Overview

overview

10

Static

static

10

0a36d74a14...04.exe

windows10-2004-x64

8

0b8b9525ea...96.exe

windows10-2004-x64

1

0bcbf39901...03.exe

windows10-2004-x64

10

0e5e999136...e7.exe

windows10-2004-x64

10

0fc0de254b...ce.exe

windows10-2004-x64

10

1a47c4fd5a...a8.exe

windows10-2004-x64

7

1a6ed538d9...ed.exe

windows10-2004-x64

7

1ac9b17068...d7.exe

windows10-2004-x64

8

1be6fdb2df...e9.exe

windows10-2004-x64

10

2bbbb9b0cd...b2.exe

windows10-2004-x64

10

2cda90e9e8...33.exe

windows10-2004-x64

3

2d58b1a373...aa.exe

windows10-2004-x64

5

2e966d3480...2e.exe

windows10-2004-x64

7

3a0297561d...1c.exe

windows10-2004-x64

10

3a90ad3258...8d.exe

windows10-2004-x64

6

3e76598b80...50.exe

windows10-2004-x64

10

4a5b5eb5a4...36.exe

windows10-2004-x64

10

4b482e8492...8c.exe

windows10-2004-x64

6

4bd46a2850...9c.exe

windows10-2004-x64

10

4cca8b360d...0a.exe

windows10-2004-x64

10

4e31114ffd...f7.exe

windows10-2004-x64

10

5ac2fcc4da...83.exe

windows10-2004-x64

10

5b25182d96...14.exe

windows10-2004-x64

7

5ddb366ead...46.exe

windows10-2004-x64

9

5f1364d246...bc.exe

windows10-2004-x64

10

6e0c9935ea...65.exe

windows10-2004-x64

1

6ea27426ff...08.exe

windows10-2004-x64

4

7dad12bd22...d2.exe

windows10-2004-x64

8

7db9e09e8b...71.exe

windows10-2004-x64

3

7e9af10bfe...5a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    urls.zip

  • Size

    43.3MB

  • Sample

    250409-kbbvlsvl17

  • MD5

    5cefc528c37f11068f27d882b6a3e504

  • SHA1

    3149727d08e7ff917864586d855e6291feff88e2

  • SHA256

    a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

  • SHA512

    458e62eb767971fba935090f5edce0494c67774c0cd2a9a25f1670be77871606eee4b190b610b5977af8d0e64eefa063a018ebf1c953229774795ee160d19db5

  • SSDEEP

    786432:cnL92A+kKV8jXv9FlamoEnuVxxOzTRMq5vfFVEu92scOGMycfOkeSxiY+El2usvs:cnL1PkyXvTweuVrOSq5ysROkM2Uvs

Score
10/10
asyncratblankgrabberlummameduzaquasarredosdruremcosstormkittyvidarxworm6d7ea8e36c0dacb43ab944072818f484alinaadefaulte32c7e36b331d3417c4efa7bbd76e7bbseo2.0v6���s�÷dbootkitcollectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

85.235.74.64:8808

Mutex

7yds7qDAzvmH

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

65.109.33.151:7666

g574h9hd9.loseyourip.com:1605
Mutex

xPSPu8uFVOcl9Vzx

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7489241322:AAGq_LvlBfZeerXR2im9ji5u9t22wzfpoqc/sendMessage?chat_id=8123259652

aes.plain
aes.plain

Extracted

Family

redosdru

C2

http://cfejb.img48.wal8.com/img48/547795_20160531214058/146599473159.gif

Extracted

Family

lumma

C2

https://supplyedtwoz.click/api

https://ripehungryde.click/api

Extracted

Family

meduza

Botnet

SEO2.0

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    SEO2.0

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Extracted

Family

vidar

Version

12.5

Botnet

6d7ea8e36c0dacb43ab944072818f484

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ALINAA

C2

youtubevideos.duckdns.org:6

Mutex

QSR_MUTEX_c50LUXwDkjFdsHNXKw

Attributes
  • encryption_key

    IyL3NZsArZqP2e5avVTp

  • install_name

    csrssss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    csrsss

  • subdirectory

    microsoftsa

Extracted

Family

remcos

Botnet

���s�÷d

C2

190.6.65.2:25158

microsoft.bnctechnology.space:36546

microsoft.bnctechnology.space:541
Attributes
  • audio_folder

    ?§J?°Û¤ù

  • audio_record_time

    5

  • connect_delay

    60

  • connect_interval

    60

  • copy_file

    Virtual.exe

  • copy_folder

    Oracle

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %Temp%

  • keylog_crypt

    true

  • keylog_file

    Microsofts.dat

  • keylog_flag

    false

  • keylog_folder

    Microsoft

  • mouse_option

    false

  • mutex

    juyrkrgj-UGC846

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    ºI?

