Overview
General

- Target: 250602-sz9esas1cv.bin
- Size: 466.8MB
- Sample: 250602-s6y8dsdq4z
- MD5: 72364945b46c400678b30759b1cdda52
- SHA1: 55c1e9725dab3925e63943c5aa4329d6fee0012d
- SHA256: bd5ee1f6ebe18c36a0168c43f459f54fd133d35244b269e4ecef5bd2a484c72b
- SHA512: 13a9ef2c624bde874181a33f21cf62f4ffa52a8a7e958a729088b7fab1462f4d71775934b10b1b1ac678f6e18d9f2832c33440aec8dbfe815348345bf8bbc42b
- SSDEEP: 12582912:V3JuitJi1QjcTh6WzDfCP/Hs+6IQ23CvC9n6Vy8QC+xk:V3IiC1Q6hbzWPvs+TQICoOy//a
Static task: static1

Behavioral tasks (each run with resource win10v2004-20250502-en):
- behavioral1: uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe
- behavioral2: uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe
- behavioral3: uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe
- behavioral4: uploaded/1.exe
- behavioral5: uploaded/123.exe
- behavioral6: uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe
- behavioral7: uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe
- behavioral8: uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe
- behavioral9: Archivo_2001_2021_49-381887.doc
- behavioral10: Refusal-217432546-01212021.xlsm
- behavioral11: uploaded/222.exe
- behavioral12: uploaded/2531 2212 2020 QG-826729.doc
- behavioral13: uploaded/25f2c4054d0680fd51f2cf860055f2234.exe
- behavioral14: uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe
- behavioral15: uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe
- behavioral16: uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe
- behavioral17: uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe
- behavioral18: uploaded/3ca0877ae8c3c628acfe78c6847f770fe20f02790f69749216cc703ab0618002.exe
- behavioral19: uploaded/4c6265723661653d2fdab12a0d5d7e841.exe
- behavioral20: uploaded/5b518173a571366bfdce5cdd282738a38.exe
- behavioral21: uploaded/6a4af3ace8066e79a1020e27b2c1cc3f81d6cd8d68d1329e67b93e44b9d3d008.xls
- behavioral22: uploaded/6fecc453c515bb03d82132650d3d4c6bb.exe
- behavioral23: uploaded/70730f33f4db9f15399c6e4a510a5c4eec3bf100206535155001a2b3adbb3077.exe
- behavioral24: uploaded/70e835f3140dc2fbc211273727a8a8b4d.exe
- behavioral25: uploaded/83682a6a473ca2135d14cbc52c584fb46.exe
- behavioral26: uploaded/882f4c1313d37351d72004caa3ef1aee0.exe
- behavioral27: uploaded/8e751b8765f733f3f7682fd1247a27a70.exe
- behavioral28: uploaded/8f6b416bb42a3f168bf083c67687bd533.exe
- behavioral29: uploaded/93h9j2xi5z-safety.exe
- behavioral30: uploaded/93h9j2xi5z.exe
- behavioral31: uploaded/AC27_Build3001-UP7-K.exe
- behavioral32: uploaded/ATR Tool 2.0.exe
Malware Config

Extracted: orcus
186d21ec80e143edb3384fa80d4ee7f8
- autostart_method: Disable
- enable_keylogger: false
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe

Extracted: orcus
Roblox script injector
youcantfindmelol.ddns.net:10134
de0e17d469cc46849280a8cd4d643763
- autostart_method: Registry
- enable_keylogger: true
- install_path: %programfiles%\Java\Java.exe
- reconnect_delay: 10000
- registry_keyname: Java
- taskscheduler_taskname: Java Updater
- watchdog_path: Temp\Java Updater.exe

Extracted: orcus
NEW
122.186.23.243:10134
c7798e5973374c92859ce651077d0576
- autostart_method: Registry
- enable_keylogger: true
- install_path: %windir%\Desktop Window Manager.exe
- reconnect_delay: 10000
- registry_keyname: Program
- taskscheduler_taskname: Windows
- watchdog_path: AppData\OrcusWatchdog.exe

