Overview (score 10/10)
Static (score 7/10)
Behavioral task tabs (all windows10-2004-x64), with per-task score:
- 1wbVZkk.exe: 10/10
- 4774321123565.msi: 6/10
- 66OZJb9.exe: 1/10
- 7822801754009107.exe: 10/10
- ANgR9rR.exe: 10/10
- BLMI6Vt.exe: 7/10
- ByndWFN.exe: 10/10
- E8L2DeA.exe: 10/10
- G4gtDRI.exe: 10/10
- LXkGFUT.exe: 10/10
- MissedScreens.exe: 10/10
- NylfeKX.exe: 10/10
- OTIWCUm.exe: 10/10
- RenT7Wg.exe: 10/10
- XWTpdSO.exe: 6/10
- YT1For2.exe: 10/10
- addon.exe: 10/10
- addon2.exe: 7/10
- asdf23.exe: 10/10
- beenofav.exe: 8/10
- download.exe: 10/10
- it4pKAE.exe: 6/10
- max.exe: 10/10
- nIh80ko.exe: 10/10
- not.exe: 3/10
- photo_2024-10-04_01-02-07.exe: 7/10
- pic19.exe: 6/10
- promotion.html: 4/10
- random.exe: 10/10
- tnhNZxh.exe: 10/10
- yzymFGo.exe: 10/10
- zu3sNjZ.exe: 10/10
General
-
Target
quarantine.rar
-
Size
139.6MB
-
Sample
250803-1cjjvafk5x
-
MD5
c17908fb9afbb5e88acb348e20d81499
-
SHA1
ef357a12b0146907a3a719f3ecec83a86d47906a
-
SHA256
7093bbe38a03cddeea9caf9dfc49943b6c2f1799963ee99a274d406c6f49ab82
-
SHA512
27dce60ad1657b02cdfb78c0b2f3a32c6b375db35f6a906cce590ea864f0334c398b9a59caecd873aa47bf36abb34cf77152058510b33c8e5f7df87a770d9707
-
SSDEEP
3145728:CoC+Zu2wf0QfoMpCeg3+ZbaAQPuQ9hqiEtKITPK:CM+Ri+ZbaAUnVEtTPK
Behavioral tasks (sample and analysis resource)
- behavioral1: 1wbVZkk.exe (win10v2004-20250502-en)
- behavioral2: 4774321123565.msi (win10v2004-20250619-en)
- behavioral3: 66OZJb9.exe (win10v2004-20250619-en)
- behavioral4: 7822801754009107.exe (win10v2004-20250502-en)
- behavioral5: ANgR9rR.exe (win10v2004-20250610-en)
- behavioral6: BLMI6Vt.exe (win10v2004-20250619-en)
- behavioral7: ByndWFN.exe (win10v2004-20250610-en)
- behavioral8: E8L2DeA.exe (win10v2004-20250610-en)
- behavioral9: G4gtDRI.exe (win10v2004-20250619-en)
- behavioral10: LXkGFUT.exe (win10v2004-20250619-en)
- behavioral11: MissedScreens.exe (win10v2004-20250610-en)
- behavioral12: NylfeKX.exe (win10v2004-20250610-en)
- behavioral13: OTIWCUm.exe (win10v2004-20250610-en)
- behavioral14: RenT7Wg.exe (win10v2004-20250619-en)
- behavioral15: XWTpdSO.exe (win10v2004-20250619-en)
- behavioral16: YT1For2.exe (win10v2004-20250502-en)
- behavioral17: addon.exe (win10v2004-20250610-en)
- behavioral18: addon2.exe (win10v2004-20250619-en)
- behavioral19: asdf23.exe (win10v2004-20250619-en)
- behavioral20: beenofav.exe (win10v2004-20250619-en)
- behavioral21: download.exe (win10v2004-20250610-en)
- behavioral22: it4pKAE.exe (win10v2004-20250619-en)
- behavioral23: max.exe (win10v2004-20250610-en)
- behavioral24: nIh80ko.exe (win10v2004-20250610-en)
- behavioral25: not.exe (win10v2004-20250502-en)
