asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

urls.zip
Size

43.3MB
Sample

250409-j8kncavlw9
MD5

5cefc528c37f11068f27d882b6a3e504
SHA1

3149727d08e7ff917864586d855e6291feff88e2
SHA256

a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256
SHA512

458e62eb767971fba935090f5edce0494c67774c0cd2a9a25f1670be77871606eee4b190b610b5977af8d0e64eefa063a018ebf1c953229774795ee160d19db5
SSDEEP

786432:cnL92A+kKV8jXv9FlamoEnuVxxOzTRMq5vfFVEu92scOGMycfOkeSxiY+El2usvs:cnL1PkyXvTweuVrOSq5ysROkM2Uvs

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

85.235.74.64:8808

Mutex

7yds7qDAzvmH

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

65.109.33.151:7666

g574h9hd9.loseyourip.com:1605

Mutex

xPSPu8uFVOcl9Vzx

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7489241322:AAGq_LvlBfZeerXR2im9ji5u9t22wzfpoqc/sendMessage?chat_id=8123259652

aes.plain

Extracted

Family

redosdru

http://cfejb.img48.wal8.com/img48/547795_20160531214058/146599473159.gif

Extracted

Family

lumma

https://supplyedtwoz.click/api

https://ripehungryde.click/api

Extracted

Family

meduza

Botnet

SEO2.0

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
SEO2.0
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Extracted

Family

vidar

Version

12.5

Botnet

6d7ea8e36c0dacb43ab944072818f484

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ALINAA

youtubevideos.duckdns.org:6

Mutex

QSR_MUTEX_c50LUXwDkjFdsHNXKw

Attributes

encryption_key
IyL3NZsArZqP2e5avVTp
install_name
csrssss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
csrsss
subdirectory
microsoftsa

Extracted

Family

remcos

Botnet

��s�÷d

190.6.65.2:25158

microsoft.bnctechnology.space:36546

microsoft.bnctechnology.space:541

Attributes

audio_folder
?§J?°Û¤ù
audio_record_time
5
connect_delay
60
connect_interval
60
copy_file
Virtual.exe
copy_folder
Oracle
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%Temp%
keylog_crypt
true
keylog_file
Microsofts.dat
keylog_flag
false
keylog_folder
Microsoft
mouse_option
false
mutex
juyrkrgj-UGC846
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
ºI?
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

vidar

Version

12.5

Botnet

e32c7e36b331d3417c4efa7bbd76e7bb

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Extracted

Family

remcos

Botnet

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4RRCFB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104
- Size
  
  7.5MB
- MD5
  
  f5920d004575641148f6d1b7108d330b
- SHA1
  
  38ed6696492bcfc67250e952c25cd93948b0baf2
- SHA256
  
  0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104
- SHA512
  
  db1f6d70e4896c795de66afeb2a4aa53b05bc88407d535028c7edb00f18d777d866c84c004c6a9d42592af0766a9567f54fa3ed49d98f92ebaa623bb3f2daef0
- SSDEEP
  
  196608:cYQCwVzNurErvI9pWjgN3ZdahF0pbH1AYtWtQsNo/03WK:UVpurEUWjqeWxi6rbK
Score

8^/10

collection defense_evasion discovery execution spyware stealer upx
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  0b8b9525ead4b3ebf6e5ba923057432a809d70b8beecb07df329ad23bf5a0c96
- Size
  
  976KB
- MD5
  
  dfe01b4c77de115ff3eb147eb486d5c2
- SHA1
  
  c752fcf0a8f2192571a10ad9f910318c37dae4c0
- SHA256
  
  0b8b9525ead4b3ebf6e5ba923057432a809d70b8beecb07df329ad23bf5a0c96
- SHA512
  
  a82aa2c5b5400c65b1cb71f20c0ad88fb5b3600fdce1a27c4feccdc48e5e9e5880cd39958e5de273b459cd85d12760e60900a74358554f32b77f67362c85777c
- SSDEEP
  
  24576:A9jAtvvDaV2jLmM8LJVYtGY9VnA7x1s1MGTRJ98JuNSJOYeNkC4i/Wb8gmN:BRJ98ASJOxaS+Qg
Score

