Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    quarantine/0frhMAb.exe

  • Size

    1.7MB

  • MD5

    971c0e70de5bb3de0c9911cf96d11743

  • SHA1

    43badfc19a7e07671817cf05b39bc28a6c22e122

  • SHA256

    67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d

  • SHA512

    a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

  • SSDEEP

    49152:PILW3W4OH2ImHQRD2H8Vs1sfh8h08GhPdYJblsacEadrrtNb24q:i+eJNbHq

  Score

  10^/10

  redlinetestprolivdiscoveryinfostealerspywarestealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral1behavioral2

• • Target

    quarantine/7axE6Jz.exe

  • Size

    397KB

  • MD5

    ab118fd9c6e1c3813ff0ec7cd8c6539f

  • SHA1

    a03967883de5cfbe96036d13eac74bbb030903ef

  • SHA256

    57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad

  • SHA512

    4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297

  • SSDEEP

    12288:AJHH9INsFF4R0UyBSKW0lK/MNWqdgJuYuPEAo6EO:ed93PblKUNWt4Yst

  Score

  7^/10

  discoveryspywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    quarantine/Dyshh8M.exe

  • Size

    1.4MB

  • MD5

    5487dcc2e2a5d7e109c3fd49f37a798b

  • SHA1

    1ad449a9ef2e12d905e456f9b56f97a3d0544282

  • SHA256

    b9be721252182d14fe65f1240fa16caa0238346b329fb6139e891f0c94c99ce5

  • SHA512

    ee89ea43516275c73e9227dd6f26c2ceaf717928b9b376f65e891d9eb9110f6596d0c6e8f7bf78b51e0dc3a3acaba2c77d64d8b567b49943439c28344fb21845

  • SSDEEP

    24576:gcd852wi7owRrez4QT+HKlKpypFSy22ec8HPIMKOu2Xsn+obq02OSPMmLy2SZdt:g6zRJQq5ypRX8MO9XsSrFLYj

  Score

  3^/10

  discovery
  behavioral5behavioral6

• • Target

    quarantine/GEFwbK0.exe

  • Size

    162B

  • MD5

    1b7c22a214949975556626d7217e9a39

  • SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

  • SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

  • SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

  Score

  3^/10

  discovery
  behavioral7behavioral8

• • Target

    quarantine/I8L5Xon.exe

  • Size

    162B

  • MD5

    1b7c22a214949975556626d7217e9a39

  • SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

  • SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

  • SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

  Score

  3^/10

  discovery
  behavioral10behavioral9

• • Target

    quarantine/IxZcQMy.exe

  • Size

    162B

  • MD5

    1b7c22a214949975556626d7217e9a39

  • SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

  • SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

  • SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

  Score

  3^/10

  discovery
  behavioral11behavioral12

• • Target

    quarantine/am_no.bat

  • Size

    2KB

  • MD5

    189e4eefd73896e80f64b8ef8f73fef0

  • SHA1

    efab18a8e2a33593049775958b05b95b0bb7d8e4

  • SHA256

    598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

  • SHA512

    be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

  Score

  10^/10

  amadeylummasystembcvidar092155a4d2cdir7amcredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealertrojangcleanerhealerredlinetestprolivdropperevasioninfostealerloader

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Detect Vidar Stealer

    stealer

  • Detects Healer an antivirus disabler dropper

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer

  • Healer family

    healer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies Windows Defender TamperProtection settings

    evasiontrojan

  • Modifies Windows Defender notification settings

    defense_evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Systembc family

    systembc

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Downloads MZ/PE file

  • Sets service image path in registry

    persistence

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Windows security modification

    defense_evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Boot or Logon Autostart Execution: Authentication Package

    Suspicious Windows Authentication Registry Modification.

    persistenceprivilege_escalation

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral13behavioral14

• • Target

    quarantine/download.php

  • Size

    3.7MB

  • MD5

    63b6337ffee0f98a1e86086a9053192e

  • SHA1

    f70c12174b65aaefaeb90b74151b10bc75a13d01

  • SHA256

    4fe34666349dc7430da4acd480420156a551230e0d59d2b2ef49db9e2074c376

  • SHA512

    41cf1713df50e9427cbfb0c6556bff38947c4ef462507c588f32cb74f49aced32818f965172bfdf6513cd5a1ba39bf32236c4a6f6b4be26bc21729e4c842e1cf

  • SSDEEP

    98304:Kg2Rmmrayt5HbFijOHMVixQo1tNZXWPn9EwRKzfOcui:K5Rm8aswOHMIxQetNZXWP95ofOch

  Score

  10^/10

  amadeyhealerlummaredlinestealcsystembc092155a4d2cdrenotestprolivdefense_evasiondiscoverydropperevasionexecutioninfostealerpersistenceprivilege_escalationspywarestealertrojan

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • Amadey family

    amadey

  • Detects Healer an antivirus disabler dropper

  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer

  • Healer family

    healer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies Windows Defender TamperProtection settings

    evasiontrojan

  • Modifies Windows Defender notification settings

    defense_evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Stealc family

    stealc

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Systembc family

    systembc

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Downloads MZ/PE file

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    defense_evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Boot or Logon Autostart Execution: Authentication Package

    Suspicious Windows Authentication Registry Modification.

