Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe

  • Size

    49KB

  • MD5

    50248697e19117027d4823c6a3be6db5

  • SHA1

    fb81c35ffe11180c1d6269006db2fc775eec4741

  • SHA256

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e

  • SHA512

    abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed

  • SSDEEP

    768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (8302) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2

• • Target

    14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe

  • Size

    87KB

  • MD5

    d77f7e460e5036f65677b24ed24c2dff

  • SHA1

    053afa00864c3c0c896e48be382436c417cabb34

  • SHA256

    14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3

  • SHA512

    f447b9b9a60f7a6fddd137a228efc7c056b989c698c85c30e6eda7c3b3990fb7a82fe2387b8fb8ee38d21704f9924a989a2a87f1d34badf20a3c89a2b9dfe3b9

  • SSDEEP

    1536:1o2ECd3kfHr9PZAKodFF2QRa/oDc10QxsSmCDo/PjsXMbyxFmwYSDfgCso:1oWd3kfr9P5QRaADc17xAKRjFr4Lo

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Chaos family

    chaos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral3behavioral4

• • Target

    2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe

  • Size

    70KB

  • MD5

    193e702195e8ed5c50cc482569559462

  • SHA1

    47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c

  • SHA256

    2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e

  • SHA512

    d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35

  • SSDEEP

    768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z

  Score

  10^/10

  nefilimdiscoveryransomware

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    ransomwarenefilim

  • Nefilim family

    nefilim

  • Renames multiple (180) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  behavioral5behavioral6

• • Target

    2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe

  • Size

    42KB

  • MD5

    790cd1ca1e1e862544d527a807a1e6b1

  • SHA1

    2ee282a9f6158b0e60bf338c1e354e4667bc36b4

  • SHA256

    2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec

  • SHA512

    b1c3e537e30f7e8fb53a0303b446bd1c4171b967d2365509f9ecdefcc924ba2e58ff7b67c346f727ab0ec240e953b2a374eacf7cd38944e66aed529b5b00b20d

  • SSDEEP

    768:zqj7UWPjjkzEr9npTQi/zRUNWv39Hf6F0BkfLSV3F8Ftqel59CHAOLw0:ej7ZjjkzEr9npj/WN4/6F0BkDSGtqeLm

  Score

  1^/10
  behavioral7behavioral8

• • Target

    2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe

  • Size

    2.0MB

  • MD5

    d42d34d87e404aa93862a40e997f8f6d

  • SHA1

    8ea71ea5177d46c9feea0e1cd19069a3441e1758

  • SHA256

    2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea

  • SHA512

    3d17176d804b555ff1ad180ec789c73012512bfa87732d39c9927a0b9a87051fb2e41923326cf12af3cfdaacee95ede6b63f704f565accebe4d5b08fd08ccb3f

  • SSDEEP

    24576:w/iIzkQF+KpPnF1Fx+CszLyQ9lkxIQVki//47JhUhio7Z6OI93lGFtPtnNON+IjE:whBPrElwNkto7VINlGFtPtnwjjOaHo

  Score

  1^/10
  behavioral10behavioral9

• • Target

    34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe

  • Size

    92KB

  • MD5

    21c2b2d0bfc15b3d4bc72263f9db5547

  • SHA1

    9f65f98ae2b418425a1d98b8d86bef88edab4d7c

  • SHA256

    34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea

  • SHA512

    aeeb64dc1130f6e5ccf6ab9abedf01e2a59e149f4897a44b02c32f816ddd1d1698a59447f7ce03dab966972f7714977b49f4b7e0fd258b0bedd936ac1926060a

  • SSDEEP

    1536:lBwl+KXpsqN5vlwWYyhY9S4AE4SLlaSXrgKcQ48bcWHpOZ2yr+e72eIGZZyb1j:vw+asqN5aW/hL6dhamQoBU4yTi17j

  Score

  10^/10

  dharmacredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Dharma family

    dharma

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (319) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral11behavioral12

• • Target

    37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe

  • Size

    1.3MB

  • MD5

    af24c3030002d1487c6455fdb1a09eec

  • SHA1

    72732ddefce71c13297df596267260a5d8e892f3

  • SHA256

    37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c

  • SHA512

    470a0cf695add143555eaa45f3fe5c462edb1cea2cd1589b19f55029b488fae58da2bd588bf79cdb16eeb4518bc7b7189eba764d611d008b1b27145ca0e8a2e3

  • SSDEEP

    24576:Auh7HYGSWwFda6lBbXUqcTGKcr5YrcRBlBnNmkE9pneHiAvuQnL1mp/DVmu6KUi0:Dhkkw7LNNmTDqnRmJDx61i0

  Score

  10^/10

  pandastealerdefense_evasiondiscoverypersistenceprivilege_escalationransomwarespywarestealer

