Malware Analysis Report

2025-04-14 05:12

Sample ID 250311-tkc9gaxm16
Target beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
SHA256 beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
Tags
loader guloader rat ransomware rezer0 miner blacknet blister guloader loaderbot mimikatz netfilter netwire pseudomanuscrypt quasar royal xtremerat zeppelin kandykorn hellokitty masslogger merlin mountlocker nefilim sodinokibi xmrig dridex
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Threat Level: Known bad

The file beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9 was found to be: Known bad.

Malicious Activity Summary

Sodinokibi family

Guloader family

NetWire RAT payload

Royal Ransomware

Detects PseudoManuscrypt payload

Masslogger family

Netwire family

mimikatz is an open source tool to dump credentials on Windows

LoaderBot executable

Kandykorn family

Detects Zeppelin payload

Dridex family

Xmrig family

Merlin family

Mimikatz family

Mountlocker family

Quasar family

BlackNET payload

Detected Mount Locker ransomware

Loaderbot family

Nefilim family

Royal family

NetFilter payload

Merlin payload

Blister family

Detect KandyKorn payload

MassLogger log file

Sodinokibi/Revil sample

XMRig Miner payload

Detect XtremeRAT payload

Blacknet family

Xtremerat family

Hellokitty family

Quasar payload

Detect Blister loader x32

Guloader payload

Netfilter family

Zeppelin family

HelloKitty ELF

Nefilim ransomware executable

NetFilter Dropper

Pseudomanuscrypt family

ReZer0 packer

Patched UPX-packed file

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-03-11 16:06

Signatures

BlackNET payload

Description Indicator Process Target
N/A N/A N/A N/A

Blacknet family

blacknet

Blister family

blister

Detect Blister loader x32

loader
Description Indicator Process Target
N/A N/A N/A N/A

Detect KandyKorn payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Mount Locker ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects PseudoManuscrypt payload

loader
Description Indicator Process Target
N/A N/A N/A N/A

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

Dridex family

dridex

Guloader family

guloader

Guloader payload

guloader
Description Indicator Process Target
N/A N/A N/A N/A

HelloKitty ELF

Description Indicator Process Target
N/A N/A N/A N/A

Hellokitty family

hellokitty

Kandykorn family

kandykorn

LoaderBot executable

Description Indicator Process Target
N/A N/A N/A N/A

Loaderbot family

loaderbot

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

Merlin family

merlin

Merlin payload

Description Indicator Process Target
N/A N/A N/A N/A

Mimikatz family

mimikatz

Mountlocker family

mountlocker

Nefilim family

nefilim

Nefilim ransomware executable

Description Indicator Process Target
N/A N/A N/A N/A

NetFilter Dropper

Description Indicator Process Target
N/A N/A N/A N/A

NetFilter payload

Description Indicator Process Target
N/A N/A N/A N/A

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netfilter family

netfilter

Netwire family

netwire

Pseudomanuscrypt family

pseudomanuscrypt

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Royal Ransomware

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Royal family

royal

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Xtremerat family

xtremerat

Zeppelin family

zeppelin

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Patched UPX-packed file

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-11 16:06

Reported

2025-03-11 16:16

Platform

win7-20240903-en

Max time kernel

361s

Max time network

362s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\EnableApprove.fon

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-11 16:06

Reported

2025-03-11 16:16

Platform

win10v2004-20250217-en

Max time kernel

575s

Max time network

585s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

Signatures

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2832 wrote to memory of 4892
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: C:\Windows\system32\print.exe

Description: PID 2832 wrote to memory of 4892
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: C:\Windows\system32\print.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\print.exe

"C:\Windows\system32\print.exe" h9

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp

Files

memory/2832-2-0x00007FFD3C233000-0x00007FFD3C235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfgco1hj.p11.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2832-12-0x000001EC0D5A0000-0x000001EC0D5C2000-memory.dmp

memory/2832-13-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-14-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-15-0x000001EC25750000-0x000001EC25794000-memory.dmp

memory/2832-16-0x000001EC26440000-0x000001EC264B6000-memory.dmp

memory/2832-18-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-19-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-20-0x00007FFD3C233000-0x00007FFD3C235000-memory.dmp

memory/2832-21-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-23-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-26-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-27-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp

memory/2832-31-0x00007FFD3C230000-0x00007FFD3CCF1000-memory.dmp