Extracted: orcus
EMVLATEST
3.tcp.eu.ngrok.io:22028
699ea505fbd445a7924b6888db7a5f2a
- autostart_method: Registry
- enable_keylogger: true
- install_path: %programfiles%\Windows Security\Microsoft Defender.exe
- reconnect_delay: 10000
- registry_keyname: javaservice
- taskscheduler_taskname: win10service
- watchdog_path: AppData\javaforwin.exe

Extracted: asyncrat
0.5.7B
Default
friendlyman69.ddns.net:55042
AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: lsass.exe
- install_folder: %AppData%

Extracted: darkcomet
- gencode
- install: false
- offline_keylogger: false
- persistence: false

Extracted: xworm
5.0
Nyv6QFoXtqKjtLri
- Install_directory: %Userprofile%
- install_file: DMA Driver.exe

Extracted: nanocore
1.2.2.0
90.120.50.244:2518
127.0.0.1:2518
6baeca53-6eec-4a83-8679-c479f2f1a649
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-11-20T17:31:41.353489336Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2518
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 6baeca53-6eec-4a83-8679-c479f2f1a649
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 90.120.50.244
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Extracted: xworm
- Install_directory: %ProgramData%
- install_file: USB.exe

Extracted: umbral
https://discord.com/api/webhooks/1367163929452613703/0Ot4VsdGUKWdMg4T-pgsrzxgFAOyvGEFGDEYD7_CrEfiWkjJTQFitsIjIZavpL8rfypz

Extracted: orcus
NOOB NONAME
26.223.23.213:25565
378fcdd4ef824c7db5946dd1cf8ec64f
- autostart_method: Registry
- enable_keylogger: true
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: Temp\OrcusWatchdog.exe

Extracted: http://www.toteteca.com/qzkiodlofm/5555555555.jpg
Extracted
Targets

Target: uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe
- Size: 2.7MB
- MD5: 2648c64711a910797ec85e145d45fe3e
- SHA1: bca3cd7091f73be66213f7aac1bef1be1527bfb2
- SHA256: 057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de
- SHA512: 129d8f7afbf4d05568df05319b2e684235e3392e3928252ad35c227abe22870114c6d343fded5ecbf98d105f16c7ddc0eb0487020f1b7efa785dcacd1c203e82
- SSDEEP: 49152:ROnDZlOiVb/3pYBZpUh0QuM5enR/Iy1TqjUC6R5SAq6Iex20AB4T2zQbk3G4QZDv:ROzJVb/3QGgnR/Iy1TEUnbqiI0AB4XkC
- Score: 7/10
- Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application

Target: uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe
- Size: 409KB
- MD5: 3d6531f8f4eb1b41f62e8a55f033735f
- SHA1: aa250187efbbb4254d14949d862b41c6125b452c
- SHA256: f7f8ca0ae4af42baa3586561ce73cea45445e439eec867091704a696de334e96
- SHA512: 505bb32692f7e65106dc55eb8fdb9eb0b4b095d1fbc6b3c33d496fbd9f540e7c05c0f42df3401c7d1933f0f48fb51844e61c5b6bdbf29a2d2ff273366076a121
- SSDEEP: 12288:P//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7J:P3Zbm0BZvQxCgrXS9f6
- Score: 7/10
- Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe
- Size: 73KB
- MD5: c0bae473a586ca639fd3f0e2113ae32c
- SHA1: 562c4595d866f71de81d72f2a1356dd0b266aa2f
- SHA256: d423b582ccf801825bf5a60d1c0a0ffdf5b06704507f327873d4790029753ffe
- SHA512: 947863e46bb0a1275343a7383d6708dcacc1e53e9e6ff6c1006f527d838f7836670af9a446a01c11c01b292e8096ce8f3b51de7d8d142a17c691342ba00d3309
- SSDEEP: 1536:Hj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtP43KBp:3bFMzTFq+N48UxpP

