Overview
Analysis tabs (score badge per tab)
Overview: 10
Static: 10
be6660f0cb...af.exe, windows7-x64: 10
be6660f0cb...af.exe, windows10-2004-x64: 10
becefadddd...9e.exe, windows7-x64: 1
becefadddd...9e.exe, windows10-2004-x64: 1
c50a2f764e...ff.exe, windows7-x64: 10
c50a2f764e...ff.exe, windows10-2004-x64: 10
c9883d323f...75.exe, windows7-x64: 10
c9883d323f...75.exe, windows10-2004-x64: 10
cc41f8538c...ef.exe, windows7-x64: 10
cc41f8538c...ef.exe, windows10-2004-x64: 10
cd59232c79...ca.exe, windows7-x64: 10
cd59232c79...ca.exe, windows10-2004-x64: 10
cd63e31ac9...bb.exe, windows7-x64: 10
cd63e31ac9...bb.exe, windows10-2004-x64: 10
ce35733ce2...ea.exe, windows7-x64: 8
ce35733ce2...ea.exe, windows10-2004-x64: 8
cf8aa638e3...3e.exe, windows7-x64: 10
cf8aa638e3...3e.exe, windows10-2004-x64: 10
d25e7c5f45...61.exe, windows7-x64: (none)
d25e7c5f45...61.exe, windows10-2004-x64: (none)
d48d59ae3f...e2.exe, windows7-x64: 7
d48d59ae3f...e2.exe, windows10-2004-x64: 10
d6ddf456f9...b4.exe, windows7-x64: 1
d6ddf456f9...b4.exe, windows10-2004-x64: 1
dbaa0d613d...5a.exe, windows7-x64: 10
dbaa0d613d...5a.exe, windows10-2004-x64: 10
dbb4048ea0...bc.exe, windows7-x64: 8
dbb4048ea0...bc.exe, windows10-2004-x64: 8
dc1188e495...84.exe, windows7-x64: 9
dc1188e495...84.exe, windows10-2004-x64: 9
dcb399030d...df.exe, windows7-x64: 7
dcb399030d...df.exe, windows10-2004-x64: 10

General
Target: czxczc.zip
Size: 46.1MB
Sample: 250311-jzs85axj12
MD5: 3f9c71c4bb3893b54348f89b52d1a5ff
SHA1: aedd643857ad781decc22e18f24100c1868edb6e
SHA256: 242c30685ccdc13d7018d55be7885a45226f41e59823d13aff20c791dc3764a5
SHA512: 96a9e56812d6509c1009f3d360b9a8f785e8f8e689b9250793831eb6a80ddc7dcce50e914a2504a0253021aa06d227b800320e03ba6b86c81c6394d23ef7aad0
SSDEEP: 786432:AOHDyeg9U0Kh+m2Q2ACu6BM30UGnOwqHsYV5Z+huLs6ujbVfO4Q30Uo30UpCACW:AOH+Q+m2QJRJ3wqHtV5khuI6ujpf5eJM
Behavioral tasks (task: sample, resource)
behavioral1: be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf.exe, win7-20240903-en
behavioral2: be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf.exe, win10v2004-20250217-en
behavioral3: becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e.exe, win7-20241023-en
behavioral4: becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e.exe, win10v2004-20250217-en
behavioral5: c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff.exe, win7-20240903-en
behavioral6: c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff.exe, win10v2004-20250217-en
behavioral7: c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75.exe, win7-20240903-en
behavioral8: c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75.exe, win10v2004-20250217-en
behavioral9: cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef.exe, win7-20240729-en
behavioral10: cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef.exe, win10v2004-20250217-en
behavioral11: cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca.exe, win7-20250207-en
behavioral12: cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca.exe, win10v2004-20250217-en
behavioral13: cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb.exe, win7-20240903-en
behavioral14: cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb.exe, win10v2004-20250217-en
behavioral15: ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea.exe, win7-20240903-en
behavioral16: ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea.exe, win10v2004-20250217-en
behavioral17: cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e.exe, win7-20240903-en
behavioral18: cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e.exe, win10v2004-20250217-en
behavioral19: d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161.exe, win7-20240903-en
behavioral20: d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161.exe, win10v2004-20250217-en
behavioral21: d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2.exe, win7-20240729-en
behavioral22: d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2.exe, win10v2004-20250217-en
behavioral23: d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4.exe, win7-20250207-en
behavioral24: d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4.exe, win10v2004-20250217-en
behavioral25: dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a.exe, win7-20250207-en
behavioral26: dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a.exe, win10v2004-20250217-en
behavioral27: dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc.exe, win7-20240903-en
behavioral28: dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc.exe, win10v2004-20250217-en
behavioral29: dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184.exe, win7-20240903-en
behavioral30: dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184.exe, win10v2004-20250217-en
behavioral31: dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df.exe, win7-20240729-en
behavioral32: dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df.exe, win10v2004-20250217-en
Malware Config

