Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    410897f36809104096c8b600eb3a0444.exe

  • Size

    1.1MB

  • MD5

    410897f36809104096c8b600eb3a0444

  • SHA1

    18e8b8e65471f7f19b3612ba93a20bd6a702e7dc

  • SHA256

    1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed

  • SHA512

    479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0

  • SSDEEP

    12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

  Score

  10^/10

  dcratdefense_evasionexecutioninfostealerpersistencerattrojan

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Modifies WinLogon for persistence

    persistence

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass

    defense_evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Drops file in System32 directory

  behavioral1behavioral2

• • Target

    41234e0118ba1cfc06b88d347f3a53f5.exe

  • Size

    885KB

  • MD5

    41234e0118ba1cfc06b88d347f3a53f5

  • SHA1

    a0bc5bbd988def1d53cb8b74d6a19084ebec1a92

  • SHA256

    7eaf3845dc36309ef1b4dbcf87058d55bbe2b9bdad969d53c9bf6f250981dd6f

  • SHA512

    25f929d3197123654edfd7ba2dcad5dcc0c2fab2743c9e7b80ed2b419326f5666799d6866ed76d51f7fce1a48e1d67c0454f5a9f699c04c590366c27c313d49c

  • SSDEEP

    12288:GlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:GlNCv6XJ5BClaXfD9vUha+u

  Score

  10^/10

  dcratinfostealerrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  behavioral3behavioral4

• • Target

    412f4448e99979a1ce810cdf392b6abb.exe

  • Size

    597KB

  • MD5

    412f4448e99979a1ce810cdf392b6abb

  • SHA1

    1b8382397ac991d6c915bd00ff51594f88f4067b

  • SHA256

    6a5a315d1878a62da0fcf7679833cf9c9a171b46ffb2b769e92bf30046f26b14

  • SHA512

    0a6967c7cfa7be78773b469bbffbce9a3cf76b6c059fa31142e95acf09f3ab66409aa577df327044759257c7cd281d683131aaa85ca81f7ddf00e064332ec39d

  • SSDEEP

    6144:btT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3ri8:t6u7+487IFjvelQypyfy7i8

  Score

  10^/10

  collectioncredential_accessdiscoverypersistencespywarestealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe

  • Size

    552KB

  • MD5

    242e593726fda21393dceef813665056

  • SHA1

    9fae5838ef0a3462353eb5f72f58c7fbb484ebb7

  • SHA256

    414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f

  • SHA512

    bbcd9c3bf1d6f3df0d3c5908ede9dd93af131d34098b730085b08bf86ea5bba949469d8d2a623d0036e549d140fa2050552e02d8cfdf7c410c20c2b5258ba7e3

  • SSDEEP

    6144:uLzBDCmu5mmVPHVeSLe6VlWT8b9IQfnIFEQLk6dKAsbbs9kG:oxc/VnPVle8zCE8KAsCkG

  Score

  1^/10
  behavioral7behavioral8

• • Target

    414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe

  • Size

    2.0MB

  • MD5

    db87424723d41b8b4075c1e0cb33e01b

  • SHA1

    a88fe56ef8789d939da5fff58b871b2028b64eed

  • SHA256

    414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da

  • SHA512

    ed970d754b3472098cec36bd7f6ad26254e4e0ddced625b3f93963b5eb275b626a1e5eeb08a6b573b60aa15946fd275f3743ceb6a37c94b1bf888f38907d4db7

  • SSDEEP

    24576:7L81USHF/mAhAdMywT1KBgvJRtlpLklKuVy2NtD:w9Wdxk1KBClpP

  Score

  3^/10

  discovery
  behavioral10behavioral9

• • Target

    414f523f34e87006f31ca4b703886d3b.exe

  • Size

    28KB

  • MD5

    414f523f34e87006f31ca4b703886d3b

  • SHA1

    e27871b4cb2d7315fa3d2b698ac23ddb94e408a6

  • SHA256

    474b1b39afa99d3cc1f1932ba8e27580f74b8d2d7e7b6a97655deaa20d0a029d

  • SHA512

    05163bb4a3c03b00f207f6115cdbb64bc46d620bb05c35f5d111da9020fae8b72898e40e63c6225608073d9d7057ef168f1797c3b5156e4fb842723842705400

  • SSDEEP

    384:IE0WnRVi0Emqtpo0farhJqt0+JCZolDFLvDuNrCeJE3WN5hWUy14oAPwPnro3lc8:liJY0i1J3/ilJ7k5NbW54drtY