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

vidar

Version

12.5

Botnet

e32c7e36b331d3417c4efa7bbd76e7bb

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Extracted

Family

remcos

Botnet

V6

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4RRCFB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104

    • Size

      7.5MB

    • MD5

      f5920d004575641148f6d1b7108d330b

    • SHA1

      38ed6696492bcfc67250e952c25cd93948b0baf2

    • SHA256

      0a36d74a1458e8ca334d0c8169ec320e9d7735853a4c0c74660b578a13ee3104

    • SHA512

      db1f6d70e4896c795de66afeb2a4aa53b05bc88407d535028c7edb00f18d777d866c84c004c6a9d42592af0766a9567f54fa3ed49d98f92ebaa623bb3f2daef0

    • SSDEEP

      196608:cYQCwVzNurErvI9pWjgN3ZdahF0pbH1AYtWtQsNo/03WK:UVpurEUWjqeWxi6rbK

    Score
    8/10
    collectiondefense_evasiondiscoveryexecutionspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      0b8b9525ead4b3ebf6e5ba923057432a809d70b8beecb07df329ad23bf5a0c96

    • Size

      976KB

    • MD5

      dfe01b4c77de115ff3eb147eb486d5c2

    • SHA1

      c752fcf0a8f2192571a10ad9f910318c37dae4c0

    • SHA256

      0b8b9525ead4b3ebf6e5ba923057432a809d70b8beecb07df329ad23bf5a0c96

    • SHA512

      a82aa2c5b5400c65b1cb71f20c0ad88fb5b3600fdce1a27c4feccdc48e5e9e5880cd39958e5de273b459cd85d12760e60900a74358554f32b77f67362c85777c

    • SSDEEP

      24576:A9jAtvvDaV2jLmM8LJVYtGY9VnA7x1s1MGTRJ98JuNSJOYeNkC4i/Wb8gmN:BRJ98ASJOxaS+Qg

    Score
    1/10
    behavioral2

    • Target

      0bcbf399011c69a1690f596d2b607eb835ea55e7fc9b4e8a160cd49e0713af03

    • Size

      5.3MB

    • MD5

      168804a10535acfc01021a74b8d07716

    • SHA1

      67818df0d6b734dafd885eb717041e37da8a9d0c

    • SHA256

      0bcbf399011c69a1690f596d2b607eb835ea55e7fc9b4e8a160cd49e0713af03

    • SHA512

      1bdc3016c9caaf5afacdf2537a82c710bce75fc5c088e7f5ace76fcace355043ec4493762222bf68f28259285d46ccbed249abbc0a2fe62f2330a6149a93f482

    • SSDEEP

      49152:a05yrkuG6WwwctHu1s/gAufgfHyZOZtIvAsIticBd2wOHYyTjEcW9CyPVhL9zffj:aSzuGgR+s/gXYfy+sI3cSJHz0q6

    Score
    10/10
    vidare32c7e36b331d3417c4efa7bbd76e7bbdiscoverystealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7

    • Size

      32KB

    • MD5

      325adebdd9f8c27cbdb7a0f8674469f4

    • SHA1

      aec054d040cf107f43b480e00c0a86ae4c7b5b76

    • SHA256

      0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7

    • SHA512

      137d81da8400a5c79d4eab0cef9e77d2403f71c4d89cbbc1cf7c880c1ca477abfc74380ecdbcd7620aa10137f201e406cd4c09ab4e5e671f999790c87b87a5d1