Extracted: xenorat
172.22.88.67
Xeno_rat_nd8912d
- delay: 5000
- install_path: temp
- port: 4444
- startup_name: nothingset

Extracted: xworm
5.0
92.255.57.221:4414
92.255.85.66:7000

Extracted: nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server:
- buffer_size: 65535
- build_time: 2020-04-24T17:41:53.492468936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 45400
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ae82ab7f-db07-49ee-9d2b-76075d76f37f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sysupdate24.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets

Target: be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf
Size: 213KB
MD5: 0684b702191e6427ad069f0b2eea4cc8
SHA1: 80f16aedde1eb72d2a839f7f1ab6d8b5c9ffe0f3
SHA256: be6660f0cb82b31a71ed8e383244e85ff881749b97ebad0806017351d8229daf
SHA512: b4726cfa9c0209ccc6bb4a6b8c5092be1691957290db808581b514e20b07c14fcddf9f14ca75f25f57014a6b28334dacb727527d1edb790f167cd35d4e661fbb
SSDEEP: 6144:zgu0c4uUfX8fyVV+ZRH8rq9JrKbRG1EK1:zr0tPP48rq9Jr1
Signatures:
- StormKitty payload
- Stormkitty family
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e
Size: 13.1MB
MD5: 7b1602f93628785191a0f68d93e21a9d
SHA1: 99426b0dd8ea741b538ad49e7d35c4439fc7bed1
SHA256: becefadddd4747997c651d85e420a744d675e13b9604c4338dd88c63f3390f9e
SHA512: 61443153e8b4305f1ff9070a50952c88d3866304993b6c5e1207239706958a5db188cee1fd53079636e5cd519d6c457bc36bec74a0a51a4e0108bd41bc8426bd
SSDEEP: 196608:Rb9+/BAe1d4ihvy85JZIRc3bSL1kehn4ilje:MyIZIfRka4i
Score: 1/10

Target: c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff
Size: 1.4MB
MD5: 83a6b265f1005bddd521aaa46816e4eb
SHA1: 501e6fcdb6fcdf13a07611c8ba5b2a6ca984bd73
SHA256: c50a2f764ee11a1417cbef69a9212ab188c207cf5b4fa0092345e20fd2159aff
SHA512: 0fcff368c6c6e3cc9275c4ddbd27324b9f627a0119c2760ffb6edc996143778769db5d713504ee411ca4351f683e3120a38011b5dea6d3af6081bb272a295699
SSDEEP: 24576:GS5fJN69Uqb5pVamw1Z8gDYgKkllGsTOehnRofCO3T3G4RRRtfBz+:GS5G9UqXm3DpKklQC2jRRtfB
Score: 10/10
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

Target: c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75
Size: 45KB
MD5: 0e329e5c31937eb3484eeca9fc505f8e
SHA1: 786352c168b3d82c99f819b6b2b5a433abe26bfb
SHA256: c9883d323f76b9e9bb3b8462786e51e5f1234b782e14aff683dc18d1d2936b75
SHA512: de9baab5cc565138ef117960c311f0e9a39cfe399d8347b106e393505a8667d344178f76b67783b390f00a96e25347c28e6d1b597f118cc4e075f4858c5f0a2a
SSDEEP: 768:SdhO/poiiUcjlJIn/lH9Xqk5nWEZ5SbTDaMWI7CPW5h:0w+jjgn9H9XqcnW85SbTFWI5
Signatures:
- Detect XenoRat Payload
- Xenorat family
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
Target: cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef
Size: 1.1MB
MD5: 990043982028299622b21e759bc3833f
SHA1: 5a7d8544ec7eb6446cce47069e376407f2d9f66e
SHA256: cc41f8538c683d5bc60bcb27f1860b973b9401746aa2eece645deef2b18fb5ef
SHA512: fafa0f7f9dcee9012340de46853d6cf11ab610dd26bb42d66da6b83907e278957694f88b2a94c861a549dc8c179c3bff9e75f81a868e19369c316ea7c0a11e79
SSDEEP: 12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ
Signatures:
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory

Target: cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca
Size: 822KB
MD5: cf3c825d462bfc6fec2ae4abff2d13ab
SHA1: b12ba6ccbe04e300796ec4dbec485f0649c9e427
SHA256: cd59232c798f9a5132449a0c05bc1097aaa828442cc719301d5c007d21a884ca
SHA512: ba2f591d2d76200a6750226262b27c59ed259c9afeafbb70b79e3f7570e31e542979f0332c57ced93be19049b2eb0f226da3e7dd5deafe739260e630d92fbc00
SSDEEP: 12288:/cZyCM9wN+BEcaVXE35MjpI4s7rql+9s0od6VZsd5t2OtOjkH:zCIza9ja4v0hkddt
Signatures:
- SectopRAT payload
- Sectoprat family
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb
Size: 231KB
MD5: dabd584c47b475f8db6fb0b34ad9e554
SHA1: 58e743b003f171e7e9c492d5e7eb172053a5e00d
SHA256: cd63e31ac9811e1b66db287a4f3c3609ee7f9932d639a1013c8b416f76b5b5bb
SHA512: a64bf4a7e300eeb3e8fcde28eddeafe8f93e2be409c27411ca91e630b7fec2e5abae8ce86f0c4e102da87155c99fd8d842a610e4e54eb4a04d115d801b5bc8a4
SSDEEP: 3072:cH027jVPyeWMEv2EG1GZklWiKlOVo4MIG4P/bA52luJGcU53TXbYwEKgNZ/N:cH0WjseWoEG1GZklWiKAVhtbtn3EKgL
Signatures:
- StormKitty payload
- Stormkitty family
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea
Size: 108KB
MD5: e214ea00c8b524f44273c00d5073b1d3
SHA1: 3ce312fa54828a6ea3ad9f85a9cc0919fe3f42bc
SHA256: ce35733ce2ad981f0f879743d2cdb1bc507f662ffac519beb567601428de8dea
SHA512: 905c7af3fe31c0edc7760b33c1a8718d2a00dffcf74b6ebaed462b02e5953c0d8a4c0c62e292b26b94b405c31b3e4d3d1b9e389e35de65489e3bc2764b909292
SSDEEP: 3072:KhBAg9dERJjJRME5J6zxW73v3EmddXNH:KhK2dEPLP/6Fy
Signatures:
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
Target: cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e
Size: 287KB
MD5: c40f6518162bc072da48b7458bc5d262
SHA1: 5a42b3cfae6eab5084b3cf849633bbcc6332b4aa
SHA256: cf8aa638e3982b6f37c4a3070381663b65c0ebca89c394c06728d35ae7239a3e
SHA512: e0fae719b3bba34d103297b452ac2b5c83b5f55edb1b2b49f319904ee9e01657c06ec50200db6af776922f7cb6c771ae6900cc436f2eb2bb40e56024d0481daa
SSDEEP: 6144:rTZL7v9ZypbeI78GlOTJm2d+ROzDgFsQIH31y+R8k:rTZKjOQO3s+z
Signatures:
- Detect Xworm Payload
- Xworm family
- Suspicious use of SetThreadContext

Target: d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161
Size: 745KB
MD5: 02b35215328d4eebc9d0d21cc86a21ad
SHA1: 7bcd59758934972c9d9195e53329a022496f5f74
SHA256: d25e7c5f45c85782f84f36e2f8ecbf749e9cde440b74c35f5ce0f83036798161
SHA512: 2dca5bfa207f74095e994a2a038e76c2ec8075b91d941f2ee34e11bab69526539d6668c428081068629f3e8b27daea3410d3b9a2dc1705990be4aca44a0934fc
SSDEEP: 12288:dUWlJFr/GMpjae92LoUbV4FzSmP+PZ54Gg2glW6O26jGrG6ALW+UNVox9uG:RlrljSVEzvP+5DbglWNjGrG6ALWy
Score: 1/10