Target: uploaded/1.exe
- Size: 913KB
- MD5: c02308ef085b976898fa42b065254aa2
- SHA1: 95e03e7644a56af5fefc12c32b2c86b2c20fe5af
- SHA256: 6b4adc3f05b6f7968d826b26b6a472ad3906a5b659eae167bd3a922415c6133d
- SHA512: e64ee710eb5fedb7d7220a8876b64945a76f70e2880100b30d340e346d0880a98085c8c183f2796f6c706347de030124daeb5a8fcda7aff578bf1cb88ee484e5
- SSDEEP: 24576:X+5T4MROxnFm5bHKTlQZrZlI0AilFEvxHizS9:u50MiAZrZlI0AilFEvxHi
- Score: 6/10
- Signatures:
  - Drops desktop.ini file(s)

Target: uploaded/123.exe
- Size: 903KB
- MD5: 264e7741729c68da987f40f4cd19a36f
- SHA1: 16dc103026652605229355ced92127fd1c85bbc2
- SHA256: 94ad5e95fc0167221e93b241d4890649158fb8a59272d9e96ad741d3b7e51fff
- SHA512: e2d5bd4fd3e08f69cb225e5c72d2a515770292df59c14c6f20c45cc1736145dc148ab2a05ff78ab560a84ca696fb7937a9a8d193696a2b8337eabc5f07ed9168
- SSDEEP: 12288:00XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCVyrO12nIMmJPepjikbQ7dG1lF/:qPF4MROxnFNHrrcI0AilFEvxHPmooo
- Signatures:
  - Orcus family
  - Orcurs Rat Executable

Target: uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe
- Size: 73KB
- MD5: 2bbc55048c13c64ff4f381d02fd2e37d
- SHA1: c0de7b7c3bc33898db1134126bad349abc6eec6e
- SHA256: ba06a9df44bb8d2439f9ec8ef3cf7ab8349abdc9dc60593f5718785ceb4e7e76
- SHA512: 3b9a62cb11ad5c5abc3466d4e2208242c421d801bbae4151fc36754d7c579cabe661a06ffa7bf30ad6257fa80f343ab295836281711396abffd0bdfe5dff6548
- SSDEEP: 1536:zj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtDl3K7:LbFMzTFq+N48U1E7

Target: uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe
- Size: 124KB
- MD5: 1b83cb61b35c039591f2ff3380e04d81
- SHA1: f70328bdcddd8b70c847db5eba6f8fe777f99397
- SHA256: 790353165b689048a77a6aa76010b561db500d85e3d3509b1ce869204129de49
- SHA512: 3f43b80d07db00cb204890c9b62fe0563d456d6621a2bfacdbf9568b1e03562197fec849896c804b8c2fdc2f686fa2a244ad69261d2919b74857b973fe02e733
- SSDEEP: 3072:5hjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEI7:5hjVvFSgjCLf85f5h4ixYDZFm7
- Score: 6/10
- Signatures:
  - Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.

Target: uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe
- Size: 1.9MB
- MD5: 7c282de58057bcbd9fd001d5bd5c9728
- SHA1: 13080576fcdd77d6219c948f33e242a1a3f19efb
- SHA256: 19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e
- SHA512: 15221e1da59d05d011809d95b3c235356cebc341ba04190edee4e1143bf3a5c415809a427419cf08f8a10c0c7772bc1427412199fbd588e6adfbca285e2d9eb4
- SSDEEP: 49152:1fDODfDFnzD1Us+kMg7ZFZrr89UfT3MF:Cr8AMF
- Score: 1/10