1^/10
behavioral2
- Target
  
  0bcbf399011c69a1690f596d2b607eb835ea55e7fc9b4e8a160cd49e0713af03
- Size
  
  5.3MB
- MD5
  
  168804a10535acfc01021a74b8d07716
- SHA1
  
  67818df0d6b734dafd885eb717041e37da8a9d0c
- SHA256
  
  0bcbf399011c69a1690f596d2b607eb835ea55e7fc9b4e8a160cd49e0713af03
- SHA512
  
  1bdc3016c9caaf5afacdf2537a82c710bce75fc5c088e7f5ace76fcace355043ec4493762222bf68f28259285d46ccbed249abbc0a2fe62f2330a6149a93f482
- SSDEEP
  
  49152:a05yrkuG6WwwctHu1s/gAufgfHyZOZtIvAsIticBd2wOHYyTjEcW9CyPVhL9zffj:aSzuGgR+s/gXYfy+sI3cSJHz0q6
Score

10^/10

vidar e32c7e36b331d3417c4efa7bbd76e7bb discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7
- Size
  
  32KB
- MD5
  
  325adebdd9f8c27cbdb7a0f8674469f4
- SHA1
  
  aec054d040cf107f43b480e00c0a86ae4c7b5b76
- SHA256
  
  0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7
- SHA512
  
  137d81da8400a5c79d4eab0cef9e77d2403f71c4d89cbbc1cf7c880c1ca477abfc74380ecdbcd7620aa10137f201e406cd4c09ab4e5e671f999790c87b87a5d1
- SSDEEP
  
  768:JpOkcFeazzw/6QIu4RJg4/F7e1gXkMGsosihCxLiNADHAgN/9VOhl:DOdFBA/6Q4RJg4/F7e1rMTXDLi6LN9VU
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
- Size
  
  5.6MB
- MD5
  
  66a9fe0ffb298b4c4c390dee3bc534e9
- SHA1
  
  5dc498039926c0c342c536d3cccf1e5c1dd752d8
- SHA256
  
  0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
- SHA512
  
  a8a8c2674744069531908b69384a1a03b38991ddbabd2a0d5908add292796e0ca4ed6c16a0867d1af0e200e4b203d6d1e41b6639ba6e6df276e43bbfc262ee36
- SSDEEP
  
  98304:WDEBe6aA0c5ZUYKjYXC3UdKep9y1X+bEszBfhBVnTknrqkqXf0F9+KH4kpc+DX/P:W490cbzyEdKepwIb5zBXVnT02kSIEKYK
Score

10^/10

discovery
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
behavioral5
- Target
  
  1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8
- Size
  
  3.7MB
- MD5
  
  68b391cb055223f2693bd70eed0bb6ec
- SHA1
  
  70140b9329ef88d5612ada836dac3bad7fdff833
- SHA256
  
  1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8
- SHA512
  
  ace93dbbeb5c3aac3a045ee9478598e40057e07ffad92a41421a0e6bd1d32528950032c0b781343991160ec5f1e371ad79b44b29c3cf69a4618ee63db9e32b44
- SSDEEP
  
  98304:m6Yz0Nw2/UjBP206DrDasW4/pZ0g+jBu3T:qINIj433ncjkD
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral6
- Target
  
  1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed
- Size
  
  1.7MB
- MD5
  
  0cc5dc97283bfeee413467481e6822b4
- SHA1
  
  e60240c37dc62b6ae1795583cab43dc10bb9dce0
- SHA256
  
  1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed
- SHA512
  
  e2794ef5d4abb23ba09ad1e9884c0463dff0ac43608f1b30053949727fafdca957ad2980bb43f655940eaf215f0ac52e37f90369aa621033b4c775875cc008b0
- SSDEEP
  
  24576:9lXvnqqFQJLYYC2TU6oH+gyFlbUscwL4ie+JwcIKIgYbK1uV9279NAl5Q9AxJ//F:zfKq0lbUscwkp+jmcVg3Uha
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral7
- Target
  
