Resubmissions

20/05/2025, 20:23  250520-y572ss1qv8  score 10/10

20/05/2025, 20:10  250520-yx65jabr7v  score 10/10

14/05/2025, 08:25  250514-kbrwtsfk31  score 10/10

General

  • Target

    250514-jzbn3sfj5s.bin

  • Size

    132.7MB

  • Sample

    250520-y572ss1qv8

  • MD5

    66fa7c70d638ba002fcbf87ed31d380d

  • SHA1

    930d1641372c6d12f52918bedec34d472ee76576

  • SHA256

    a4c7e0fa5387a8d4bf68638494b6a8c0b7299798cb87788edd70963256895e37

  • SHA512

    bc0155a7d83350b87649f66103c1113a12c22c558b533921918ecd025e95f02ba56e54d970bc2f3e1eb71c5e73e102541142d4606067857c986012650ce84658

  • SSDEEP

    3145728:0zGH+Jz1JK98MKpj7u77i5E8Nx2N5J1ynZ6o6mO/P3pfUqY:0yHGJ498fVgG/xYwpk35e

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes
  • build_id

    19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes
  • build_id

    140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes
  • build_id

    131

rc4.plain

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896
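The http_header1 and http_header2 values above are the beacon's serialised Malleable C2 transform blocks for the http-get and http-post client sides, which the sandbox shows base64-encoded. Decoding them tells you exactly how this beacon carries session metadata and task output, which is what a network detection needs: here the metadata is base64-encoded into a Cookie header on GET, and output is POSTed with the session id in an `id` query parameter, i.e. the stock default profile. The decoder below is an added example, not Tria.ge's or Cobalt Strike's code; the opcode table follows the publicly documented beacon-config format and is an assumption of this example, not something the report states. Only the leading, non-zero bytes of the two blobs are embedded, because the serialised setting is zero-padded after its terminator and decodes identically either way. The watermark is also converted: 305419896 is 0x12345678, a value shared by many unlicensed builds, so it does not identify an operator.

```python
from __future__ import annotations

import base64
import struct

# Transform opcodes of Cobalt Strike's serialised Malleable C2 profile, as
# documented by public beacon-config parsers (an assumption of this example).
TRANSFORMS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
STRING_ARG = {1, 2, 5, 6, 9, 10}   # opcode followed by one length-prefixed string


def _u32(data: bytes, off: int) -> int:
    return struct.unpack(">I", data[off:off + 4])[0]


def _string(data: bytes, off: int) -> tuple[str, int]:
    n = _u32(data, off)
    off += 4
    return data[off:off + n].decode("latin-1"), off + n


def decode_transform(b64: str, post: bool = False) -> list[str]:
    """Decode one serialised transform block into profile-language steps.

    The block is a sequence of big-endian u32 opcodes, some with arguments,
    terminated by a zero opcode; everything after that is zero padding.
    """
    data = base64.b64decode(b64)
    steps, off = [], 0
    while off + 4 <= len(data):
        op = _u32(data, off)
        off += 4
        if op == 0:
            break
        name = TRANSFORMS.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        if op in STRING_ARG:
            arg, off = _string(data, off)
            steps.append(f'{name} "{arg}"')
        elif op == 7:
            # build 0 is the session-metadata block ("metadata" in http-get,
            # "id" in http-post); build 1 is the "output" block.
            which = _u32(data, off)
            off += 4
            if which == 0:
                steps.append("build id" if post else "build metadata")
            else:
                steps.append("build output")
        elif op == 14:                     # strrep carries two strings
            old, off = _string(data, off)
            new, off = _string(data, off)
            steps.append(f'strrep "{old}" "{new}"')
        else:
            steps.append(name)
    return steps


# Leading bytes of the two blobs from the report (the rest is zero padding).
HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAA"
HTTP_HEADER2 = ("AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAA"
                "BQAAAAJpZAAAAAcAAAABAAAABAAAAAAA")

WATERMARK = 305419896   # the report's watermark; 0x12345678 in hex


def watermark_hex(value: int = WATERMARK) -> str:
    return f"0x{value:08x}"


if __name__ == "__main__":
    print("http-get  client:", "; ".join(decode_transform(HTTP_HEADER1)))
    print("http-post client:", "; ".join(decode_transform(HTTP_HEADER2, post=True)))
    print("watermark:", watermark_hex())
```

Read the http-post output together with the `uri` attribute above: the beacon posts to /submit.php with `?id=<session id>`, a `Content-Type: application/octet-stream` header and the raw output as the body, while GETs to /__utm.gif carry the base64 metadata in the Cookie header. Both are exactly what a default-profile Cobalt Strike signature looks for.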

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

babylonrat

C2

sandyclark255.hopto.org

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes
  • delay

    5

  • install

    true

  • install_file

    prndrvest.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes
  • InstallPath

    excelsl.exe

  • gencode

    n7asq0Dbu7D2

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    office

rc4.plain

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Extracted

Language

ps1

Deobfuscated URLs
  • ps1.dropper

    http://bit.do/fqhHT

  • exe.dropper

    http://bit.do/fqhHT

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes
  • build

    300869

  • exe_type

    loader

Extracted

Family

gozi

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain
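The C2 entries in the configs above come in four shapes: full URLs (Zloader, Cobalt Strike, Azorult, SmokeLoader), host:port (the RATs, Qakbot), bare hostnames (xred, Babylon RAT) and bare IPs (Danabot). Several of the hosts are shared dynamic-DNS or tunnelling services (ngrok.io, portmap.io, duckdns.org, hopto.org, dtdns.net, ddns.net, mooo.com), where the hostname identifies the service rather than the operator, so the port carries most of the signal and a bare-host match on such a domain is not worth an alert. The script below, an added example that is not part of the report, normalises all four shapes and scores connections from a constructed proxy log against them; the log format, the shared-suffix list and the three confidence tiers are assumptions of this example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# C2 strings copied from the extracted configs above, one of each shape.
C2_FROM_REPORT = [
    "https://airnaa.org/sound.php",            # zloader
    "http://47.91.237.42:8443/__utm.gif",      # cobaltstrike
    "84.91.119.105:333",                       # revengerat
    "3.tcp.ngrok.io:24041",                    # revengerat
    "sandyclark255.hopto.org",                 # babylonrat
    "sandyclark255.hopto.org:6606",            # asyncrat
    "sandyclark255.hopto.org:5200",            # warzonerat
    "xred.mooo.com",                           # xred
    "92.204.160.54",                           # danabot
]

# Assumed list of shared dynamic-DNS / tunnelling suffixes: the hostname alone
# names the service, not the operator, so a bare host indicator is not actionable.
SHARED_SUFFIXES = (".ngrok.io", ".portmap.io", ".dtdns.net", ".duckdns.org",
                   ".hopto.org", ".ddns.net", ".mooo.com")
DEFAULT_PORT = {"http": 80, "https": 443}
RANK = {"url": 3, "host+port": 2, "host": 1}


def normalise(ioc: str) -> dict:
    """Parse a C2 string in any shape the report uses into host/port/path."""
    ioc = ioc.strip()
    if "://" in ioc:
        u = urlsplit(ioc)
        host, port, path = u.hostname, u.port or DEFAULT_PORT[u.scheme], u.path or "/"
    else:
        m = re.fullmatch(r"([A-Za-z0-9.-]+)(?::(\d{1,5}))?", ioc)
        if not m:
            raise ValueError(f"unrecognised C2 format: {ioc!r}")
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else None
        path = None
    host = host.lower()
    return {"raw": ioc, "host": host, "port": port, "path": path,
            "shared": host.endswith(SHARED_SUFFIXES)}


def match_level(ioc: dict, host: str, port: int, path: str | None) -> str | None:
    """Confidence tier of one connection against one indicator, or None."""
    if host.lower() != ioc["host"]:
        return None
    if ioc["port"] is not None and port != ioc["port"]:
        return None if ioc["shared"] else "host"     # right host, wrong port
    if ioc["path"] is not None and path == ioc["path"]:
        return "url"
    if ioc["port"] is not None:
        return "host+port"
    return None if ioc["shared"] else "host"         # bare-host indicator


# Constructed proxy log: timestamp, source, destination host, port, path ("-" = none).
LOG = """\
2025-05-20T20:10:01Z 10.0.0.12 3.tcp.ngrok.io 24041 -
2025-05-20T20:10:02Z 10.0.0.12 3.tcp.ngrok.io 443 -
2025-05-20T20:10:03Z 10.0.0.15 airnaa.org 443 /sound.php
2025-05-20T20:10:04Z 10.0.0.15 airnaa.org 443 /index.html
2025-05-20T20:10:05Z 10.0.0.17 47.91.237.42 8443 /__utm.gif
2025-05-20T20:10:06Z 10.0.0.18 sandyclark255.hopto.org 6606 -
2025-05-20T20:10:07Z 10.0.0.18 xred.mooo.com 80 /
2025-05-20T20:10:08Z 10.0.0.19 92.204.160.54 443 -
"""


def scan(log: str, iocs: list[str]) -> list[tuple[str, str, str]]:
    """(timestamp, tier, indicator) for every line that hits, best tier per line."""
    parsed = [normalise(i) for i in iocs]
    hits = []
    for line in log.splitlines():
        ts, _src, host, port, path = line.split()
        best = None
        for ioc in parsed:
            tier = match_level(ioc, host, int(port), None if path == "-" else path)
            if tier and (best is None or RANK[tier] > RANK[best[0]]):
                best = (tier, ioc["raw"])
        if best:
            hits.append((ts, best[0], best[1]))
    return hits


if __name__ == "__main__":
    for ts, tier, ioc in scan(LOG, C2_FROM_REPORT):
        print(f"{ts} {tier:10s} {ioc}")
```

Two lines of the constructed log deliberately do not fire: 3.tcp.ngrok.io on 443 (same tunnelling host, different port) and xred.mooo.com (bare FreeDNS host). The bare Danabot IP does fire at the lowest tier, since a dedicated IP is still the operator's own infrastructure.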

Targets

    • Target

      250514-jzbn3sfj5s.bin

    • Size

      132.7MB

    • MD5

      66fa7c70d638ba002fcbf87ed31d380d

    • SHA1

      930d1641372c6d12f52918bedec34d472ee76576

    • SHA256

      a4c7e0fa5387a8d4bf68638494b6a8c0b7299798cb87788edd70963256895e37

    • SHA512

      bc0155a7d83350b87649f66103c1113a12c22c558b533921918ecd025e95f02ba56e54d970bc2f3e1eb71c5e73e102541142d4606067857c986012650ce84658

    • SSDEEP

      3145728:0zGH+Jz1JK98MKpj7u77i5E8Nx2N5J1ynZ6o6mO/P3pfUqY:0yHGJ498fVgG/xYwpk35e

    Score
    1/10
    • Target

      241105-dtxrgatbpg_pw_infected.zip

    • Size

      132.7MB

    • MD5

      136b5aad00be845ec166ae8f6343b335

    • SHA1

      e51860dfb734c9715b6c9b74d9c582abe03ca90c

    • SHA256

      38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

    • SHA512

      ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42

    • SSDEEP

      3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

    Score
    1/10
    • Target

      d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

    • Size

      143.9MB

    • MD5

      c572596b2caadbc11672ff12af226635

    • SHA1

      57a176459d3f24cf94810efbb6511abca2e7dce2

    • SHA256

      d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

    • SHA512

      d112c32cab043308c8707350679af122a3af504386e3f7ee846c72edbc2e2fd2e825023d5bc0e793853a065df159dfd35c8e32e5370b03cdfa59ab7aa05cd5c6

    • SSDEEP

      3145728:mdmtZSmWUMbLPnDwOqs0ykYmO67RUQ0UEsYf2XH:hSmhMbL/N0y4z0UdH

    Score
    1/10
    • Target

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

    • Size

      144KB

    • MD5

      9e9bb42a965b89a9dce86c8b36b24799

    • SHA1

      e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

    • SHA256

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

    • SHA512

      e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

    • SSDEEP

      3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

    • Size

      355KB

    • MD5

      b403152a9d1a6e02be9952ff3ea10214

    • SHA1

      74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

    • SHA256

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

    • SHA512

      0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

    • SSDEEP

      6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF

    Score
    3/10
    • Target

      0di3x.exe

    • Size

      111KB

    • MD5

      bd97f762750d0e38e38d5e8f7363f66a

    • SHA1

      9ae3d7053246289ff908758f9d60d79586f7fc9f

    • SHA256

      d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

    • SHA512

      d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

    • SSDEEP

      1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs

    • Target

      2019-09-02_22-41-10.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SSDEEP

      6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

    • Target

      2c01b007729230c415420ad641ad92eb.exe

    • Size

      1.3MB

    • MD5

      daef338f9c47d5394b7e1e60ce38d02d

    • SHA1

      c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

    • SHA256

      5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

    • SHA512

      d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

    • SSDEEP

      24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      31.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot family

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Formbook

      Formbook is an information stealer that harvests credentials and form data from browsers and other applications.

    • Formbook family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Qakbot family

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Raccoon family

    • AgentTesla payload

    • CryptOne packer

      Detects the CryptOne packer described in an NCC Group blog post.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Renames multiple (74) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      3DMark 11 Advanced Edition.exe

    • Size

      11.6MB

    • MD5

      236d7524027dbce337c671906c9fe10b

    • SHA1

      7d345aa201b50273176ae0ec7324739d882da32e

    • SHA256

      400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

    • SHA512

      e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

    • SSDEEP

      196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4

    Score
    3/10
    • Target

      42f972925508a82236e8533567487761.exe

    • Size

      3.7MB

    • MD5

      9d2a888ca79e1ff3820882ea1d88d574

    • SHA1

      112c38d80bf2c0d48256249bbabe906b834b1f66

    • SHA256

      8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

    • SHA512

      17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

    • SSDEEP

      98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Babylonrat family

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Njrat family

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Warzone RAT payload

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

    • Size

      669KB

    • MD5

      ead18f3a909685922d7213714ea9a183

    • SHA1

      1270bd7fd62acc00447b30f066bb23f4745869bf

    • SHA256

      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    • SHA512

      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    • SSDEEP

      6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

    • Renames multiple (211) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and given a new extension.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      6306868794.bin.zip

    • Size

      698KB

    • MD5

      b63a1d3001cc1a5bcc2104ecb8eb5d53

    • SHA1

      d04ebc24cc00ea67870c9eef92de7c5adf4c65d5

    • SHA256

      56b423e8f7e99ce24a6250507b1ac9e4476837a32f0518ebc5474eaeb9ecaa78

    • SHA512

      29be52929db5bd0e8d85e10696c08ded581213c5e2e97eb3e72e32ddc5861aa8f9c6d20a1ec9a81c442a4319491500dc91345c6879651b5cc546294cd12f0b2e

    • SSDEEP

      12288:OZVZvijaJxMV5DH6Asfuez5GxNmHUguf4OkEokPhuDIX7dCjBb3RcN7VI:2iGJxMV5ThsGeFykCf4OIiusXhCh3RcM

    Score
    1/10
    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    • Disables service(s)

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Hakbit family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

    • Size

      21KB

    • MD5

      6fe3fb85216045fdf8186429c27458a7

    • SHA1

      ef2c68d0b3edf3def5d90f1525fe87c2142e5710

    • SHA256

      905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

    • SHA512

      d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

    • SSDEEP

      384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • RevengeRat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Drops file in System32 directory

    • Target

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

    • Size

      17KB

    • MD5

      aa0a434f00c138ef445bf89493a6d731

    • SHA1

      2e798c079b179b736247cf20d1346657db9632c7

    • SHA256

      948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

    • SHA512

      e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

    • SSDEEP

      384:rnhZ7/5eOHY9FmMoEIPJvnbisVK8ysLu2s2:bhdQOS8EIRmIa2

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • RevengeRat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe

    • Size

      260KB

    • MD5

      9e9719483cc24dc0ab94b31f76981f42

    • SHA1

      dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b

    • SHA256

      95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

    • SHA512

      83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

    • SSDEEP

      6144:HP2sOvpPfQUH6+SqpcH1lH0CIuK8AWaULcka:HPXOv9RH6fEcH1h0vuLNyk

    Score
    3/10
    • Target

      Archive.zip__ccacaxs2tbz2t6ob3e.exe

    • Size

      430KB

    • MD5

      a3cab1a43ff58b41f61f8ea32319386b

    • SHA1

      94689e1a9e1503f1082b23e6d5984d4587f3b9ec

    • SHA256

      005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

    • SHA512

      8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

    • SSDEEP

      6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      CVE-2018-15982_PoC.swf

    • Size

      12KB

    • MD5

      82fe94beb621a4368e76aa4a51998c00

    • SHA1

      b7c79b8f05c3d998e21d01b07b9ba157160581a9

    • SHA256

      c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb

    • SHA512

      055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27

    • SSDEEP

      192:gR6qPBBRRcrxFx/pHPn9moz7p/+tqHM41rftZDBLj9b5d/:gwqDcLx/pH/IoBiqH/BfbDBLj9b5h

    Score
    3/10
    • Target

      DiskInternals_Uneraser_v5_keygen.exe

    • Size

      12.9MB

    • MD5

      17c4b227deaa34d22dd0addfb0034e04

    • SHA1

      0cf926384df162bc88ae7c97d1b1b9523ac6b88c

    • SHA256

      a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e

    • SHA512

      691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c

    • SSDEEP

      196608:zGeHGoZMYsFL0NBneaD/TuEIp8TnWh5bpe0RCQElmYzD9gXYToUdYZF0Nz6AV:yKGDYsdUBnTHLIpWnUeXQeEXU6s

    Score
    3/10
    • Target

      E2-20201118_141759.zip

    • Size

      148KB

    • MD5

      fa541ef43e1473d845aa50ccaba6aa23

    • SHA1

      df7704aec365df548379c91a721d31989d8d4ef1

    • SHA256

      948ae9b9e469c0df7478cf8840a78869299e59ffd85b581840b39abc89760001

    • SHA512

      2b8b5dda4c387ca02f31b4e7a2f5a5935163ec158b614bf042d6985fa5da1474e6ff23db4e8561a6f573e9d4482cc2de0e5e4da1a49d19108e8f27139690b8f5

    • SSDEEP

      3072:PCWcu3nJryPqmiLotuF9e0kYIMeZke4OsqprU2sz7xQL+OqmwjilD:KWcu3JrEqToUFMg1OsqxU22qL+p1MD

    Score
    1/10
    • Target

      ForceOp 2.8.7 - By RaiSence.exe

    • Size

      1.0MB

    • MD5

      0a88ebdd3ae5ab0b006d4eaa2f5bc4b2

    • SHA1

      6bf1215ac7b1fde54442a9d075c84544b6e80d50

    • SHA256

      26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680

    • SHA512

      54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37

    • SSDEEP

      24576:sAOcZ1SxlW2YT6EtAcl0URqqqUeiG3STJq3n:64SK2YT6E1l0EqqqU1GwcX

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      HYDRA.exe

    • Size

      2.6MB

    • MD5

      c52bc39684c52886712971a92f339b23

    • SHA1

      c5cb39850affb7ed322bfb0a4900e17c54f95a11

    • SHA256

      f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

    • SHA512

      2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

    • SSDEEP

      49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      KLwC6vii.exe

    • Size

      17KB

    • MD5

      1ded740b925aa0c370e4e5bd02c0741f

    • SHA1

      64731e77b65da3eb192783c074afdcb6a0a245a8

    • SHA256

      a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db

    • SHA512

      fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e

    • SSDEEP

      384:fC68at8DHSXzdgcrS5RnVLeDbSbXsVKWyF5yN:p8MsIWtbeDGHY

    Score
    1/10
    • Target

      Keygen.exe

    • Size

      849KB

    • MD5

      dbde61502c5c0e17ebc6919f361c32b9

    • SHA1

      189749cf0b66a9f560b68861f98c22cdbcafc566

    • SHA256

      88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

    • SHA512

      d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

    • SSDEEP

      24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Target

      Lonelyscreen.1.2.9.keygen.by.Paradox.exe

    • Size

      13.4MB

    • MD5

      48c356e14b98fb905a36164e28277ae5

    • SHA1

      d7630bd683af02de03aebc8314862c512acd5656

    • SHA256

      b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

    • SHA512

      278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

    • SSDEEP

      196608:t7JG5fYHJl9nhdOvPuAZxFa9dfoyG5euyHvf97+pbgEtBRNBL1LFWIHWdgku7:t7BXWGldf+Au6VGBjFmJq

    Score
    3/10
    • Target

      LtHv0O2KZDK4M637.exe

    • Size

      10.6MB

    • MD5

      5e25abc3a3ad181d2213e47fa36c4a37

    • SHA1

      ba365097003860c8fb9d332f377e2f8103d220e0

    • SHA256

      3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9

    • SHA512

      676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681

    • SSDEEP

      196608:Lj43l1SYnShCcjEtOsZ1MJWTqHkzNcWUU5QH7MiXBhxsns3qveh1DCJv/zdM:LGzUCcUOmKoTqH0N9UV7VxHsnpjXK

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visibility of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Rms family

    • Windows security bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Sets file to hidden

      Sets file attributes so the file is hidden from Explorer and similar views.

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.
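    The signatures above describe host behaviour that leaves predictable traces in endpoint telemetry: command lines (net.exe, attrib.exe, netsh.exe, tscon.exe) and registry value writes (Run key, Winlogon Shell/Userinit, SpecialAccounts\UserList, Print\Monitors, DisallowRun, Defender Real-Time Protection policy, Explorer hidden-file settings). The script below is an added example written for this page, not part of the sandbox report or of any tool it mentions. It maps Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) to the signature names the report uses. The JSON field names (EventID, Image, CommandLine, TargetObject) and the sample events are assumptions constructed for the example; the registry paths and commands are the standard Windows locations for each technique.

```python
"""Map Sysmon-style events to the sandbox signature names used in this report.

Added example, not code from the report or from the families it describes.
Event field names follow the Sysmon XML schema as commonly exported to JSON
(EventID, Image, CommandLine, TargetObject); that layout is an assumption.
"""
from __future__ import annotations

import re
from typing import Iterable

# Event ID 13 (RegistryEvent: value set). TargetObject ends with the value name.
REGISTRY_RULES = [
    (re.compile(p, re.IGNORECASE), name) for p, name in [
        (r"\\CurrentVersion\\Run\\[^\\]+$", "Adds Run key to start application"),
        (r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", "Modifies WinLogon"),
        (r"\\Winlogon\\SpecialAccounts\\UserList\\[^\\]+$", "Hide Artifacts: Hidden Users"),
        # Port monitor DLL registered under its own subkey; spoolsv loads it at boot.
        (r"\\Control\\Print\\Monitors\\[^\\]+\\Driver$",
         "Boot or Logon Autostart Execution: Port Monitors"),
        (r"\\Explorer\\DisallowRun\\\d+$",
         "Blocks application from running via registry modification"),
        (r"\\Windows Defender\\Real-Time Protection\\Disable[A-Za-z]+$",
         "Modifies Windows Defender Real-time Protection settings"),
        (r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$",
         "Modifies visibility of hidden/system files in Explorer"),
    ]
]

# Event ID 1 (process create). Rules key on the command line, not the image path.
PROCESS_RULES = [
    (re.compile(p, re.IGNORECASE), name) for p, name in [
        (r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", "Grants admin privileges"),
        (r"\bnet1?(\.exe)?\s+accounts\b", "Password Policy Discovery"),
        (r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\S+", "Stops running service(s)"),
        (r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", "Modifies Windows Firewall"),
        (r"\battrib(\.exe)?\s+(?=.*\+h)", "Sets file to hidden"),
        # tscon <id> /dest:<session> run as SYSTEM attaches another user's RDP session.
        (r"\btscon(\.exe)?\s+\d+\s+/dest:", "Remote Service Session Hijacking: RDP Hijacking"),
    ]
]


def classify(event: dict) -> list[str]:
    """Return every signature name a single event triggers (empty if benign)."""
    if event.get("EventID") == 1:
        text, rules = event.get("CommandLine", ""), PROCESS_RULES
    elif event.get("EventID") == 13:
        text, rules = event.get("TargetObject", ""), REGISTRY_RULES
    else:
        return []
    return [name for rx, name in rules if rx.search(text)]


def hunt(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each triggered signature to the process images that produced it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev.get("Image", "?"))
    return findings


# Constructed sample telemetry (not from the report); the last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 localgroup administrators support /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net1.exe", "CommandLine": "net1 accounts"},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h +s "C:\Users\Public\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon 2 /dest:console"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\support"},
    # AddMonitor is an RPC to the spooler, so the registry write is attributed to spoolsv.exe.
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port Monitor X\Driver"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net1.exe", "CommandLine": r"net1 use Z: \\fileserver\share"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel"},
]

if __name__ == "__main__":
    for signature, images in hunt(SAMPLE_EVENTS).items():
        print(f"{signature}: {sorted(set(images))}")
```

    The rules are deliberately narrow (value names rather than whole key prefixes, `/add` required on the net.exe rule) so that routine Explorer and logon writes under the same keys do not fire; when adapting them to real telemetry, check the localized name of the Administrators group and add RunOnce and the HKLM Run hive if your environment logs them.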

    • Target

      Magic_File_v3_keygen_by_KeygenNinja.exe

    • Size

      8.6MB

    • MD5

      80e5a163c5396401b58a3b24f2e00d38

    • SHA1

      589accaeeca95b8d69fa7bc14f402925dd338a6a

    • SHA256

      72fae9a9d8cfd546975fd86222bc1f7f70133d0845798a683569bb8119ffa3b1

    • SHA512

      cc0ede6416032035943522e5249ac378da4ba58ab836d13b53907567a65f0c296aa7263523ca23f1843fb86a88d123864e9385f4b97bac870a110f6fd2ddf1e6

    • SSDEEP

      196608:t5N9rzUBJGKoeyIf6Rffyo5JDXdhz10MaIjP:jN9/EJQO6FX5JDXdhZ0Ma0

    Score
    3/10
    • Target

      Malware

    • Size

      183KB

    • MD5

      28334841e31d428d689465dc64f15307

    • SHA1

      8c84f0d662d71a6e421e767e68eb60d2854f7722

    • SHA256

      53c6cfe9358749d0550adebd63c3461c12910dafbc27bff25c8a5d096dd5413d

    • SHA512

      b2985c353b32eb1de95b0ec992e7b704fdda81f9f77eb335d9d22deb479b78f0f246f65d0b659fdea26912ef23a9124cc1f5142c9cdb1b9b97cafb4d457eb8d8

    • SSDEEP

      3072:JoDuqQ45BbpadYUadYmadY5ldNowdcHUWtDtLtxtDtyjtqtWnwebS6U4dEUKda0y:eDuqQ4/bpaqUaqmaq5ldNowdcHU+hp/E

    Score
    1/10
    • Target

      OnlineInstaller.exe

    • Size

      3.6MB

    • MD5

      4b042bfd9c11ab6a3fb78fa5c34f55d0

    • SHA1

      b0f506640c205d3fbcfe90bde81e49934b870eab

    • SHA256

      59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

    • SHA512

      dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

    • SSDEEP

      98304:ghXqJiXwwhwvxR7FI6wYroMUQrYeoFj6bjsKzZx7T7:ghXqsX3hs79bxiEbgKX7

    Score
    8/10
    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks for any installed AV software in registry

    • Drops file in System32 directory

    • Target

      REVENGE-RAT.js.zip

    • Size

      134KB

    • MD5

      98967fb850d6fe8346f8b40b74576d34

    • SHA1

      abfb33d5270ad5802f80a114069232fea625a432

    • SHA256

      ec30d04e3a22d5db309583cf59909aaff90fb2cca48b86320908057033b9f75f

    • SHA512

      b8b7c7002d550a1cac7e76c4e996a395cf4b84fb54c30646d7761c71e50eda936a9f06227b89c0ae43f4804a526f6a4a85c82cd4a666c9c4c37d66810d9a32cc

    • SSDEEP

      3072:MLo8F12TygesO04F8UQvk7w+ZlZL90VbxTeo7Azj:MLo8H2TheDF2UjvLI1Af

    Score
    1/10
    • Target

      b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip

    • Size

      187KB

    • MD5

      e2cfccc39bd989ba47337ba94a6a5ccc

    • SHA1

      fe9bd998cdede8170ee4428004ca84632687b6f0

    • SHA256

      2b0df16d6ea20b06a52e00a4b7bb85d7b18195b28f8bee28c1672946139803c1

    • SHA512

      37e02ce284cd3800f32ff7d66aadd5835258dbab7117d4a13e32a8800f8fe13e906c5d8c8e3cbe542b8040ee0301752552236ddd901440f9f75fe7051e6f4083

    • SSDEEP

      3072:vh0Zaiex7fNDGiWFoU5qNF1kZGfJvZBnhStRVAvB2F2ukwF6Xc4q6zMICDSQIqRX:vh0ZaieXDQqNFKoJvZXqeBMQXXq6zMI8

    Score
    1/10

MITRE ATT&CK Enterprise v16

Tasks

static1

main, 26.02.2020, upx, stealer, xdsddd, victime, 25/03, samay, cryptone, packer, 09/04, 07/04, 305419896, insert-coin, ytsystem, hacked, hack, zloader, revengerat, cobaltstrike, zeppelin, njrat, xred, modiloader
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

zloader, main, 26.02.2020, botnet, discovery, persistence, trojan
Score
10/10

behavioral5

discovery
Score
3/10

behavioral6

smokeloader, backdoor, discovery, trojan
Score
10/10

behavioral7

smokeloader, backdoor, discovery, trojan
Score
10/10

behavioral8

discovery, persistence
Score
7/10

behavioral9

agenttesla, danabot, dharma, formbook, gozi, qakbot, raccoon, 86920224, spx129, 1590734339, i0qiw9z, agilenet, banker, cryptone, defense_evasion, discovery, execution, impact, keylogger, packer, persistence, ransomware, rat, rezer0, rm3, spyware, stealer, trojan
Score
10/10

behavioral10

discovery
Score
3/10

behavioral11

asyncrat, babylonrat, darkcomet, njrat, warzonerat, 2020nov1, null, defense_evasion, discovery, infostealer, persistence, privilege_escalation, rat, trojan
Score
10/10

behavioral12

discovery, persistence, ransomware, upx
Score
10/10

behavioral13

Score
1/10

behavioral14

hakbit, credential_access, defense_evasion, discovery, execution, ransomware, spyware, stealer
Score
10/10

behavioral15

revengerat, execution, stealer, trojan
Score
10/10

behavioral16

revengerat, persistence, stealer, trojan
Score
10/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
8/10

behavioral19

Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

Score
1/10

behavioral22

discovery
Score
7/10

behavioral23

smokeloader, backdoor, discovery, persistence, trojan
Score
10/10

behavioral24

Score
1/10

behavioral25

discovery, execution
Score
10/10

behavioral26

discovery
Score
3/10

behavioral27

azorult, rms, aspackv2, defense_evasion, discovery, execution, infostealer, lateral_movement, persistence, privilege_escalation, rat, trojan, upx
Score
10/10

behavioral28

discovery
Score
3/10

behavioral29

Score
1/10

behavioral30

discovery
Score
8/10

behavioral31

Score
1/10

behavioral32

Score
1/10