    • SSDEEP

      768:JpOkcFeazzw/6QIu4RJg4/F7e1gXkMGsosihCxLiNADHAgN/9VOhl:DOdFBA/6Q4RJg4/F7e1rMTXDLi6LN9VU

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce

    • Size

      5.6MB

    • MD5

      66a9fe0ffb298b4c4c390dee3bc534e9

    • SHA1

      5dc498039926c0c342c536d3cccf1e5c1dd752d8

    • SHA256

      0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce

    • SHA512

      a8a8c2674744069531908b69384a1a03b38991ddbabd2a0d5908add292796e0ca4ed6c16a0867d1af0e200e4b203d6d1e41b6639ba6e6df276e43bbfc262ee36

    • SSDEEP

      98304:WDEBe6aA0c5ZUYKjYXC3UdKep9y1X+bEszBfhBVnTknrqkqXf0F9+KH4kpc+DX/P:W490cbzyEdKepwIb5zBXVnT02kSIEKYK

    Score
    10/10
    discovery

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    behavioral5

    • Target

      1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8

    • Size

      3.7MB

    • MD5

      68b391cb055223f2693bd70eed0bb6ec

    • SHA1

      70140b9329ef88d5612ada836dac3bad7fdff833

    • SHA256

      1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8

    • SHA512

      ace93dbbeb5c3aac3a045ee9478598e40057e07ffad92a41421a0e6bd1d32528950032c0b781343991160ec5f1e371ad79b44b29c3cf69a4618ee63db9e32b44

    • SSDEEP

      98304:m6Yz0Nw2/UjBP206DrDasW4/pZ0g+jBu3T:qINIj433ncjkD

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral6

    • Target

      1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed

    • Size

      1.7MB

    • MD5

      0cc5dc97283bfeee413467481e6822b4

    • SHA1

      e60240c37dc62b6ae1795583cab43dc10bb9dce0

    • SHA256

      1a6ed538d9ee30c5d1988968896c7028f99b24f43e5abbae96cc63281bcd8bed

    • SHA512

      e2794ef5d4abb23ba09ad1e9884c0463dff0ac43608f1b30053949727fafdca957ad2980bb43f655940eaf215f0ac52e37f90369aa621033b4c775875cc008b0

    • SSDEEP

      24576:9lXvnqqFQJLYYC2TU6oH+gyFlbUscwL4ie+JwcIKIgYbK1uV9279NAl5Q9AxJ//F:zfKq0lbUscwkp+jmcVg3Uha

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral7

    • Target

      1ac9b17068a19f093e347bafa92112dc8f1a935ba176aadbf58e57f35e4beed7

    • Size

      8.2MB

    • MD5

      e4fadec5b188419bd211e44fd9390553

    • SHA1

      4511db0d03e3036a8007bdc2edd6dfd330d22ac1

    • SHA256

      1ac9b17068a19f093e347bafa92112dc8f1a935ba176aadbf58e57f35e4beed7

    • SHA512

      c4105b51ec6f7e33ff72350c5b6a841da4edbf7b34f9edf878658fe506af3fa49eefb4196e6cf1423f42789b7a98e30931dae27986c7ee7ab7a3cc9f6accf83a

    • SSDEEP

      98304:62SiUluTRGIurErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJocSpXqjEBKh5:6RkurErvI9pWjgfPvzm6gs/SEjE44fri

    Score
    8/10
    discoveryexecutionupx

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral8

    • Target

      1be6fdb2df40e128e25bd4959ae3fa83c634ced9f51ab2994c209dcadc9adde9

    • Size

      962KB

    • MD5

      537a48917e6a989d2670d2e8c16d8ae6

    • SHA1

      aed910a754a7a6142ba008be84519fce2e4048a7

    • SHA256

      1be6fdb2df40e128e25bd4959ae3fa83c634ced9f51ab2994c209dcadc9adde9

    • SHA512

      cb7ea19a27e355cc923e88abf44a8e4e99f5505c2ffcb90c1a9d8a27bd4ab69eca197e33a26563df74edc38cd44a53bfd01f7bfe168b654bcf79f243a42febf4

    • SSDEEP

      12288:JUWa+xLShYrHJhP669jTLA8qVyTsYYUfnEBiTguMu/duCnAAq982xklWinP7BTsx:Rx4YrLLRTLFmuB17wkXTJZZhj0Mn49

