General

  • Target

    archive_42.zip

  • Size

    104.8MB

  • Sample

    250322-gz5aaatjz7

  • MD5

    aeb1c2de31ea79557bf5a31295004f81

  • SHA1

    71751833da7f0eb077ecb9ff20a974f7adfbc6f9

  • SHA256

    894a461e0d709023ba6ec45f748b38a79ae12cf398702244ef2ffa93dd644133

  • SHA512

    9995ba922ed90f6c88e86fcfd7320794713256cd00892e0e910dbea5da1c635486c54fc4018a910a31f6f30124f1e5bf4cb0a350197653e4e21c75436b433649

  • SSDEEP

    3145728:0eYnaEboUKD9VVpMdZuYeQRjhnEao4Z5l1TRZbT:0Vna/pkzrEafLb

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1350902635443523687/lJeYqUfLKM8wCIRqHAOIGO2Smr6DBrcNB-r0iPVi2SRQImLGf0VUTptVQXsmIvu2eTJY

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

moumenmehdi.ddns.net:4444

Mutex

6db02a3191823528cdb584f157562167

Attributes
  • reg_key

    6db02a3191823528cdb584f157562167

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

127.0.0.1:6522

Mutex

60c28f2ec9c1d3d7f391e11534af955e

Attributes
  • reg_key

    60c28f2ec9c1d3d7f391e11534af955e

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

orcus

Botnet

жертва 1

C2

127.0.0.1

Mutex

a8fc40d91cc642de81d3bcf287f9a643

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    03/20/2025 16:11:32

  • plugins


  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

xworm

Version

5.0

C2

ring-staffing.gl.at.ply.gg:32707

Mutex

elbD0YZaBQfsICaU

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      aad3df12348dcf9b2bd4c1b1f7cba937.exe

    • Size

      227KB

    • MD5

      aad3df12348dcf9b2bd4c1b1f7cba937

    • SHA1

      98e781980a89d77cfbd266e98de28c3a88c04b66

    • SHA256

      bada765d60e5c646ce6286023fb474c9136c4d31c33f2d1efb08b831c08e29c9

    • SHA512

      5636ed03df0561b9e769e3e0191ff9344e56c28a14007c734fea9f53d739b18ce3dbd3261e6b505dbd235871273fa7cabe5b6d798e5eed6361f0e5a5209a9dc7

    • SSDEEP

      6144:+loZMrrIkd8g+EtXHkv/iD4J1nsPlO2ZEc1niinz+b8e1mpii:ooZUL+EP8J1nsPlO2ZEc1niinWs3

    Score
    10/10
    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ab06bf4a0dccbe1c178c70bf95deba79d492e6a172c99b620bd255c1b296b9cc.exe

    • Size

      2.9MB

    • MD5

      011b5a3e74882b993bfe922599242374

    • SHA1

      65667021d6b56e8eaa2d42cb0dcd40656f68e843

    • SHA256

      ab06bf4a0dccbe1c178c70bf95deba79d492e6a172c99b620bd255c1b296b9cc

    • SHA512

      fc62d28acdd62ddeae04363569398da324a3031692639ce88775083a8d53b1519fd65c32a22cf52fe36cc7db0dc822ca598c9336dff4b59eabdeef85afe520c7

    • SSDEEP

      49152:PpPkliITYbNbNWo4kSH3OqtwI/cukqXfd+/9AzXnwWJ7C3MEvRBA2FCo1Y3pa2U+:PaliIT4bNJFY3OqtjTkqXf0FgXwom8Ei

    Score
    1/10
    • Target

      ab80995d69cb5bf47eda51a98322ff63.exe

    • Size

      96KB

    • MD5

      ab80995d69cb5bf47eda51a98322ff63

    • SHA1

      1b67785cd7193c3ecb09897cd3777057d5fda31d

    • SHA256

      2b588b4e01745dfc6d4be0cf66549db6e6fc1eb96e31ec79619ae757effb4dbb

    • SHA512

      5f8ee321b0b1514a04b986b9c1999c3b1e336354bb2b52b3114f99d7557e0a54f8244615ee96b593d609408d4791923298c14d84195181eb78d7dd131b439318