- behavioral26: photo_2024-10-04_01-02-07.exe (win10v2004-20250619-en)
- behavioral27: pic19.exe (win10v2004-20250610-en)
- behavioral28: promotion.html (win10v2004-20250619-en)
- behavioral29: random.exe (win10v2004-20250619-en)
- behavioral30: tnhNZxh.exe (win10v2004-20250619-en)
- behavioral31: yzymFGo.exe (win10v2004-20250610-en)
- behavioral32: zu3sNjZ.exe (win10v2004-20250619-en)
Malware Config
Extracted
stealc
system
http://141.98.6.181
-
url_path
/4c8837c73f7c4af9.php
Extracted
lumma
https://t.me/sadv1323v13q4as
https://conaqr.click/qokl
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://t.me/RONALDOORMESSSSI
https://dravq.asia/wixj/api
https://t.me/reusmey
https://nucleji.my/ituw/api
https://mocadia.com/iuew
-
build_id
b755bfa47c1ee0187853f050cdc56231c69ef2
Extracted
vidar
14.8
048c07efd6c91e25316360e4af132958
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Extracted
cyber_stealer
https://paxrobot.digital/webpanel/
-
pastebin
https://pastebin.com/raw/6K66Aeyr
Extracted
vidar
14.8
c0aea96f5dc5ea23da54dbccbac6de78
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Extracted
xworm
5.0
hexa.dnsframe.com:66
FzSIsfqlHwWWhS56
-
Install_directory
%AppData%
-
install_file
inj.exe
Extracted
stealc
LogsDillerCloud
http://weathersouth.shop
-
url_path
/45cc90de006049c9.php
Targets
-
-
Target
1wbVZkk.exe
-
Size
1.5MB
-
MD5
2916e444c84a309f1c6242e8c8804dcb
-
SHA1
dce5636b3532798b72601b1dda64b0d05644f573
-
SHA256
39f9313b61a51d858cd6c87914ab9750133d81901595ee83d8f722bf21bf16eb
-
SHA512
e8314df963191cba948b0ccb4732f5fc9a3a7aaee5f1094e970d1cb467ed1bffdfdc6746b283cf37aae0ab44e3ce1a912f61cf6343bd17e1c64b06ec8f4691dc
-
SSDEEP
24576:NesrWUQrhUwjfSl37m9HH+/O2aAB7gj21vs86zQf7auWNjG6MbxEzfLXww7NmXR:HarhUwl9H8Hkwt6zQGuWZG6MlczAwReR
Score 10/10
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates processes with tasklist
-
-
-
Target
4774321123565.msi
-
Size
65.5MB
-
MD5
4731557680c16f596a82754f4eb4d089
-
SHA1
3c0ffb29d6354f97642adf3f830f49edbc77b55c
-
SHA256
c6f46fe74cafd8f5e1d06ac29e8bd2245f2fd5b529cd0205bfa7b7f94c48ee9c
-
SHA512
cfd55f1c782f1fdd79b2932b703d405dc787f8b96f2c6988bc81f92d0c9198e37aff68f890a3e0a0528adc07bc1bbfdefd33337bdd36e014aa590ffd4f02409d
-
SSDEEP
1572864:zhTkzFjmr10gAp5b9SDCqubL6frD0wsZ3O2QnywKte:z65j9vvb91o30wsZ3wnyBe
Score 6/10
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
66OZJb9.exe
-
Size
2.6MB
-
MD5
8abb917fb086213581c20a177115ca6d
-
SHA1
2fca5d9d27f619eb347d90f41db85573be2b23cd
-
SHA256
83b0358b39a8feb433b10a23a24dc8357aeaa82c02410ab3c736f329b26eed75
-
SHA512
ab37ebb60f9181a3a74df490a0e8c0d42272605b26baf22f01e93ed33369312400d02703d44204a58ee694f89b877348a0136569e1bb8035b53b439322c45bc1
