General

  • Target

    250602-q2am5a1ygx.bin

  • Size

    466.8MB

  • Sample

    250602-q72nss1zf1

  • MD5

    72364945b46c400678b30759b1cdda52

  • SHA1

    55c1e9725dab3925e63943c5aa4329d6fee0012d

  • SHA256

    bd5ee1f6ebe18c36a0168c43f459f54fd133d35244b269e4ecef5bd2a484c72b

  • SHA512

    13a9ef2c624bde874181a33f21cf62f4ffa52a8a7e958a729088b7fab1462f4d71775934b10b1b1ac678f6e18d9f2832c33440aec8dbfe815348345bf8bbc42b

  • SSDEEP

    12582912:V3JuitJi1QjcTh6WzDfCP/Hs+6IQ23CvC9n6Vy8QC+xk:V3IiC1Q6hbzWPvs+TQICoOy//a

Malware Config

Extracted

Family

orcus

C2

192.168.171.129:10134

pont9245.ddns.net:7777

147.185.221.16:18244

hostip00.duckdns.org:10134

91.218.65.24:10134

s7vety-27063.portmap.host:27063

kissmyasshole.myddns.me:1012

Mutex

186d21ec80e143edb3384fa80d4ee7f8

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

orcus

Botnet

Roblox script injector

C2

youcantfindmelol.ddns.net:10134

Mutex

de0e17d469cc46849280a8cd4d643763

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Java\Java.exe

  • reconnect_delay

    10000

  • registry_keyname

    Java

  • taskscheduler_taskname

    Java Updater

  • watchdog_path

    Temp\Java Updater.exe

Extracted

Family

orcus

Botnet

NEW

C2

122.186.23.243:10134

Mutex

c7798e5973374c92859ce651077d0576

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %windir%\Desktop Window Manager.exe

  • reconnect_delay

    10000

  • registry_keyname

    Program

  • taskscheduler_taskname

    Windows

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

orcus

Botnet

EMVLATEST

C2

3.tcp.eu.ngrok.io:22028

Mutex

699ea505fbd445a7924b6888db7a5f2a

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Windows Security\Microsoft Defender.exe

  • reconnect_delay

    10000

  • registry_keyname

    javaservice

  • taskscheduler_taskname

    win10service

  • watchdog_path

    AppData\javaforwin.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

friendlyman69.ddns.net:55042

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    lsass.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:5555

hostz.hopto.org:5555

172.65.175.19:443

127.0.0.1:7000

council-amp.gl.at.ply.gg:59436

28.ip.gl.ply.gg:65453

Mutex

Nyv6QFoXtqKjtLri

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    DMA Driver.exe

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

90.120.50.244:2518

127.0.0.1:2518

Mutex

6baeca53-6eec-4a83-8679-c479f2f1a649

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-11-20T17:31:41.353489336Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2518

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6baeca53-6eec-4a83-8679-c479f2f1a649

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    90.120.50.244

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

xworm

C2

studies-license.gl.at.ply.gg:48057

dpwekwpd-58261.portmap.io:58261

127.0.0.1:7000

127.0.0.1:2321

133.23.21.222:2321

28.ip.gl.ply.gg:65453

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1367163929452613703/0Ot4VsdGUKWdMg4T-pgsrzxgFAOyvGEFGDEYD7_CrEfiWkjJTQFitsIjIZavpL8rfypz

Extracted

Family

orcus

Botnet

NOOB NONAME

C2

26.223.23.213:25565

Mutex

378fcdd4ef824c7db5946dd1cf8ec64f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    Temp\OrcusWatchdog.exe
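
The install_path, registry_keyname, taskscheduler_taskname and watchdog_path fields in the Orcus, AsyncRAT and XWorm configs above are only useful on a host if they are expanded the way the implant expands them and compared the way NTFS compares (case-insensitively, with a per-user profile segment). The following is an added example, not code from this report or from any of the RAT families, that turns those rows into host indicators and runs them over constructed telemetry. The placeholder expansion table, the treatment of the relative watchdog prefixes (which the report does not explain) and the event format are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Persistence fields copied from the Extracted configs above:
# (family, install path, Run value name, scheduled task name, watchdog path)
CONFIGS = [
    ("orcus", r"%programfiles%\Orcus\Orcus.exe", "Orcus", "Orcus", r"AppData\OrcusWatchdog.exe"),
    ("orcus", r"%programfiles%\Java\Java.exe", "Java", "Java Updater", r"Temp\Java Updater.exe"),
    ("orcus", r"%windir%\Desktop Window Manager.exe", "Program", "Windows", r"AppData\OrcusWatchdog.exe"),
    ("orcus", r"%programfiles%\Windows Security\Microsoft Defender.exe", "javaservice", "win10service", r"AppData\javaforwin.exe"),
    ("asyncrat", r"%AppData%\lsass.exe", None, None, None),
    ("xworm", r"%Userprofile%\DMA Driver.exe", None, None, None),
    ("xworm", r"%ProgramData%\USB.exe", None, None, None),
]

# Assumed expansion on a default 64-bit install; <user> stands for any profile name.
ENV = {
    "%programfiles%": r"C:\Program Files",
    "%windir%": r"C:\Windows",
    "%appdata%": r"C:\Users\<user>\AppData\Roaming",
    "%userprofile%": r"C:\Users\<user>",
    "%programdata%": r"C:\ProgramData",
}
# The report does not say how Orcus resolves the relative watchdog prefixes;
# mapping them onto roaming AppData and the per-user Temp folder is an assumption.
RELATIVE_PREFIX = {
    "appdata": r"C:\Users\<user>\AppData\Roaming",
    "temp": r"C:\Users\<user>\AppData\Local\Temp",
}


def expand(path: str) -> str:
    """Expand %VAR% placeholders (case-insensitively) and the relative prefixes."""
    out = re.sub(r"%[^%\\]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)
    head, sep, tail = out.partition("\\")
    if sep and head.lower() in RELATIVE_PREFIX:
        out = RELATIVE_PREFIX[head.lower()] + "\\" + tail
    return out


def path_regex(expanded: str):
    """Whole-path literal match, case-insensitive (NTFS), <user> = exactly one segment."""
    pattern = re.escape(expanded).replace(re.escape("<user>"), r"[^\\]+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def build_indicators() -> List[Tuple[str, object, str]]:
    """(kind, matcher, label): 'file' carries a regex, 'run_value'/'task' a lower-cased name."""
    out = []
    for family, install, run_name, task, watchdog in CONFIGS:
        for p in (install, watchdog):
            if p:
                out.append(("file", path_regex(expand(p)), f"{family}:file:{expand(p)}"))
        if run_name:
            out.append(("run_value", run_name.lower(), f"{family}:run_value:{run_name}"))
        if task:
            out.append(("task", task.lower(), f"{family}:task:{task}"))
    return out


def match_event(event: Dict[str, str], indicators) -> List[str]:
    """Event shapes are constructed for this example:
    file_create{path}, registry_set{key,name}, task_create{name}."""
    hits = set()
    for kind, m, label in indicators:
        if kind == "file" and event["event"] == "file_create" and m.match(event["path"]):
            hits.add(label)
        elif (kind == "run_value" and event["event"] == "registry_set"
              and event["key"].lower().endswith(r"\currentversion\run")
              and event["name"].lower() == m):
            hits.add(label)
        elif kind == "task" and event["event"] == "task_create" and event["name"].lower() == m:
            hits.add(label)
    return sorted(hits)


SAMPLE_EVENTS = [  # constructed telemetry, not from the report
    {"event": "file_create", "path": r"C:\Users\bob\AppData\Roaming\lsass.exe"},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Java"},
    {"event": "task_create", "name": "Java Updater"},
    {"event": "file_create", "path": r"C:\PROGRAM FILES\java\java.exe"},
    {"event": "file_create", "path": r"C:\Program Files\Java\jre1.8.0_401\bin\java.exe"},
    {"event": "file_create", "path": r"C:\Users\alice\AppData\Roaming\OrcusWatchdog.exe"},
]

if __name__ == "__main__":
    ind = build_indicators()
    for ev in SAMPLE_EVENTS:
        print(ev, "->", match_event(ev, ind))
```

The file-path matches carry most of the weight: a Run value named "Java" or a task named "Windows" exists on plenty of clean machines, whereas a file at exactly `%programfiles%\Java\Java.exe` (rather than under a JRE directory, as in the benign sample event) does not. Note that `%programfiles%` expands differently for 32-bit processes on 64-bit Windows, so a production rule would include `C:\Program Files (x86)` as well.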

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://zhongsijiacheng.com/wp-content/jn5/

exe.dropper

http://artistascitizen.com/wp-content/Bx3cr6/

exe.dropper

http://ombchardin.com/archive/V/

exe.dropper

https://apsolution.work/magneti-marelli-zkkmb/toq7Eiy/

exe.dropper

https://happycheftv.com/wp-admin/z6uGcbY/

exe.dropper

https://careercoachconnection.com/tenderometer/4K/

exe.dropper

https://tacademicos.com/content/JbF68i/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.toteteca.com/qzkiodlofm/5555555555.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://zenithcampus.com/l/yQ/

exe.dropper

http://hbprivileged.com/cgi-bin/kcggF/

exe.dropper

http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/

exe.dropper

https://johnhaydenwrites.com/track_url/P/

exe.dropper

https://nahlasolimandesigns.com/nahla3/d/

exe.dropper

https://football-eg.com/web_map/n/

exe.dropper

https://vietnhabienhoa.com/wordpress/QUTy/
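
Not every C2 entry extracted above deserves the same attention: loopback and RFC 1918 addresses are builder defaults or the operator's own lab, dynamic-DNS and tunnel hostnames resolve to a provider's shared infrastructure, and the Umbral entry is a Discord webhook rather than a server. This added example (not code from the report or from the sandbox) sorts the extracted entries into those buckets. The bucket names, the provider suffix lists and the definition of "hunt-worthy" are this example's own choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Free dynamic-DNS providers and tunnel/port-forwarding services that show up in
# the configs above. Pivot on the full hostname; blocking the suffix is rarely acceptable.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "hopto.org", "myddns.me")
TUNNEL_SUFFIXES = ("ngrok.io", "ply.gg", "portmap.host", "portmap.io")


@dataclass(frozen=True)
class Endpoint:
    raw: str
    host: str
    port: Optional[int]
    category: str


def _has_suffix(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_host(host: str) -> str:
    """Bucket a hostname or IP literal by how actionable it is for hunting."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower().rstrip(".")
        if _has_suffix(h, DYNAMIC_DNS_SUFFIXES):
            return "dynamic_dns"
        if _has_suffix(h, TUNNEL_SUFFIXES):
            return "tunnel_service"
        return "domain"
    if ip.is_loopback:
        return "loopback"      # builder default or test build: never reachable
    if ip.is_private or ip.is_link_local:
        return "private"       # operator's own LAN: meaningless outside it
    return "public_ip"


def parse_endpoint(raw: str) -> Endpoint:
    """Accept the report's 'host:port' form or a URL (the Umbral Discord webhook)."""
    raw = raw.strip()
    if "://" in raw:
        u = urlparse(raw)
        host = u.hostname or ""
        if host == "discord.com" and u.path.startswith("/api/webhooks/"):
            # Exfil channel on a shared service: report the webhook, do not block discord.com.
            return Endpoint(raw, host, u.port, "webhook")
        return Endpoint(raw, host, u.port, classify_host(host))
    host, sep, port = raw.rpartition(":")
    if not sep or not port.isdigit():
        return Endpoint(raw, raw, None, classify_host(raw))
    return Endpoint(raw, host, int(port), classify_host(host))


def triage(entries) -> Dict[str, List[Endpoint]]:
    """Group endpoints by category."""
    groups: Dict[str, List[Endpoint]] = {}
    for e in map(parse_endpoint, entries):
        groups.setdefault(e.category, []).append(e)
    return groups


def hunt_worthy(entries) -> List[Endpoint]:
    """Everything that can actually appear in DNS or NetFlow telemetry outside the attacker's LAN."""
    return [e for e in map(parse_endpoint, entries) if e.category not in ("loopback", "private")]


# Entries copied from the Extracted configs above (a representative subset).
SAMPLE_ENDPOINTS = [
    "192.168.171.129:10134", "pont9245.ddns.net:7777", "147.185.221.16:18244",
    "hostip00.duckdns.org:10134", "91.218.65.24:10134", "s7vety-27063.portmap.host:27063",
    "youcantfindmelol.ddns.net:10134", "3.tcp.eu.ngrok.io:22028", "friendlyman69.ddns.net:55042",
    "127.0.0.1:5555", "hostz.hopto.org:5555", "172.65.175.19:443",
    "council-amp.gl.at.ply.gg:59436", "90.120.50.244:2518", "26.223.23.213:25565",
    "dpwekwpd-58261.portmap.io:58261",
    "https://discord.com/api/webhooks/1367163929452613703/"
    "0Ot4VsdGUKWdMg4T-pgsrzxgFAOyvGEFGDEYD7_CrEfiWkjJTQFitsIjIZavpL8rfypz",
]

if __name__ == "__main__":
    for category, eps in sorted(triage(SAMPLE_ENDPOINTS).items()):
        print(f"{category:15} {[e.host for e in eps]}")
```

Tunnel and dynamic-DNS hostnames are still worth a DNS-log search because the full name is operator-specific, but the IP they resolve to belongs to the provider and changes; record the hostname and port pair, not the resolved address.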

Targets

    • Target

      uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe

    • Size

      2.7MB

    • MD5

      2648c64711a910797ec85e145d45fe3e

    • SHA1

      bca3cd7091f73be66213f7aac1bef1be1527bfb2

    • SHA256

      057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de

    • SHA512

      129d8f7afbf4d05568df05319b2e684235e3392e3928252ad35c227abe22870114c6d343fded5ecbf98d105f16c7ddc0eb0487020f1b7efa785dcacd1c203e82

    • SSDEEP

      49152:ROnDZlOiVb/3pYBZpUh0QuM5enR/Iy1TqjUC6R5SAq6Iex20AB4T2zQbk3G4QZDv:ROzJVb/3QGgnR/Iy1TEUnbqiI0AB4XkC

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe

    • Size

      409KB

    • MD5

      3d6531f8f4eb1b41f62e8a55f033735f

    • SHA1

      aa250187efbbb4254d14949d862b41c6125b452c

    • SHA256

      f7f8ca0ae4af42baa3586561ce73cea45445e439eec867091704a696de334e96

    • SHA512

      505bb32692f7e65106dc55eb8fdb9eb0b4b095d1fbc6b3c33d496fbd9f540e7c05c0f42df3401c7d1933f0f48fb51844e61c5b6bdbf29a2d2ff273366076a121

    • SSDEEP

      12288:P//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7J:P3Zbm0BZvQxCgrXS9f6

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe

    • Size

      73KB

    • MD5

      c0bae473a586ca639fd3f0e2113ae32c

    • SHA1

      562c4595d866f71de81d72f2a1356dd0b266aa2f

    • SHA256

      d423b582ccf801825bf5a60d1c0a0ffdf5b06704507f327873d4790029753ffe

    • SHA512

      947863e46bb0a1275343a7383d6708dcacc1e53e9e6ff6c1006f527d838f7836670af9a446a01c11c01b292e8096ce8f3b51de7d8d142a17c691342ba00d3309

    • SSDEEP

      1536:Hj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtP43KBp:3bFMzTFq+N48UxpP

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/1.exe

    • Size

      913KB

    • MD5

      c02308ef085b976898fa42b065254aa2

    • SHA1

      95e03e7644a56af5fefc12c32b2c86b2c20fe5af

    • SHA256

      6b4adc3f05b6f7968d826b26b6a472ad3906a5b659eae167bd3a922415c6133d

    • SHA512

      e64ee710eb5fedb7d7220a8876b64945a76f70e2880100b30d340e346d0880a98085c8c183f2796f6c706347de030124daeb5a8fcda7aff578bf1cb88ee484e5

    • SSDEEP

      24576:X+5T4MROxnFm5bHKTlQZrZlI0AilFEvxHizS9:u50MiAZrZlI0AilFEvxHi

    Score
    6/10
    • Drops desktop.ini file(s)

    • Target

      uploaded/123.exe

    • Size

      903KB

    • MD5

      264e7741729c68da987f40f4cd19a36f

    • SHA1

      16dc103026652605229355ced92127fd1c85bbc2

    • SHA256

      94ad5e95fc0167221e93b241d4890649158fb8a59272d9e96ad741d3b7e51fff

    • SHA512

      e2d5bd4fd3e08f69cb225e5c72d2a515770292df59c14c6f20c45cc1736145dc148ab2a05ff78ab560a84ca696fb7937a9a8d193696a2b8337eabc5f07ed9168

    • SSDEEP

      12288:00XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCVyrO12nIMmJPepjikbQ7dG1lF/:qPF4MROxnFNHrrcI0AilFEvxHPmooo

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcurs Rat Executable

    • Target

      uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe

    • Size

      73KB

    • MD5

      2bbc55048c13c64ff4f381d02fd2e37d

    • SHA1

      c0de7b7c3bc33898db1134126bad349abc6eec6e

    • SHA256

      ba06a9df44bb8d2439f9ec8ef3cf7ab8349abdc9dc60593f5718785ceb4e7e76

    • SHA512

      3b9a62cb11ad5c5abc3466d4e2208242c421d801bbae4151fc36754d7c579cabe661a06ffa7bf30ad6257fa80f343ab295836281711396abffd0bdfe5dff6548

    • SSDEEP

      1536:zj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtDl3K7:LbFMzTFq+N48U1E7

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe

    • Size

      124KB

    • MD5

      1b83cb61b35c039591f2ff3380e04d81

    • SHA1

      f70328bdcddd8b70c847db5eba6f8fe777f99397

    • SHA256

      790353165b689048a77a6aa76010b561db500d85e3d3509b1ce869204129de49

    • SHA512

      3f43b80d07db00cb204890c9b62fe0563d456d6621a2bfacdbf9568b1e03562197fec849896c804b8c2fdc2f686fa2a244ad69261d2919b74857b973fe02e733

    • SSDEEP

      3072:5hjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEI7:5hjVvFSgjCLf85f5h4ixYDZFm7

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe

    • Size

      1.9MB

    • MD5

      7c282de58057bcbd9fd001d5bd5c9728

    • SHA1

      13080576fcdd77d6219c948f33e242a1a3f19efb

    • SHA256

      19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e

    • SHA512

      15221e1da59d05d011809d95b3c235356cebc341ba04190edee4e1143bf3a5c415809a427419cf08f8a10c0c7772bc1427412199fbd588e6adfbca285e2d9eb4

    • SSDEEP

      49152:1fDODfDFnzD1Us+kMg7ZFZrr89UfT3MF:Cr8AMF

    Score
    1/10
    • Target

      Archivo_2001_2021_49-381887.doc

    • Size

      158KB

    • MD5

      74ab40efc21fceb14a432f7c4d000b67

    • SHA1

      5fb79750ab4f78e18c3d1800be5b2e9ac0959db3

    • SHA256

      89680559595f62f12bfdd9338c525133244ea6b7f23bb9b5b798ce04232817f0

    • SHA512

      d2abd2bebf5485aeaa570b4d019c426afaa1173f4f428eafecc617072c7f86242db306098ec3081135e71c69ae18b0f28504313f5f0cdd70f8634c3d1ed8a70d

    • SSDEEP

      3072:OL1QUTdcrrXyQBsc0vWJVi4IrwVdmZVT2Vq:OLC9PII4R2V

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      Refusal-217432546-01212021.xlsm

    • Size

      25KB

    • MD5

      7a0ca2f162b86659f47411d39f8be75e

    • SHA1

      8ee78da95af22a1d01d3ec035eaccdeb5be44276

    • SHA256

      70a5d9ef163f6e6c7e32c366363d7d4e9a6cbb06df84802edd177acb907fe092

    • SHA512

      c22ffe07d03a3d605e77da77d4a8f5425bc32ae7da5bf1abe558b265f8cd396d83f4f438b620611f65b6d0383e75cf197d75807036f733123cc820f5ee471a95

    • SSDEEP

      384:4Mfowh92aGcoKKRR6xt7k5SV8m2ylTQ8aoVT0QNuzWKP8WZoms:4MflhQaGc7SsFk5S6f6TfW+u7DZRs

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Target

      uploaded/222.exe

    • Size

      907KB

    • MD5

      9474c8c2696babee986e8ae1bc46bd78

    • SHA1

      1bcbfc24030a8e09c15055ad90685cac7af24cb1

    • SHA256

      b2f324d6ae851aa65773d233201d58ac5230d525281afd1775e0b82514ac9645

    • SHA512

      bf03529601fb0a935188c6efd72e5d752aed5c23085ade870a385c47b746b8ce9927527c78ab61c28a4d4b8cf23217b1e74e76ee6e1644d85439646a216f5153

    • SSDEEP

      24576:ocI4MROxnFj3qxXFHXRrZlI0AilFEvxHiW8F:ocrMi1mRhrZlI0AilFEvxHiW

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Target

      uploaded/2531 2212 2020 QG-826729.doc

    • Size

      213KB

    • MD5

      cf288a156f60cf132cf14c617b41a154

    • SHA1

      b4dbb03f48b651d2a81849a12049a9ac9f5295a2

    • SHA256

      3a15b42c4692483aedb912298719b52e5513cf3d2a58ffca07c78fa8c48b536c

    • SHA512

      f694cfad3e816fc7af937a6eca905ae4c1fa71fc1be1a2c4f56b9060bdfc2eb0fee520698b80bb92bdbfffedd13c50946a5e08f1f8e863a259629e9e419b754c

    • SSDEEP

      3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gRyHYbwRe/dNx0tcn15rJDMsIxS:O9ufsfgIf0pLxbwQlNx0tw15rJDMsIxS

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      uploaded/25f2c4054d0680fd51f2cf860055f2234.exe

    • Size

      162KB

    • MD5

      91106264680a5cc064c550a62c8650c7

    • SHA1

      67758edc66f1160728b82ab7608bb0cf1ad7fc5a

    • SHA256

      b3fb1ae7923313ad51ec2101c28fd1f1417cc987f33272227fdc1745c5e5261b

    • SHA512

      4a5dc892381f09c7628f71c386756026ca432e4614e26a46309fdd9d2453c76643f58ebe8e61cc0d567cb563a0ab484f18b85c90afa9b65aef14863fc166dbf3

    • SSDEEP

      3072:0LzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNem6q:0H2zTu1gbAvMZ4A9RPLpy

    Score
    3/10
    • Target

      uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe

    • Size

      9.8MB

    • MD5

      23e735b01c2f68b79d9e6cd8ac8e42f4

    • SHA1

      b3edba909b2fbdd8d0217bb956f3ee500f9ab137

    • SHA256

      2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147

    • SHA512

      44a0a253919ef8a956799bfd3fcd4e40dcbe21ef493a98597d798ed8c53f7d4e801b7f43c182d3df970f185696d46dcc05bb1f94895a863875da94ce282837ff

    • SSDEEP

      196608:JGtFyDDwRv5DFUhA7yUjCaoQLXtN9rEs2oLkdDPbrTOjJ/XY2a8nH36CJ5:otFyDDwRvl6hTjaoALAoL6DzrTYvvaK5

    Score
    7/10
    • Loads dropped DLL

    • Target

      uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe

    • Size

      73KB

    • MD5

      e1a1a8ec650e500872946774b1b9c30e

    • SHA1

      0622e0ab98bcd1a289732e4cad457e1474d84b4a

    • SHA256

      43e54d4e4f485f789739694024b6136f5e5215172555a846608abc8f5386c19a

    • SHA512

      fe659312fcb4ce55ece76bafbd61ffce5774fa51223b215276d4e1eac4176f0a717749ddc4af97d2bf7a81242d1ae5b25ae08329b245ab6a64e11fd2ccb0fa9a

    • SSDEEP

      1536:sj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtfW3Kn8:KbFMzTFq+N48UVj8

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe

    • Size

      144KB

    • MD5

      c2a760c6461449ac1d5a5538242bed11

    • SHA1

      59684c6261afc698c0f6a46658986f0268f4c5a0

    • SHA256

      387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092

    • SHA512

      b00734a77c70f18ed10049c67823316498208b32e9f662f9fa56074b862bd8606826947f8cb394ed48d0d9b88f47e7fa214153e53fbc83c60bb7075d57375dd8

    • SSDEEP

      3072:/29rIyJvv9Gq9q/uNKFO+oFGqN/xJCpgDjXYQWNoF97PYJ:e98S9Gq9WM5Z2mbYQWNslY

    Score
    3/10
    • Target

      uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe

    • Size

      11.8MB

    • MD5

      b777cfa3f6c7d8ad118caf620908a60d

    • SHA1

      46a0af09d1901ceaca3ccde27499ee1b91cdf0e1

    • SHA256

      3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4

    • SHA512

      f41be2c1673f8fe1f884b36a74b0e2e906702432375aab0934e7afaf329a576943a077a7369adf134136be26b823a699c025d3e5c0a7e54bf1d939a25ddf8745

    • SSDEEP

      196608:54F1KIlUrJyTOZzEwLVa1XwETq4FHsm1hmKXdFL5d3IH:yF4LyTOZ3LVgXwCDFHsm1hm8dJI

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
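
Two of the PowerShell signatures in this report, "Run Powershell and hide display window" on the .doc droppers and "Run Powershell to modify Windows Defender settings to add exclusions" on the last sample, can both be checked from process command lines or script-block logs. The following added example (not the sandbox's own rule logic) does that over constructed command lines. It accounts for two things a naive string match misses: powershell.exe binds a parameter from any unambiguous prefix of its name (`-w` for `-WindowStyle`, `-enc` for `-EncodedCommand`, `-ExclusionPr` for `-ExclusionProcess`), and the cmdlet may be hidden inside a base64 UTF-16LE encoded command. The sample command lines and the finding names are this example's own.

```python
import base64
import re
from typing import List, Optional

# Set-MpPreference / Add-MpPreference parameters that carve holes in Defender coverage.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress")
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# A "-Name" switch and, if present, its first argument (arguments never start with "-").
SWITCH = re.compile(r"(?<![\w-])-([A-Za-z]+)(?:[\s:]+((?!-)\S+))?")


def resolve_prefix(token: str, names) -> List[str]:
    """PowerShell binds a parameter from any prefix of its name. Return every name
    the token could bind to; more than one means PowerShell itself would reject
    the call as ambiguous, which is still worth flagging."""
    t = token.lower()
    return [n for n in names if n.lower().startswith(t)]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand (also -e, -ec, -enc, ...) carries base64 of UTF-16LE text.
    Return the decoded script, or None when no such switch is present."""
    for m in SWITCH.finditer(cmdline):
        name, arg = m.group(1), (m.group(2) or "").strip("\"'")
        if name.lower() != "ec" and not resolve_prefix(name, ("EncodedCommand",)):
            continue
        try:
            return base64.b64decode(arg, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyze(cmdline: str) -> List[str]:
    """Findings for one command line: hidden window, encoded payload, and each
    Defender exclusion parameter set on the line or inside its decoded payload."""
    findings = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.add("encoded_command")
    for m in SWITCH.finditer(cmdline):
        name, arg = m.group(1), (m.group(2) or "").strip("\"'")
        if resolve_prefix(name, ("WindowStyle",)) and arg.lower() == "hidden":
            findings.add("hidden_window")
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if MP_CMDLET.search(text):
        for m in SWITCH.finditer(text):
            for param in resolve_prefix(m.group(1), EXCLUSION_PARAMS):
                findings.add("defender_exclusion:" + param)
    return sorted(findings)


def scan(lines):
    """Map each suspicious command line to its findings; clean lines are dropped."""
    result = {}
    for line in lines:
        findings = analyze(line)
        if findings:
            result[line] = findings
    return result


# Constructed command lines (not from the report), shaped like Sysmon Event ID 1 CommandLine values.
_PAYLOAD = 'Add-MpPreference -ExclusionProcess "Java.exe"'
ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference '
    r'-ExclusionPath C:\Users\Public -ExclusionExtension exe"',
    'powershell -w hidden -c "Set-MpPreference -ExclusionPr svchost.exe"',
    "powershell.exe -nop -enc " + ENCODED,
    'powershell.exe -NoProfile -Command "Get-MpComputerStatus"',
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(findings, "<-", line)
```

Feed `analyze` with Sysmon Event ID 1 `CommandLine` values or PowerShell Event ID 4104 `ScriptBlockText`; the latter already shows decoded content, so the encoded-command branch mainly matters for process-creation telemetry. An ambiguous token such as `-ExclusionP` resolves to both ExclusionPath and ExclusionProcess; PowerShell would refuse to run it, but an operator who mistyped once usually retries, so the attempt is still worth an alert.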

MITRE ATT&CK Enterprise v16

Tasks

static1

upx, macro, macro_on_action, roblox script injector, new, emvlatest, rat, default, aspackv2, noob noname, orcus, asyncrat, neshta, darkcomet, modiloader, xworm, nanocore, umbral
Score
10/10

behavioral1

discovery, persistence
Score
7/10

behavioral2

discovery, persistence, upx
Score
7/10

behavioral3

discovery, persistence, upx
Score
7/10

behavioral4

discovery, upx
Score
5/10

behavioral5

discovery, upx
Score
5/10

behavioral6

Score
6/10

behavioral7

Score
6/10

behavioral8

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral9

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral10

discovery, upx
Score
5/10

behavioral11

discovery, upx
Score
5/10

behavioral12

bootkit, discovery, persistence, upx
Score
6/10

behavioral13

bootkit, discovery, persistence, upx
Score
6/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

execution
Score
10/10

behavioral17

execution
Score
10/10

behavioral18

Score
10/10

behavioral19

Score
6/10

behavioral20

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral21

orcus, discovery, rat, spyware, stealer
Score
10/10

behavioral22

execution
Score
10/10

behavioral23

execution
Score
10/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
7/10

behavioral27

discovery
Score
7/10

behavioral28

discovery, upx
Score
5/10

behavioral29

discovery, upx
Score
5/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

execution
Score
8/10