    • SSDEEP

      1536:uY9wKX5ntqOz+UVAYCM+CR7kZ8hxtgY6oANza3g2xWq:3lhrpCM5R7XxtggANz32cq

    Score
    3/10
    • Target

      ab89f9e5fc235d4e0bf6b72be96e777b.exe

    • Size

      5.9MB

    • MD5

      ab89f9e5fc235d4e0bf6b72be96e777b

    • SHA1

      c714d6e77c07fa5c3f5ba33f5696e1c537db4a24

    • SHA256

      a51a0a522e7881f8eafb519d98f0560f0aa4ec99cea8d9766d018de6fa6085ca

    • SHA512

      7f1b46016e1af5bdb80ec16f5936c076fcb17785f5e03df23c11f203b533419f4919d3aa41f160c586a674b6e71c86b1e3552c1c46e667be002634622326dc94

    • SSDEEP

      98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:RyeU11Rvqmu8TWKnF6N/1wz

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      abb1032f395cf9f2e1071efc5618fb43.exe

    • Size

      93KB

    • MD5

      abb1032f395cf9f2e1071efc5618fb43

    • SHA1

      1f70f3119c9e96618f238f6af92471f87706e587

    • SHA256

      6b7910553a3211cf371a2a1a29610f699ea561ce621d9fa70304448da5173137

    • SHA512

      5dd39f40ff0e85fbb93bed1a7c34bfee3d9700fb6677411e84c82e05e4fd127906ec4492138290a26ec68e18af22c79823aa89453495988dff5c33e69ef3af1f

    • SSDEEP

      1536:63uiU16FHfTmaiM1bR+jEwzGi1dDwD9gS:63hFHfTViM1RHi1deK

    • Target

      abc1b491cb9a16593d1a958407a788c05057621aa704c62194886d0ee7437391.exe

    • Size

      2.0MB

    • MD5

      cc8776c2145153cdc49c32d1665a34c7

    • SHA1

      c5da5c35857517ae1a38bd98806a5934bc38c777

    • SHA256

      abc1b491cb9a16593d1a958407a788c05057621aa704c62194886d0ee7437391

    • SHA512

      7cd486d36b6f0dad55d927e3565b10926b0c980b7185952cc2fcb946723d3fd3851bab8271be13fa9519958405526fb0dbd980135d236b40c2dbf07f014f2ff3

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe

    • Size

      1.6MB

    • MD5

      ea4af16c25f7941503efcfb413ecb310

    • SHA1

      dddca77691de109f0dc9c9680d3680950b4bfa51

    • SHA256

      ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947

    • SHA512

      08354124b35e61ff4b153bcf1615cc1e9320f8fb9e92e0ee56eb5e2e29d2153386822d4131a34488304b8073a697afb2a46952ea819511199b1a010ae20123e8

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      ac52997095c1fc0e096be9465a15df5e.exe

    • Size

      115KB

    • MD5

      ac52997095c1fc0e096be9465a15df5e

    • SHA1

      6d09ddfb42ef998009d4adef84c03384bcad7a00

    • SHA256

      fa9bf6ee9b2b7008afd2836f4c231d18f20aa612bffbe7e05fa912294cc01b40

    • SHA512

      68cc5a9b14a927881a8bedf16a325fa27d0496d6e8b581d6d41c009e64ce3ceda6a781ab75bf875cf00fa39a8d1a26951fbf4932ca35d7cca18af4d575088570

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDQgY:P5eznsjsguGDFqGZ2rDtY

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ac8a85c32fe38766e828c75433d3224b193745001ab6adf37a374acf29aff5dc.exe

