Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    void/0394b475234ecc6f752ecdd9f7e5ea28cebe404e5db6a8cf2f9019915c4ddf43.exe

  • Size

    487KB

  • MD5

    9bc65d45d737d9279fe8759e8beaef25

  • SHA1

    80da42ab8b168ff10639f7334321f5cb53be0ee5

  • SHA256

    0394b475234ecc6f752ecdd9f7e5ea28cebe404e5db6a8cf2f9019915c4ddf43

  • SHA512

    e3011ec1a8945553b3af0ab89706d701b8db2087916733102179f9429dd25c927eb2b0708524800bca7a6769bde62193d970cfecf7c75ad8c16814e1abd88365

  • SSDEEP

    6144:/IlSCa0RPvRz+n8Qr1D0ZGESuHabmvHOE4mCp6qtydBnP+Y4+3sAORZGFX3Xc6oJ:/200OFp+G0imvHn3Cp6qyBP+YdsvZG2

  Score

  3^/10

  discovery
  behavioral1behavioral2

• • Target

    void/0aa210086ab837dea1a26dd45a661f7f78ea90d243c6fad74cd4772325bff20f.elf

  • Size

    13KB

  • MD5

    c81103eb8ad8d710266e189d02c663c0

  • SHA1

    5123360825f7440eee0ff290bf99b3eab461f7b1

  • SHA256

    0aa210086ab837dea1a26dd45a661f7f78ea90d243c6fad74cd4772325bff20f

  • SHA512

    9933145884049412d58a9308b1d18dd87a4f3104bf54deef53923a1c8cfb7c83f4504f1a6be8637f80eaf16a18ec657f1429116c981a4ac5128dea6b9bbb33ad

  • SSDEEP

    192:GHBGjC9em2ed0+k+aa+HzEb+0vSKGYd1RwBx/DdbEiqk5l++xo6daKSs5lFDJKkm:Jj/ei+k+F+HIbjSKGER2NQGD356Ak

  Score

  1^/10
  behavioral3

• • Target

    void/250bb552893533d2e47ca18faa6f3026495d47bae799046c07749726f2f9c213.exe

  • Size

    943KB

  • MD5

    a280703187a30af87adfd63e267a4344

  • SHA1

    60304f3a51f32a02688b13ff424d5a4599886fc6

  • SHA256

    250bb552893533d2e47ca18faa6f3026495d47bae799046c07749726f2f9c213

  • SHA512

    e656f188bbc31c9454197cc9135ca72cf531c1d8523924d316b3e44d5393a4dd2931d83e09597b517c18c646c23f06e13d76efe0925e8fea05a7c549f7ae63a4

  • SSDEEP

    24576:3u6J33O0c+JY5UZ+XC0kGso6Fa43W/R6XErWY:Ru0c++OCvkGs9Fa4qqDY

  Score

  6^/10

  collectiondiscovery

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral4behavioral5

• • Target

    void/257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe

  • Size

    214KB

  • MD5

    561535d4ea4f26088f5bb93c0261be4b

  • SHA1

    5e5b7ff4650caaf0dd556e2e62154c60986a2681

  • SHA256

    257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4

  • SHA512

    772edd0ae2427b8b87c9244ce43d70a24df19b1f3173cda91735bee41e1470d6b31728989bcdbfaaea03cbbd34d4803e3135dad074a11255e1021efa18485ed9

  • SSDEEP

    3072:xPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOsv6fn3:xPiUbLW9lsZ0GC0dOUe/0Lw4tKhy6f3

  Score

  8^/10

  execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution
  behavioral6behavioral7

• • Target

    void/3720875269fee71bfa7b07171bc78dfedddd95d32ecf5bd7f2ade07035c25e92.elf

  • Size

    898KB

  • MD5

    743c87a17820edb35edbe6611d5473bd

  • SHA1

    c1554bbd9a724412b94b9694c073c85a68ab0d1c

  • SHA256

    3720875269fee71bfa7b07171bc78dfedddd95d32ecf5bd7f2ade07035c25e92

  • SHA512

    98e5585d9bcc962111fca65d945a2aafd1bb870cfd9057d089c773e0e6c45241842bb83ac3aa2678946c11813b6da59bdd549d36f1d5de3f934c7a73e12b800f

