Overview

overview

10

Static

static

10

void/0394b...43.exe

windows7-x64

3

void/0394b...43.exe

windows10-2004-x64

3

void/0aa21...0f.elf

ubuntu-24.04-amd64

1

void/250bb...13.exe

windows7-x64

6

void/250bb...13.exe

windows10-2004-x64

6

void/257ff...b4.exe

windows7-x64

1

void/257ff...b4.exe

windows10-2004-x64

8

void/37208...92.elf

debian-9-mips

1

void/43958...0d.exe

windows7-x64

10

void/43958...0d.exe

windows10-2004-x64

10

void/469a3...1b.ps1

windows7-x64

8

void/469a3...1b.ps1

windows10-2004-x64

10

void/5a099...8b.exe

windows7-x64

1

void/5a099...8b.exe

windows10-2004-x64

1

void/72cb9...de.elf

ubuntu-20.04-amd64

10

void/73055...90.exe

windows7-x64

3

void/73055...90.exe

windows10-2004-x64

3

การ�...��.exe

windows7-x64

8

การ�...��.exe

windows10-2004-x64

8

void/7ac64...d2.exe

windows7-x64

1

void/7ac64...d2.exe

windows10-2004-x64

8

void/7b380...cc.dmg

macos-10.15-amd64

1

Brew/Brew

macos-10.15-amd64

4

void/7dec8...a.html

windows7-x64

3

void/7dec8...a.html

windows10-2004-x64

3

void/80e6e...e3.exe

windows7-x64

3

void/80e6e...e3.exe

windows10-2004-x64

3

void/82231...6b.exe

windows7-x64

1

void/82231...6b.exe

windows10-2004-x64

8

void/8732e...71.exe

windows7-x64

1

void/8732e...71.exe

windows10-2004-x64

8

void/8c55a...97.elf

debian-9-mipsel

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

  • Size

    66.0MB

  • Sample

    250320-ywptvsxyfz

  • MD5

    c16a4350adcf178d59431acb20b7de46

  • SHA1

    3a050c1a2a91e42c96635f860da57e8a80b6935b

  • SHA256

    037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

  • SHA512

    b02673ae74d7ac60b9f1ab314300b9aae967267df106154e59b017fa99033a505e620a998952e1344de6fd59dd77ee9c78aac0d016c072b1f30b351a612cf29e

  • SSDEEP

    1572864:esy8oDJztDnendZL0mB6B0veVP+MoE7tMfaUz8H1BqFuMId:48+JdedNB66YP+VOtMfaUz87Xd

Score
10/10
medusalockermimikatzneshtaprometei_elfremcosvipkeyloggerremotehostzynovabotnetcollectiondiscoveryexecutionkeyloggerlinuxmacosminerpersistenceprivilege_escalationpyinstallerstealerupx

Malware Config

Extracted

Family

remcos

Botnet

zynova

C2

michelgoodsupportingtems.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GLHI75

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

RemoteHost

C2

216.9.225.133:10890

216.9.225.133:57089

216.9.225.133:49067
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    egde

  • keylog_path

    %Temp%

  • mouse_option

    false

  • mutex

    Rmc-616IW3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    webmail.designhubconsult.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    isWG4ZIAY369

Extracted

Family

vipkeylogger

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Acess2code

Targets

    • Target

      void/0394b475234ecc6f752ecdd9f7e5ea28cebe404e5db6a8cf2f9019915c4ddf43.exe

    • Size

      487KB

    • MD5

      9bc65d45d737d9279fe8759e8beaef25

    • SHA1

      80da42ab8b168ff10639f7334321f5cb53be0ee5

    • SHA256

      0394b475234ecc6f752ecdd9f7e5ea28cebe404e5db6a8cf2f9019915c4ddf43

    • SHA512

      e3011ec1a8945553b3af0ab89706d701b8db2087916733102179f9429dd25c927eb2b0708524800bca7a6769bde62193d970cfecf7c75ad8c16814e1abd88365

    • SSDEEP

      6144:/IlSCa0RPvRz+n8Qr1D0ZGESuHabmvHOE4mCp6qtydBnP+Y4+3sAORZGFX3Xc6oJ:/200OFp+G0imvHn3Cp6qyBP+YdsvZG2