Target: Archivo_2001_2021_49-381887.doc
- Size: 158KB
- MD5: 74ab40efc21fceb14a432f7c4d000b67
- SHA1: 5fb79750ab4f78e18c3d1800be5b2e9ac0959db3
- SHA256: 89680559595f62f12bfdd9338c525133244ea6b7f23bb9b5b798ce04232817f0
- SHA512: d2abd2bebf5485aeaa570b4d019c426afaa1173f4f428eafecc617072c7f86242db306098ec3081135e71c69ae18b0f28504313f5f0cdd70f8634c3d1ed8a70d
- SSDEEP: 3072:OL1QUTdcrrXyQBsc0vWJVi4IrwVdmZVT2Vq:OLC9PII4R2V
- Score: 6/10
- Signatures:
  - Process spawned suspicious child process: This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Target: Refusal-217432546-01212021.xlsm
- Size: 25KB
- MD5: 7a0ca2f162b86659f47411d39f8be75e
- SHA1: 8ee78da95af22a1d01d3ec035eaccdeb5be44276
- SHA256: 70a5d9ef163f6e6c7e32c366363d7d4e9a6cbb06df84802edd177acb907fe092
- SHA512: c22ffe07d03a3d605e77da77d4a8f5425bc32ae7da5bf1abe558b265f8cd396d83f4f438b620611f65b6d0383e75cf197d75807036f733123cc820f5ee471a95
- SSDEEP: 384:4Mfowh92aGcoKKRR6xt7k5SV8m2ylTQ8aoVT0QNuzWKP8WZoms:4MflhQaGc7SsFk5S6f6TfW+u7DZRs
- Score: 10/10
- Signatures:
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/222.exe
- Size: 907KB
- MD5: 9474c8c2696babee986e8ae1bc46bd78
- SHA1: 1bcbfc24030a8e09c15055ad90685cac7af24cb1
- SHA256: b2f324d6ae851aa65773d233201d58ac5230d525281afd1775e0b82514ac9645
- SHA512: bf03529601fb0a935188c6efd72e5d752aed5c23085ade870a385c47b746b8ce9927527c78ab61c28a4d4b8cf23217b1e74e76ee6e1644d85439646a216f5153
- SSDEEP: 24576:ocI4MROxnFj3qxXFHXRrZlI0AilFEvxHiW8F:ocrMi1mRhrZlI0AilFEvxHiW
- Signatures:
  - Orcus family
  - Orcus main payload
  - Orcurs Rat Executable
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Drops desktop.ini file(s)

Target: uploaded/2531 2212 2020 QG-826729.doc
- Size: 213KB
- MD5: cf288a156f60cf132cf14c617b41a154
- SHA1: b4dbb03f48b651d2a81849a12049a9ac9f5295a2
- SHA256: 3a15b42c4692483aedb912298719b52e5513cf3d2a58ffca07c78fa8c48b536c
- SHA512: f694cfad3e816fc7af937a6eca905ae4c1fa71fc1be1a2c4f56b9060bdfc2eb0fee520698b80bb92bdbfffedd13c50946a5e08f1f8e863a259629e9e419b754c
- SSDEEP: 3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gRyHYbwRe/dNx0tcn15rJDMsIxS:O9ufsfgIf0pLxbwQlNx0tw15rJDMsIxS
- Score: 10/10
- Signatures:
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - Blocklisted process makes network request

Target: uploaded/25f2c4054d0680fd51f2cf860055f2234.exe
- Size: 162KB
- MD5: 91106264680a5cc064c550a62c8650c7
- SHA1: 67758edc66f1160728b82ab7608bb0cf1ad7fc5a
- SHA256: b3fb1ae7923313ad51ec2101c28fd1f1417cc987f33272227fdc1745c5e5261b
- SHA512: 4a5dc892381f09c7628f71c386756026ca432e4614e26a46309fdd9d2453c76643f58ebe8e61cc0d567cb563a0ab484f18b85c90afa9b65aef14863fc166dbf3
- SSDEEP: 3072:0LzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNem6q:0H2zTu1gbAvMZ4A9RPLpy
- Score: 3/10