    Score
    10/10
    remcosv6discoveryexecutionrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      2bbbb9b0cdbb3a1f26ce3357d9119edf008e4894c881351f89989a67d0a192b2

    • Size

      388KB

    • MD5

      f12d4e2433c71141f74d0d2daaa58e65

    • SHA1

      54074f62b7d490f23d43e016a23cda14fbcf46ce

    • SHA256

      2bbbb9b0cdbb3a1f26ce3357d9119edf008e4894c881351f89989a67d0a192b2

    • SHA512

      2e3e2a1b372737cb666e477b60a66f6e835e105300c6adace4e09a328b7fc4bfc5cdf9c1ca18c48bb1b5e6726e65c9f7db8e5cfe9cccab341030141b8a28d062

    • SSDEEP

      6144:C5+tFTHqFP74ZmbkAcVI0zkjLws+NC3AVswW6gt6Q2u9Eqkj92BckQ:PtFTHqFdkAQzkjLP0C3Ksy2kj92BcJ

    Score
    10/10
    lummadiscoverystealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      2cda90e9e87c9db37ba5015909a7efb45fbe3a351ec9ca7a5359204e801dcb33

    • Size

      194KB

    • MD5

      fee99bf0086921bdac7c3b2c9b9a0615

    • SHA1

      966e97390d1ea49e4b474d18011625bd3036cb40

    • SHA256

      2cda90e9e87c9db37ba5015909a7efb45fbe3a351ec9ca7a5359204e801dcb33

    • SHA512

      005794fb686125ab90dbff4422973ac4a376d6facd3d4e484a9617ce73727f01660e61a61c2a4215c5b1d724253e413989792dbb5b6accd225f12f8f0e0d3b76

    • SSDEEP

      3072:WUwhUxDRwEiRLL8o3hXcODPJKGBt3ZXHpcGH/qC5Y:W7eDHidv3hXzJ5BVZXJcGHCz

    Score
    3/10
    discovery
    behavioral11

    • Target

      2d58b1a3735269002d5499c67bd32c3b800fd1c44ca78d19ac3d21df84832faa

    • Size

      3.2MB

    • MD5

      1b2b87de7549f186e86c2b03c9860cd8

    • SHA1

      5692dfe0616ef404a1f174020ec8d2e49f2a1894

    • SHA256

      2d58b1a3735269002d5499c67bd32c3b800fd1c44ca78d19ac3d21df84832faa

    • SHA512

      c262e92d36ab170da2a228a10b94f3d3f0ca5e339bbfce72cb8c7640a37400b9aec7035098c18f6fee09e40a570ced6696c626cc6ee7d97ce8e4b5651c107c73

    • SSDEEP

      49152:xGfWc3XII5HuPqI1MSz4p1FXUbeWnyeyZILXGhl392ao2ATFJ9JiabEGohnOWwLZ:+Y106uex23NlVApJGaQnOWsIc7qXjc

    Score
    5/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral12

    • Target

      2e966d34801be95eae9a7f1dd5efe3885c234c473d377185f3b7af4dbbb99d2e

    • Size

      1.6MB

    • MD5

      fc7ba2336d7a69b388a1b103f2db8eee

    • SHA1

      260c49e336bf3aaaba4cd49c0223a200730d3817

    • SHA256

      2e966d34801be95eae9a7f1dd5efe3885c234c473d377185f3b7af4dbbb99d2e

    • SHA512

      4fd2f24b99ab253579620a31565b231d3f5d2598381f5d988504468eed5d7ec560227509c571e8feb0b838e739777015b296ae045610f5767503302569f78670

    • SSDEEP

      24576:DLILY8Xu/3y8UsG2BgYLicwnkyCHdebUKyZURQ1TgjTm:EYrC8UsGuTw3CHdeQKyZURQ1EjTm

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      3a0297561d1cab1471cd84e4c5308f19a9a33606784938235c7ff2eaa85d001c