  1ac9b17068a19f093e347bafa92112dc8f1a935ba176aadbf58e57f35e4beed7
- Size
  
  8.2MB
- MD5
  
  e4fadec5b188419bd211e44fd9390553
- SHA1
  
  4511db0d03e3036a8007bdc2edd6dfd330d22ac1
- SHA256
  
  1ac9b17068a19f093e347bafa92112dc8f1a935ba176aadbf58e57f35e4beed7
- SHA512
  
  c4105b51ec6f7e33ff72350c5b6a841da4edbf7b34f9edf878658fe506af3fa49eefb4196e6cf1423f42789b7a98e30931dae27986c7ee7ab7a3cc9f6accf83a
- SSDEEP
  
  98304:62SiUluTRGIurErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJocSpXqjEBKh5:6RkurErvI9pWjgfPvzm6gs/SEjE44fri
Score

8^/10

discovery execution upx
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  1be6fdb2df40e128e25bd4959ae3fa83c634ced9f51ab2994c209dcadc9adde9
- Size
  
  962KB
- MD5
  
  537a48917e6a989d2670d2e8c16d8ae6
- SHA1
  
  aed910a754a7a6142ba008be84519fce2e4048a7
- SHA256
  
  1be6fdb2df40e128e25bd4959ae3fa83c634ced9f51ab2994c209dcadc9adde9
- SHA512
  
  cb7ea19a27e355cc923e88abf44a8e4e99f5505c2ffcb90c1a9d8a27bd4ab69eca197e33a26563df74edc38cd44a53bfd01f7bfe168b654bcf79f243a42febf4
- SSDEEP
  
  12288:JUWa+xLShYrHJhP669jTLA8qVyTsYYUfnEBiTguMu/duCnAAq982xklWinP7BTsx:Rx4YrLLRTLFmuB17wkXTJZZhj0Mn49
Score

10^/10

remcos v6 discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  2bbbb9b0cdbb3a1f26ce3357d9119edf008e4894c881351f89989a67d0a192b2
- Size
  
  388KB
- MD5
  
  f12d4e2433c71141f74d0d2daaa58e65
- SHA1
  
  54074f62b7d490f23d43e016a23cda14fbcf46ce
- SHA256
  
  2bbbb9b0cdbb3a1f26ce3357d9119edf008e4894c881351f89989a67d0a192b2
- SHA512
  
  2e3e2a1b372737cb666e477b60a66f6e835e105300c6adace4e09a328b7fc4bfc5cdf9c1ca18c48bb1b5e6726e65c9f7db8e5cfe9cccab341030141b8a28d062
- SSDEEP
  
  6144:C5+tFTHqFP74ZmbkAcVI0zkjLws+NC3AVswW6gt6Q2u9Eqkj92BckQ:PtFTHqFdkAQzkjLP0C3Ksy2kj92BcJ
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  2cda90e9e87c9db37ba5015909a7efb45fbe3a351ec9ca7a5359204e801dcb33
- Size
  
  194KB
- MD5
  
  fee99bf0086921bdac7c3b2c9b9a0615
- SHA1
  
  966e97390d1ea49e4b474d18011625bd3036cb40
- SHA256
  
  2cda90e9e87c9db37ba5015909a7efb45fbe3a351ec9ca7a5359204e801dcb33
- SHA512
  
  005794fb686125ab90dbff4422973ac4a376d6facd3d4e484a9617ce73727f01660e61a61c2a4215c5b1d724253e413989792dbb5b6accd225f12f8f0e0d3b76
- SSDEEP
  
  3072:WUwhUxDRwEiRLL8o3hXcODPJKGBt3ZXHpcGH/qC5Y:W7eDHidv3hXzJ5BVZXJcGHCz
Score

3^/10

discovery
behavioral11
- Target
  
  2d58b1a3735269002d5499c67bd32c3b800fd1c44ca78d19ac3d21df84832faa
- Size
  
  3.2MB
- MD5
  
  1b2b87de7549f186e86c2b03c9860cd8
- SHA1
  
  5692dfe0616ef404a1f174020ec8d2e49f2a1894
- SHA256
  
  2d58b1a3735269002d5499c67bd32c3b800fd1c44ca78d19ac3d21df84832faa
- SHA512
  
  c262e92d36ab170da2a228a10b94f3d3f0ca5e339bbfce72cb8c7640a37400b9aec7035098c18f6fee09e40a570ced6696c626cc6ee7d97ce8e4b5651c107c73
- SSDEEP
  