  Score

  10^/10

  limeratdiscoveryrat

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat

  • Limerat family

    limerat

  • Legitimate hosting services abused for malware hosting/C2

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral11behavioral12

• • Target

    415b778406bbdc705f1962ded94e90d0.exe

  • Size

    984KB

  • MD5

    415b778406bbdc705f1962ded94e90d0

  • SHA1

    978d2e0051ce04c78f60f312a9389d31ed346d82

  • SHA256

    77c664a6cd94c282ecfa0c4f8fa7b101dee5a74b424fbfee3290a9d0315a1bfe

  • SHA512

    d11ef00e5661474983be3d32afc695d9eeb5fbddefb99c05b5d84d6bb85cdafde98ff34d07a65c2b36adb0b6d93ce25111b2cea59ccc6dea65682580d5ddd3a9

  • SSDEEP

    12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv

  Score

  10^/10

  dcratinfostealerpersistencerat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral13behavioral14

• • Target

    4175909fcd35882461a1cfd784f7c967.exe

  • Size

    17.7MB

  • MD5

    4175909fcd35882461a1cfd784f7c967

  • SHA1

    97c039024a434f8605ca06df16ee7355fd380e0d

  • SHA256

    34a347012a452bb37b3da0cead9eaf007ec0e82a26b90ee1155ca8135bccd537

  • SHA512

    ccf29163313a378c4d908e1ac400afc6299e5a2046b206f0eed46ccd0779f9bcb2a0162bb86db64504c71cfeb76df056dca621a4e1f267e28258ce5c10721c57

  • SSDEEP

    393216:8YGbY6iHonlQCe88BYdY3SHFPJXFODKSblmnTCAc:87Y2CCe4dAmFOmSJme5

  Score

  7^/10

  persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral15behavioral16

• • Target

    417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe

  • Size

    2.0MB

  • MD5

    4b8d35a4a07f02739e201501d8dfd5e3

  • SHA1

    095c2562f09a21b02208117cdbeb95ba846d35fe

  • SHA256

    417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74

  • SHA512

    b8b8cc646817aa95f3f581006588058563571ecb96c28fd2fe6dfecf9ca9126a9ae09df26092d72cad244d1867463d38ee66205d4efbca13b87fbe5c897975b3

  • SSDEEP

    49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN8:bdxVJC9UqRzsu+8N

  Score

  10^/10

  dcratinfostealerrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  behavioral17behavioral18

• • Target

    4189a83a9b95038e6e32f05b4c69f3b4.exe

  • Size

    54KB

  • MD5

    4189a83a9b95038e6e32f05b4c69f3b4

  • SHA1

    516c5997c8102be91f6ed419e808864e0381de86

  • SHA256

    2f0fa7dd79cc0a033d55dc62043f188fdcefb4ce7aab2e1ee649d877c2321381

  • SHA512

    53c34bf3919d5cb549a403ae4e20f171e3a744e416ebbfa017413c02d3332b93e261249d5336e73abbd213af37f294b0790e49092913c6d3d556e7d9b4597ec2

  • SSDEEP

    1536:FOpwLVcvsG+yiZodvTlhJX3eye5IybOCoDGbfV:F4wLyvky6opTTt33MSN6rV

  Score

  10^/10

  defense_evasionevasionpersistenceprivilege_escalationtrojan

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies Windows Defender notification settings

    defense_evasiontrojan

  • Modifies firewall policy service

    defense_evasion

  • Modifies security service

    defense_evasion

  • UAC bypass

    defense_evasiontrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Identifies Xen via ACPI registry values (likely anti-VM)

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Disables use of System Restore points

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion
  behavioral19behavioral20

• • Target

    41c0c0017e07c3984ced9121a820b070.exe

  • Size

    45KB

  • MD5

    41c0c0017e07c3984ced9121a820b070

  • SHA1

    7b327566eb0d06339f8741f59575ac9e88b49b1d

  • SHA256

    89777f33cb0634f313f70c521458b7107575afaef6157e63eb6b5ca2862976a7

  • SHA512

    57cf65570c57285c6d51c3ca751639711fc0d3d5536746e0442af773f7b77409cec19c9c379a79f72b87395ea5ea7e77457dd59a839c0b058cd982b804a36e53

  • SSDEEP

    768:vuwCfTg46YbWUn8jjmo2qrDKjGKG6PIyzjbFgX3ilJkuXK+4aBDZSx:vuwCfTgp/2OKYDy3bCXSlJtK+PdSx