    • Size

      2.6MB

    • MD5

      a45a9d7f9d4fc7eafd45f10eae62ad88

    • SHA1

      6955187b25889fc75d42a0a84af97c6e071eb7cb

    • SHA256

      3a0297561d1cab1471cd84e4c5308f19a9a33606784938235c7ff2eaa85d001c

    • SHA512

      c9858c03cb5166e12b513df7cd328a25b27bbb039cea295077f0b0cc01789c8e591ec0e63c42c56994d4f18bf8690fe3f1db55d21440af820a8b6414b14b0ab2

    • SSDEEP

      24576:V9L8hJZ4uB+Ch0lhSMXlNnx1BLuAeQcYgHHd4pcT15Q:PL8hD4au93BLuXQtgn2f

    Score
    10/10
    meduzaseo2.0stealer

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Meduza family

      meduza

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral14

    • Target

      3a90ad325806107cadbd87ed4825ff967c3535e74433ab04fa6ff30b512b818d

    • Size

      55KB

    • MD5

      e021e3e1283f86e5fced161a2caae6c9

    • SHA1

      971ed137acb51b38e80412a1752873308e0cbb28

    • SHA256

      3a90ad325806107cadbd87ed4825ff967c3535e74433ab04fa6ff30b512b818d

    • SHA512

      4642ef34cdc44f3f90efa7c9c86298442e77fff289e5ee99c38151bb1c8cd0017d92bfb765f440f71c5856f930c84d28b62748aa320a20083c8a4b5861dbb2ae

    • SSDEEP

      1536:LvwIMUkn5lRjATpx6GWT4T/ajfAsLs99ODBL7:zJknVKucT/uf9A9IdH

    Score
    6/10
    discoverypersistenceupx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral15

    • Target

      3e76598b8086857c38e2016dc729fa4879136e46b6f5962ff0b042ef35666b50

    • Size

      47KB

    • MD5

      8fbb452d641fd2e758b3dc329cab4e5d

    • SHA1

      5e450b9286b9ed2a496e7736624c0a955eccaa5b

    • SHA256

      3e76598b8086857c38e2016dc729fa4879136e46b6f5962ff0b042ef35666b50

    • SHA512

      73987c398747ff3e0343ca297580030d6afbfba91d779db121b2949f8ba0965386217dbf5922b507801275559562952f6bd7e6b8fa352c1cbc2239bd61030e1a

    • SSDEEP

      768:Vu42BT3v1gbWUnUa6mo2qRptoa819kMy6kPIHaKqOtE0b2e3D5mWpnaCJAlhHBDn:Vu42BT3Nj2SObfHazmb2e3NHJ+vdfx

    Score
    10/10
    asyncratdefaultdiscoveryrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat
    behavioral16

    • Target

      4a5b5eb5a4e1ba423df24c110fc43f7b3428d2126e99fd9c170b9dfb2baf7236

    • Size

      427KB

    • MD5

      03e902a46625ad87713cdf2d04d4d05b

    • SHA1

      1f0a4f0d8aad592ac799bb2248f018f0fd84f99f

    • SHA256

      4a5b5eb5a4e1ba423df24c110fc43f7b3428d2126e99fd9c170b9dfb2baf7236

    • SHA512

      e8f352de685aea2560c2b6082ffc41f2935b04236ac84e37de0b083006a2f98214147fbba35ccc49c4e4cd61d56088e99db36b40b75fb1b5851026fd37ef093b

    • SSDEEP

      12288:F6UT+Wr2tQHkO+8d7zg/GZ1h8/SZN8IRnJ:8Unr2+HkORd7zae1hYIJJ

    Score
    10/10
    vidar6d7ea8e36c0dacb43ab944072818f484discoverystealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Suspicious use of SetThreadContext

    behavioral17

    • Target

      4b482e8492e8c1943330745899214b29bfd2582000371243400d854838dfb88c

    • Size

      2.5MB

    • MD5

      00ba12848375131325b23c2f4702f734

    • SHA1

      a861409df382894ad7a5ce066d61b409eb67b28e

    • SHA256

      4b482e8492e8c1943330745899214b29bfd2582000371243400d854838dfb88c

    • SHA512

      e87a899aeb01d626b66a0a3cd6545cb4cb4c2ab7889db8870872312103d83c4a9baa19bac9ed637bb48753a2f28f898c4dcacc32e045460026bd4b9e7ae3fab8