  49152:xGfWc3XII5HuPqI1MSz4p1FXUbeWnyeyZILXGhl392ao2ATFJ9JiabEGohnOWwLZ:+Y106uex23NlVApJGaQnOWsIc7qXjc
Score

5^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral12
- Target
  
  2e966d34801be95eae9a7f1dd5efe3885c234c473d377185f3b7af4dbbb99d2e
- Size
  
  1.6MB
- MD5
  
  fc7ba2336d7a69b388a1b103f2db8eee
- SHA1
  
  260c49e336bf3aaaba4cd49c0223a200730d3817
- SHA256
  
  2e966d34801be95eae9a7f1dd5efe3885c234c473d377185f3b7af4dbbb99d2e
- SHA512
  
  4fd2f24b99ab253579620a31565b231d3f5d2598381f5d988504468eed5d7ec560227509c571e8feb0b838e739777015b296ae045610f5767503302569f78670
- SSDEEP
  
  24576:DLILY8Xu/3y8UsG2BgYLicwnkyCHdebUKyZURQ1TgjTm:EYrC8UsGuTw3CHdeQKyZURQ1EjTm
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  3a0297561d1cab1471cd84e4c5308f19a9a33606784938235c7ff2eaa85d001c
- Size
  
  2.6MB
- MD5
  
  a45a9d7f9d4fc7eafd45f10eae62ad88
- SHA1
  
  6955187b25889fc75d42a0a84af97c6e071eb7cb
- SHA256
  
  3a0297561d1cab1471cd84e4c5308f19a9a33606784938235c7ff2eaa85d001c
- SHA512
  
  c9858c03cb5166e12b513df7cd328a25b27bbb039cea295077f0b0cc01789c8e591ec0e63c42c56994d4f18bf8690fe3f1db55d21440af820a8b6414b14b0ab2
- SSDEEP
  
  24576:V9L8hJZ4uB+Ch0lhSMXlNnx1BLuAeQcYgHHd4pcT15Q:PL8hD4au93BLuXQtgn2f
Score

10^/10

meduza seo2.0 stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral14
- Target
  
  3a90ad325806107cadbd87ed4825ff967c3535e74433ab04fa6ff30b512b818d
- Size
  
  55KB
- MD5
  
  e021e3e1283f86e5fced161a2caae6c9
- SHA1
  
  971ed137acb51b38e80412a1752873308e0cbb28
- SHA256
  
  3a90ad325806107cadbd87ed4825ff967c3535e74433ab04fa6ff30b512b818d
- SHA512
  
  4642ef34cdc44f3f90efa7c9c86298442e77fff289e5ee99c38151bb1c8cd0017d92bfb765f440f71c5856f930c84d28b62748aa320a20083c8a4b5861dbb2ae
- SSDEEP
  
  1536:LvwIMUkn5lRjATpx6GWT4T/ajfAsLs99ODBL7:zJknVKucT/uf9A9IdH
Score

6^/10

discovery persistence upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15
- Target
  
  3e76598b8086857c38e2016dc729fa4879136e46b6f5962ff0b042ef35666b50
- Size
  
  47KB
- MD5
  
  8fbb452d641fd2e758b3dc329cab4e5d
- SHA1
  
  5e450b9286b9ed2a496e7736624c0a955eccaa5b
- SHA256
  
  3e76598b8086857c38e2016dc729fa4879136e46b6f5962ff0b042ef35666b50
- SHA512
  
  73987c398747ff3e0343ca297580030d6afbfba91d779db121b2949f8ba0965386217dbf5922b507801275559562952f6bd7e6b8fa352c1cbc2239bd61030e1a
- SSDEEP
  
