Resubmissions

09/03/2025, 01:58

250309-cdv29swybs (score 10/10)

08/03/2025, 06:55

250308-hp35xatjt9 (score 10/10)

08/03/2025, 04:53

250308-fh1ebssky5 (score 10/10)

General

  • Target

    My-Skidded-malwares-main.zip

  • Size

    106.4MB

  • Sample

    250308-hp35xatjt9

  • MD5

    d01f58a973cfceca5abbb124f8e580ff

  • SHA1

    b60fd4d18c92322819300af17bc44e798d0ddef4

  • SHA256

    d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

  • SHA512

    81d6c94f56d53cd7fa29f5c1d9f8077a176b07b9a2c859b8525f6451660fb906dd960b71358ff870019990f541e816489c131a96b1fb2b7c66178a04ed35904d

  • SSDEEP

    3145728:Sg2PlA+mrMHCwbc/bAjXC0P5JCe94RWQRVBCXD7:SJlmxTAj7PtGR9RVBE3

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:51848

otherwise-puzzle.gl.at.ply.gg:51848

Mutex

qsSOINsibBjw

Attributes
  • delay

    3

  • install

    true

  • install_file

    dwn.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/0GcVDftp

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ahmed

C2

allahouakbar.no-ip.biz:100

Mutex

U70D500V1OA427

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Grattis! din dator har nu blivit 2 GHz snabbare :)  (Swedish: "Congratulations! your computer has now become 2 GHz faster :)")

  • message_box_title

    Windows booster

  • password

    webstar

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7148398804:AAESLKl9fVODMrpM8H4Wkq1Zbm-83PcMLro/sendMessage?chat_id=2135869667

Extracted

Family

redline

C2

185.196.9.26:6302

38.180.203.208:14238

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://49.235.129.88:80/UaAe

Attributes
  • headers

    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MASP)

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cyber

C2

sonytester.no-ip.biz:99

Mutex

SA237HSP65QY45

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winbooterr

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Wait For Server Comming Up Again.

  • message_box_title

    FAIL 759.

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

im523

Botnet

puked

C2

147.185.221.20:47570

Mutex

20006afb0ec33f2e48c8c1f17d4d3382

Attributes
  • reg_key

    20006afb0ec33f2e48c8c1f17d4d3382

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

чучундра

C2

hakim32.ddns.net:2000

safety-bronze.gl.at.ply.gg:4444

Mutex

27b92504703b09d3ee2dae0873e8e3f3

Attributes
  • reg_key

    27b92504703b09d3ee2dae0873e8e3f3

  • splitter

    |'|'|

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -YFLE4M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Extracted

Family

xworm

Version

5.0

C2

outside-sand.gl.at.ply.gg:31300

185.7.214.108:4411

185.7.214.54:4411

Mutex

zaeAeDtYkBFrvT6Y

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

school

C2

167.71.56.116:22764

Mutex

872de6721af0b6833a743205be97e089

Attributes
  • reg_key

    872de6721af0b6833a743205be97e089

  • splitter

    |'|'|

Extracted

Family

lumma

C2

https://commisionipwn.shop/api

https://stitchmiscpaew.shop/api

https://ignoracndwko.shop/api

https://grassemenwji.shop/api

https://charistmatwio.shop/api

https://basedsymsotp.shop/api

https://complainnykso.shop/api

https://preachstrwnwjw.shop/api

https://hookybeamngwskow.xyz/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.43.241:4782

73.62.14.5:4782

Mutex

0d40e7a7-49fe-45a6-9c6d-b8affa11f503

Attributes
  • encryption_key

    6095BF6D5D58D02597F98370DFD1CCEB782F1EDD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

C2

dez3452-33187.portmap.host:33187

dez345-37245.portmap.host:37245

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes
  • encryption_key

    65439CE7DEF3E0FAF01C526FEA90388C9FD487A1

  • install_name

    java.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    java ©

  • subdirectory

    Programfiles

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

C2

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes
  • encryption_key

    FFEE70B90F5EBED6085600C989F1D6D56E2DEC26

  • install_name

    windows 3543.exe

  • log_directory

    roblox executor

  • reconnect_delay

    3000

  • startup_key

    windows background updater

  • subdirectory

    windows updater

Extracted

Family

marsstealer

Botnet

Default

C2

kenesrakishev.net/wp-admin/admin-ajax.php

Extracted

Family

orcus

Botnet

FIVEM

C2

198.50.242.157:3846

Mutex

7c8e6bec5a514abfa98e8c7d116e215a

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\GoogleChromeUpt\Updater.exe

  • reconnect_delay

    10000

  • registry_keyname

    ChromeStarter

  • taskscheduler_taskname

    Start

  • watchdog_path

    AppData\ChromeDEV.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

C2

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes
  • encryption_key

    985DB7D034DB1B5D52F524873569DDDE4080F31C

  • install_name

    WenzCord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update.exe

  • subdirectory

    SubDir

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://onion1.host:443/temper/PGPClient.exe

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2 MONEY

C2

twart.myfirewall.org:14143

Mutex

udn3BZ1Fqt3jtiZx

Attributes
  • delay

    30

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

FFF

C2

tibiaserver.ddns.net:2323

Mutex

64805e9b9efcd75e104b05fad0cb2a4c

Attributes
  • reg_key

    64805e9b9efcd75e104b05fad0cb2a4c

  • splitter

    boolLove

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

remcos

Botnet

GOLAZO

C2

agosto14.con-ip.com:7772

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KKPQTN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
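
The extracted configurations above are what a SOC turns into blocklists and hunt queries, but not every C2 entry is actionable: several are loopback or private addresses left by the RAT builder (127.0.0.1:51848, 192.168.43.241:4782), several sit on dynamic-DNS and tunnelling providers (ply.gg, portmap.host, no-ip.biz), and two are Telegram Bot API URLs where the host is legitimate and only the bot token identifies the operator. The following Python is an added example, not part of the report or of any tool named in it: it parses the report's flattened config layout into records, classifies each C2 entry, and pulls out the host-side artifacts (mutexes, install names, run keys). The function names, the provider suffix list, the artifact key list and the notes are assumptions; the sample text is copied from the configs above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the report's layout (values copied from the configs above).
SAMPLE = """\
Extracted
Family
asyncrat
C2
127.0.0.1:51848
otherwise-puzzle.gl.at.ply.gg:51848
Mutex
qsSOINsibBjw
Attributes
  • install_file
    dwn.exe
  • install_folder
    %AppData%
aes.plain
Extracted
Family
snakekeylogger
C2
https://api.telegram.org/bot7148398804:AAESLKl9fVODMrpM8H4Wkq1Zbm-83PcMLro/sendMessage?chat_id=2135869667
"""

LIST_KEYS = {"C2", "Decoy"}
SCALAR_KEYS = {"Family", "Version", "Botnet", "Campaign", "Mutex"}
# Dynamic-DNS/tunnel providers the report flags as abused hosting; assumed list.
TUNNEL_SUFFIXES = (".ply.gg", ".portmap.host", ".ddns.net", ".no-ip.biz", ".duckdns.org",
                   ".linkpc.net", ".con-ip.com", ".myfirewall.org")
# Attribute names (as printed above) that describe host-side artifacts worth hunting.
PERSIST_KEYS = {"install_file", "install_folder", "Install_directory", "install_name",
                "install_path", "reg_key", "startup_key", "registry_keyname", "mutex"}
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+)\s*:(?P<port>\d{1,5})$")


def parse_configs(text):
    """Split on 'Extracted'; scalars keep the first value, C2/Decoy collect lines."""
    configs, cur, key, attr = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            cur = {"Attributes": {}}
            configs.append(cur)
            key = attr = None
        elif cur is None:
            continue
        elif line in LIST_KEYS or line in SCALAR_KEYS or line == "Attributes":
            key = line
        elif key == "Attributes":
            if line.startswith("•"):                       # "• name" or "• name value"
                parts = line.lstrip("• ").split(None, 1)
                attr = parts[0]
                if len(parts) == 2:
                    cur["Attributes"][attr], attr = parts[1], None
            elif attr:                                     # value line of the last bullet
                cur["Attributes"][attr], attr = line, None
        elif key in LIST_KEYS:
            cur.setdefault(key, []).append(line)
        elif key in SCALAR_KEYS:
            cur.setdefault(key, line)
    return configs


def classify_c2(entry):
    """Return (host, port, note); non-routable and abused-service hosts are flagged."""
    entry = entry.strip()
    if "://" in entry:
        u = urlparse(entry)
        host, port = u.hostname or "", u.port or (443 if u.scheme == "https" else 80)
    elif (m := HOST_PORT.match(entry)):                    # tolerates "host :port"
        host, port = m.group("host"), int(m.group("port"))
    else:                                                  # bare host/path form
        host, port = entry.split("/", 1)[0], 80
    note = "actionable"
    try:
        if not ipaddress.ip_address(host).is_global:
            note = "non-routable: builder default or lab address, do not block"
    except ValueError:
        if host == "api.telegram.org":
            note = "legitimate API abused: pivot on the bot token, not the host"
        elif host.endswith(TUNNEL_SUFFIXES):
            note = "dyndns/tunnel host: churns, pair with host artifacts"
    return host, port, note


def extract_iocs(configs):
    """Flatten parsed configs into (family, type, value, note) rows."""
    rows = []
    for c in configs:
        fam = c.get("Family", "unknown")
        for entry in c.get("C2", []):
            host, port, note = classify_c2(entry)
            rows.append((fam, "c2", f"{host}:{port}", note))
        if "Mutex" in c:
            rows.append((fam, "mutex", c["Mutex"], "host artifact"))
        rows += [(fam, k, v, "host artifact") for k, v in c["Attributes"].items() if k in PERSIST_KEYS]
    return rows
```

`extract_iocs(parse_configs(report_text))` gives rows you can write to CSV or a SIEM lookup; treat the "host artifact" rows as the durable side of the picture, since the builders here let the operator change the C2 per build while several configs above still carry builder-default install names (Client.exe, Svchost.exe, remcos.exe).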

Targets

    • Target

      My-Skidded-malwares-main.zip

    • Size

      106.4MB

    • MD5

      d01f58a973cfceca5abbb124f8e580ff

    • SHA1

      b60fd4d18c92322819300af17bc44e798d0ddef4

    • SHA256

      d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

    • SHA512

      81d6c94f56d53cd7fa29f5c1d9f8077a176b07b9a2c859b8525f6451660fb906dd960b71358ff870019990f541e816489c131a96b1fb2b7c66178a04ed35904d

    • SSDEEP

      3145728:Sg2PlA+mrMHCwbc/bAjXC0P5JCe94RWQRVBCXD7:SJlmxTAj7PtGR9RVBE3

    Score
    1/10
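
Each Target entry carries MD5, SHA1, SHA256 and SHA512 for the archive and for every member, which is what you verify before trusting that the sample on your disk is the one this report describes. The following Python is an added example, not from the report: it hashes every member of a zip and diffs the result against a report-style dict, skipping Size because the report rounds it (8.6MB) and skipping SSDEEP, which needs the non-standard ssdeep library. The archive is constructed in memory so the example runs offline; the expected digests in it are the well-known values for the strings it contains, and one entry is deliberately wrong to show the mismatch output.

```python
import hashlib
import io
import zipfile

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def digests(data):
    """Hex digests under the report's field names, plus the exact byte size."""
    out = {a: hashlib.new(a.lower(), data).hexdigest() for a in ALGOS}
    out["Size"] = len(data)
    return out


def hash_archive(zip_bytes):
    """Hash the archive itself (key '') and every file member, keyed by member path."""
    result = {"": digests(zip_bytes)}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                result[info.filename] = digests(zf.read(info))
    return result


def compare(computed, report):
    """Return (target, field, expected, actual) for every mismatch or missing target."""
    problems = []
    for target, expected in report.items():
        got = computed.get(target)
        if got is None:
            problems.append((target, "missing", None, None))
            continue
        for field, value in expected.items():
            if field not in ALGOS:          # Size is rounded in the report; SSDEEP needs ssdeep
                continue
            if got[field] != value.lower():
                problems.append((target, field, value.lower(), got[field]))
    return problems


def build_sample_zip():
    """Constructed archive: two tiny members under the report's top-level folder name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("My-Skidded-malwares-main/abc.bin", b"abc")
        zf.writestr("My-Skidded-malwares-main/empty.bin", b"")
    return buf.getvalue()


# Constructed report-style expectations: abc.bin correct, empty.bin deliberately wrong,
# missing.bin absent from the archive.
SAMPLE_REPORT = {
    "My-Skidded-malwares-main/abc.bin": {
        "Size": "3B",
        "SHA256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "My-Skidded-malwares-main/empty.bin": {"MD5": "00000000000000000000000000000000"},
    "My-Skidded-malwares-main/missing.bin": {"MD5": "d41d8cd98f00b204e9800998ecf8427e"},
}


def check_sample():
    """Hash the constructed archive and report what disagrees with SAMPLE_REPORT."""
    return compare(hash_archive(build_sample_zip()), SAMPLE_REPORT)
```

For a real report, key the dict on the Target paths exactly as printed (the member paths include the `My-Skidded-malwares-main/` prefix) and add the archive itself under the empty key; any mismatch on a member means the archive you hold is not the one that was detonated, regardless of matching file names.
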
    • Target

      My-Skidded-malwares-main/6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe

    • Size

      8.6MB

    • MD5

      57c4e3c3fe4cad4179e3d2203aec90b6

    • SHA1

      12c1262f5aadb9cb11d266681841ffdebf85fe17

    • SHA256

      6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2

    • SHA512

      7e9cb1752924945212198100141cab9ed65b702535ebbbf587a1d0decc736a79e50849ba621c2f21505a8a855bb122277093768dab005194b3972b943b557499

    • SSDEEP

      49152:FBtiVC1wE+5WhANOgkImhsSWUlqiFEJ3QqkfqV8+PYfjKp9uMuqtwtpi4gmmZRwx:Fd

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      My-Skidded-malwares-main/AmongUs.vbs

    • Size

      38B

    • MD5

      c6de988249ec5c2a7798c2f8ed5f92fb

    • SHA1

      35b6884ad4e7fb1e7d8c5136e647668f4c097ea5

    • SHA256

      123c88eab37140ca3b7751294cada28e7c73f3712b1eaa78ec89c69b29c18127

    • SHA512

      58538eaaee47c1dcf8511d1de8dadd86fc34f1ba8a5444468c744ab5b2cd072b96c62bb0a2e27c1603c07d4a7461d19f9a348f19d079ad4a3bad76f4f9e572e3

    Score
    1/10
    • Target

      My-Skidded-malwares-main/AnaRAT.exe

    • Size

      6.0MB

    • MD5

      b300d99faf11ac3c6d3609c34f39ad5b

    • SHA1

      039310584b1e8fb43a08a865f3ab1b64610c8013

    • SHA256

      b8af724789e01cb47a661d40a22a5ec93a2f1499d0ace4cd5e1d7d9fffa89246

    • SHA512

      2158ca82f753258c4abee3bf425f91bd26a79fcf7c53cbb98fd5980a53d678613258367a5f10117547f3d900456d78a0e4a7c85b0f1806948e8e5b767ccb26d0

    • SSDEEP

      49152:xqU/dfDJH/bKaPMNNteROzxRwF0UCLhCkpMn8HmWIos0/Noyos5rQLiMCPSsAm6o:x1dfDy

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Modifies WinLogon for persistence

    • Njrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      My-Skidded-malwares-main/CRINGE-DO-NOT-RUN.exe

    • Size

      1.4MB

    • MD5

      ccb5b4eb6761383280df907ff6a51483

    • SHA1

      320cd5a840ad1c407a1a4178b0fb6d9b3bb4b57f

    • SHA256

      e58e7d353aacfc1beb849048c31e88fb8c528f9c42e0bb4afe487ff6d03bb245

    • SHA512

      c2a92c9bd369615017d58e222f1a9eb79ba7ae9db12d38874929cc4b7eef15469e5a090be135d2d4d8c41ba43bc8b17b52fd5dc733074ad75fb71c7fc5ddfcc2

    • SSDEEP

      24576:5MZhxQ9OIm7RNMqIkSqswv4E4+DAmIM3dbyIjH50t5UQxZZF+rLpR4fm0cFR1UOS:0qJoCWsMDAytbyAH2zn0ZVUE23

    • Target

      My-Skidded-malwares-main/Cirno.exe

    • Size

      829KB

    • MD5

      06f1165fd374b39e2a7102baa33b5197

    • SHA1

      56415c2892de1a928fbbfbcdd533121b108e1f50

    • SHA256

      1396f43eb7dfce2024c4a0b5c91a80c1d94a98e52eb7c6f2f533f44e9acc6b70

    • SHA512

      455434788dff51a6b9fc9bf0040740680ea42870d11c83d1ed8b74bc1d2bc7aa2009276f79d8a841a3544f6c0c38954ef026fca7041abaf39d62eaf54e4bdfc8

    • SSDEEP

      12288:JDbpr2trUqUeBhfUHzXC+cHJ8XeSb++MnaTXv0d28i10kaj/29T:JDdsrsG5UHulCXR+xaTXh1qj/

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Cool Game MAKR 2022!!.zip

    • Size

      80KB

    • MD5

      b95c8ab34fed4c23e7d0a45a92949c2a

    • SHA1

      dc0bda10dd63578940b2c6c415ea0a4096372f15

    • SHA256

      0a4bb1b8ec32f23c0e07fa12bc36aaddf9a083e3710a875859db045335f2b430

    • SHA512

      3ff4c9e433aecd924d4c119f0e3c557b3127c35ec2314513d7966fb0816385ff592523bda385ac614b323ba55557a8fbaf40c5d6e6402cc81f4182eac0c1be93

    • SSDEEP

      1536:DfQt4uHx2BQlhrGzgEoUXShjaSxil7HocMXSp7THtq1RlfPAn4dN5m5PVG+oXY:LQFKQXrYScrHwSFylkAmDG+B

    Score
    1/10
    • Target

      My-Skidded-malwares-main/DAMK.exe

    • Size

      776KB

    • MD5

      e3f963c1c96b3069a768002382ce8bde

    • SHA1

      8dc40c52456631b2daf4bd881c7e6320aa9f6503

    • SHA256

      5f577b7efb40a0acadc7499fdd12b581ac19aad7b5c6e404e2f40b2b3f191bb4

    • SHA512

      49a8800de23596bbff4eb52e74eee917976848d1bf5137baa699611ba9bdf69191cb2ebc587acd61cf0b72bcfc649609b56c13a0795a61e546b336667e9c24c8

    • SSDEEP

      12288:3Dbpr2trUqUeBhfUHzXC+cHJ8XeSb++lnaTKvgDSBCFdn0r:3DdsrsG5UHulCXR+KaTKYrJQ

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Dell_Fuck.vbs

    • Size

      11KB

    • MD5

      d18689bda39d279eae5eb55b5c38d635

    • SHA1

      f050c7dff3d124347a3e286b1179c157135e61ec

    • SHA256

      7f549b38fc1203844e9926e294a36d88fd1893acbf5dd642c2dc2717b4aa940b

    • SHA512

      04273fe5f754d7a6287b8411c6bd66b521e0226466fac0d976244dd602b38abf8bb514108bfcf66a01fe7529c31d82223ab259614e20b669cb39cb7e84b23928

    • SSDEEP

      192:JXplASJqjex+T4YhGbRm+UNy0Y2PrmrCQzCy9b0PW69hnpSbqd1w2:lrcjex0z02PrsiwbkW6hd1w2

    Score
    1/10
    • Target

      My-Skidded-malwares-main/Discord Expliot Kit.exe

    • Size

      402KB

    • MD5

      8c03f9981a98007dcf7d68415680d1a0

    • SHA1

      4f4986dda199a8874b023e163de023dec27104ac

    • SHA256

      816a4880a3b1076f4e27e5f26324035c0b1ab66c2a87b28a64f8ce03429d7f5e

    • SHA512

      b4d4eda5bb1783324f5baaf458d3d7483076db1e765dc8e65c01a2b018d7e1658907fe21adf8f5e1653360ebada03c5c9503746ff716c21a20b20d793fc35079

    • SSDEEP

      12288:a6Wq4aaE6KwyF5L0Y2D1PqLZeqhBkEFY9ddNdgYaTW3DB:4thEVaPqLDkFiYaTkB

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      My-Skidded-malwares-main/ERROR 2.bat

    • Size

      168B

    • MD5

      3dc2bbaa5933fd52865ce234646e0d28

    • SHA1

      9adec1cacca35ba4e9d796ba2e8afd838ba22f6d

    • SHA256

      439ba9dd4db80cc434308cddce9efc4d22d2cd4ec405cf51119f6da9497ae515

    • SHA512

      b686d38a699645fa46ba30daf6beb56055271e1ae3dc1a3e175442e6e2a02d78c15156f7e3a936a2e413baa9bc2e1ab4de3cee785adc8c2d0ff234523d3bd68e

    Score
    3/10
    • Target

      My-Skidded-malwares-main/ERROR.vbs

    • Size

      104B

    • MD5

      c09a5859ec345c4f98eb3c946f11b567

    • SHA1

      19f196840caab2cbcaafd5304aba889ac92c8e7f

    • SHA256

      fc848ef688b22ca73811168409f96bc4a55396ae8d4efb39b552682bd24a8947

    • SHA512

      744ccec862f1b6e137e0db4dfc70181f6b3edf05773b7bc9bd81e42037bf174e707f70315682660d7d8f9eaa102971aab1a719450e70205779311454c6616333

    Score
    1/10
    • Target

      My-Skidded-malwares-main/Fello_s_Revenge.exe

    • Size

      18.4MB

    • MD5

      f8e1d9b436b1d95231ae33b44c6f165c

    • SHA1

      bd4a588b9bbcd346fd0e4818da382ca241104d17

    • SHA256

      23a6dc4cce379f0d6a85e0b2b09e66d0d0f370e9d610a84aa1810aab605a3976

    • SHA512

      963f3ca6370d36d54d9034000e33198e9cfa8d54f7c70cf67e0e9be246a30bbd2db5f927c9dbb5edfebab3e255ece6023d3a2ed72715d1842519a9d2ff45a7f6

    • SSDEEP

      393216:XpkQrjxkZI7X/exB5l7qqd6DqhDzeozX5dpYeewDuBnkeKyN:Xrr1kTz7qqAGdzpdFynkeKyN

    • Adds autorun key to be loaded by Explorer.exe on startup

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Detect Xworm Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Modifies firewall policy service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Sality

      Sality is a polymorphic file infector with backdoor functionality, written in C++ and first discovered in 2003.

    • Sality family

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • CryptOne packer

      Detects the CryptOne packer as described in the NCC Group blog post.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      My-Skidded-malwares-main/Fellos RAT-Pack.exe

    • Size

      6.5MB

    • MD5

      58fe672cdb9c2f380f4ab2157a57cfa9

    • SHA1

      de2869332551a4f97a1ae65000adf1edf91f0121

    • SHA256

      cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

    • SHA512

      60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

    • SSDEEP

      196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Njrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      My-Skidded-malwares-main/KonataMBR.exe

    • Size

      788KB

    • MD5

      92354a4cf04fcebdd16f2465158562fb

    • SHA1

      c9f51999fdd20f254312f3d9cdb6186235662fc3

    • SHA256

      67ccdbe6425aefa7dc15347ebc4b233da90c2edf533c96d9811f50c3669393e4

    • SHA512

      63b860b8e5deee962d00bb2aff82fa6c128c6a5c14e57dcef45d7084473f9aa4aa3fd90403ac41041ab9adf520dd64c5cababe31a3ba26b6e712335e3a199766

    • SSDEEP

      12288:JDbpr2trUqUeBhfUHzXC+cHJ8XeSb++lnaTLNv5yogXsg6fv:JDdsrsG5UHulCXR+KaTLNUoilm

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/KonoSuba.vbs

    • Size

      130KB

    • MD5

      b611a6c8c3f2decf002d1fe949fbb18f

    • SHA1

      a3ba057001409328ecb65cf00d26f4d160b64472

    • SHA256

      27921097bf91f095abb9fb717dc75961ba4aad047911f2a65fae8859e389229d

    • SHA512

      d8178fc491f45f5bde0aa0ffb40172c69fbbe761165b7c1265ee189cdeb976985bc4f915dfdf9348fb18e322a52dc9d130de162c6b5bc47cfd501420991f7cdd

    • SSDEEP

      3072:Smba7w5VxGTGztLOBbVR2E3wyNJb7SVzPYi1OOyBlqQII85fC9zzzjbZYmtLzEwT:7ba7w5VxGTGztLOBbVR2E3wyNJb7SVz8

    Score
    1/10
    • Target

      My-Skidded-malwares-main/MarisaFumoDownload.exe

    • Size

      825KB

    • MD5

      e3558be7928053af8b9ccc60a57a40fc

    • SHA1

      253f2b018c5aaa38cd038256af9b72bd397aece1

    • SHA256

      125263fbc1a517f7302ee91bfaa548767719243b4f9dcaad33c13974fe9f4591

    • SHA512

      3152ef4c7a544f282cf4ac356adf1d4ad753a0eb3ad12bf7af66174acae700e5a8d40302305b7acddc867e834829cf430efefe7a070fd17751e7571e5d5099be

    • SSDEEP

      12288:WDbpr2trUqUeBhfUHzXC+cHJ8XeSb++6naTmvtCQomfU37uwzNiVEjZ5HX:WDdsrsG5UHulCXR+PaTmPc3q2I853

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/MarisaMBR.exe

    • Size

      585KB

    • MD5

      6c21116078b7a90e7cf1492805a548dc

    • SHA1

      17c7bc8d17b42b258557e23ae7b0b68ba732c5a0

    • SHA256

      88b3be30c450d7cf75bbbae7c5367bb230b8c343b8d8fe02eddf9f96c82f2496

    • SHA512

      b6e756f480f219e636ee5d55a78c5e1ccd847ce9fa8a73f5e0209ecc4bfe8b8e4f129c1ac413f49990d7bce18817ea60aedd6fde9be430d7a34795baaeee8447

    • SSDEEP

      12288:1Dbpr2trUqUeBhfUHzXC+cHJ8XeSb++MnaTmv0:1DdsrsG5UHulCXR+xaTm

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Marlon2210FACEREVEAL.exe

    • Size

      949KB

    • MD5

      1c56b9afef7d10fd1f4770537edc69f0

    • SHA1

      5babf7a11f145efa9aa70513e6c19dffc0159a88

    • SHA256

      166334e461c59caa5b53983c01438e3ecc7158608d718ade859c943f0b5c0114

    • SHA512

      298f94da49b72b2d6bc25f5a3b24bf911a7c0da112365aa6d4684cd77e614ebcb487a88d6dba1c3834265f9c2be6f1efa3fd88c5ad0628bf159772e9710539fb

    • SSDEEP

      12288:lDbpr2trUqUeBhfUHzXC+cHJ8XeSb++DnaTgv/Wn75w:lDdsrsG5UHulCXR+YaTgC2

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Marlon2210KeyGen.exe

    • Size

      949KB

    • MD5

      2ea42ce76ee468ccb44de2c5aeda2c4f

    • SHA1

      d3a207b088eee1c9630f51d5d6b9ab9b9dd2d0e9

    • SHA256

      13af6af4a44368987fd47e93b12603cf9e8e569975f628de513176add985b5b6

    • SHA512

      53a2c333b60dd89c3ce8574ad1ff7fad4e3eb6bbbdb7ee7d08fb6f5a6ab5beb2eb6a1e90121f662b6609582bd1f1d6fdd096d0b373d057831d50929b6976160e

    • SSDEEP

      12288:jDbpr2trUqUeBhfUHzXC+cHJ8XeSb++DnaTgv/:jDdsrsG5UHulCXR+YaTg

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Megumin.exe

    • Size

      585KB

    • MD5

      42290305664ed813bfa8ca2e19e95c0c

    • SHA1

      d995102a7f80134526c915dd59351628c91fc2f4

    • SHA256

      659d0b6efbf8aa8eb49a2e1c6ec9cc5e33f2617a607f2bcf7a70465febbd5744

    • SHA512

      8ddf065acab28522f6cde0698b769f4078e167c9bdc1e88f6c0974b21668c07d44e4c83bf7a1863b1837b782213e04e59d07ba2cde6bb34f7f159d1242bec5e5

    • SSDEEP

      12288:1Dbpr2trUqUeBhfUHzXC+cHJ8XeSb++MnaT2v0:1DdsrsG5UHulCXR+xaT2

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/NazrinMBR.exe

    • Size

      585KB

    • MD5

      edd65f78ef00c65c4c1aaf6b0008bb6e

    • SHA1

      15c89a818f1f77e37c5834ef0c1206ae503b88fe

    • SHA256

      39f10bd32de22b4495d01191017485261a937ed1b60373720ae831feed973031

    • SHA512

      0cf6ad704170fcd7c3b62ad2a7015e9f5ce520fe26533a83729b4bc9554d2b2bc7038afb84fe1207379d9af983f9bee263fa1b78fcea46ddac77785fa7d173dd

    • SSDEEP

      12288:1Dbpr2trUqUeBhfUHzXC+cHJ8XeSb++6naT5v0:1DdsrsG5UHulCXR+PaT5

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/PCCooker2.0_x64.exe

    • Size

      24.5MB

    • MD5

      a5ca2d3b20cf191139a47d7261916d9e

    • SHA1

      5d56e08cc55731f96db03911dba96dcdf22bcac8

    • SHA256

      ab6b0c8a2fd898517ff036b9fc94ce581febdab5a69433f491fb70bc55ee1833

    • SHA512

      e008b76d8040ef039424e6f7eec37b866fc7ab71d1cb11d839b4d4449758b3b8174249c353d1726ed736cb9c854cafda7648aee7a12c93d8a8e0cd0013a0c3ad

    • SSDEEP

      49152:qnUSstktA/zuJuuS6FDlUhBKds9he3qUtM9l58uRgG+vTD7o9qa910rUo29xqcUt:ql

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Njrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Xloader payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX.

    • Target

      My-Skidded-malwares-main/PCCooker_x64.exe

    • Size

      22.4MB

    • MD5

      317c5fe16b5314d1921930e300d9ea39

    • SHA1

      65eb02c735bbbf1faf212662539fbf88a00a271f

    • SHA256

      d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

    • SHA512

      31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031

    • SSDEEP

      49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Detect Xworm Payload

    • Detects ZharkBot payload

      ZharkBot is a botnet written in C++.

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Mars Stealer

      An infostealer written in C++ based on other infostealers.

    • Marsstealer family

    • Njrat family

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (Phorpiex) is a malware family that infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targeted attacks against multiple companies.

    • Ragnarlocker family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SquirrelWaffle

      SquirrelWaffle is a simple downloader written in C++.

    • Squirrelwaffle family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • XMRig Miner payload

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • ZharkBot

      ZharkBot is a botnet written in C++.

    • Zharkbot family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Orcus RAT executable

    • Renames multiple (8373) files with added filename extension

      This suggests ransomware activity: the files across the system are being encrypted.

    • Squirrelwaffle payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      My-Skidded-malwares-main/PanKoza2.0 Discord Token Stealer 2024.exe

    • Size

      9.5MB

    • MD5

      6c21e9957b540c1fc5c6c30f991423dd

    • SHA1

      3937d74580a14bb8debd9c763fb1816cb26b881d

    • SHA256

      fd6b4896e31a516c1aceae5d2e82822dc0efdecbcebf882b2875e57ce9e26cb0

    • SHA512

      f4b7825e1cd7267b2bc9e8801c19ae72b76a0269dd0fb144303494882eb68bc4f0e2d8b6766f80252b6acd12090a6b6f0c4bc5e2c089d35a24e0a64de2bda5ba

    • SSDEEP

      196608:weurQ4kCMsjWDqYbcMtnpVGNrzUrTg6aXW/aHIFU7s39:C84keyDFcMtpcqI62WO

    • Jigsaw Ransomware

      Ransomware family first created in 2016, named after the wallpaper set after infection in its early versions.

    • Jigsaw family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (1246) files with added filename extension

      This suggests ransomware activity: the files across the system are being encrypted.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Office macro that triggers on suspicious action

      Office document macro that triggers only in special circumstances, which is often malicious.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX.

    • Target

      My-Skidded-malwares-main/README.md

    • Size

      191B

    • MD5

      b9a9569d4bdbc50f963fa1de44704d7b

    • SHA1

      032a7f5117a6b591335ac0144eda49788010c9f4

    • SHA256

      ecf9067dae4e3ed86844c229763877afffad7eb6db0f1dba922d39dfe8d63f22

    • SHA512

      22ccbf8b7c566b19fb2fca383c7cdfe8b2786731b6840001111d9fb898903f780b5f0875c7a86aad78d725f498230bd499dc9ab16b4a0209afb9d88fa29a4d35

    Score
    3/10
    • Target

      My-Skidded-malwares-main/RaM KilLEr 1.0.bat

    • Size

      3KB

    • MD5

      ce45f129d128fb1ce6e659451fc8ae48

    • SHA1

      44cccb5515797e51e51498a73d02e66f086f0040

    • SHA256

      7660ba2fc3dddcdc079e20771f4f0b1fde0c1b508f32edda841993ace2f08c40

    • SHA512

      23af808c2a413b7932668ec5d2163611e310e6d837839b0c8f96a1467c4122c702be99dfb45dbae780a026cac9a38b989b95b80f391ee9eb5d8f54044490b886

    Score
    3/10
    • Target

      My-Skidded-malwares-main/Rias.exe

    • Size

      846KB

    • MD5

      f8f811ccb9afad9bca6d6e7d0628f9ad

    • SHA1

      eafa751da7d1081de2e4e42ffba74ceefb2480a1

    • SHA256

      b9b2f46a9253743f3f6a8f13fe76ae0ae14390bae49318e72de49e78eca532e2

    • SHA512

      424eff8121080df371e6d7fefa36fef0f2d7079c733fe1eeffcc3a42758cb355f200f62761d00af75d1b4e1bb32278ad0689b4183b68f338f4752ba50f4bdb10

    • SSDEEP

      12288:VDbpr2trUqUeBhfUHzXC+cHJ8XeSb++6naTxvUdDOT206NQsBq/rS:VDdsrsG5UHulCXR+PaTxOA2fNQLr

    Score
    3/10
    • Target

      My-Skidded-malwares-main/Run All.bat

    • Size

      45B

    • MD5

      1d4de1822af1bb3991e6eb67a12a69b5

    • SHA1

      41c9d68bf5ad00072b9e6b0c02e8a71fce2dbd52

    • SHA256

      ca791170602f2254493246550438de14c3e7b61b72b8bd4079f70178a1aaa102

    • SHA512

      c59dd96701d41b281e24e602aab78bc8db77070365dea78ca2e72bc8a772121dbd110f67410490d8d1bee1b25edbf05d3517c357868f471aa7b8c652cf0ade50

    • Modifies firewall policy service

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX.

    • Target

      My-Skidded-malwares-main/TouhouHacks.exe

    • Size

      586KB

    • MD5

      f1c4f9d91cf5e97efa0a802c780b265c

    • SHA1

      d8ca79f27a04281cc1f02f270d635d075c042814

    • SHA256

      4cf191dd97fbfef18e6386daef35b4b46861cf7f601a2f24aefe7821cca8d66d

    • SHA512

      88718c7a22039fab56161a1841a6e8901f4e2193f21b6cc6e407d2c5b2ed1f025ae02bb4fe8c0bc8ea1d38813ef2ff4e3c1b6075ec08e9b4ebba0822ca827001

    • SSDEEP

      12288:tDbpr2trUqUeBhfUHzXC+cHJ8XeSb++lnaTJ69vb:tDdsrsG5UHulCXR+KaTJy

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Trojan.Aqua.exe

    • Size

      586KB

    • MD5

      a68f7fe8b23ba3bf3c7b1a2d124844e2

    • SHA1

      ce62cb9f97861428f89196dd3cd72c894e72c32d

    • SHA256

      f6cffcf62150d8b4ebbec9c70f348df6c47bba8336fd4f2b81cfad196acc24cb

    • SHA512

      ca52a390b50f2430cd63f34f668410528c62fb50dc34e1c22b85e0b82726653a0ee76ffb50d60c6bec9300ad8b5d6df14140bca70a61646821adb1aa133eb2ff

    • SSDEEP

      12288:CDbpr2trUqUeBhfUHzXC+cHJ8XeSb++6naTGEvb:CDdsrsG5UHulCXR+PaTGE

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat

    • Size

      34KB

    • MD5

      ac04b6f6fa293c4b55c4c8b49372a9ec

    • SHA1

      9dfca519218c3c10203163454f1237916b0655cc

    • SHA256

      273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92

    • SHA512

      b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086

    • SSDEEP

      192:9TIqVppLuLpDq7QYfLGMV+jasHHLgLxLR44444444444444444M666666666666Q:9rVppLuLpDq7QYfLGMV+jasHHLgLxi

    • Drops file in Drivers directory

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
5/10

behavioral1

Score
1/10

behavioral2

bootkit, defense_evasion, discovery, persistence, upx
Score
8/10

behavioral3

Score
1/10

behavioral4

asyncratgh0stratnjratpurplefoxremcosstormkitty2 moneyaugust crypter toolz grace stubfffgolazoneufcollectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratrootkitspywarestealertrojanupx
Score
10/10

behavioral5

sality, backdoor, defense_evasion, discovery, trojan, upx
Score
10/10

behavioral6

bootkit, discovery, persistence
Score
6/10

behavioral7

Score
1/10

behavioral8

bootkit, discovery, persistence
Score
6/10

behavioral9

Score
1/10

behavioral10

credential_access, discovery, ransomware, spyware, stealer, upx
Score
7/10

behavioral11

Score
3/10

behavioral12

Score
1/10

behavioral13

asyncrat, berbew, cybergate, metasploit, redline, sality, snakekeylogger, xworm, ahmed, default, backdoor, cryptone, defense_evasion, discovery, execution, infostealer, keylogger, packer, persistence, privilege_escalation, rat, stealer, trojan, upx
Score
10/10

behavioral14

cybergate, dcrat, njrat, cyberhacked, defense_evasion, discovery, execution, infostealer, persistence, rat, stealer, trojan, upx
Score
10/10

behavioral15

bootkit, discovery, persistence
Score
6/10

behavioral16

Score
1/10

behavioral17

bootkit, discovery, persistence
Score
6/10

behavioral18

bootkit, discovery, persistence
Score
6/10

behavioral19

bootkit, discovery, persistence
Score
6/10

behavioral20

bootkit, discovery, persistence
Score
6/10

behavioral21

bootkit, discovery, persistence
Score
6/10

behavioral22

bootkit, discovery, persistence
Score
6/10

behavioral23

asyncratdcratnjratremcosstormkittyxloaderaugust crypter toolz grace stubdefaultpukedчучундраeidodefense_evasiondiscoveryexecutioninfostealerloaderransomwareratspywarestealertrojanupxvmprotect
Score
10/10

behavioral24

dcratexelastealerlummamarsstealernjratorcusphorphiexquasarragnarlockerredlinesquirrelwafflexmrigxwormzharkbotdefaultfivemjavaoffice04roblox executorschoolwenzcordratbootkitbotnetcollectioncredential_accessdefense_evasiondiscoverydownloaderexecutionimpactinfostealerloaderminerpersistenceprivilege_escalationransomwareratspywarestealerthemidatrojanworm
Score
10/10

behavioral25

jigsaw, credential_access, defense_evasion, discovery, execution, macro, macro_on_action, persistence, privilege_escalation, ransomware, spyware, stealer, upx
Score
10/10

behavioral26

Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

remcos, sality, august crypter toolz grace stub, backdoor, bootkit, defense_evasion, discovery, execution, persistence, rat, trojan, upx
Score
10/10

behavioral30

bootkit, discovery, persistence
Score
6/10

behavioral31

bootkit, discovery, persistence
Score
6/10

behavioral32

persistence, spyware, stealer
Score
8/10