    • SSDEEP

      24576:+lc5ixEriBL+3y1njfVpgqO6x+xGUFyZHcLe9OX+ha1LgSaNXETaR8y3HRDCxkMs:+Op3yn5hO6OCuHXpUJhDCxfYXfYPW

    Score
    6/10
    discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral18

    • Target

      4bd46a2850788e5697d214dd4409c063b6f9c38c886443211f22fb0ff19bff9c

    • Size

      46KB

    • MD5

      bd47ff3ae17aacbd17321862a8c50985

    • SHA1

      dfa34d645da8b4910e3fdf523622896ca54ad4f5

    • SHA256

      4bd46a2850788e5697d214dd4409c063b6f9c38c886443211f22fb0ff19bff9c

    • SHA512

      7dceaf12ca5532ba848be31f531b761549390dfddcc419f81e036509045f5c6ca432e136e77f472ff8109e9a49d7f4445beffce7fca6b418d666f2ec3e6a87e5

    • SSDEEP

      768:1eobj+cKJNNn1cBsecfc6hjMeISgFEPa9cAN66iOCh4zjivQx:1Nbj6rrLEUMFJ9P06iOC+u4x

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19

    • Target

      4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a

    • Size

      1.2MB

    • MD5

      00f33641a6c78c9e2330100a28c4a37c

    • SHA1

      31cee3fbe5a130c52145919c4bb903125069fa08

    • SHA256

      4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a

    • SHA512

      ecfa5076f26ad9f13b23a7bfc78c533eb01c2e6cdf4590fe1cc4790697377b7e3b11c9ed2e5f5b9bd7f5bc6fa104f6ca83145249b159a00c203beb27a6c51f3a

    • SSDEEP

      24576:Cct8/gOkwvlKtq0p/QXA7ipUtHb8Gzg4etPxMLToY9AzqAPWMaGzs1Db:C5YsvCq0pkA7ke4GCITo2ocj1Db

    Score
    10/10
    quasaralinaadiscoveryspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral20

    • Target

      4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7

    • Size

      1.3MB

    • MD5

      3b921ff1f40f6c6182e84a476152aaf3

    • SHA1

      19db03733444cca5868939074c002de3d4b10948

    • SHA256

      4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7

    • SHA512

      2546f5d93d5e9a87416d880cad06a95275a9c441aef6481f5fd74cba8ecfe45d29c4486f2593f9567d5aa3e3d88eeaaf89b15f26da31f91cf869cfdb303c7ccc

    • SSDEEP

      24576:V5ZWs+OZVEWry8AFaxtFyar0HteJyUt/1T7fQlbNW6AVDnSwRC4envs:jZB1G8YYFyaQW/1v4QnSwRC4Uvs

    Score
    10/10
    remcos���s�÷ddiscoverypersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral21

    • Target

      5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283

    • Size

      83KB

    • MD5

      299057a5ffbb5e70f8514df5f9796b9e

    • SHA1

      c9eb1364dd1220c074af581343b636995eea4288

    • SHA256

      5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283

    • SHA512

      7b898cce4b6b252fa8b7bb5be36fcf98c191e59de655fcb2733f5263adc53ad06c0fb094d7df29d6cb872825c2e0d92ca1b2509519ce9ab317804bf949ece4c2

    • SSDEEP

      1536:yAMfrTX01OrGpRZNdbv66Claewnph6Nu3qdMhXWxZiXQv6Qd+FUf9bfNhExjDkOc:ZDewnphbwxfrff9bHEhDkOed

    Score
    10/10
    stormkittypersistencestealer

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral22

    • Target

      5b25182d96ac6fca82ecb8f99198295f45bf8fceea3fb196beb2a4e7bc862714

    • Size

      1.0MB

    • MD5

      7e81e8492efb9fc3c9659110dc086afe

    • SHA1

      7fa61b56f596e96db069874559f2c295615397f6

    • SHA256

      5b25182d96ac6fca82ecb8f99198295f45bf8fceea3fb196beb2a4e7bc862714

    • SHA512

      d9e6336e5d22e6b7360118f40d8badc5d8390faa40c0bcd1c59ef1fd4a5d993acd59512b1d3cf5c0b8851dd1c59f055d6bf25b5ec1d3f9fcd6a0ea323e575390