Target: d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2
Size: 256KB
MD5: 7990da9941139fb5153d1ed7f5797bd7
SHA1: c4335993bd072db28c56c4f48ce044816f78c740
SHA256: d48d59ae3f5d4b4ee5335361f76cfd61552d3487cfed933c082cb5fe8aef21e2
SHA512: a0387b8bf00ead7f535fa9d459a19d92c93d142b9d4202561acd7084ba6dbc518a6a0ec1beecd7c2120d1be109e68b6309a96a7132de85cb1fc6b4dc8bb2f46a
SSDEEP: 6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQqQ:EeGUA5YZazpXUmZhJQ
Signatures:
- Nanocore family
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext

Target: d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4
Size: 1.1MB
MD5: 5913a8e99883ae74355b7f9884a0e65f
SHA1: 6f7b23c2bcf1faf83874664c6fbac6ac696c107f
SHA256: d6ddf456f939a8842e226ad1c5e712a72bc859a5ef65330c6e3f23a36cd44ab4
SHA512: 4521f4eb99588f5f7bbb667561a7dc225f557d4385c90114594683eb6b2462dd8a8d8789ab70264811b6e8285586c5ab5c797f88c1c72319e77c12fbbeb87e6d
SSDEEP: 24576:ufiwc3MdrDyK2MwMAuVh8nVWqk5BkAmfKvCjK6kVAmgjhT4j/afD63FiD9:uI3MdrGNMsnVQM14CrkVAmgjhkj/OGFO
Score: 1/10
Target: dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a
Size: 287KB
MD5: 40476125649aba1930032314a87e3337
SHA1: 92797f375048d9f578a486c90116863dd1de631c
SHA256: dbaa0d613dfaed740281038e4710e81d7797bf76c166390d7d8d1bd9f8ecd25a
SHA512: 5efe796bf9b5019352c1b6a16b78f1ad0b4e56fe81550d4984467a1a93f36a37f26033a78b05aa01275846f1457c5f46b421287980883df0e93cf56f42024458
SSDEEP: 6144:RrSO3vos85FjmSGny7h8GRv8SVUAhNaN7:RrSO3vosAFjmSGyaGRUSVUAhNaN7
Signatures:
- Detect Xworm Payload
- Xworm family
- Suspicious use of SetThreadContext

Target: dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc
Size: 268KB
MD5: 43f36a944bbcc58c7092643582ea120f
SHA1: 91565d256a8206d82138c061f1f46291e45ebce0
SHA256: dbb4048ea093beb4c4c0900c1d67dd8a60e983d5670894498f32fbe711505dbc
SHA512: 54db9a608e1cd1d5455e5f3d0fefde4fda91bdf9eaa55e6e53f697261a7d07bedb9688749de23b789fa7982e6dd921f6421e1ecc0a23437e296cd5351feb0b56
SSDEEP: 3072:txji6fQ433xVJPLDc99m/YYYYYYYYYYYYYYYY3YYYYYYYYYYYYYYYYYYYYYYYYYb:1fp3hL4IoHKa
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2

Target: dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184
Size: 441KB
MD5: c2948bf16ec4696193bfa707ac2516a3
SHA1: ade8504272e0a1895bde6e7bd90aa8866a4a3996
SHA256: dc1188e49519c24dba922916547bef0d1b90a49631b70feeef635f0fc5c9c184
SHA512: d7ff8df88454349ed8aea4289c75bca74abdc4cadf6b9d6f9f2660cd370949644d37dbf879998e0eaa16903b15a7fc7387bbf7aeaf406ae9653fd6ec7f957fc8
SSDEEP: 1536:rRAgLFrz8qkxZoMwYty9wUHlDGxutVe9rpGIlBCq2nFlc15f:yqn01G9wGe1p7lBCq2w
Score: 9/10
Signatures:
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.

Target: dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df
Size: 256KB
MD5: d5dd8a2fd7c1bf09b44a1f2a1c8cdca1
SHA1: aa0ec28b8c0b0d3fc5ddfaa3d6a5319237f10640
SHA256: dcb399030d04693cb4d089c12b8ddac17c4c793e3c4328c49d00a3640f5f93df
SHA512: a83d6107ff4eb3e7a4acb46f1880a4bb0f567af705a7c31bcd7e08099f1c855db60f7e5f188a76d979759329231458ccc2d66ca993c198557020a2ef45c81fd5
SSDEEP: 6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQqe:EeGUA5YZazpXUmZhJe
Signatures:
- Nanocore family
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count per technique in parentheses; sub-techniques indented under their parent)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Authentication Process (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)

Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (9)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (2)
  - Internet Connection Discovery (1)
  - Wi-Fi Discovery (1)
- Virtualization/Sandbox Evasion (2)