Malware Analysis Report

2025-04-14 05:12

Sample ID 250311-tj3sqsxm13
Target beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
SHA256 beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
Tags
loader guloader rat ransomware rezer0 miner blacknet blister guloader loaderbot mimikatz netfilter netwire pseudomanuscrypt quasar royal xtremerat zeppelin kandykorn hellokitty masslogger merlin mountlocker nefilim sodinokibi xmrig dridex
score
10/10


Analysis Overview

score
10/10

SHA256

beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Threat Level: Known bad

The file beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9 was found to be: Known bad.

Malicious Activity Summary

Nefilim family

BlackNET payload

Blacknet family

Detect Blister loader x32

Detects Zeppelin payload

Guloader family

HelloKitty ELF

Kandykorn family

Mimikatz family

Detected Mount Locker ransomware

Dridex family

Mountlocker family

NetFilter payload

Netfilter family

Sodinokibi family

Sodinokibi/Revil sample

Xmrig family

Blister family

mimikatz is an open source tool to dump credentials on Windows

Detect KandyKorn payload

Xtremerat family

Hellokitty family

MassLogger log file

Nefilim ransomware executable

NetWire RAT payload

Pseudomanuscrypt family

Quasar payload

Guloader payload

Masslogger family

Quasar family

Royal Ransomware

Detects PseudoManuscrypt payload

Detect XtremeRAT payload

LoaderBot executable

Loaderbot family

Merlin family

Merlin payload

Royal family

XMRig Miner payload

Zeppelin family

NetFilter Dropper

Netwire family

ReZer0 packer

Patched UPX-packed file

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-03-11 16:06

Signatures

BlackNET payload

Description Indicator Process Target
N/A N/A N/A N/A

Blacknet family

blacknet

Blister family

blister

Detect Blister loader x32

loader
Description Indicator Process Target
N/A N/A N/A N/A

Detect KandyKorn payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Mount Locker ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects PseudoManuscrypt payload

loader
Description Indicator Process Target
N/A N/A N/A N/A

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

Dridex family

dridex

Guloader family

guloader

Guloader payload

guloader
Description Indicator Process Target
N/A N/A N/A N/A

HelloKitty ELF

Description Indicator Process Target
N/A N/A N/A N/A

Hellokitty family

hellokitty

Kandykorn family

kandykorn

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A

Loaderbot family

loaderbot

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

Merlin family

merlin

Merlin payload

Description Indicator Process Target
N/A N/A N/A N/A

Mimikatz family

mimikatz

Mountlocker family

mountlocker

Nefilim family

nefilim

Nefilim ransomware executable

Description Indicator Process Target
N/A N/A N/A N/A

NetFilter Dropper

Description Indicator Process Target
N/A N/A N/A N/A

NetFilter payload

Description Indicator Process Target
N/A N/A N/A N/A

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netfilter family

netfilter

Netwire family

netwire

Pseudomanuscrypt family

pseudomanuscrypt

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Royal Ransomware

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Royal family

royal

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Xtremerat family

xtremerat

Zeppelin family

zeppelin

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Patched UPX-packed file

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-11 16:06

Reported

2025-03-11 16:06

Platform

win7-20240729-en

Max time kernel

0s

Max time network

1s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-11 16:06

Reported

2025-03-11 16:21

Platform

win10v2004-20250217-en

Max time kernel

697s

Max time network

671s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          g.bing.com        udp
US       150.171.27.10:443   g.bing.com        tcp
US       150.171.27.10:443   g.bing.com        tcp
US       150.171.27.10:443   g.bing.com        tcp
US       150.171.27.10:443   g.bing.com        tcp
US       150.171.27.10:443   g.bing.com        tcp
US       8.8.8.8:53          tse1.mm.bing.net  udp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp

Files

N/A