK0gVPU1apQkHNiYryFzEtU7FZ30QebmZyHpG:p5ye72ke2s0D4fp0gVs1wkCIPQbhpG

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Extracted

Family

vidar

C2

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

lumma

C2

https://embarkiffe.shop/api

Extracted

Family

gcleaner

C2

185.156.73.73

Targets

    • Target

      quarantine/b8.exe

    • Size

      1.7MB

    • MD5

      245f17ccd3a5b4c2dff57855a5eded43

    • SHA1

      77520d7d6af51cb528a04a2322a1b2eb8a208712

    • SHA256

      2ff3326936c92c2c2943505546d4e16fa9f501f6c31ecd1de182089a7ccd5fec

    • SHA512

      72775b15b8f6ec6a002f1e79fd1fa50a42ab35f1bf6fccec341dc41c280522efdd05308ae743f411db53c238270b7dd1c8520a6e123e029db2bcf32f497febb9

    • SSDEEP

      49152:+pz3wiamt8UPYQu6KNHBHGPV/+xd+rF40OkH:+pUiawQVH8PVW3+rokH

    Score
    10/10
    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/random.dllMain

    • Size

      5KB

    • MD5

      86967dbf5dbc9c92a2b956523c48ba2a

    • SHA1

      b6ee88ab3dd8a15170287ac1bcf56666e634d4c6

    • SHA256

      ee507f1d0eff16455d347fea45e479c8a3e9add5bcbbd2877d1458377bc6b47c

    • SHA512

      e131965a6bd0e69aa6810c9f709c28588beb0503a85be92603d2b337aa20f7a9b7223b47df96f0bdb37bf0b31c8a680fcaeea84df4f0a8d0f605aa87decbea6f

    • SSDEEP

      96:1j9jwIjYj5jDK/D5DMF+C8tZqXKHvpIkdNPrRY9PaQxJbKVQnx/IR:1j9jhjYj9K/Vo+n+aHvFdNPr69ieJTnu

    Score
    3/10
    • Target

      quarantine/random.exe

    • Size

      3.8MB

    • MD5

      5a4ab597ed3024a1aaf6922eba22b724

    • SHA1

      65285af68a9a8e469f0cc6b2ae9f3ac4bff3bdad

    • SHA256

      16a6b52e068795ff9be36e5867d35d062e096533f96b923ace6733ea6a00d247

    • SHA512

      7f638727760491f71cf48d20ceebb05644a19f1ced9835b53719358e7cb8c522e18afbacc566d9a95d14033c3758c2b1bb053ef72e59de088a7dcadec2f5efc0

    • SSDEEP

      49152:JdyX6fLadkiCgWkHv59D7Kh6T0lcCditCF66b5gdVh/Qdfv1x57vzzg5HFfmmaZh:dmdtvHvjD7K6T0GhtzRQZvyFfzr8

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      quarantine/random_2.exe

    • Size

      4.5MB

    • MD5

      3a4289dc27c4a103a6710d371bc7f857

    • SHA1

      6fce6d7d150cdc05e5e4d5baa579dbbab80993f2

    • SHA256

      d287e0e7967728b65d0da4bf0df4b1694ca953784a09100d58bf97aaf80ecc25

    • SHA512

      f18a2ac2bd6ee559028dc95a7fe4919e6eb421d7fc630f73e06ebb020fa364f5ecfb3a2c292d0742d5745967d8b949dd87ff6e7962d28a77f426cf33450ac37d

    • SSDEEP

      98304:NWaOFNJFwpZU9G8YU1rPJ4PGK+hAdBAOBZ0w5HmjQhEHb:N0JFx9IU1rPypTr0w5HmjQW7

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      quarantine/random_3.exe

    • Size

      429KB

    • MD5

      a92d6465d69430b38cbc16bf1c6a7210

    • SHA1

      421fadebee484c9d19b9cb18faf3b0f5d9b7a554

    • SHA256

      3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

    • SHA512

      0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

    • SSDEEP

      6144:Q/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOOp:Q/RCey1AxsmUQ63NmjyQ6g0MQYZc7Kb

    • Detect Vidar Stealer

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Target

      quarantine/random_4.exe

    • Size

      21.8MB

    • MD5

      d5d0ef9a2b73195c8ff0a7e1300864d2

    • SHA1

      5250811b24e290aa4558835f473cb05cc4b4b8de

    • SHA256

      48137c18724ecc9ca9a8b9c743cbbdd8bc4791980ed16a2613bc893866fcdfa7

    • SHA512

      43b74c124bdda3aedcd80b99f6912a18b8975437194910531aa17574f010ee66abe67c3c5d56d750cd0e843066262618a05b900d648d3e79faa9b903a8259392

    • SSDEEP

      24576:m4rDuALLuIzpo4nC1rUsEq3xwPvDCLnj0KDUIw+fDFU1i95pX9vrIufPkkVf3ybM:2

    Score
    1/10
