Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    Ultra Mega Null DDoS Panel (added API Function in v2.39).exe

  • Size

    22.4MB

  • MD5

    317c5fe16b5314d1921930e300d9ea39

  • SHA1

    65eb02c735bbbf1faf212662539fbf88a00a271f

  • SHA256

    d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

  • SHA512

    31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031

  • SSDEEP

    49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

  Score

  10^/10

  cobaltstrikelockbitmarsstealermimikatzquasarragnarlockersquirrelwafflexwormdefaultoffice04backdoorbootkitcredential_accessdefense_evasiondiscoverydownloaderexecutionimpactpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojan

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike

  • Cobaltstrike family

    cobaltstrike

  • Detect Xworm Payload

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit

  • Lockbit family

    lockbit

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer

  • Marsstealer family

    marsstealer

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • Mimikatz family

    mimikatz

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • RagnarLocker

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    ransomwareragnarlocker

  • Ragnarlocker family

    ragnarlocker

  • Rule to detect Lockbit 3.0 ransomware Windows payload

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

    downloadersquirrelwaffle

  • Squirrelwaffle family

    squirrelwaffle

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (8300) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Squirrelwaffle payload

  • mimikatz is an open source tool to dump credentials on Windows

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    defense_evasion

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  behavioral1