  • Panda Stealer payload

  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer

  • Pandastealer family

    pandastealer

  • Renames multiple (497) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Modifies Windows Firewall

    defense_evasion

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral13behavioral14

• • Target

    3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

  • Size

    80KB

  • MD5

    e3269531cf93d040b08074bfb31b72a0

  • SHA1

    45b6d89dcea02cc90ae054d72ec80a2eb1036a7e

  • SHA256

    3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859

  • SHA512

    e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0

  • SSDEEP

    1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs

  Score

  10^/10

  blackmatterdiscoveryransomwareupx

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • Blackmatter family

    blackmatter

  • Renames multiple (196) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral15behavioral16

• • Target

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe

  • Size

    44KB

  • MD5

    7977bc8781a00875b4d465bc2a90d5d4

  • SHA1

    9f4b2858edcff694fee76636bf8cf33a366fc237

  • SHA256

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

  • SHA512

    245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

  • SSDEEP

    768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH

  Score

  10^/10

  chaosdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Chaos family

    chaos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral17behavioral18

• • Target

    4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe

  • Size

    1.9MB

  • MD5

    4f85eec9e23dc664c814cea272dcd5b8

  • SHA1

    4eda594a01aee9622604924ffecfa9dbd6135bc0

  • SHA256

    4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f

  • SHA512

    97fdf815bb43f7fbfff03b6ca9e7a94d72a17faa0667091951b0be2a1ea3757f6f051e16c9a583f808b5df3fcbea525c570729b120499d1a47c530c7f179db18

  • SSDEEP

    12288:6s2cBCtdB3+j+3EEQ5NX2l0Y/iaJDdI+VrzrzzczNzzE:6s2Jtn3aOEN5NX2l0Y/iaJDn

  Score

  3^/10

  discovery
  behavioral19behavioral20

• • Target

    5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe

  • Size

    54KB

  • MD5

    1f6297e052951ae79aaec997dbb202d4

  • SHA1

    ab27665f5b886bf553b2c9a91c65e2abca5c1d01

  • SHA256

    5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c

  • SHA512

    4cf533b824503cd1783f583c9f100e67f84578afac31b7b2b1c23192f4504d457ae7f522d53c40b62b59daafd5ad92580a9b67baad612f20f74d6712c8e94e00

  • SSDEEP

    768:/z7z/zxACAm8YHxxSoxS1RKRQGdGGdnQN4L6hhho9h9qfP821824x:/zp8dGdGGde4L67q9h9qfETXx

  Score

  1^/10
  behavioral21behavioral22

• • Target

    55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe

  • Size

    56KB

  • MD5

    4ab785bba778bd582b33baeac2cc9c22

  • SHA1

    23db0ae4d5b7b4fe8698583e25e50e1b89cf9411

  • SHA256

    55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715

  • SHA512

    916cc0d2e0e623a897d4d515e2148c0b08dd3c308b27b53032def045eafbd625ac2031fd5713e055f4f323a840ed534aaaa5da06586928cc2dbafb46cb276955

  • SSDEEP

    1536:bNeRBl5PT/rx1mzwRMSTdLpJyCfPAIotcQ:bQRrmzwR5JyNO

  Score

  10^/10

  phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Phobos family

    phobos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (327) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral23behavioral24

• • Target

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

  • Size

    42KB

  • MD5

    abb04a0418be9cc4618f393d7fc9d76b

  • SHA1

    dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b

  • SHA256

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659

  • SHA512

    f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b

  • SSDEEP

    768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (2799) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Drops file in System32 directory

  behavioral25behavioral26

• • Target

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe

  • Size

    57KB

  • MD5

    a6092621b7db8dc1f2c1f93a9a7ced9f

  • SHA1

    d4fd035605baa14375c9a59a93849b959df36bc4

  • SHA256

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4

  • SHA512

    380318805a8fbed4b6e4a1270c697116de2b5a562bace4ab857e653dae5b319a5ace3a90c02f3235d6a95eec996a6632335c01df55136f051c13a01b82a5f4a4

  • SSDEEP

    1536:RNeRBl5PT/rx1mzwRMSTdLpJOycgw04NxJ:RQRrmzwR5Jhcg74L

  Score

  10^/10

  phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Phobos family

    phobos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (318) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral27behavioral28

• • Target

    606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe

  • Size

    362KB

  • MD5

    7c3f60037ac11106ab2994058cc553c9

  • SHA1

    1a7c827670c46bdc90691605f974e7d7a0941fb1

  • SHA256

    606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4

  • SHA512

    c1e2e4bde4b1a4a739ba9408b90b4e088cd7a55f1b7595f99154a6aa0ce98ac0543f8f629aece802f21856301bac6e1b0c497eb8ea46fc0f5ba5c0afec04ae45

  • SSDEEP

    6144:aNkgpZOuI7Am6xeTH2kxEiG68N/xc2iPpz1TumNf/qP+7WzQ9qsNlN:rgXOvIUTVmxUP7lqP+6zL2

  Score

  3^/10

  discovery
  behavioral29behavioral30

• • Target

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe

  • Size

    71KB

  • MD5

    8f033c07f57f8ce2e62e3a327f423d55

  • SHA1

    57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

  • SHA256

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

  • SHA512

    f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

  • SSDEEP

    768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

  Score

  10^/10

  chaosdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Chaos family

    chaos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral31behavioral32