    • SSDEEP

      24576:H8RhrEtJNzrcPxtakUuy5OKwId/mz6tXn/xfg1drcUl4lbHK3:c6zrc/atMK1dfHy/kbHi

    Score
    7/10
    bootkitdiscoverypersistenceprivilege_escalationupx

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral23

    • Target

      5ddb366eada77b037e23b02034be67099372dad8ab32668381290af66ec4ba46

    • Size

      2.9MB

    • MD5

      b6455b6022597cddedc2582c4f271fd6

    • SHA1

      fccc9287d1282c769404def9208209cc3fc7aa6c

    • SHA256

      5ddb366eada77b037e23b02034be67099372dad8ab32668381290af66ec4ba46

    • SHA512

      f95d68f9fdea73f300233dd8d382266b068cfbfd311a9e286ccfe451e0aa5746217e45316c8b425bd86f85ea4bb43497e000496560b800a8d97d5318c17984ec

    • SSDEEP

      49152:lr1u1vvor6PLJKC0vqVIF/iqAifgTggtXEfCpSEYBt7beRJlUw/sw:lZsHomP9KCzVI7AYgcgt0fAmt7C7l5

    Score
    9/10
    bootkitdefense_evasiondiscoverypersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral24

    • Target

      5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc

    • Size

      990KB

    • MD5

      88d6b61f9b307ca1ba9aefbe413ca028

    • SHA1

      0a67ce5a5f48652547563812911b2d94418a0dcc

    • SHA256

      5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc

    • SHA512

      36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf

    • SSDEEP

      12288:DpqiC/2OGAtkCP4cejGSOpRK3CnIiCSsPKplohwrsclnn:Dpo/2+ttPJLfpRK3CnHCSoWuUsE

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral25

    • Target

      6e0c9935ea61a09f4ced2b9a871b5f21b637a7979b21aa4ccb490a9442182865

    • Size

      155KB

    • MD5

      830f6068c5612b827e0bb600b1ac688e

    • SHA1

      4fb031f28b286a7cacca2f27cb254d8169a345d9

    • SHA256

      6e0c9935ea61a09f4ced2b9a871b5f21b637a7979b21aa4ccb490a9442182865

    • SHA512

      e5162fe2c16792ee375f3b0c00095ae9c5ff2e4775944484bf3472b9e93c75b4124b5237397183613d20a3159c04afa6cb99404aec42e5e6bcd674433bd2ddc4

    • SSDEEP

      3072:NKaVJNOe2J+ypc8TXWvHxqBuedLX6LYxmVsu1edEYdY0z:7Oe2J+yK/0kGXVxmsz

    Score
    1/10
    behavioral26

    • Target

      6ea27426ff47b4abd8a8e53f7d3452c981aa6fe86ca07ef15e45f6f8fcae3108

    • Size

      648KB

    • MD5

      0c75de86a09f97e62d23ce9f1d249f83

    • SHA1

      32b0608d5f113e55fc94684362a03ab834043663

    • SHA256

      6ea27426ff47b4abd8a8e53f7d3452c981aa6fe86ca07ef15e45f6f8fcae3108

    • SHA512

      0148478dbf00c26bae2fc17068e2f35c2a7e837afbee49998f14ee644ce9cc0f5498ee2a31573cc4ac91a1225528b50b4f2b16e2a4731752a2911f602914582b

    • SSDEEP

      12288:BLUkEKpU/uVjayp6kr4HsYlWctQayI7vTG9:BLUkEKpU/iayptrnYsQQ07

    Score
    4/10
    discovery
    behavioral27

    • Target

      7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2

    • Size

      1010KB

    • MD5

      eb217b0ac055b81266b477fe13e1676f

    • SHA1

      5347d74cd3021717c3d67105648f325613df0782

    • SHA256

      7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2

    • SHA512

      6f38c118961844c7afa13bfe81a6d40de90bee23f5933a6949495db66a196372b224f676a6ecfca135fb9e6666e2b096e27b1be33adbf95cbed2c89361af8c38