Target: uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe
- Size: 9.8MB
- MD5: 23e735b01c2f68b79d9e6cd8ac8e42f4
- SHA1: b3edba909b2fbdd8d0217bb956f3ee500f9ab137
- SHA256: 2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147
- SHA512: 44a0a253919ef8a956799bfd3fcd4e40dcbe21ef493a98597d798ed8c53f7d4e801b7f43c182d3df970f185696d46dcc05bb1f94895a863875da94ce282837ff
- SSDEEP: 196608:JGtFyDDwRv5DFUhA7yUjCaoQLXtN9rEs2oLkdDPbrTOjJ/XY2a8nH36CJ5:otFyDDwRvl6hTjaoALAoL6DzrTYvvaK5
- Score: 7/10
- Signatures:
  - Loads dropped DLL

Target: uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe
- Size: 73KB
- MD5: e1a1a8ec650e500872946774b1b9c30e
- SHA1: 0622e0ab98bcd1a289732e4cad457e1474d84b4a
- SHA256: 43e54d4e4f485f789739694024b6136f5e5215172555a846608abc8f5386c19a
- SHA512: fe659312fcb4ce55ece76bafbd61ffce5774fa51223b215276d4e1eac4176f0a717749ddc4af97d2bf7a81242d1ae5b25ae08329b245ab6a64e11fd2ccb0fa9a
- SSDEEP: 1536:sj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtfW3Kn8:KbFMzTFq+N48UVj8

Target: uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe
- Size: 144KB
- MD5: c2a760c6461449ac1d5a5538242bed11
- SHA1: 59684c6261afc698c0f6a46658986f0268f4c5a0
- SHA256: 387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092
- SHA512: b00734a77c70f18ed10049c67823316498208b32e9f662f9fa56074b862bd8606826947f8cb394ed48d0d9b88f47e7fa214153e53fbc83c60bb7075d57375dd8
- SSDEEP: 3072:/29rIyJvv9Gq9q/uNKFO+oFGqN/xJCpgDjXYQWNoF97PYJ:e98S9Gq9WM5Z2mbYQWNslY
- Score: 3/10

Target: uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe
- Size: 11.8MB
- MD5: b777cfa3f6c7d8ad118caf620908a60d
- SHA1: 46a0af09d1901ceaca3ccde27499ee1b91cdf0e1
- SHA256: 3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4
- SHA512: f41be2c1673f8fe1f884b36a74b0e2e906702432375aab0934e7afaf329a576943a077a7369adf134136be26b823a699c025d3e5c0a7e54bf1d939a25ddf8745
- SSDEEP: 196608:54F1KIlUrJyTOZzEwLVa1XwETq4FHsm1hmKXdFL5d3IH:yF4LyTOZ3LVgXwCDFHsm1hm8dJI
- Signatures:
  - DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  - Dcrat family
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell: Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - Disables Task Manager via registry modification
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Drops startup file
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory

Target: uploaded/3ca0877ae8c3c628acfe78c6847f770fe20f02790f69749216cc703ab0618002.exe
- Size: 1.4MB
- MD5: ac28e024b3b8e7a054dfaa2883a5590b
- SHA1: 2ad3d0cb84a244acff393912c4b54c716d99c94c
- SHA256: 3ca0877ae8c3c628acfe78c6847f770fe20f02790f69749216cc703ab0618002
- SHA512: b1c06d213b7f3753277516042f989c7ee62bd12c77736905f839531bcbd946db1010c2f96862da8362c5f7d639255e433e1220b256bd83690a265860f76e2465
- SSDEEP: 24576:2h+EpSgP3ZEgRhuRKOODzjJBwjOGfcCUWgEf0ZsMCmGJHxyAXml2SAaj:qa+PjJaEWZAsTv2AE
- Score: 5/10
- Signatures:
  - Suspicious use of NtSetInformationThreadHideFromDebugger