-
SSDEEP
49152:ART8xrC4yovNCG/D0A/qkz+5v/kQ8htSEY:mT8xHYGl+5Eg
Score 1/10
-
-
Target
7822801754009107.exe
-
Size
825KB
-
MD5
5ea006803bba64c15fe68791a8db5005
-
SHA1
f10dd374c76e194c8b7e0381a80db57281a1e77b
-
SHA256
7b232254d4b4be67111e92f5c2e34bc331403393c2d019b31e256ca7d798cd08
-
SHA512
abb8a1832786925e65fb51560b0c37eaca550b76208d72d7830e0ecf467d4e601b8259deee443bc55c992736d47afddb9f2aaf20b72ea8e52173fc3e2f17481a
-
SSDEEP
24576:R3pUDihK+O9H9d7TW9qJuoj3wwU7FuGOeYt4xzz:J2iKZnd7TWsJVjA1FuDcz
-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm family
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates processes with tasklist
-
-
-
Target
ANgR9rR.exe
-
Size
9.1MB
-
MD5
cdb8c182b9ea3f50bbcb2466a1ab8fca
-
SHA1
4059d1cf3c4c4f19e2ff91e9f8eb9d4d24ca37cb
-
SHA256
804a1ffd65f960a6496e7bddece38105885b49cdebab4cfe42a4e0e1ac2d3c45
-
SHA512
511db6f1502fd599052e760fe5049c89e9a223f6ec58e63a608b3722a6e0c4c2514766820b65d50fbded9bf4b3305a2e990c56576546fbcde7e45c4223823ff5
-
SSDEEP
98304:2+y1oeWpK+1u48LY6sf4mn6za9GQv3LdDBpqYWV/VVYQHmvjxsKZStlio02:2+y1oeWk+YdsaDc/5KlTt
Score 10/10
-
Xmrig family
-
XMRig Miner payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Suspicious use of SetThreadContext
-
-
-
Target
BLMI6Vt.exe
-
Size
5.9MB
-
MD5
18f61fb41cb22c02901f8da15b337530
-
SHA1
5fe5ff8914689b57485c83393d001e6958e4df96
-
SHA256
565ba37db962f10ea77fab2be20b5d65672a72c7bbda35cf5538a236a3f63337
-
SHA512
ec3b688d9c93a571401b813ab4bcfab399f551194f3a339c7f6b4da25e4c5e73334034b23398a9922e2564d3fdd56576a77883f4e58a68a2de250a44faf26678
-
SSDEEP
98304:KkUgq9FJJbgkI4UtB10wkUgq9FJJbgkI4UtB10H66pmTrXxXStZOruS70bnII:Kz3gkOt3z3gkOtC660rzuS7eII
Score 7/10
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
ByndWFN.exe
-
Size
3.6MB
-
MD5
f009ae83feb420c47ef346008b3ca475
-
SHA1
6ed0172df9dcb7e583499fddcfe046527265c049
-
SHA256
921815985f45f0e1fde6f90d6d192311791d97c2fc646d1e713e1d1cb2591415
-
SHA512
d98959627e690ba91afbc9a712e71287703c1b08cc160a949465fec4b867509b85e727099a2225770bc9016b543794c0b5eb213ba9936bd523ebc1392d6fda12
-
SSDEEP
98304:MJ174y1k/idOS+ckqU6hK3e3/rqZ24bPCNlAiGzZ7:G1vk/zTck361vu0NqiGzZ7
-
Asyncrat family
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist
-
-
-
Target
E8L2DeA.exe
-
Size
2.0MB
-
MD5
60d848309aaa2d6d9e4db4c7ec962e96
-
SHA1
fdd6360afe6fc42db6511c249dc41b7772d1803f
-
SHA256
64de8a72d2466f2dd7111fed4668e6a0f6eaf075b744f07b68be78324aedada7
-
SHA512
fa4ddeb0a4d9664b141d6467701efdda3eb70f736ed6004017e7c51c705144a3f15b2ff196495b2620550007dad3c5063dd302d637bfa72d34ff3f7c9ffb31ff
-
SSDEEP