    • Size

      219KB

    • MD5

      6c8906d6dc989a4e2c6fe7ff12de1dd8

    • SHA1

      3ff383a8634a0c707aa52f35fb0c87106d8bcba4

    • SHA256

      ac8a85c32fe38766e828c75433d3224b193745001ab6adf37a374acf29aff5dc

    • SHA512

      b3588457ef1e80f1cd63242180c632d65bfd3460ef3ba8443b9eabe375dcbf9eb596ffc00b0e95cbb104b33ba61fd183726b2dad29c9c458419a93729e1fdda2

    • SSDEEP

      3072:QArRIzPm7i7x2KhtCqE5bpcqiieyAd9g8QwyZ0+tvCiJ86AR+xx7CG9eeIUVM:r4PO62KI5dcdield9grw0BH866cZeVx

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      acab91c3e070c3fdc13dbdd5414d88bc3bf021b99c5d8e4ad291da68b701cc45.exe

    • Size

      1.2MB

    • MD5

      b72cb4fc6352f3c73d2ce44a6a7283cc

    • SHA1

      820c462b9f86be10b3d36c9c9c18a79bdebac8cc

    • SHA256

      acab91c3e070c3fdc13dbdd5414d88bc3bf021b99c5d8e4ad291da68b701cc45

    • SHA512

      90455c4935e5436e76f3f99c95084fa77cdea33a058b6794971ff5bff3f45ab3005f9a97195916a42b2f1048534caed1cf7ab29067914dd84e5bd82b6c34eda3

    • SSDEEP

      24576:B1QcHlC7WjMPqsBsOOJ6uFWn2uuJbWV99NOyWIbQ+/bRm:B1/ClPOJRWnZobk9ocQ+DR

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      acb1d9172ea43bdfd5be9ec2bbfb5d3e.exe

    • Size

      23KB

    • MD5

      acb1d9172ea43bdfd5be9ec2bbfb5d3e

    • SHA1

      d37af6b97063efcee814ab57e8138059eba02481

    • SHA256

      8d7c987ecfa34c13b8b1b1ec3a65762f6ba44f16399742c13308c1dfb027e316

    • SHA512

      64657f42d83fd530a1ef798e34f20322170bfaca786d60a49189e29ab3a79dc9407eee01b84ff45840613954453459c969449d78db3f0dbb918778cf01432d69

    • SSDEEP

      384:u8aSyS9gB3Y1KIay2X8cLZI6XgxsGJVPpmRvR6JZlbw8hqIusZzZNR:h589tXvRpcnu4

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      acde31a22deb5a8a7cc7420109f2224c007039ecb0733d25f0fd83c15a465768.exe

    • Size

      864KB

    • MD5

      75cceff4c1f8fd2c9a73bd523df79b43

    • SHA1

      d035fc55c6045ce22945080c2f50c21237aafe74

    • SHA256

      acde31a22deb5a8a7cc7420109f2224c007039ecb0733d25f0fd83c15a465768

    • SHA512

      e0cc4ac1d987efd28d4029b2c67159cccf7c6c07b07c7ffaceb480f78c4db2145287b6ef418ae93548f6d67a16780eb695581e882cd0772d533298ed3dcb1c3d

    • SSDEEP

      12288:sp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3/:spugRNJI1D39dlfGQrFUxwAe/

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      acfc2067aaf7bc306045845d1e965153.exe

    • Size

      8.1MB

    • MD5

      acfc2067aaf7bc306045845d1e965153

    • SHA1

      6016abf24790dd789a439df8e7a3ae182b0c458f

    • SHA256

      ea470bcf5b838073e39b2fcf27445025598f827f6f55d46dfc5097bae3423926

    • SHA512

      1ff78a6e0b2b9cb210d6253de913176466ae79a327498c9a45490f9b82ca638a38be8f2cac08c46a8c848f5254705c1f46b0bc93c5d53049604fff9ebf47cb61

