General

  • Target

    niha-main.zip

  • Size

    42.1MB

  • Sample

    250416-3yfq7a1pv4

  • MD5

    92f0ee4c4634d10a4fb721bf88ec0403

  • SHA1

    af77e578336746a4ce7652346d162e616b831c41

  • SHA256

    1723094c0826db0bdeb23310afd13d750d2083d23af16e5f9c04b813a4b97dc1

  • SHA512

    0b3c4e329c6a95b46ac42ebc8bca9ca41bff659df2bffd3a34f90bad1e6c2b3218e178efedb997a39cc606c2b71ea143e903014e7e3919113a983c0044a8aef1

  • SSDEEP

    786432:jw6AhjLw84ubV4BjVzHnOg7G6ZBw84ubV4BjVzHnOg7G6g/I7xNw5zYlhr4mfnc6:06AhjLN4uB4BJz1GIBN4uB4BJz1GNMS0

Malware Config

Extracted

Family

vidar

Version

13.4

Botnet

44092f208b9d513597fdce9121dd5dc0

C2

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

185.39.17.228:2222

Mutex

Ydk1X4Lv2vMBhqqaAS

Attributes
  • encryption_key

    uzKKApfvzS5RRlrVPnVO

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Extracted

Family

vidar

Version

13.5

Botnet

fe765de57643ac9d227ea7737a97bb87

C2

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

vidar

Version

13.4

Botnet

b67a308257f21ac98cb4828b3f69a282

C2

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

C2

https://blacksmithz.run/yhfh

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://mliftally.top/xasj

https://9nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://owlflright.digital/qopy

https://ijawdedmirror.run/ewqd

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://usalaccgfa.top/gsooz

https://pchangeaie.top/geps

https://7blacksmithz.run/yhfh

https://twilitghtarc.live/gposzd

https://echangeaie.top/geps

https://transfosdrm.live/qwopr

https://clarmodq.top/qoxo

https://m6changeaie.top/geps
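An added example, not part of the sandbox report, showing how to turn the extracted configs above into usable indicators. It separates Vidar's dead-drop resolver URLs (public Telegram and Steam profile pages the stealer reads to find its real C2; blocking those hosts would block the legitimate service, so they are tracked separately) from the directly blockable Lumma hosts, clusters the Lumma domains by URL path to expose the lookalike rotations (the same path is served from several near-identical hostnames), and flags files in the Targets section that are byte-identical under different names. The URL and hash values are copied from this page; the function names and the DEAD_DROP_HOSTS set are assumptions of the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# C2 URLs as listed in the report's "Malware Config" section (Vidar 13.4 and 13.5 entries).
VIDAR_C2 = [
    "https://t.me/f07nd",
    "https://steamcommunity.com/profiles/76561199843252735",
    "https://t.me/v00rd",
    "https://steamcommunity.com/profiles/76561199846773220",
]

# C2 URLs as listed in the report's Lumma entry.
LUMMA_C2 = [
    "https://blacksmithz.run/yhfh", "https://jawdedmirror.run/ewqd",
    "https://changeaie.top/geps", "https://lonfgshadow.live/xawi",
    "https://mliftally.top/xasj", "https://9nighetwhisper.top/lekd",
    "https://salaccgfa.top/gsooz", "https://zestmodp.top/zeda",
    "https://owlflright.digital/qopy", "https://ijawdedmirror.run/ewqd",
    "https://liftally.top/xasj", "https://nighetwhisper.top/lekd",
    "https://usalaccgfa.top/gsooz", "https://pchangeaie.top/geps",
    "https://7blacksmithz.run/yhfh", "https://twilitghtarc.live/gposzd",
    "https://echangeaie.top/geps", "https://transfosdrm.live/qwopr",
    "https://clarmodq.top/qoxo", "https://m6changeaie.top/geps",
]

# Assumption of this example: hosts that are legitimate services abused as
# dead-drop resolvers. The URL (profile page) is the indicator, not the host.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}


def split_indicators(urls):
    """Return (set of hostnames safe to block, list of dead-drop URLs to watch)."""
    hosts, dead_drops = set(), []
    for url in urls:
        host = urlparse(url).hostname or ""
        if host in DEAD_DROP_HOSTS:
            dead_drops.append(url)
        else:
            hosts.add(host)
    return hosts, dead_drops


def cluster_by_path(urls):
    """Group hostnames by URL path.

    Lumma rotates lookalike domains while keeping the same path component,
    so the path is a more stable pivot than any single hostname."""
    groups = defaultdict(set)
    for url in urls:
        parsed = urlparse(url)
        groups[parsed.path].add(parsed.hostname)
    return dict(groups)


# (file name, SHA-256) pairs copied from the report's "Targets" section.
TARGETS = [
    ("niha-main/inktkisaf.exe", "accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072"),
    ("niha-main/iotjsjawdr.exe", "accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072"),
    ("niha-main/iylksfkktra.exe", "23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780"),
    ("niha-main/thiakdc.exe", "23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780"),
    ("niha-main/kkk.exe", "77af16a3bb1d762ceee56acc22bdf10d1945c007a4ecf6504e991f8f4e1588e9"),
    ("niha-main/mixerat12.exe", "77af16a3bb1d762ceee56acc22bdf10d1945c007a4ecf6504e991f8f4e1588e9"),
    ("niha-main/OmNom.exe", "bc7f287e569ce65f3f4e04417ea1eca7eab499dd51b017ce83cf0974f922144b"),
]


def duplicate_files(targets):
    """Map each SHA-256 that appears more than once to the file names sharing it."""
    by_hash = defaultdict(list)
    for name, sha256 in targets:
        by_hash[sha256.lower()].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    hosts, drops = split_indicators(VIDAR_C2 + LUMMA_C2)
    print("block:", sorted(hosts))
    print("dead-drop pages to monitor:", drops)
    for path, names in sorted(cluster_by_path(LUMMA_C2).items()):
        print(path, sorted(names))
    for sha256, names in duplicate_files(TARGETS).items():
        print("identical:", sha256[:12], names)
```

The path clusters are what make a block decision durable: the four hosts serving "/geps" and the pairs behind "/ewqd", "/yhfh", "/xasj", "/lekd" and "/gsooz" are the same infrastructure under rotating names, so a detection keyed on the path (or on the hostname pattern) survives the next rotation where an exact-host list does not. The duplicate-hash check also tells a responder that three of the dropped names are the same file and need only be analysed once.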

Targets

    • Target

      niha-main/OmNom.exe

    • Size

      1.3MB

    • MD5

      ffc7873930c72a5ea0107f4d5de5945b

    • SHA1

      ac8f5bf70a2043afa0cc753efca759bb4835415a

    • SHA256

      bc7f287e569ce65f3f4e04417ea1eca7eab499dd51b017ce83cf0974f922144b

    • SHA512

      d7af1f3c74c01559b05bec2266ad1988ed6540a501fd324f6aa89bd290e4d3c696e40df6be8ef3a1adbedf110a9f49c4a16ca35e9e9c0b639f3f0b94095f9a50

    • SSDEEP

      12288:++p1WbXkuEEaXMtEb4Rg68EiwKI5wzuuGhP/Sknk7HtcJEdqm2sJtPDjM5KOLXoL:+mtuaMtS+8g19qNZ6cEKHG50Tw6t

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      niha-main/alfa.exe

    • Size

      137KB

    • MD5

      510c893c3552e271cd3c407dae2c82b0

    • SHA1

      5a30f8ec0137a4f26d160a7ff48f6ebe7dafc383

    • SHA256

      d8bb97a2d453d659c9df7b10df2030f33dbc566da75184e312b148107ca906b0

    • SHA512

      2598a9064d7b6866b82d5a7d433c8e3cea7ea03e340d5f8fe80a3878e68b6b2fb4bb6159f6ed80a5a148a40059f282f78586af4682a452f830c4b7755ddd2a30

    • SSDEEP

      3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QyPu:KH8RuRLlzgUd6a/AslyPu

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      niha-main/derq.exe

    • Size

      1.2MB

    • MD5

      95066cf9828ee2bc75ca7c7034f8687e

    • SHA1

      09fec1af2c49aa8cdfb7325013cadaa4ec4a42e6

    • SHA256

      15a0adcdf8163396c81aa12b1505b0658c2f4880f6f08eab6624a692fdfbda7e

    • SHA512

      4007cf6064852492a9bc269c5c9d5a49a611521bcde8bdf92b4fe1a068d0c73c93ee478fb4341909f82c5b55f9d3c9bb52817421d63b2771d986edc07e2e686d

    • SSDEEP

      24576:bh7gE1dzQw3cYNYFcQrQyEovj6B/Kkxdu98DNFIoEYO8pRfEL/Ne6:bh11hH3duFxrQ1Zdu9SIoEYLTi1r

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/inktkisaf.exe

    • Size

      27KB

    • MD5

      2ff8e057084b5c180e9b447e08d2d747

    • SHA1

      92b35c1b8f72c18dd3e945743cb93e8531d73e2b

    • SHA256

      accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

    • SHA512

      7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

    • SSDEEP

      384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      niha-main/iotjsjawdr.exe

    • Size

      27KB

    • MD5

      2ff8e057084b5c180e9b447e08d2d747

    • SHA1

      92b35c1b8f72c18dd3e945743cb93e8531d73e2b

    • SHA256

      accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

    • SHA512

      7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

    • SSDEEP

      384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      niha-main/iylksfkktra.exe

    • Size

      5.1MB

    • MD5

      cb1ab881df77d5e59c9cd71a042489dd

    • SHA1

      948c65951d6f888dacb567d9938bb21492d82097

    • SHA256

      23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

    • SHA512

      84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

    • SSDEEP

      98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      niha-main/kiprea2.exe

    • Size

      2.3MB

    • MD5

      bc9c39299d0b237235882f9b4f99d57a

    • SHA1

      145f608cf981af51a3dc3b289c673e25f8abd360

    • SHA256

      234835e030956fb4fc80261c06c58050f17c69a1e0120de96b585cc046a468d5

    • SHA512

      192ba62f1f2d50a384028e6c8a6c415380f7eb5b1eeedcf38e99e65e36f2237395681d62052edeec17ca451497f364088fcb95b6cef91135f24c709c9db367d1

    • SSDEEP

      24576:u7TxN+ab32/5pCw7sULd3yRsjcAYZkDLll289Gt/beglSdwwQaUEUM6t:YxNZ2/F0Rs4A+Wl2ZBVwy

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • DCRat payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      niha-main/kkk.exe

    • Size

      12.5MB

    • MD5

      4d9728a6c062cfa93ec0e5b18f67f436

    • SHA1

      bcf5dc9253e785c561261ccefd3b0485adaa3748

    • SHA256

      77af16a3bb1d762ceee56acc22bdf10d1945c007a4ecf6504e991f8f4e1588e9

    • SHA512

      74ea12d3537c4d520296193c9bf481a367fa382ad1d131c9d67b048911f79cfd01325da17a6eb9d88048e63b10b2bb23db98c082a68ad81d3b74576302e92537

    • SSDEEP

      393216:FMMj6uIhwiF20XBou0GmG/pUTfNF88FH8vmg2b5:CgbIBF2IaCpUTfNF8qH8vLw5

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      niha-main/liladertoas.exe

    • Size

      1.2MB

    • MD5

      fb6eede5676170649acf18a7592e31b9

    • SHA1

      307d63950342a8c52b704f00a890e417f30a64d0

    • SHA256

      a5d85bbc4f5e7fc7517103696b45c827e778ccfb426f6055c4638c06047c8056

    • SHA512

      30f4201aa1471a0cacb3116900952e8f5364aba8851e21657b920855e0d53b1285011f49cbad68feb4ba168bcffdcd3084316fd42819985ba034164284e67715

    • SSDEEP

      24576:+qvZRJ4/vasZikDu5nmiiDg0Zc+m67speg0LVLt4cunulbHjdlv:5T+ZUkSQiKg0Zh7meglMVjD

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/lporjgjsawr.exe

    • Size

      1.2MB

    • MD5

      211abdc535db8358f23a5b3caffdd404

    • SHA1

      4db8889d202e059d0c4e7d754c136ec17c14fb98

    • SHA256

      a1bd476d66ea3cd64a1cba6f16228290771949bea573436b9c91526ec3324a0b

    • SHA512

      dbff7e7448852b8efe6d7f5437e8dbca6b0bb8341dca739b5c7adb12b74365f501db5a77e23c4218f5409350b835779f624bb8d8ebe07de8b7611052e7ac82e8

    • SSDEEP

      24576:r5vJUjOWRUm2OpW2NckpC3ZLnCZmmebFX6+KYJvAxn2X80VH/Sq:rNJhWWm26WSu3FCZm7bFvG1s

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/mbyoitksfjkyij.exe

    • Size

      546KB

    • MD5

      2c4d06873fcee3b44881720f6160d8df

    • SHA1

      c6b69f693180fe1b51747c2195127b3baa254db1

    • SHA256

      90e8153867291a018f0622ae5eea663921a12b48ca92d12316823b24750db7ac

    • SHA512

      767a3c24155cebea64879f879ff6e63cf8fa81c069d43efd75cb8c5e886764248c47175ca4de1de3d599ab0d6aa22ccde1ecf87f14d86979947517a865517072

    • SSDEEP

      6144:ngPKe4uv5kZunvs0bZqBUOxGSEK0C2bsJJuWgvdPuwtJNL5+RXu9Y01bX4wgIKe7:ngTnFXChMvdPvJNLWuTJJMA+0FZ6

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      niha-main/mixerat12.exe

    • Size

      12.5MB

    • MD5

      4d9728a6c062cfa93ec0e5b18f67f436

    • SHA1

      bcf5dc9253e785c561261ccefd3b0485adaa3748

    • SHA256

      77af16a3bb1d762ceee56acc22bdf10d1945c007a4ecf6504e991f8f4e1588e9

    • SHA512

      74ea12d3537c4d520296193c9bf481a367fa382ad1d131c9d67b048911f79cfd01325da17a6eb9d88048e63b10b2bb23db98c082a68ad81d3b74576302e92537

    • SSDEEP

      393216:FMMj6uIhwiF20XBou0GmG/pUTfNF88FH8vmg2b5:CgbIBF2IaCpUTfNF8qH8vLw5

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      niha-main/nerialtersr.exe

    • Size

      1.2MB

    • MD5

      3e53d26a3ed58bf81c813ac849722914

    • SHA1

      a37fb5115c5701c725ebfeb9d70aa35529cc52c8

    • SHA256

      f5a00c671dce68fd126316573a5483cd836abdb9d8816ce44bb6dc02fedb0b70

    • SHA512

      44a2e9dfed195042b0ff8a8e8255e8d09e8efa0e5a5187397d4f9aab9e2401eed48085d60ea79fdbb2c2540986676d7f589b7d5ab570f29ef6b64a2eb28ace48

    • SSDEEP

      24576:lASJ9kWYGPWlk/vy7CjGWXgtWnlg88tFaGFey34W7g0WzUVrokb:dWlkny7CjsWn6myV7SUVro

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/ninahoooas.exe

    • Size

      494KB

    • MD5

      17f747e4f548af8c8357f7fee3315b01

    • SHA1

      38fa8e10208326003b8f62e6a4f842fd553638e5

    • SHA256

      f4d532afb6a34107dde801319d45be7f70a488ccf38590306f8af400f427a48d

    • SHA512

      e9e691299492f1be06b3f879447c4f4d13480dbe915fa62c42ddc9b364cfeec989979b733556e18be8841730c119aa2f050e716e301ac149b424286c64e60522

    • SSDEEP

      12288:Q5p1UZ32H10rH5ZVZEsh8ZskmY5a4JNXuOwhDt/K:Q5pOZGHOrH5RLG64JNXQ1l

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      niha-main/opiww1.exe

    • Size

      1.2MB

    • MD5

      1fab93dd33fbcf2a6a9df834d6437078

    • SHA1

      edbb7be19ae5796d75c64419fa6f79f0482c777b

    • SHA256

      6aa02822e2ca0aef2423f75d6eaaddca426cd2fef2c3a0e584cb2a1ef22320e9

    • SHA512

      a56360009e23a61e872ff052659c0730110c0da246111236a47d2b3513640eedfd4728a18684a9a748cba64f40f9b201afdeb676834dbe507c35e70593ae0318

    • SSDEEP

      24576:5vUh6LIZVQ8ed631F23+m478pwmLwqsFboMd7TtL4ZEYYsbKHbFJswFSdzJ:1UDQ8fFgOmBlLwJbFd/tL9YXG7FJswFo

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/plorestoana.exe

    • Size

      288KB

    • MD5

      19cac7f665330a905dc26b6d59425e36

    • SHA1

      b5a872558c2bf1956ba9c45b1413e557e1134d48

    • SHA256

      9c2ae6de49a57584466471cd3f0c4ed2d816751b9899a50c059f66a196e95b2d

    • SHA512

      77580673a7415559da2fedcf74ba90ffb16180ec16d565f06d0637a2b95206fcc9083ae316e190b41b327f85e51d4b58300a10cedb443cb0cc3d7986f1bde1b8

    • SSDEEP

      6144:Q7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbktn:ulJtTF9zVGkllbkR

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      niha-main/poratertosat1.exe

    • Size

      1.2MB

    • MD5

      f7f7f269fceb64a5ef7ea92adea8ab30

    • SHA1

      6de1f57599c3454925e43486ff9c1d1f11254fb9

    • SHA256

      b88e93ca450ccbf3a9be887c75ae3910cdd314b65b265d02d090fc2b31afd377

    • SHA512

      b1160156cd960e09be9701da4442af284406f67a13ead177995000b0b0497c941783917ede26a5ce4e101ead2715bcc0bf600e4199107afc143ee56e79ba6026

    • SSDEEP

      24576:7yneN5qJR3K9eU0qDmQ18B3ovmLal1ccoMnjuFTkSIe:BMJFNxBhL01kMCFTF

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/pothgkjad.exe

    • Size

      546KB

    • MD5

      f9f18ab6cd212c1fd2b7cf9049d476a1

    • SHA1

      efac68c4d79f148bbee9f008a78597dcdb8648d7

    • SHA256

      1d22b61fa54861a486ff195783d0b790d51c20ba8ad859c6f622c7d86c91365e

    • SHA512

      ec5a40a1a481354c7df5bbfcd8b08548d3ff1d1f17fcf6370bcd1a9ed94a8e4eaae00fc28467e0b1d8b7452cdd8da9efbe2a683d793eff618612ec20284c700a

    • SSDEEP

      3::

    Score
    1/10
    • Target

      niha-main/potphbksed.exe

    • Size

      137KB

    • MD5

      9d6c51f4f9e0132ea410b8db3c241be6

    • SHA1

      8aa67a34b626f61e6ab053f8a51e7c5142865fe4

    • SHA256

      61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31

    • SHA512

      479dd4703e0b462d7c0cfee5bdcaed97d8888f6c1fb04aad6e6d1a098b5a61701dd19a2635c64cb4cc77038445e5e498fdf8af75d728e5a58988047d3c4e2790

    • SSDEEP

      3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QLGu:KH8RuRLlzgUd6a/AslLGu

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      niha-main/pypdwat.exe

    • Size

      29KB

    • MD5

      3ace4cb9af0f0a2788212b3ec9dd4a4e

    • SHA1

      2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb

    • SHA256

      121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e

    • SHA512

      76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

    • SSDEEP

      384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Target

      niha-main/rigosae12.exe

    • Size

      1.2MB

    • MD5

      52901f56572b54a5a5ffc84b29b548cf

    • SHA1

      e333f08071a030e5be8c027c8865344685c714b5

    • SHA256

      8e56b583e67701fdc8977f24f48401a0376cdd651499a71f22b769fce5f14f71

    • SHA512

      e72d6de9bb920876d84ac9a635928225e13053bc898bbcd4dc238dd563666ae4e8993acd256fa54915c04f2d905eb359893c44b3e07d8c36f3b648275fa2060f

    • SSDEEP

      24576:s0kO7G7CGAJ99yWDzYZGws3KkvqQDMfm6racVckKp1YGleqEpgXgub:sv+y0svkvqxkcZfGwub

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/robobob.exe

    • Size

      1.2MB

    • MD5

      e04d87c8c7694a041186851cdb666628

    • SHA1

      6a48de9916339c2e0c1c46241698c66fc948c303

    • SHA256

      9037ed37efabed5f4b94bd10af86986dc28bc74bf313154a012f54e924215a27

    • SHA512

      42419efd4e8477103928f1b6deb7898d99d1df5ee8d0a640c70d434aa0888e2ec972ad0e2a27917d127b1acca43a9dd18bd24bdfe211a81ca4ba0be1075b8bf0

    • SSDEEP

      24576:x08/C9RakBKRcYFbXVH8hxqMtV5XLGMrxUstsQ2c:5gRdc2YFblcfqM5XSMrxUm2c

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/swi.exe

    • Size

      1.2MB

    • MD5

      ba6c9c5dcdd6ea9aeb9b5e4997ca42e1

    • SHA1

      9fce4a1a8bc704c713e85bc158cba723616374a7

    • SHA256

      827bdd6c7ce56d06b2418f180bf603231c8a18e5c02c9218c87e8c68def351c9

    • SHA512

      c1c34574b2ae70be5773e8a8984bcf1289bd89d24a193e4f3920d14d015df39f58c120d32589b84c55fa7d25b2de1c4484da15f39fbe6e23ba0606d46c95bd3a

    • SSDEEP

      24576:WYbe7OQmvXX9tqtfR/2IE8h2qbUV/Likg1m1In3Um9DFKY/nPr42mVBgZpQvY5FJ:9be7QX9tqz9E8h2rV/3g1dn3BRRfPr4E

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/thiakdc.exe

    • Size

      5.1MB

    • MD5

      cb1ab881df77d5e59c9cd71a042489dd

    • SHA1

      948c65951d6f888dacb567d9938bb21492d82097

    • SHA256

      23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

    • SHA512

      84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

    • SSDEEP

      98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      niha-main/tiadktka.exe

    • Size

      137KB

    • MD5

      dc823d0f1e80400cd6ac7d8e5f68819e

    • SHA1

      5731d56f9bd7caf2a49ede09deab89dad9f6cf4d

    • SHA256

      bb0e2fb8ac8b2a967cc699f5483d7b26714d23a0c4e45263afb8973c6d18bcf1

    • SHA512

      632388cd83ad40ce342c726fece6c3c423532d837b5743d3452a62beaed1eade4994e809464a018e7303860c751b7a688caea12f7495d4092edf30af654dca8a

    • SSDEEP

      3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QsPu:KH8RuRLlzgUd6a/AslsPu

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      niha-main/time.exe

    • Size

      1.2MB

    • MD5

      bb3990df8293f0172e92bd259b3ddb76

    • SHA1

      e8f1a871f4edb09cd7a8b6001eddf93ebf830530

    • SHA256

      865dd1c2c7d7e05aeac64fe41de44862a497a1de02e7ccb8abb01d164f9fe4db

    • SHA512

      22691bf1cd54ecacc9c3d35e21215e1f152a9ef525ff722c4586b23db0228b093e59f2e9442dcb2273fb54d71088750a6028928dd960402f718ec786d0e9369d

    • SSDEEP

      24576:ZjxCokSbLhEVn0YaqNV4L13JuvjYKsIHuHXjndNJ/O38EVVL7h:ZjVlhEGY/M5ofOHXxNpGrJ

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      niha-main/vosemOO.exe

    • Size

      770KB

    • MD5

      36529d8bbb2cc18300c2f8f0385f00b9

    • SHA1

      17e6b115f54dfcafa175acd0efaa75a2657f21d7

    • SHA256

      52c518defe564223c8d6f945b89226afddc338a1d46012ad14f62938983bb047

    • SHA512

      f32272f19ae1c648903d04c7e154a07256a122cea3141a1519adc29deeb92bd64391bbcb0993f3a6fc0ace51ae278c6495e6c29c0fb46aeab1ef4a9a0d05ba93

    • SSDEEP

      12288:RgTngo+MeFDxYGQWrqqEqJJMA+2pW3Ari4VVyZC0+1ctHNt8KF4AXD3Z6:RgTnv0xnq70JMA+23iE0n336

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      niha-main/wint1.exe

    • Size

      1.2MB

    • MD5

      c6356309369df0f01f72b49e97c2b3ff

    • SHA1

      34a6d60a4bd9bbde3b8710af984ece7e6a7bda30

    • SHA256

      0a03ef3a9bef155265fc30c473499b07230937909a610d45313c8ce021eb4067

    • SHA512

      d697fd9f84ae8db540daf29bb6e8f7bcc63a44e9ffa667f0645a84db4433abba68ee41f6e1a15b06dcfd5cddfa7d3d41f47ba26f2b3d07ca72a4319aa99d8a7e

    • SSDEEP

      24576:fjjIir4TkHw2Ee3X7lPErgh0wG3MR8jQX62hH8i3ArGi4Uk:fjj0TlQ3X7lMrgW8R8ji6ucc5U

    • Lumma Stealer, LummaC

      Lumma (also LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger (0x11) information class, which stops the thread from delivering debug events to an attached debugger; a common anti-analysis technique.

    • Target

      niha-main/wint2.exe

    • Size

      1.2MB

    • MD5

      32bf7a058131e710f94f17569f72ef3c

    • SHA1

      3ebb02bd64c268ac783c413e64324876efa7fc78

    • SHA256

      a0fdb10921aa2f118821c62161f727017227003b9389dc726ca29a4f27cd8b57

    • SHA512

      cf9a181a0f502387c2ba72544af2b4a60b50101d805cb65aa23a76029a49de70409dc6238e4bca4c6e1016109a4789053ed8a9b9a3b577a5cda690a9e320aa42

    • SSDEEP

      24576:j+nq5DwGpXMFTBkfQ1zZsJXTryg6RZ2hPVdQ/luJRLUChQNv76aX4y0w3z1:jT5wGpXMFTPsX6RMhPVdQNxChQNv76di

    • Lumma Stealer, LummaC

      Lumma (also LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger (0x11) information class, which stops the thread from delivering debug events to an attached debugger; a common anti-analysis technique.

MITRE ATT&CK Enterprise v16

Tasks

Task          Score   Tags
static1       10/10   rat, stealer, 44092f208b9d513597fdce9121dd5dc0, office, fe765de57643ac9d227ea7737a97bb87, b67a308257f21ac98cb4828b3f69a282, dcrat, vidar, quasar
behavioral1   10/10   dcrat, discovery, execution, infostealer, persistence, rat
behavioral2    8/10   credential_access, discovery, spyware, stealer
behavioral3   10/10   lumma, discovery, spyware, stealer
behavioral4    7/10   discovery
behavioral5    7/10   discovery
behavioral6   10/10   xmrig, defense_evasion, execution, miner, persistence, upx
behavioral7   10/10   dcrat, discovery, infostealer, rat, spyware, stealer
behavioral8   10/10   xmrig, defense_evasion, execution, miner, persistence
behavioral9   10/10   lumma, discovery, spyware, stealer
behavioral10  10/10   lumma, discovery, spyware, stealer
behavioral11  10/10   dcrat, discovery, infostealer, persistence, rat
behavioral12  10/10   xmrig, defense_evasion, execution, miner, persistence
behavioral13  10/10   lumma, discovery, spyware, stealer
behavioral14  10/10   discovery
behavioral15  10/10   lumma, discovery, spyware, stealer
behavioral16  10/10   quasar, office, discovery, spyware, trojan
behavioral17  10/10   lumma, discovery, spyware, stealer
behavioral18   1/10   -
behavioral19   8/10   credential_access, discovery, spyware, stealer
behavioral20   7/10   discovery
behavioral21  10/10   lumma, discovery, spyware, stealer
behavioral22  10/10   lumma, discovery, spyware, stealer
behavioral23  10/10   lumma, discovery, spyware, stealer
behavioral24  10/10   xmrig, defense_evasion, execution, miner, persistence, upx
behavioral25   8/10   credential_access, discovery, spyware, stealer
behavioral26  10/10   lumma, discovery, spyware, stealer
behavioral27  10/10   dcrat, discovery, execution, infostealer, persistence, rat, spyware, stealer
behavioral28  10/10   lumma, discovery, spyware, stealer
behavioral29  10/10   lumma, discovery, spyware, stealer