49152:UhTCFkGtB8C7FbIWAxsbSF9qCvnsAoG4AagsUcr:Uh0rBTsF9zvnNffcr
-
Lumma family
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-
-
-
Target
G4gtDRI.exe
-
Size
2.2MB
-
MD5
a534782b2e6a654da9790ef8a4424f99
-
SHA1
acfd307e57ddf260c2ddcdc90f1cc814190b1018
-
SHA256
524a74f9c7e94b4a2b944a09493e31c2824bb2918a8b1ebfa2a760e3fdf1dfd6
-
SHA512
c86b98ff416eb06e59797758548b39863f5a4c4ef687966f7ac0271348d874157e8d3775d6ec1825c572363413638e2a157044ef2c191e43e567187d8ba977f9
-
SSDEEP
49152:1hTCFkGtB8C7FbIWAxsbSF9qCvnsAMOmqNpeU:1h0rBTsF9zvnNMOmqn
Score 10/10
-
Stealc family
-
Suspicious use of SetThreadContext
-
-
-
Target
LXkGFUT.exe
-
Size
2.4MB
-
MD5
d24ede505e02ad770880e44224fe5f47
-
SHA1
6691d03c2d30b7fd3213f2f15f361efa02d1ef46
-
SHA256
1ff9694c0c8b60ff6bef904d9f002b7ce4a27563be57b550a6acaca5f83f9dc3
-
SHA512
6d2d6111e147ab49ec603a71fd717dd79fd4eae1b2a6178359aa6a71191ce2319e060a69f43188116be54d04d1dab71302278c689b2abd341f492c452a50956a
-
SSDEEP
49152:OhTCFkGtB8C7FbIWAxsbSF9qCvnsAPoO5tF3S5brxn:Oh0rBTsF9zvnNbrF3Sj
-
Stealc family
-
Suspicious use of SetThreadContext
-
-
-
Target
MissedScreens.exe
-
Size
1.0MB
-
MD5
fb21a54676498cc1dc015087115f4b19
-
SHA1
bab68f7addef92be0246fbd71bf19342cdeb8215
-
SHA256
4c7ca365cc180460ba51c1b7bb5e9a990b5b80e8151090be1f916b973178e956
-
SHA512
3154a9d9e2b759888b3249073c8b663203884803cc263ae77e407b88e1addb0cb10544be1e66d2922880c390bf40595dcae58ebbe16686b328c85ad62f4bd75b
-
SSDEEP
24576:ItY3pa6IBfWbdaQ3V2MjXqSqSke3OC1EADrTJGXqePaOicGNamGa1JP:5phMWRaejXnrj6ADJCqeinOpq
-
Lumma family
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist
-
-
-
Target
NylfeKX.exe
-
Size
2.5MB
-
MD5
e2a7e0f883399b10afffc3154222e940
-
SHA1
d7e8c9744adab158a2923e268fb24454c36983f6
-
SHA256
5ec6b3c4729d44eb7e7efc05f66bc5f465a91c954e19cb9e144b5476c1cdbd95
-
SHA512
8242329516c2c609c0754e1da3dfe6bb0b3d37472d7fdbd0f5ce61edd7e2c120b9424e435023db0be91a5f62eb0a13b1ddb208b09f08aac9c4062d264982df4d
-
SSDEEP
49152:nMaQs3+eyx0gnhdNBBqVpzZOBVon/FdM7OViNvVxxx+d+S8BQOkHD3+tl:7seyrd0qJ
-
Detect Vidar Stealer
-
Vidar family
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext
-
-
-
Target
OTIWCUm.exe
-
Size
653KB
-
MD5
cba69e9fc5ae9a6504d2be6836e79d6e
-
SHA1
6c934508963c665e9d1a7d582e8e16088d90ef0d
-
SHA256
c5dd750bd4bbbad2ad935ee7533bbf369da0ca85fc72af62d1e4639134fbd47e
-
SHA512
95663768273d3cafeb8f89fef701f57a933df9d2bb038179aebf649d8f15beffe262fe5665cc76ec64ac244147fbba5caa3be87eb5c8de12fa8e1c568e01d9bb
-
SSDEEP
12288:iRAcrxjPCr1lhEIAgLMhsFA6IW3UEGdNEqmlrC95ztq:imcrgrXhEIA1QACUVdCqmFMtq
-
Detects DonutLoader
-
DonutLoader
DonutLoader is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies.