  Score

  10^/10

  asyncratdefaultdiscoveryrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat
  behavioral21behavioral22

• • Target

    41dc6460e6f99bd865a3456e9c0348c8.exe

  • Size

    35KB

  • MD5

    41dc6460e6f99bd865a3456e9c0348c8

  • SHA1

    53e57c20f37d27d72d3e950c5820306df1276cb6

  • SHA256

    9120702296c18b9df13b6b7556ce965b70bb76c011850e3a85d9af186256462a

  • SHA512

    9652e7fa688d39bbe996fa27a8b400a6661150c83069425606ea82fbb66af6da5461667d7aa9fa49bc4ed8c7de68ad192f62d1728b744546dea746e4320364b0

  • SSDEEP

    384:W4Ln0QH2AnOAd6LXjD4xB/Z+XmXi3LRGpkFTBLTz9I/RFZwrJi+K5kViso6LtVdo:9ZSW+X/4xBcW2LXF19I5Z6LOjhofbJ+

  Score

  10^/10

  xwormrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral23behavioral24

• • Target

    4202cc1a54d458c6b3a7579733cc35c1.exe

  • Size

    1.6MB

  • MD5

    4202cc1a54d458c6b3a7579733cc35c1

  • SHA1

    db3f6aee406b73fb0a831cf988b98282d7516918

  • SHA256

    545876aff174a4c02160e0c1b7e3d513f9010daa140b1e287883e2387aca8a96

  • SHA512

    b2423ec0ed40f7de79b0e8248858354e1d5fee95b66f72612048aace23e1e0d39945cd769ff7866adbc41cbb7f90983f438f8667ddff6fbc8445eb76ba2fac92

  • SSDEEP

    24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE

  Score

  10^/10

  dcratexecutioninfostealerrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  behavioral25behavioral26

• • Target

    4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe

  • Size

    5.5MB

  • MD5

    7f7385efa4f3d9aca3969f1b37c1d2bf

  • SHA1

    1dd769bb96cf7c3eed8fa45b0396d3dfdd8c6d07

  • SHA256

    4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e

  • SHA512

    83258a578fb0dd34321bf5d25505440a85b8ef3e10edb1e7e5974cd0a0501acf47ae140c9791304b928c281bc58022bbff56083f6a1d4cbd8ad4d8e212a1107f

  • SSDEEP

    98304:gsE3+83BZM7IaS+LQzrIir31CK0TW7KKZk5O3oIkXliTGoSVu:c+81gKUW725O350iGoSVu

  Score

  10^/10

  xmrigminer

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral27behavioral28

• • Target

    424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe

  • Size

    936KB

  • MD5

    69ba1c008b0f8ea902c7e445b5ac3d6e

  • SHA1

    81bab9899e1437d5ee91d8cb9e0037a39af89220

  • SHA256

    424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46

  • SHA512

    64f015ac5e171aebfa1d09aa834309f51dca72164f5e798b0703a127376941d767b26bb25ad4443311331be0b4c5b20ded8725dec1fc11bea4fcde5ed5ce6bf2

  • SSDEEP

    24576:9dtP2cbksTpugRNJI5kFMJF9OWjwjLOjZXr:+gq1r

  Score

  10^/10

  nanocorediscoverykeyloggerpersistencespywarestealertrojan

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Nanocore family

    nanocore

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral29behavioral30

• • Target

    4255dacb3601f46615055d9d23a538cd.exe

  • Size

    43KB

  • MD5

    4255dacb3601f46615055d9d23a538cd

  • SHA1

    ec34d0c3dc3116f32eee59fc6b84ea0be8030529

  • SHA256

    47dacc41ba9109e87ed4b26564fd6c20b4dfd7c457d0b5b2a32bf45b132da3df

  • SHA512

    084feb9bf61e3641ade20c5c2c2049ec5d4ba1ce85ed5dcbd16c16b4d2dda1c15bdc86ba5ecf86d54676dd5efbe12c147e1e5dba87d29df64aba11a640b15505

  • SSDEEP

    384:eZyDwNU1SoycwJmz0ZmhYYNE4OmMbycXzRpO9D9O5UE5QzwBlpJNakkjh/TzF7p0:kXqglcwJZQE/RycX3vQO+dK+L

  Score

  10^/10

  njrathackeddiscoverypersistencetrojan

  • Njrat family

    njrat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral31behavioral32