  768:Vu42BT3v1gbWUnUa6mo2qRptoa819kMy6kPIHaKqOtE0b2e3D5mWpnaCJAlhHBDn:Vu42BT3Nj2SObfHazmb2e3NHJ+vdfx
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
behavioral16
- Target
  
  4a5b5eb5a4e1ba423df24c110fc43f7b3428d2126e99fd9c170b9dfb2baf7236
- Size
  
  427KB
- MD5
  
  03e902a46625ad87713cdf2d04d4d05b
- SHA1
  
  1f0a4f0d8aad592ac799bb2248f018f0fd84f99f
- SHA256
  
  4a5b5eb5a4e1ba423df24c110fc43f7b3428d2126e99fd9c170b9dfb2baf7236
- SHA512
  
  e8f352de685aea2560c2b6082ffc41f2935b04236ac84e37de0b083006a2f98214147fbba35ccc49c4e4cd61d56088e99db36b40b75fb1b5851026fd37ef093b
- SSDEEP
  
  12288:F6UT+Wr2tQHkO+8d7zg/GZ1h8/SZN8IRnJ:8Unr2+HkORd7zae1hYIJJ
Score

10^/10

vidar 6d7ea8e36c0dacb43ab944072818f484 discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  4b482e8492e8c1943330745899214b29bfd2582000371243400d854838dfb88c
- Size
  
  2.5MB
- MD5
  
  00ba12848375131325b23c2f4702f734
- SHA1
  
  a861409df382894ad7a5ce066d61b409eb67b28e
- SHA256
  
  4b482e8492e8c1943330745899214b29bfd2582000371243400d854838dfb88c
- SHA512
  
  e87a899aeb01d626b66a0a3cd6545cb4cb4c2ab7889db8870872312103d83c4a9baa19bac9ed637bb48753a2f28f898c4dcacc32e045460026bd4b9e7ae3fab8
- SSDEEP
  
  24576:+lc5ixEriBL+3y1njfVpgqO6x+xGUFyZHcLe9OX+ha1LgSaNXETaR8y3HRDCxkMs:+Op3yn5hO6OCuHXpUJhDCxfYXfYPW
Score

6^/10

discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral18
- Target
  
  4bd46a2850788e5697d214dd4409c063b6f9c38c886443211f22fb0ff19bff9c
- Size
  
  46KB
- MD5
  
  bd47ff3ae17aacbd17321862a8c50985
- SHA1
  
  dfa34d645da8b4910e3fdf523622896ca54ad4f5
- SHA256
  
  4bd46a2850788e5697d214dd4409c063b6f9c38c886443211f22fb0ff19bff9c
- SHA512
  
  7dceaf12ca5532ba848be31f531b761549390dfddcc419f81e036509045f5c6ca432e136e77f472ff8109e9a49d7f4445beffce7fca6b418d666f2ec3e6a87e5
- SSDEEP
  
  768:1eobj+cKJNNn1cBsecfc6hjMeISgFEPa9cAN66iOCh4zjivQx:1Nbj6rrLEUMFJ9P06iOC+u4x
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19
- Target
  
  4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a
- Size
  
  1.2MB
- MD5
  
  00f33641a6c78c9e2330100a28c4a37c
- SHA1
  
  31cee3fbe5a130c52145919c4bb903125069fa08
- SHA256
  
  4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a
- SHA512
  
  ecfa5076f26ad9f13b23a7bfc78c533eb01c2e6cdf4590fe1cc4790697377b7e3b11c9ed2e5f5b9bd7f5bc6fa104f6ca83145249b159a00c203beb27a6c51f3a
- SSDEEP
  
  24576:Cct8/gOkwvlKtq0p/QXA7ipUtHb8Gzg4etPxMLToY9AzqAPWMaGzs1Db:C5YsvCq0pkA7ke4GCITo2ocj1Db
Score

10^/10

quasar alinaa discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
- Size
  
  1.3MB
- MD5
  
  3b921ff1f40f6c6182e84a476152aaf3
- SHA1
  
  19db03733444cca5868939074c002de3d4b10948
- SHA256
  
  4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
- SHA512
  
  2546f5d93d5e9a87416d880cad06a95275a9c441aef6481f5fd74cba8ecfe45d29c4486f2593f9567d5aa3e3d88eeaaf89b15f26da31f91cf869cfdb303c7ccc
- SSDEEP
  