    • SSDEEP

      24576:OA/GdQEfRiHN7iaqCavgYCkS/Tfc8DvGyHa/d:OqEp6tKyX/TTHe

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    behavioral28

    • Target

      7db9e09e8bdcc45eafbb75b83d57503d11bf54d96c9eaa003fe8e5d518180571

    • Size

      67KB

    • MD5

      68c1a11c3b278674153e3a5dfd11c29c

    • SHA1

      d9f33a6c4e38e2cee1f9991cdbaacb4fab2e5321

    • SHA256

      7db9e09e8bdcc45eafbb75b83d57503d11bf54d96c9eaa003fe8e5d518180571

    • SHA512

      c06fcca8e8f79eeb1e57745dbdf6d7c6cb2ca2fe1c44f737302e0b8608543471fce0980fcd5e414bb49a42ac0c8c67b699d0f44b654763dfb80b248e878b538d

    • SSDEEP

      1536:wKdHN/yjGAMA0+IlzSxDyqPnas96z+XcvjQ/6rnIpF1:wYN/yGAWlz5qPnas96z+XRUnIpF1

    Score
    3/10
    discovery
    behavioral29

    • Target

      7e9af10bfe8e1ea19c39fa70805bdb1fcd14015fc9d15306635fdf65413dbb5a

    • Size

      376KB

    • MD5

      bff31507a03f149e555e0b5bc53b269b

    • SHA1

      fe7db257c1542ac1c7fdf056d925a19289f7edf3

    • SHA256

      7e9af10bfe8e1ea19c39fa70805bdb1fcd14015fc9d15306635fdf65413dbb5a

    • SHA512

      d332827ccce5a73de8f427a8ee60c71a2eeed90ef62eb85efc7a12966a703d11649e67548e0de0e4c68d652ae2736bbe7324ce038c6a93d535ad2cb0246b864c

    • SSDEEP

      6144:FOWofT8xZDm7pp0ZavtMYKdeNesPP5JDfKl17ZzRgEZBwHLCHKoZuaVpDTjVZkQ:Lo8Navt8de0sZFf217sEBwriZuKlXHJ

    Score
    10/10
    lummadiscoverystealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Suspicious use of SetThreadContext

    behavioral30

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

5
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

8
T1012

System Information Discovery

9
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

static1

upxratdefaultblankgrabberasyncratxwormstormkittyredosdru
Score
10/10

behavioral1

collectiondefense_evasiondiscoveryexecutionspywarestealerupx
Score
8/10

behavioral2

Score
1/10

behavioral3

vidare32c7e36b331d3417c4efa7bbd76e7bbdiscoverystealer
Score
10/10

behavioral4

xwormexecutionpersistencerattrojan
Score
10/10

behavioral5

discovery
Score
10/10

behavioral6

discovery
Score
7/10

behavioral7

discovery
Score
7/10

behavioral8

discoveryexecutionupx
Score
8/10

behavioral9

remcosv6discoveryexecutionrat
Score
10/10

behavioral10

lummadiscoverystealer
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

upx
Score
5/10

behavioral13

discoverypersistence
Score
7/10

behavioral14

meduzaseo2.0stealer
Score
10/10

behavioral15

discoverypersistenceupx
Score
6/10

behavioral16

asyncratdefaultdiscoveryrat
Score
10/10

behavioral17

vidar6d7ea8e36c0dacb43ab944072818f484discoverystealer
Score
10/10

behavioral18

discovery
Score
6/10

behavioral19

xwormrattrojan
Score
10/10

behavioral20

quasaralinaadiscoveryspywaretrojan
Score
10/10

behavioral21

remcos���s�÷ddiscoverypersistencerat
Score
10/10

behavioral22

stormkittypersistencestealer
Score
10/10

behavioral23

bootkitdiscoverypersistenceprivilege_escalationupx
Score
7/10

behavioral24

bootkitdefense_evasiondiscoverypersistencetrojan
Score
9/10

behavioral25

discoverypersistence
Score
10/10

behavioral26

Score
1/10

behavioral27

discovery
Score
4/10

behavioral28

discovery
Score
8/10

behavioral29

discovery
Score
3/10

behavioral30

lummadiscoverystealer
Score
10/10