    • SSDEEP

      196608:9+ocDHr9zPJzvIXZOXI7wHNnjlJ1KTfkryAz:KDRPxIXZqSwFxz2fkrF

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ad45afe99dea7342989cd8c888d312bd42982646671e4f4ee96f6e4ee0111ee3.exe

    • Size

      154KB

    • MD5

      77db8bf0c5ca0208277ff95b5d4ec4c0

    • SHA1

      10db798b15e701340b429174a6821be1a7c89e2f

    • SHA256

      ad45afe99dea7342989cd8c888d312bd42982646671e4f4ee96f6e4ee0111ee3

    • SHA512

      b7c866f38a90631927447652e46c89aac0ec0c441b64eadb7252462285ee1f4417fb6920a7b34abaad1d4ff5ef530c69c6c655eb5d350fd34057287e3223d898

    • SSDEEP

      1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcmB:JZmCb6ROF96zMq1yLAHtUcmKyZ

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      adab89a1b7da6ae4c96646563b0c506f.exe

    • Size

      7KB

    • MD5

      adab89a1b7da6ae4c96646563b0c506f

    • SHA1

      b20a04b6783bb1084b11db58fac6c8b212109717

    • SHA256

      9804ead50696e545955543c470bdbbe3859f714278acc47e3c9c2a092ddd9b2d

    • SHA512

      2905df01b7e30a2d1bcac38e7d02d97494854bfb3d5412e79b758a21f439436c984f312d6a5c78cd47d40df7f4402582cf6a20b1686f693c21e11920b59b2190

    • SSDEEP

      192:/LecMoaS0KtNdaLix8qiG/VunlYJLLLTu6n2qS+:/LecMoaSjzdaLiYOhPLTu6zS

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      adb63a8b895363b63d8a2600eed8df572ad3eb28ae9a27e9331f958f4f1e3680.exe

    • Size

      27.1MB

    • MD5

      5b66662e0fcd10b168c819e9ab7426b7

    • SHA1

      dd6d4bb5ae7cb9cc5d43c5a938c280228ce6bd9f

    • SHA256

      adb63a8b895363b63d8a2600eed8df572ad3eb28ae9a27e9331f958f4f1e3680

    • SHA512

      24ec665581f190025a3bcf7fc36154308d086f69d801fa793112244fb93e87ce2dc6bd20cd6d411d723b75de37afdf71aac9853720ea6b2eeecd3960de2b7fb5

    • SSDEEP

      786432:vGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eU0H:vHIPvuMwUp3SVMpHldxM80n7Q+Y

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks

static1

hacked, rat, mybot, жертва 1, umbral, njrat, dcrat, orcus
Score
10/10

behavioral1

umbral, stealer
Score
10/10

behavioral2

umbral, stealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral8

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral9

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral10

defense_evasion, discovery, persistence, privilege_escalation
Score
8/10

behavioral11

dcrat, infostealer, rat
Score
10/10

behavioral12

dcrat, infostealer, rat
Score
10/10

behavioral13

dcrat, execution, infostealer, rat
Score
10/10

behavioral14

dcrat, execution, infostealer, rat
Score
10/10

behavioral15

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral16

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral17

collection, discovery, spyware, stealer
Score
7/10

behavioral18

collection, discovery, spyware, stealer
Score
7/10

behavioral19

dcrat, infostealer, rat, spyware, stealer
Score
10/10

behavioral20

dcrat, infostealer, rat, spyware, stealer
Score
10/10

behavioral21

njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral22

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral23

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral24

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral25

xworm, defense_evasion, rat, themida, trojan
Score
10/10

behavioral26

xworm, defense_evasion, rat, themida, trojan
Score
10/10

behavioral27

discovery
Score
7/10

behavioral28

discovery
Score
7/10

behavioral29

Score
3/10

behavioral30

Score
7/10

behavioral31

Score
6/10

behavioral32

Score
6/10