  24576:V5ZWs+OZVEWry8AFaxtFyar0HteJyUt/1T7fQlbNW6AVDnSwRC4envs:jZB1G8YYFyaQW/1v4QnSwRC4Uvs
Score

10^/10

remcos ��s�÷d discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21
- Target
  
  5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283
- Size
  
  83KB
- MD5
  
  299057a5ffbb5e70f8514df5f9796b9e
- SHA1
  
  c9eb1364dd1220c074af581343b636995eea4288
- SHA256
  
  5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283
- SHA512
  
  7b898cce4b6b252fa8b7bb5be36fcf98c191e59de655fcb2733f5263adc53ad06c0fb094d7df29d6cb872825c2e0d92ca1b2509519ce9ab317804bf949ece4c2
- SSDEEP
  
  1536:yAMfrTX01OrGpRZNdbv66Claewnph6Nu3qdMhXWxZiXQv6Qd+FUf9bfNhExjDkOc:ZDewnphbwxfrff9bHEhDkOed
Score

10^/10

stormkitty persistence stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral22
- Target
  
  5b25182d96ac6fca82ecb8f99198295f45bf8fceea3fb196beb2a4e7bc862714
- Size
  
  1.0MB
- MD5
  
  7e81e8492efb9fc3c9659110dc086afe
- SHA1
  
  7fa61b56f596e96db069874559f2c295615397f6
- SHA256
  
  5b25182d96ac6fca82ecb8f99198295f45bf8fceea3fb196beb2a4e7bc862714
- SHA512
  
  d9e6336e5d22e6b7360118f40d8badc5d8390faa40c0bcd1c59ef1fd4a5d993acd59512b1d3cf5c0b8851dd1c59f055d6bf25b5ec1d3f9fcd6a0ea323e575390
- SSDEEP
  
  24576:H8RhrEtJNzrcPxtakUuy5OKwId/mz6tXn/xfg1drcUl4lbHK3:c6zrc/atMK1dfHy/kbHi
Score

7^/10

bootkit discovery persistence privilege_escalation upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral23
- Target
  
  5ddb366eada77b037e23b02034be67099372dad8ab32668381290af66ec4ba46
- Size
  
  2.9MB
- MD5
  
  b6455b6022597cddedc2582c4f271fd6
- SHA1
  
  fccc9287d1282c769404def9208209cc3fc7aa6c
- SHA256
  
  5ddb366eada77b037e23b02034be67099372dad8ab32668381290af66ec4ba46
- SHA512
  
  f95d68f9fdea73f300233dd8d382266b068cfbfd311a9e286ccfe451e0aa5746217e45316c8b425bd86f85ea4bb43497e000496560b800a8d97d5318c17984ec
- SSDEEP
  
  49152:lr1u1vvor6PLJKC0vqVIF/iqAifgTggtXEfCpSEYBt7beRJlUw/sw:lZsHomP9KCzVI7AYgcgt0fAmt7C7l5
Score

9^/10

bootkit defense_evasion discovery persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  defense_evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral24
- Target
  
  5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc
- Size
  
  990KB
- MD5
  
  88d6b61f9b307ca1ba9aefbe413ca028
- SHA1
  
  0a67ce5a5f48652547563812911b2d94418a0dcc
- SHA256
  
  5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc
- SHA512
  
  36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf
- SSDEEP
  
  12288:DpqiC/2OGAtkCP4cejGSOpRK3CnIiCSsPKplohwrsclnn:Dpo/2+ttPJLfpRK3CnHCSoWuUsE
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral25
- Target
  
  6e0c9935ea61a09f4ced2b9a871b5f21b637a7979b21aa4ccb490a9442182865
- Size
  
  155KB
- MD5
  
  830f6068c5612b827e0bb600b1ac688e
- SHA1
  
  4fb031f28b286a7cacca2f27cb254d8169a345d9
- SHA256
  
  6e0c9935ea61a09f4ced2b9a871b5f21b637a7979b21aa4ccb490a9442182865
- SHA512
  
  e5162fe2c16792ee375f3b0c00095ae9c5ff2e4775944484bf3472b9e93c75b4124b5237397183613d20a3159c04afa6cb99404aec42e5e6bcd674433bd2ddc4
- SSDEEP
  