    persistenceprivilege_escalation

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral15

• • Target

    quarantine/imfsCjY.exe

  • Size

    162B

  • MD5

    1b7c22a214949975556626d7217e9a39

  • SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

  • SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

  • SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

  Score

  3^/10

  discovery
  behavioral16behavioral17

• • Target

    quarantine/kablenet.exe

  • Size

    277B

  • MD5

    d8243ccef58efc84a689a703e9e28ea0

  • SHA1

    82ea4b52e378f4efaa0084b00d676ffa6bbc2236

  • SHA256

    d772f666c8c2870b534f593f68820b2524e78460ef67417572dab81e0d23c4d1

  • SHA512

    ccdfa72d1e71984f6e531a3f6c099be8d2e6620a2db1a98f326ec0ccf169e1f759e0d1198a2a0e238b19ff42325503ab5481498080a61d59d24dddab07c46764

  Score

  3^/10

  discovery
  behavioral18behavioral19

• • Target

    quarantine/ninite22.exe

  • Size

    277B

  • MD5

    d8243ccef58efc84a689a703e9e28ea0

  • SHA1

    82ea4b52e378f4efaa0084b00d676ffa6bbc2236

  • SHA256

    d772f666c8c2870b534f593f68820b2524e78460ef67417572dab81e0d23c4d1

  • SHA512

    ccdfa72d1e71984f6e531a3f6c099be8d2e6620a2db1a98f326ec0ccf169e1f759e0d1198a2a0e238b19ff42325503ab5481498080a61d59d24dddab07c46764

  Score

  3^/10

  discovery
  behavioral20behavioral21

• • Target

    quarantine/pic2.jpg

  • Size

    334KB

  • MD5

    bee1a863ac59625fc5e26f467aebe4cd

  • SHA1

    7dcabb6a5183d1f1ee1cadabaedb054de882adf1

  • SHA256

    ba3f81366dc74cf3b0257e094c1a8dec2804a975c0476eae5acf0e473d3a03b3

  • SHA512

    34afa4e856aa5f42212e3d50b27345c291f77a1c4c97af966b63348a127a9fb80bd5d50206d9a46d67e2b3506e93004733516ffcd36803beea31927f9cda8d96

  • SSDEEP

    6144:R+vpbKWD9fE2puwKtWbHZyCa4i9U0d2MRNMO+XqqVixdkG9M5JD5Ds:R+tLtE2p9KtIgyPMROQ+GM5Ds

  Score

  7^/10

  discoveryspywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral22behavioral23

• • Target

    quarantine/pic3.jpg

  • Size

    159KB

  • MD5

    0ea1a068ec89f5bb4afd9751b8f0870b

  • SHA1

    fc528ec63da19524d1f4ba7a5fda49a94d67d105

  • SHA256

    3a2d68520beaa0fb116027a0727f19ef31e6b127dc0ce437600866cbf84ef97f

  • SHA512

    2ec7f2ac9b949512e671285b0dc8119326473aab4f98b81864c936dfde1fe66ad6c190f8040d892cf0e0efc25ec46a6ef1c58871ce60da44a79a36f5d4573b8e

  • SSDEEP

    3072:8ahKyd2n3155GWp1icKAArDZz4N9GhbkrNEk10kigT:8ahO1p0yN90QEO

  Score

  8^/10

  discoveryexecutionpersistence

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral24

• • Target

    quarantine/random.exe

  • Size

    938KB

  • MD5

    c558d98f9db4189dd16f53be21cda0a5

  • SHA1

    877d90ade73ff75ede6e7aa8ac5dd18d754fa693

  • SHA256

    abee781314dab00f92f104f009701a129ceb06e0f4071b85323db474c2b3952d

  • SHA512

    7127d65ad9ca2149f8bf0e9de8fcbb90e567509f5c7787f3b6f05c69c4bd9db2fea64c4d2b27eadb53c8bae7d8efb9a20b014c9b2b7870f80f53f589b5289a83

  • SSDEEP

    24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aebl:zTvC/MTQYxsWR7aeb

  Score

  10^/10

  healerdefense_evasiondiscoverydropperevasionexecutiontrojan

  • Detects Healer an antivirus disabler dropper

  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer

  • Healer family

    healer

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies Windows Defender TamperProtection settings

    evasiontrojan

  • Modifies Windows Defender notification settings

    defense_evasiontrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral25behavioral26

• • Target

    quarantine/ssystemfiktums.exe

  • Size

    277B

  • MD5

    d8243ccef58efc84a689a703e9e28ea0

  • SHA1

    82ea4b52e378f4efaa0084b00d676ffa6bbc2236

  • SHA256

    d772f666c8c2870b534f593f68820b2524e78460ef67417572dab81e0d23c4d1

  • SHA512

    ccdfa72d1e71984f6e531a3f6c099be8d2e6620a2db1a98f326ec0ccf169e1f759e0d1198a2a0e238b19ff42325503ab5481498080a61d59d24dddab07c46764

  Score

  3^/10

  discovery
  behavioral27behavioral28

• • Target

    quarantine/xqWgymz.exe

  • Size

    1.7MB

  • MD5

    971c0e70de5bb3de0c9911cf96d11743

  • SHA1

    43badfc19a7e07671817cf05b39bc28a6c22e122

  • SHA256

    67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d

  • SHA512

    a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

  • SSDEEP

    49152:PILW3W4OH2ImHQRD2H8Vs1sfh8h08GhPdYJblsacEadrrtNb24q:i+eJNbHq

  Score

  10^/10

  redlinetestprolivdiscoveryinfostealerspywarestealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  behavioral29behavioral30