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      void/0aa210086ab837dea1a26dd45a661f7f78ea90d243c6fad74cd4772325bff20f.elf

    • Size

      13KB

    • MD5

      c81103eb8ad8d710266e189d02c663c0

    • SHA1

      5123360825f7440eee0ff290bf99b3eab461f7b1

    • SHA256

      0aa210086ab837dea1a26dd45a661f7f78ea90d243c6fad74cd4772325bff20f

    • SHA512

      9933145884049412d58a9308b1d18dd87a4f3104bf54deef53923a1c8cfb7c83f4504f1a6be8637f80eaf16a18ec657f1429116c981a4ac5128dea6b9bbb33ad

    • SSDEEP

      192:GHBGjC9em2ed0+k+aa+HzEb+0vSKGYd1RwBx/DdbEiqk5l++xo6daKSs5lFDJKkm:Jj/ei+k+F+HIbjSKGER2NQGD356Ak

    Score
    1/10
    behavioral3

    • Target

      void/250bb552893533d2e47ca18faa6f3026495d47bae799046c07749726f2f9c213.exe

    • Size

      943KB

    • MD5

      a280703187a30af87adfd63e267a4344

    • SHA1

      60304f3a51f32a02688b13ff424d5a4599886fc6

    • SHA256

      250bb552893533d2e47ca18faa6f3026495d47bae799046c07749726f2f9c213

    • SHA512

      e656f188bbc31c9454197cc9135ca72cf531c1d8523924d316b3e44d5393a4dd2931d83e09597b517c18c646c23f06e13d76efe0925e8fea05a7c549f7ae63a4

    • SSDEEP

      24576:3u6J33O0c+JY5UZ+XC0kGso6Fa43W/R6XErWY:Ru0c++OCvkGs9Fa4qqDY

    Score
    6/10
    collectiondiscovery

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral4behavioral5

    • Target

      void/257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe

    • Size

      214KB

    • MD5

      561535d4ea4f26088f5bb93c0261be4b

    • SHA1

      5e5b7ff4650caaf0dd556e2e62154c60986a2681

    • SHA256

      257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4

    • SHA512

      772edd0ae2427b8b87c9244ce43d70a24df19b1f3173cda91735bee41e1470d6b31728989bcdbfaaea03cbbd34d4803e3135dad074a11255e1021efa18485ed9

    • SSDEEP

      3072:xPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOsv6fn3:xPiUbLW9lsZ0GC0dOUe/0Lw4tKhy6f3

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral6behavioral7

    • Target

      void/3720875269fee71bfa7b07171bc78dfedddd95d32ecf5bd7f2ade07035c25e92.elf

    • Size

      898KB

    • MD5

      743c87a17820edb35edbe6611d5473bd

    • SHA1

      c1554bbd9a724412b94b9694c073c85a68ab0d1c

    • SHA256

      3720875269fee71bfa7b07171bc78dfedddd95d32ecf5bd7f2ade07035c25e92

    • SHA512

      98e5585d9bcc962111fca65d945a2aafd1bb870cfd9057d089c773e0e6c45241842bb83ac3aa2678946c11813b6da59bdd549d36f1d5de3f934c7a73e12b800f

    • SSDEEP

      12288:qb143S0q+8eXS1/f2Wc3slC3yjTjMv+9XSJhBXEsV3b9gh4J8zMSv7MzOup8Mplp:qmShf4OTjMgXSJhBXEsVrmz9MOup1Khu

    Score
    1/10
    behavioral8

    • Target

      void/43958be574c6a890961e38fa91710b15261d9b388d08c2b899219886f2ab710d.exe

    • Size

      873KB

    • MD5

      170a1ade709d3f6fa1b3d798f36f70b6

    • SHA1

      e89757633331677e55bae075c5c5bd29744df96d

    • SHA256

      43958be574c6a890961e38fa91710b15261d9b388d08c2b899219886f2ab710d

    • SHA512

      6210601458be2a388447c28e6c70d2994365639151be1155a4a9e9021cbb2aef203ae13bc31541fd41eb693eef5af355fcc6bfefd9127907ad0b7ce74372d97e