Target: uploaded/4c6265723661653d2fdab12a0d5d7e841.exe
- Size: 409KB
- MD5: 916707fcffcec2b8ae25dd706486f469
- SHA1: 6905656c07c1185b943520ea07980f422096f0a2
- SHA256: 8e0bf3262f19da58a5e045c85d918e4a35b873dc1ac3a8c26dc7aa2fa07b59de
- SHA512: 5c8e1fe8b4b2d8a3b75e0b5bc462a2c55ab9fad090b40dbf227195be0d1de7d025a4dac3bcffe611e076a96d905ad2c02e06b64218dc906cf2684332ea7cdab6
- SSDEEP: 12288:V//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7o:V3Zbm0BZvQxCgrXS9fb
- Score: 7/10
- Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/5b518173a571366bfdce5cdd282738a38.exe
- Size: 124KB
- MD5: d2c28ef77a6a7ef28b84df3464343350
- SHA1: 5b2d21c3a4ea1eb3f87da7a78a6fad36f47f87f8
- SHA256: fa2e2163cadd8dfefa97026e2f8c53540c436f05c7a0c60d25fec0025d39bf65
- SHA512: d6602c496c872f051641aee3888923302c1cc9c21c104c17ef4ca623e49ca75212ae9a2bb92adfb25c7c56439381e1310c1cdb764c0a89ef741eb23c4794dbf4
- SSDEEP: 3072:AhjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEQH:AhjVvFSgjCLf85f5h4ixYDZFmH
- Score: 6/10
- Signatures:
  - Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.

Target: uploaded/6a4af3ace8066e79a1020e27b2c1cc3f81d6cd8d68d1329e67b93e44b9d3d008.xls
- Size: 173KB
- MD5: 6917d9ca4f9604ee09d08d5c33e93955
- SHA1: dcdde605528c7678d80472df024b0b0a9846c2d6
- SHA256: 6a4af3ace8066e79a1020e27b2c1cc3f81d6cd8d68d1329e67b93e44b9d3d008
- SHA512: c752681f5cf715ffb8b99ce1cb2c9c860dea19c428fe16d8cd3a7779f1fb40ec4dd9c3f642df226a54e5072946574e38881db615d0819d26faf4bda1bfb34b88
- SSDEEP: 3072:8Gk3hbdlylKsgqopeJBWhZFGkE+cL2NdAs7tT3O8g+nstPBXn3d1p60COnKmR4nq:xk3hbdlylKsgqopeJBWhZFVE+W2NdAs6
- Score: 10/10
- Signatures:
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - Blocklisted process makes network request

Target: uploaded/6fecc453c515bb03d82132650d3d4c6bb.exe
- Size: 73KB
- MD5: 75eefc3917333126cb56caf4500cb90b
- SHA1: bc8540268e083379ac6d1f831dbbe4c58a4bd878
- SHA256: 89a22cb4f3cd4a8d122bf5198642cd5ddfc8fcab309e6b0ee284a8d679da6aaa
- SHA512: ec002df43e15c841b83de648cf0195b7e8f1e9165dfc83b5fa08b2f13f9c1bc9fb97f1a90eb1792977ff3929f0200aa0d98fe5db1182b80757cf22d52d864b21
- SSDEEP: 1536:Ij0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGt7d3K3s:ebFMzTFq+N48Uhc8