-
Donutloader family
-
Accesses Microsoft Outlook profiles
-
-
-
Target
RenT7Wg.exe
-
Size
2.9MB
-
MD5
6324d8dbdd20dfaf29eec1bb89ac24ce
-
SHA1
bea0c0e65d5ab280f808cdce41c357cc5d63b270
-
SHA256
9403483ce844b8392bc6e3251c206a23b08c107692e2a9e6639fb2c4aac9d818
-
SHA512
1a1ee55ebc94191e55609dc7c94764a1c70b86629257ac31891035731c3711f4a209d174e0167d1892524c0ca5ceef360e86de32aedf839099548e9b654415b6
-
SSDEEP
49152:If1nWgHSrSE3Vgyd01IK1qcMoE8HPBlmBXd8EMKlfiEMKlfM:I1n2rSEFgU01IU3PBlmdRMKlfFMKlfM
-
Lumma family
-
Suspicious use of SetThreadContext
-
-
-
Target
XWTpdSO.exe
-
Size
14.4MB
-
MD5
9150bde0969203f935c2ae81135e4764
-
SHA1
4c3abf891dcb065037fa9a6efb4967edf64196c4
-
SHA256
18cdd5c10e889950e068591e866b80a28a3fef7e0b97274220bd4d481cf08842
-
SHA512
3facbdd89e6a88e4cc21ce28abd13e82a7218df82320ede8d0531045a1ea074ef31c03620e70e714502a7165a0c7ec33b67848c35409ed5b5a620ec51e8fe6ac
-
SSDEEP
196608:mEsdHcCi/UR4JITS+NBVucIfq123b8geEoo3YNr2VbQGmvYs5gtT:m18p/URdNaVfqb4bIJ2VbQGLs5gt
Score 6/10
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
YT1For2.exe
-
Size
2.9MB
-
MD5
e5ce3951f82531943d68b4eb1a8e13c2
-
SHA1
c761a375ba038cc5e59874a0039cd9fa3c92f522
-
SHA256
01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b
-
SHA512
3b920601e61b9860ba80d98bc2f5ace2a2ed0be0c8f361c323c9494c965ce908f5699e1e2ffb3e0b34aed399bee074f9bd0c23ed62bce86fae6c5a3a86a705cc
-
SSDEEP
49152:rd7H1c8dtr3HCxuZ4zNXfbLLZULEPSP3TGZL:rd7Vc8dtr3HCsENXfbmPD+
-
Cyber_stealer family
-
Detects CyberStealer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
addon.exe
-
Size
5.0MB
-
MD5
dfebae0723785e459af1b215894f9cad
-
SHA1
bfb0d7379fb582e9ca9d0561988f085f884b1878
-
SHA256
75bdf61a7b2f8e0a5d8c19a9444fc28c4b6a622c284dba09ecc4a12fe3add107
-
SHA512
bd85b7e008074799753646366da4b4f6ec82534c21bc077eee8f26bc29c534871e7a3fb4f8312f5040c1545110ab8312edbe1bb3e6ed49effa740d63b3656632
-
SSDEEP
98304:sfMG2apJ57gyfIcGaz74lSptB2EH/GWboelM9ENwjUP5+fedH:s6OQcGazKSJ2EH/pdieiRmdH
-
Disables service(s)
-
Modifies Windows Defender notification settings
-
Xmrig family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Possible privilege escalation attempt
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Modifies file permissions
-
Checks whether UAC is enabled
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
-
-
Target
addon2.exe
-
Size
88KB
-
MD5
40367f463be9d1f23dd8911416501c07
-
SHA1
45961dc939761bcfe691c8a1d8ae8f25b45f2414
-
SHA256
d5ef6d909de11f6551bdb6dcc9dcaec52052ecbeb74306090976764a19a005b8
-
SHA512
3c2ef5b2dd3264c5778ed188d4fecfd6a129b15d2bb13020f7f77d3f7e585e7570deec6236fb0f3c17f5c3bef0e81defc26ccd9ac3249047510aa3b17b2d9893
-
SSDEEP
1536:/jgXAXCl8L9DJ1qRbhYJPVe0EP5zN/80XhP9V:/jgXkC4d1wbhYJPVe0EP5zN/80Xh3
Score 7/10
-
Executes dropped EXE
-
ConfuserEx .NET packer
Detects ConfuserEx .NET packer.