    • SSDEEP

      24576:u1W4/xnbm4SG6LVZD6na/PyFm2/vrPJ7YcvhgwqGbPI6/VFHd:6WCbELtP3WzDbHd

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral10behavioral9

    • Target

      void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1

    • Size

      951B

    • MD5

      991bfc052219f7e9b6e77e2268c08947

    • SHA1

      c6e8df55948ed92caa0401c28dfeb474c02136ef

    • SHA256

      469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b

    • SHA512

      bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

    Score
    10/10
    executionvipkeyloggercollectiondiscoverykeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      void/5a099db04b83c828b23e283d7bead0eed7e6c2e415a2632d5546bf776a54ac8b.exe

    • Size

      101KB

    • MD5

      f1cc8b78d3563f4ac67ee37cf178d0c2

    • SHA1

      9000bb467edf6ba327d246732da5deb11c4c98c6

    • SHA256

      5a099db04b83c828b23e283d7bead0eed7e6c2e415a2632d5546bf776a54ac8b

    • SHA512

      cde27e3b6164a7809e69d53509394962b662d977d7c762fc1274c8adcb6ee6a38c200e126ae3399eaea163ce60dbabb7e1e28767349b8abd12e58d9f606d6420

    • SSDEEP

      1536:m6qLwNNe3sdXkgco0+UlponBzwP+48RPmxCRLXvXrAArfBm:GwasCo0P/MweOWXvXhf4

    Score
    1/10
    behavioral13behavioral14

    • Target

      void/72cb96390164439710b0ab64f8b0e211d49875a0f4ea402da22a0269794891de.elf

    • Size

      425KB

    • MD5

      841f9057c3afebc6891904d6c336c8d6

    • SHA1

      3200284f8e23c5179adef69a6e199225ad782b69

    • SHA256

      72cb96390164439710b0ab64f8b0e211d49875a0f4ea402da22a0269794891de

    • SHA512

      ddd922538baaaff054c1b42e146a9ef813200cce10ec5ca4a21e386c49e54c1555c4c34e35ea0ed2ada138fb42f8a334eef72f11414c82a4bcfa165078d3cd12

    • SSDEEP

      6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgb:25WOSACZSV6eKRH5EPiamb4DsDwwcr

    Score
    10/10
    prometei_elfbotnetdiscoveryminerpersistenceprivilege_escalationstealerupx

    • Prometei

      Prometei is a multiplatform botnet used to mine cryptocurrency.

      botnetminerprometei_elf

    • Prometei_elf family

      prometei_elf

    • Deletes itself

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

      stealer

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistenceprivilege_escalation

    • Write file to user bin folder

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral15

    • Target

      void/7305516a3c2ef76a10be8dc65d0de1d446ad157abd51e84a2e0f3979fc6c4490.exe

    • Size

      482KB

    • MD5

      fe0922629876d13f93e9a8f81096efda

    • SHA1

      3d7952efb304631143789c28b576da342f410178

    • SHA256

      7305516a3c2ef76a10be8dc65d0de1d446ad157abd51e84a2e0f3979fc6c4490

    • SHA512

      54e1073dbf26d6250b98a97aa0646871b91ef37924f7b7300ae681253945b841079f9f4db5c796f309e077158f41926bc78328e74c1032c94f69841a21a041c1

    • SSDEEP

      12288:x13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQCGS:jak/mBXTV/R0nEF76gFZVG

    Score
    3/10
    discovery
    behavioral16behavioral17

    • Target

      การชำระเงินครั้งสุดท้าย.exe

    • Size

      534.1MB

    • MD5

      1ae0ac77abe471e283caf507ed6905a4

    • SHA1

      915f92c9765b879b46657c3bd844a14716c0da91

    • SHA256

      45c1e714a86a000cf4792052b7487309922bfc92953e77c3b6aac19c424dac2b

    • SHA512

      3dc2c37bddb89101db509e239b98826b1365f7c0151a746d16aa859308a6a1235d9c97a7a50c63dbc4e62d60eb35235602ddf8cbbb6349ac6b919a61bbe6bf58