Target: uploaded/70730f33f4db9f15399c6e4a510a5c4eec3bf100206535155001a2b3adbb3077.exe
- Size: 9.1MB
- MD5: e31052a27988895bf8ebdc1edeb3260a
- SHA1: f81548c4719fb228e38eb3b4e5f245ff48eaf817
- SHA256: 70730f33f4db9f15399c6e4a510a5c4eec3bf100206535155001a2b3adbb3077
- SHA512: b2260c20369c86d844c66dacc4bfb94e4249968a753e3eaa3f46ce1548b50db434f55bd71c4cc6407d08943e707bdbd3d9e208da00edd72e2bc5fccd25ca2571
- SSDEEP: 196608:JGgFyDDwRv5DFUhA7ClLskLUJge/2bJh0N4JLmILxgnnANnJzQcaT6ixhts:ogFyDDwRvl6hRLfUJg5leN4FvLxgniJh
- Score: 7/10
- Signatures:
  - Loads dropped DLL

Target: uploaded/70e835f3140dc2fbc211273727a8a8b4d.exe
- Size: 489KB
- MD5: 68975d70f5c844bc1fd923813d42b31b
- SHA1: 3d07569e46b8e026b608fa5c5e4186abf58bf02e
- SHA256: aae4696fa35c74a7aa3e9b75ae37d4ffa9a81f64bf647c801252f3abb29c21d8
- SHA512: 4d475614543df97037f327a3ca5faa10396eff193729ecd1da87dc66f0d2386e720d55095c9df92116d9206832db424680e95d9fad02bcdca0cd31aa91ea422c
- SSDEEP: 12288:wrxZ//3SfgfZCgOAZw+i+vwnPWybFxJ8fk0:wtZ/VCgOAnAb+F
- Score: 7/10
- Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/83682a6a473ca2135d14cbc52c584fb46.exe
- Size: 73KB
- MD5: 58055f9b4e9693cc527a5704822bb0b1
- SHA1: 2997d16203f1bf4d512b1a4dfd41eb8965759456
- SHA256: 6d37a9d452090fd4ff8fccff8242473ffc4c7a90946faab6f31e06c5d725f5e5
- SHA512: 6e7af8314c122a9d3a51f85fc420f6429916b1202034ae873d81d13a17f74b6c2163548733b87f4529984bed374b1d4e30223b6d92c2a1218292b33f66989347
- SSDEEP: 1536:Vj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGNx3KfO:hbFMzTFq+N48URAm

Target: uploaded/882f4c1313d37351d72004caa3ef1aee0.exe
- Size: 409KB
- MD5: 1b83a6f8956ec912d04e30591e6c0026
- SHA1: 6e56d558efb40697afb669fd40100cd007deeeec
- SHA256: c164cd72d5927e12bbfa5946b3f9526e27bfe37b1d57fc595c3eb3e94c40b395
- SHA512: 35e70cdadf7d80072b8092c6ea4e66d73e6f4b0d78f9a3079d3efdb40f305c58aa8865d8664698249d3ab1d0be4f3afabf02c9ac84398fa50d4e3aba350de8be
- SSDEEP: 12288:2//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7/:23Zbm0BZvQxCgrXS9fo
- Score: 7/10
- Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/8e751b8765f733f3f7682fd1247a27a70.exe
- Size: 489KB
- MD5: 2a4b8fa83e620ebb4fc21488efc16bbe
- SHA1: cfc0f3c3a5b015ac235d98245c9d5633749cce38
- SHA256: aa169fb465a49976694ffa3d8795d73dab23bc3e11209ddc70aa07577e675d4b
- SHA512: 647b8ee84ea10262e29307a9ba7b3a055bab4211ce801cf22baf264cd8507533d7370ef1ec12e5576c129b20ee3d547fa06c005722a181e8f226855d5a3560ba
- SSDEEP: 12288:grxZ//3SfgfZCgOAZw+i+vwnPWybFxJ8fkw:gtZ/VCgOAnAb+l
- Score: 7/10
- Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/8f6b416bb42a3f168bf083c67687bd533.exe
- Size: 162KB
- MD5: cadd9f366736a8c6a36e6f092672217c
- SHA1: 3d75c189ebbf5066c66e16c15e92f249925e95d0
- SHA256: 12087c047dbf2d70e90611276bcb454052ab21643806d90ef2873fd050a97759
- SHA512: 7caf3555e36fa73f19b6919b0695a3003ab734105550847cba112b9ac69133235edd0b41110d0361a45a94f171debad8afd4f45613e76b1eda95331e7575e17e
- SSDEEP: 3072:tLzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNesifV:tH2zTu1gbAvMZ4A9RPLpD
- Score: 3/10