-
-
-
Target
asdf23.exe
-
Size
2.9MB
-
MD5
bbd4e99043070958d60ad5a420784340
-
SHA1
b08212ac93b791f3b36d14d1e26a1a524c45f8fb
-
SHA256
6c3d08160b73465975aa415810a8bb73584eefa335e9828a380f63120e33732d
-
SHA512
57c64fe80d547c2052dc705f001a8311d1fdbf13b4eb664cda631df6146fe1c17ca44d00075deb0859435a3ec66565dba4d67ae208636a8d3ccdafbc990b2d8c
-
SSDEEP
49152:Sf1nWgHSrSE3Vgyd01IK1qcMoE8HPBlmBXdFj3VPLIpGK7j3VPLIpGK8:u1n2rSEFgU01IU3PBlmdB8pnl8pn8
-
Lumma family
-
Suspicious use of SetThreadContext
-
-
-
Target
beenofav.exe
-
Size
5.1MB
-
MD5
a6c4d382d5770baee2a38856e23f009d
-
SHA1
602df9a98bec13b264e304fc385195c049f7ff1b
-
SHA256
559a02d646440f445d294b92135b1c5f2679fdfdea393a546daef48da74778c6
-
SHA512
214a2645422beb8cafe055561bbbfd19c2003888a5054cabe154b42aa01c61358e0b5fcebb43dfdeab28406c23f90b63fb4af9850fdfe24e2b7e095856adac23
-
SSDEEP
49152:KFFz8dc2C+OWckHl7+S/ZM82pZmNbbF8C9rXnJZowVEFXi3dX7OIyEH7gzN8WKmq:KfaKDZmU8SFKH7gzNbc07vTupv
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Uses browser remote debugging
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates processes with tasklist
-
-
-
Target
download.exe
-
Size
3.1MB
-
MD5
f4be2c32460d8da27064d9248a43f8ef
-
SHA1
bac01a3083b51acfa6ce2c3ed465899ece4c8ab5
-
SHA256
61ac11057cea39a92465c3cb3ed7aa1e73a396d16b546b1e1a7f7a9fa0672f5a
-
SHA512
09f5e52f75d16ace52b2c61c1c7e27c562af3c3443e6e4bb3439e1b718d7258e3cce563bb712e56b375a44468f7144a99ea373d651ce1e178026dd6db5e4aaaf
-
SSDEEP
98304:cJ3La1r2yp6SGDUEr675PAFNiNvCgpzmIQH/GmejtcHj:iKrMht8PAFcNKhIQTe5c
-
Detect SalatStealer payload
-
Salatstealer family
-
UAC bypass
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
it4pKAE.exe
-
Size
1.8MB
-
MD5
9f3099886dbae9aed0f97a4c158a9ae2
-
SHA1
28988a0ffd7aee2f2d65e6b568b9a91e3554326e
-
SHA256
0bfdfa05249c3c0e41ee54ebfc41b2b1937fc70c6a5afac39f880a9f27f948e6
-
SHA512
e89b42b16520b30f4c29cda53f34692acba42d4738ed08be10ca4d28876778ac2261f4b8ce4401524c301eda986073fd8e348364d1e49fba2487bfe1f375a82c
-
SSDEEP
49152:MVZ2FTvoqTUbGz9GbI32k0wZs0d6FkVnNJTNg3rbRbP:M20N06FkVnXxA
Score 6/10
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
max.exe
-
Size
3.4MB
-
MD5