    • SSDEEP

      12288:qi9pXxw2qAJwI1s+pTFr9S1iUe6a10F8F5qg96GqKHaWWCQyaFZqT20jf:q+L51s+xFrQFt45qlGqmaWfQFFN0

    Score
    8/10
    discoveryexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral18behavioral19

    • Target

      void/7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe

    • Size

      214KB

    • MD5

      d4791c1c75fb06fcd21665f57211f4b7

    • SHA1

      217ff98cbed165b61818e64bfbfb35c11834fe99

    • SHA256

      7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2

    • SHA512

      a4cc7c6290bb3fce35b92812b2eff9bc94de2397d9f59edf9fc4db94afe666ca7eb605bf65fd387e06d3b0e694a8198f1a29a373d4fa0861578d62ddbccc8e64

    • SSDEEP

      3072:CPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOMb6Kn3:CPiUbLW9lsZ0GC0dOUe/0Lw4tKho6K3

    Score
    8/10
    execution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral20behavioral21

    • Target

      void/7b380357933497fe52439da94472b6cc7564fe5c852def28d4843c1a15792bcc.dmg

    • Size

      731KB

    • MD5

      dd2832f4bf8f9c429f23ebb35195c791

    • SHA1

      66692b1b7b888606f66c7eb7c501969512b3db25

    • SHA256

      7b380357933497fe52439da94472b6cc7564fe5c852def28d4843c1a15792bcc

    • SHA512

      1ad7518a1992fe82c6edde463457eb3ea91f606c307666fd17fd279fa223876cc7a1cc272fb24d71a154f337f91a929e23d2706718248a4d990f08935c89190d

    • SSDEEP

      12288:wAhXJ8ZOP0q6kO3t+0fWuK7/upvm3ffFSR1JnGNg4ZVLvoHQANNogh2:wAhWOcq6kSwP71P94nkg8Va3Nog

    Score
    1/10
    behavioral22

    • Target

      Brew/Brew

    • Size

      897KB

    • MD5

      ec7f737de77d8aa8eece7e355e4f49b9

    • SHA1

      bda795abc4f59a27e2bde15f9a65029e43df9036

    • SHA256

      d4e86dbffd226e2aa5efeedd3159e4c72422238860939b370605ec1f07034f96

    • SHA512

      7affc3b3bc1521f0aab1b6f1941ca9205940e3efdae25f04af40f50294a2a02ba892488c1c16cd421999cd47d3fe206e75f9e4122ed656700898ea0532389ee1

    • SSDEEP

      24576:x1w4S05ovKgvTSWNf/7VoQLXkNv1CTqc6VeGAg:x1w4JSSYVf/7VoQLXkNv1CTqc6VeGA

    Score
    4/10
    execution
    behavioral23

    • Target

      void/7dec88c2ec34b8483abc44e98ec843877cc5ae88e094c90d46bbabfafdf3749a.html

    • Size

      10KB

    • MD5

      ff5e80953341f1cb01a5d31fffcad2c3

    • SHA1

      cf2b440681ce3c658ff734517a16cc13afa7ede5

    • SHA256

      7dec88c2ec34b8483abc44e98ec843877cc5ae88e094c90d46bbabfafdf3749a

    • SHA512

      bfe9629f07e9755b2df63d632f7eca214c29fc3d701c77ccf4b1eaa7f9ec518af01d141065af38bd242223344c518b57dbf8c9c43d669a191bfdeb22703a9509

    • SSDEEP

      192:PN2x2BvekROFASf+mhf7h6RyfVah9OLgmiMMpIFaHU2y92N:AxeJROFASthDERKgIAUn2N

    Score
    3/10
    discovery
    behavioral24behavioral25

    • Target

      void/80e6e20e66c60f7392af8f501b07f8a10893f8c426acd6bdb42ea50738e6fae3.exe

    • Size

      482KB

    • MD5

      063e90515a6ebdb7a455ba042109205a

    • SHA1

      e370bb5c976a1c95fbce040ac1ba6a1fdac31495

    • SHA256

      80e6e20e66c60f7392af8f501b07f8a10893f8c426acd6bdb42ea50738e6fae3

    • SHA512

      20270413d8d77edfa8c5bfb593b407c05c5d9188b3c5b7c1d688e9db864ac976627ad16965b95971b7d5a01e50e1933e530ffcec721d540bd30b67874ce2cf67