  • SSDEEP

    12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplp:qmShf4OTjMgXSJhBXEsVrmz9MOup1Khu

  Score

  1^/10
  behavioral8

• • Target

    void/43958be574c6a890961e38fa91710b15261d9b388d08c2b899219886f2ab710d.exe

  • Size

    873KB

  • MD5

    170a1ade709d3f6fa1b3d798f36f70b6

  • SHA1

    e89757633331677e55bae075c5c5bd29744df96d

  • SHA256

    43958be574c6a890961e38fa91710b15261d9b388d08c2b899219886f2ab710d

  • SHA512

    6210601458be2a388447c28e6c70d2994365639151be1155a4a9e9021cbb2aef203ae13bc31541fd41eb693eef5af355fcc6bfefd9127907ad0b7ce74372d97e

  • SSDEEP

    24576:u1W4/xnbm4SG6LVZD6na/PyFm2/vrPJ7YcvhgwqGbPI6/VFHd:6WCbELtP3WzDbHd

  Score

  10^/10

  vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral10behavioral9

• • Target

    void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1

  • Size

    951B

  • MD5

    991bfc052219f7e9b6e77e2268c08947

  • SHA1

    c6e8df55948ed92caa0401c28dfeb474c02136ef

  • SHA256

    469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b

  • SHA512

    bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

  Score

  10^/10

  vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral11behavioral12

• • Target

    void/5a099db04b83c828b23e283d7bead0eed7e6c2e415a2632d5546bf776a54ac8b.exe

  • Size

    101KB

  • MD5

    f1cc8b78d3563f4ac67ee37cf178d0c2

  • SHA1

    9000bb467edf6ba327d246732da5deb11c4c98c6

  • SHA256

    5a099db04b83c828b23e283d7bead0eed7e6c2e415a2632d5546bf776a54ac8b

  • SHA512

    cde27e3b6164a7809e69d53509394962b662d977d7c762fc1274c8adcb6ee6a38c200e126ae3399eaea163ce60dbabb7e1e28767349b8abd12e58d9f606d6420

  • SSDEEP

    1536:m6qLwNNe3sdXkgco0+UlponBzwP+48RPmxCRLXvXrAArfBm:GwasCo0P/MweOWXvXhf4

  Score

  1^/10
  behavioral13behavioral14

• • Target

    void/72cb96390164439710b0ab64f8b0e211d49875a0f4ea402da22a0269794891de.elf

  • Size

    425KB

  • MD5

    841f9057c3afebc6891904d6c336c8d6

  • SHA1

    3200284f8e23c5179adef69a6e199225ad782b69

  • SHA256

    72cb96390164439710b0ab64f8b0e211d49875a0f4ea402da22a0269794891de

  • SHA512

    ddd922538baaaff054c1b42e146a9ef813200cce10ec5ca4a21e386c49e54c1555c4c34e35ea0ed2ada138fb42f8a334eef72f11414c82a4bcfa165078d3cd12

  • SSDEEP

    6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgb:25WOSACZSV6eKRH5EPiamb4DsDwwcr

  Score

  10^/10

  prometei_elfbotnetdiscoveryminerpersistenceprivilege_escalationupx

  • Prometei

    Prometei is a multiplatform botnet used to mine cryptocurrency.

    botnetminerprometei_elf

  • Prometei_elf family

    prometei_elf

  • Deletes itself

  • Modifies hosts file

    Adds to hosts file used for mapping hosts to IP addresses.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies systemd

    Adds/ modifies systemd service files. Likely to achieve persistence.

    persistenceprivilege_escalation

  • Write file to user bin folder

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral15

• • Target

    void/7305516a3c2ef76a10be8dc65d0de1d446ad157abd51e84a2e0f3979fc6c4490.exe

  • Size

    482KB

  • MD5

    fe0922629876d13f93e9a8f81096efda

  • SHA1

    3d7952efb304631143789c28b576da342f410178

  • SHA256

    7305516a3c2ef76a10be8dc65d0de1d446ad157abd51e84a2e0f3979fc6c4490

  • SHA512

    54e1073dbf26d6250b98a97aa0646871b91ef37924f7b7300ae681253945b841079f9f4db5c796f309e077158f41926bc78328e74c1032c94f69841a21a041c1