6e39393234411caaad0534ba8f6bb442
-
SHA1
eff8b625e0af1723d384b976d527f26ae7308736
-
SHA256
c028368451eaf98221b52f208b14b779834286c186f0e161c0987f035089737a
-
SHA512
380e7eca35346b7af4b8729d3db8910150ef210c90cc09d89656a06a25ad727dfdeb0b7b4f1254d8b3b88a0918313002fa91a5eb59bff079868d0070c41940c0
-
SSDEEP
98304:I0QhdHodJ0/o7Uc28hbOCFHlt7M0q9C+uSNpGQ:xKNSi/9c2Kq0gN8Q
Score 10/10
-
Detect Socks5Systemz Payload
-
Socks5systemz family
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
nIh80ko.exe
-
Size
3.1MB
-
MD5
fd5fb0f0bbaf8fa2428fd448d548cc8e
-
SHA1
ebc7d6dbb1f5b6b2145b9f09b59935ef5b29ebab
-
SHA256
d8c3a11c8dcf88acb82fc8b5f115a58c5c2506a82c0c23223f3b8fd26387db7f
-
SHA512
789bee8f2ba2c4e0225f84d5b123b710f182b439ab3af88d398dfd4cc43f1968b87e0d82b0ae9d045c4ce17a4a2ed346c23576d34a93ec976fa123f71a3f9487
-
SSDEEP
98304:lk6Usu3jXx+e/3F4VpaNHOIfAEiCY8DQ5aH:WLsuTUuqVoygQEH
Score 10/10
-
Detect SalatStealer payload
-
Salatstealer family
-
-
-
Target
not.exe
-
Size
21KB
-
MD5
927a612a91e7584987585deb6c1b149b
-
SHA1
3e018f009f560736aa39a95f32411526ca3b453b
-
SHA256
85aca151f0faf9b0ccb54a242b6fa4587ad4706d67121aec520a7e445226f31d
-
SHA512
d382b4f71ccd196f0cab74fd9506a4060092cf9625e09f0f1b07bed12374594121eb13dcfee5fe2ccd46e6e257820e5beedc1c23666f10386ebbfc1f28a62e71
-
SSDEEP
384:S7XYDA6KmxcV6lp4fcV2o3Y4bjbEohGkSPwAeje1eOLR57zQccp04yvfVT:e6KccVsp40p9jnEkkkqR5gpq7VT
Score 3/10
-
-
Target
photo_2024-10-04_01-02-07.exe
-
Size
12.3MB
-
MD5
e9f9d21c885fbd6fd1b505bb5a29fc94
-
SHA1
565d12f0f271221bf4d588a5404919045eb231cf
-
SHA256
78e22d9b8b259b67bff21d4bf23ad13c5956b7ccba1da8bc7c7de99d46d5945a
-
SHA512
64700afa4ceb9bd8dbe3ddd846ce7a691e91c5d5277e3d815008b58eb6ae2043377b110960a460f670baba248f426a51c1a3a0ace9cf0c2ab7b984d6061bbafb
-
SSDEEP
393216:Ki/z1LF9dM/ISGL2Vmd6my0Gzaj1raxbWO4SsuP:Ki/RpT6ISGyVmdaE1raxbW6s
Score 7/10
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
pic19.jpg
-
Size
5.4MB
-
MD5
d9986ca8fe6b3d6518cd2b73480c7135
-
SHA1
125f612be0e3e2897fb9a39de1cac079c2f7d2cb
-
SHA256
07be062cb448e8b62a8c424fc9c744d066f561e3873610f0ce9ebf5b87af912d
-
SHA512
4375c0ca44f062030d5a24b8f9225a8ca97b8bb0ffa48fdb4af0c61af792c27fa21ee59539458402b95d5120f045f29815a82b432e437b50b57ee479cd1a5d65