    • SSDEEP

      12288:p13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQgS:7ak/mBXTV/R0nEF76gFZH

    Score
    3/10
    discovery
    behavioral26behavioral27

    • Target

      void/82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe

    • Size

      214KB

    • MD5

      369fb99dbae23164166f27bf37e6fef2

    • SHA1

      2a039fcb0b93ba7a69c7428740b0a09cd3347f53

    • SHA256

      82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b

    • SHA512

      f7e201c34ca4d1ed8720ef082085190fb5be81f3848c27a4f172eea0ab19f5cd876bc2b8f5157548e65c1834a542c35611c6e8adea957ce204494e5f38118058

    • SSDEEP

      3072:QH4u04ZWd2RwqL908aj9OrNmm0eiZU++0dFAYIzwpbsN2t86dNvPW6nnH:QHb04ZWdzqp08aj9OOeBNzwpTVuUH

    Score
    8/10
    execution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral28behavioral29

    • Target

      void/8732ecc7dd6bb49a644d7ca3edadd316657b2508a013da09db0f5b3c5c036c71.exe

    • Size

      214KB

    • MD5

      8acb4f89e07d831d97f1b1dacf9b4ede

    • SHA1

      3dabaf70318f378057844ea9b817e65edd705c91

    • SHA256

      8732ecc7dd6bb49a644d7ca3edadd316657b2508a013da09db0f5b3c5c036c71

    • SHA512

      46a369a33d345fa892a38a2fa2cb5e7f03b0b061d16a32d3a960d6fc99cbc7096155e71747218499e573f4babf03ec8d956ed55c993494b4f09b1c7dc5480ec6

    • SSDEEP

      3072:YPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOcf6Nn3:YPiUbLW9lsZ0GC0dOUe/0Lw4tKha6N3

    Score
    8/10
    execution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral30behavioral31

    • Target

      void/8c55a86afc661db10bbe1a1d2ab249a5b30fc1fe4b6738ad3ed69546ea045897.elf

    • Size

      152KB

    • MD5

      9dcd963800c5abd92f3068685406d188

    • SHA1

      e37b241b0f106d5f10cf5079f21b8bf707f88b5a

    • SHA256

      8c55a86afc661db10bbe1a1d2ab249a5b30fc1fe4b6738ad3ed69546ea045897

    • SHA512

      01fdd1c7c4eb65b8a4171c3b91e61eb5d27a260a7bc2459711dfe16ba3b29e3760dfd42ec00af32e0ab25309ac0c1cd5364f9515b200cf2a4910a7821d036f5f

    • SSDEEP

      1536:5KrP2E3+ME0vMON4p5sjm2JOCabDrFti35bmXJ4Sl2jp9sElAWShr8h:58+E3XtvMqPl10ogIVR28

    Score
    7/10
    discovery

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

4
T1059

AppleScript

1
T1059.002

PowerShell

3
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

XDG Autostart Entries

1
T1547.013

Create or Modify System Process

1
T1543

Systemd Service

1
T1543.002

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

zynovaupxremotehostpyinstallerremcosmedusalockerneshtamimikatz
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

Score
1/10

behavioral4

collectiondiscovery
Score
6/10

behavioral5

collectiondiscovery
Score
6/10

behavioral6

Score
1/10

behavioral7

execution
Score
8/10

behavioral8

Score
1/10

behavioral9

vipkeyloggerdiscoveryexecutionkeyloggerstealer
Score
10/10

behavioral10

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer
Score
10/10

behavioral11

execution
Score
8/10

behavioral12

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

prometei_elfbotnetdiscoveryminerpersistenceprivilege_escalationstealerupx
Score
10/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discoveryexecution
Score
8/10

behavioral19

discoveryexecution
Score
8/10

behavioral20

Score
1/10

behavioral21

execution
Score
8/10

behavioral22

Score
1/10

behavioral23

execution
Score
4/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

Score
1/10

behavioral29

execution
Score
8/10

behavioral30

Score
1/10

behavioral31

execution
Score
8/10

behavioral32

discovery
Score
7/10