  3072:NKaVJNOe2J+ypc8TXWvHxqBuedLX6LYxmVsu1edEYdY0z:7Oe2J+yK/0kGXVxmsz
Score

1^/10
behavioral26
- Target
  
  6ea27426ff47b4abd8a8e53f7d3452c981aa6fe86ca07ef15e45f6f8fcae3108
- Size
  
  648KB
- MD5
  
  0c75de86a09f97e62d23ce9f1d249f83
- SHA1
  
  32b0608d5f113e55fc94684362a03ab834043663
- SHA256
  
  6ea27426ff47b4abd8a8e53f7d3452c981aa6fe86ca07ef15e45f6f8fcae3108
- SHA512
  
  0148478dbf00c26bae2fc17068e2f35c2a7e837afbee49998f14ee644ce9cc0f5498ee2a31573cc4ac91a1225528b50b4f2b16e2a4731752a2911f602914582b
- SSDEEP
  
  12288:BLUkEKpU/uVjayp6kr4HsYlWctQayI7vTG9:BLUkEKpU/iayptrnYsQQ07
Score

4^/10

discovery
behavioral27
- Target
  
  7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2
- Size
  
  1010KB
- MD5
  
  eb217b0ac055b81266b477fe13e1676f
- SHA1
  
  5347d74cd3021717c3d67105648f325613df0782
- SHA256
  
  7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2
- SHA512
  
  6f38c118961844c7afa13bfe81a6d40de90bee23f5933a6949495db66a196372b224f676a6ecfca135fb9e6666e2b096e27b1be33adbf95cbed2c89361af8c38
- SSDEEP
  
  24576:OA/GdQEfRiHN7iaqCavgYCkS/Tfc8DvGyHa/d:OqEp6tKyX/TTHe
Score

8^/10

discovery
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral28
- Target
  
  7db9e09e8bdcc45eafbb75b83d57503d11bf54d96c9eaa003fe8e5d518180571
- Size
  
  67KB
- MD5
  
  68c1a11c3b278674153e3a5dfd11c29c
- SHA1
  
  d9f33a6c4e38e2cee1f9991cdbaacb4fab2e5321
- SHA256
  
  7db9e09e8bdcc45eafbb75b83d57503d11bf54d96c9eaa003fe8e5d518180571
- SHA512
  
  c06fcca8e8f79eeb1e57745dbdf6d7c6cb2ca2fe1c44f737302e0b8608543471fce0980fcd5e414bb49a42ac0c8c67b699d0f44b654763dfb80b248e878b538d
- SSDEEP
  
  1536:wKdHN/yjGAMA0+IlzSxDyqPnas96z+XcvjQ/6rnIpF1:wYN/yGAWlz5qPnas96z+XRUnIpF1
Score

3^/10

discovery
behavioral29
- Target
  
  7e9af10bfe8e1ea19c39fa70805bdb1fcd14015fc9d15306635fdf65413dbb5a
- Size
  
  376KB
- MD5
  
  bff31507a03f149e555e0b5bc53b269b
- SHA1
  
  fe7db257c1542ac1c7fdf056d925a19289f7edf3
- SHA256
  
  7e9af10bfe8e1ea19c39fa70805bdb1fcd14015fc9d15306635fdf65413dbb5a
- SHA512
  
  d332827ccce5a73de8f427a8ee60c71a2eeed90ef62eb85efc7a12966a703d11649e67548e0de0e4c68d652ae2736bbe7324ce038c6a93d535ad2cb0246b864c
- SSDEEP
  
  6144:FOWofT8xZDm7pp0ZavtMYKdeNesPP5JDfKl17ZzRgEZBwHLCHKoZuaVpDTjVZkQ:Lo8Navt8de0sZFf217sEBwriZuKlXHJ
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of SetThreadContext
behavioral30