  • SSDEEP

    12288:x13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQCGS:jak/mBXTV/R0nEF76gFZVG

  Score

  3^/10

  discovery
  behavioral16behavioral17

• • Target

    การชำระเงินครั้งสุดท้าย.exe

  • Size

    534.1MB

  • MD5

    1ae0ac77abe471e283caf507ed6905a4

  • SHA1

    915f92c9765b879b46657c3bd844a14716c0da91

  • SHA256

    45c1e714a86a000cf4792052b7487309922bfc92953e77c3b6aac19c424dac2b

  • SHA512

    3dc2c37bddb89101db509e239b98826b1365f7c0151a746d16aa859308a6a1235d9c97a7a50c63dbc4e62d60eb35235602ddf8cbbb6349ac6b919a61bbe6bf58

  • SSDEEP

    12288:qi9pXxw2qAJwI1s+pTFr9S1iUe6a10F8F5qg96GqKHaWWCQyaFZqT20jf:q+L51s+xFrQFt45qlGqmaWfQFFN0

  Score

  8^/10

  discoveryexecution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  behavioral18behavioral19

• • Target

    void/7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe

  • Size

    214KB

  • MD5

    d4791c1c75fb06fcd21665f57211f4b7

  • SHA1

    217ff98cbed165b61818e64bfbfb35c11834fe99

  • SHA256

    7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2

  • SHA512

    a4cc7c6290bb3fce35b92812b2eff9bc94de2397d9f59edf9fc4db94afe666ca7eb605bf65fd387e06d3b0e694a8198f1a29a373d4fa0861578d62ddbccc8e64

  • SSDEEP

    3072:CPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOMb6Kn3:CPiUbLW9lsZ0GC0dOUe/0Lw4tKho6K3

  Score

  8^/10

  credential_accessdefense_evasiondiscoveryexecutionspywarestealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral20behavioral21

• • Target

    void/7b380357933497fe52439da94472b6cc7564fe5c852def28d4843c1a15792bcc.dmg

  • Size

    731KB

  • MD5

    dd2832f4bf8f9c429f23ebb35195c791

  • SHA1

    66692b1b7b888606f66c7eb7c501969512b3db25

  • SHA256

    7b380357933497fe52439da94472b6cc7564fe5c852def28d4843c1a15792bcc

  • SHA512

    1ad7518a1992fe82c6edde463457eb3ea91f606c307666fd17fd279fa223876cc7a1cc272fb24d71a154f337f91a929e23d2706718248a4d990f08935c89190d

  • SSDEEP

    12288:wAhXJ8ZOP0q6kO3t+0fWuK7/upvm3ffFSR1JnGNg4ZVLvoHQANNogh2:wAhWOcq6kSwP71P94nkg8Va3Nog

  Score

  1^/10
  behavioral22

• • Target

    Brew/Brew

  • Size

    897KB

  • MD5

    ec7f737de77d8aa8eece7e355e4f49b9

  • SHA1

    bda795abc4f59a27e2bde15f9a65029e43df9036

  • SHA256

    d4e86dbffd226e2aa5efeedd3159e4c72422238860939b370605ec1f07034f96

  • SHA512

    7affc3b3bc1521f0aab1b6f1941ca9205940e3efdae25f04af40f50294a2a02ba892488c1c16cd421999cd47d3fe206e75f9e4122ed656700898ea0532389ee1

  • SSDEEP

    24576:x1w4S05ovKgvTSWNf/7VoQLXkNv1CTqc6VeGAg:x1w4JSSYVf/7VoQLXkNv1CTqc6VeGA

  Score

  4^/10

  execution
  behavioral23

• • Target

    void/7dec88c2ec34b8483abc44e98ec843877cc5ae88e094c90d46bbabfafdf3749a.html

  • Size

    10KB

  • MD5

    ff5e80953341f1cb01a5d31fffcad2c3

  • SHA1

    cf2b440681ce3c658ff734517a16cc13afa7ede5

  • SHA256

    7dec88c2ec34b8483abc44e98ec843877cc5ae88e094c90d46bbabfafdf3749a

  • SHA512

    bfe9629f07e9755b2df63d632f7eca214c29fc3d701c77ccf4b1eaa7f9ec518af01d141065af38bd242223344c518b57dbf8c9c43d669a191bfdeb22703a9509