Target: uploaded/93h9j2xi5z-safety.exe
- Size: 191KB
- MD5: 52460816c25831fd3af5874295804258
- SHA1: 57465181cc7ac631b6dc2c5af016751ba48f7211
- SHA256: 08cfd565e6c1b0df6b97b2f0d4a1db78726d3fee08409d05fc628aeb7218a8df
- SHA512: ad6b6e92c37575af4d0bdf51faea8b5ea81698494ecd343f8495ceb662fbe0a6a8c5e3caf2e7fb52055dab92ba3d83bb8e22528989f4c7c02a92abfdfed92d61
- SSDEEP: 1536:gLuVjANSoxkARpL2uZhRmod5LZLK1VmTf:gwjANH4OmmRjj
- Score: 3/10

Target: uploaded/93h9j2xi5z.exe
- Size: 195KB
- MD5: 442e1bca83142fd1bea2ba9981e5a879
- SHA1: 58ff6e1a61419242e5d3f5d23b5ae674b4424b2c
- SHA256: 043d231d940ab029f8325d828de3b02c13db7df44cbbe4f062068296e2e193a5
- SHA512: 365363000faf521319801f883e58bf8072d7106929687a59a84d78a8fa68bbd6ffacbeb7600d8721031ca6b883ec691b33d7227434d7c1442608176746e10d31
- SSDEEP: 1536:WApeiDam0X6krbcTn2uZhRmod5LZLK1VmTf:WAVDam0hbcT2OmmRjj
- Score: 8/10
- Signatures:
  - Disables RegEdit via registry modification
  - Disables Task Manager via registry modification
  - Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.

Target: uploaded/AC27_Build3001-UP7-K.exe
- Size: 764KB
- MD5: 785382bfcb2e6d9846c103eeb100d17f
- SHA1: 315342b99c45e1519756bfc496fca8fc88a9fc54
- SHA256: e1c91d5cf10150965a98834642fd7c3cefb83cbb8a30e6edcb409641d0da46f3
- SHA512: 13cda7b0d08062f7b9aae6d3e626d1c4e2e23e2dae18ef6b94dd91f9e5f42214450224d72eac111c6702fed28e4d94363d2d35da09ac6720c61cd622a24d2125
- SSDEEP: 12288:fZJIvntAvasMjvHQFSZT7vGDZXn2nsoemhygU/uAB5+E84YEaJbnrpp:7IPtaMjvQEJ7u9XnGsYxyuADyuw/H
- Score: 6/10
- Signatures:
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: uploaded/ATR Tool 2.0.exe
- Size: 2.5MB
- MD5: 8be31e9bba7de582c4854c683b5aa4be
- SHA1: fc76bc8de33392f0ae36efca8a504afcd9ffe945
- SHA256: 239a024acf03ff8106556ffd3784b9142c6d51611634a035505da705c725987b
- SHA512: 762abb103a77e6f1fd790c587df5393fb4877d7f71481eeb2061c0f051f54bedee1491d0dc907088e6270aabfda9bbe10d64bb3ba91439b4e29b04d62edbf360
- SSDEEP: 49152:sDYyMKjoIA7QURY8EoS0uhLh5dpTmX//u86ofe7ecL9wkC4JO75/IkSR:QFMKjnWUoShVppKX/pPCechwke7BDa
- Score: 7/10
- Signatures:
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v16 (technique: sub-technique, with the number of matching behaviours)

Execution
- Command and Scripting Interpreter (3): PowerShell (3)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (4)
- Pre-OS Boot (1): Bootkit (1)

Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)