  • SSDEEP

    192:PN2x2BvekROFASf+mhf7h6RyfVah9OLgmiMMpIFaHU2y92N:AxeJROFASthDERKgIAUn2N

  Score

  4^/10

  discovery
  behavioral24behavioral25

• • Target

    void/80e6e20e66c60f7392af8f501b07f8a10893f8c426acd6bdb42ea50738e6fae3.exe

  • Size

    482KB

  • MD5

    063e90515a6ebdb7a455ba042109205a

  • SHA1

    e370bb5c976a1c95fbce040ac1ba6a1fdac31495

  • SHA256

    80e6e20e66c60f7392af8f501b07f8a10893f8c426acd6bdb42ea50738e6fae3

  • SHA512

    20270413d8d77edfa8c5bfb593b407c05c5d9188b3c5b7c1d688e9db864ac976627ad16965b95971b7d5a01e50e1933e530ffcec721d540bd30b67874ce2cf67

  • SSDEEP

    12288:p13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQgS:7ak/mBXTV/R0nEF76gFZH

  Score

  3^/10

  discovery
  behavioral26behavioral27

• • Target

    void/82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe

  • Size

    214KB

  • MD5

    369fb99dbae23164166f27bf37e6fef2

  • SHA1

    2a039fcb0b93ba7a69c7428740b0a09cd3347f53

  • SHA256

    82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b

  • SHA512

    f7e201c34ca4d1ed8720ef082085190fb5be81f3848c27a4f172eea0ab19f5cd876bc2b8f5157548e65c1834a542c35611c6e8adea957ce204494e5f38118058

  • SSDEEP

    3072:QH4u04ZWd2RwqL908aj9OrNmm0eiZU++0dFAYIzwpbsN2t86dNvPW6nnH:QHb04ZWdzqp08aj9OOeBNzwpTVuUH

  Score

  8^/10

  credential_accessdefense_evasiondiscoveryexecutionspywarestealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral28behavioral29

• • Target

    void/8732ecc7dd6bb49a644d7ca3edadd316657b2508a013da09db0f5b3c5c036c71.exe

  • Size

    214KB

  • MD5

    8acb4f89e07d831d97f1b1dacf9b4ede

  • SHA1

    3dabaf70318f378057844ea9b817e65edd705c91

  • SHA256

    8732ecc7dd6bb49a644d7ca3edadd316657b2508a013da09db0f5b3c5c036c71

  • SHA512

    46a369a33d345fa892a38a2fa2cb5e7f03b0b061d16a32d3a960d6fc99cbc7096155e71747218499e573f4babf03ec8d956ed55c993494b4f09b1c7dc5480ec6

  • SSDEEP

    3072:YPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOcf6Nn3:YPiUbLW9lsZ0GC0dOUe/0Lw4tKha6N3

  Score

  8^/10

  execution

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution
  behavioral30behavioral31

• • Target

    void/8c55a86afc661db10bbe1a1d2ab249a5b30fc1fe4b6738ad3ed69546ea045897.elf

  • Size

    152KB

  • MD5

    9dcd963800c5abd92f3068685406d188

  • SHA1

    e37b241b0f106d5f10cf5079f21b8bf707f88b5a

  • SHA256

    8c55a86afc661db10bbe1a1d2ab249a5b30fc1fe4b6738ad3ed69546ea045897

  • SHA512

    01fdd1c7c4eb65b8a4171c3b91e61eb5d27a260a7bc2459711dfe16ba3b29e3760dfd42ec00af32e0ab25309ac0c1cd5364f9515b200cf2a4910a7821d036f5f

  • SSDEEP

    1536:5KrP2E3+ME0vMON4p5sjm2JOCabDrFti35bmXJ4Sl2jp9sElAWShr8h:58+E3XtvMqPl10ogIVR28

  Score

  7^/10

  discovery

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  behavioral32