-
SSDEEP
49152:vSF80cJ9COm5F1xNrXVKLnrHzUNy6IXdaIwQDOcLfj+urDmXL3ZB0SdT4J5Yx1NH:mxh8nrNNXjLAbT4DNXrhTbK
Score 6/10
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
promotion.exe
-
Size
189B
-
MD5
c9f6f82c0b1e2d6eb40294f876eac55e
-
SHA1
abe89f9bfb756bbdfb2f535420e10bb5625eb4e2
-
SHA256
9dcc361cf979ea9471e1076ab30724c665229614d2d7432dfe9127c8b6d3a443
-
SHA512
c9ad3aa05ef29513c47732c46f626674f9b55d9b3b8bd8ce2699b17e4ab02d07a2549505024e1031feb286d92ac4affbdbf8fad07a4b849757c0a62efb535b93
Score 4/10
-
-
Target
random.exe
-
Size
2.1MB
-
MD5
f0fc10f1f4491b858f6ddfdd774d1ce4
-
SHA1
480bbb2601dce53b73d6aed030290c1263246b36
-
SHA256
bd6203904057f6b8148fb59d539acd100ef914bda8f15423a8d69634d03312fe
-
SHA512
12815064fd800e2e86045b8a13700321abb80adf284af00c6117b7992a380f0d3bbf3105552c83cb9515222bf61f6aaf533e9f0c4683f11f24c9062b60eebc41
-
SSDEEP
49152:IBJaTpc8iYMUCYcY2NcZYJS+d1VP/S+Yn9WRGsX7Ib/mlk:y8TFMUbcH6Gfd1pUn9WRGXb/n
Score 10/10
-
Disables service(s)
-
Sets service image path in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates processes with tasklist
-
-
-
Target
tnhNZxh.exe
-
Size
2.0MB
-
MD5
3551e6c1d65234ce52618b886e116606
-
SHA1
ce52244ff3ca7ca8b4cc93fa2513bdba2631afad
-
SHA256
61f37ca7debfeee417ebb8dedcae63e5eff966d216dd8c670e7e605c2caf2713
-
SHA512
020be19bb78389dccf6226116203e0c00160690475407b179e2c75af4d4360679bfc703259f35cfbc4dc2911b882b161428d991dc4d8170aca9f4c6ff6976ff1
-
SSDEEP
49152:UhTCFkGtB8C7FbIWAxsbSF9qCvnsAoG4Aagstr:Uh0rBTsF9zvnNfWr
-
Lumma family
-
Suspicious use of SetThreadContext
-
-
-
Target
yzymFGo.exe
-
Size
1.4MB
-
MD5
1a80d9a4f3d4e50bca7ef1db2941a889
-
SHA1
12f5c46fbfca23c37e97fff028aa4d0cd1ee2fe6
-
SHA256
f1d54cac98e1453caa61f3584d125756238f57a8945149006684dca0a704aeed
-
SHA512
773471e5da84098a94c4e2c1fc7959e5a463833740b56f198486c584db455aff3ee373086a6086f35af23b68a12305b9646caba78e8ef536bb4f506e018bd64c
-
SSDEEP
12288:2IbroRBKgWOLHmffUyl+dZbHa5Sh1jBCgnh0nKWxD56:29R3WOLUf6dZ/jBCgnhzWt56
-
Detect Vidar Stealer
-
Vidar family
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext
-
-
-
Target
zu3sNjZ.exe
-
Size
1.7MB
-
MD5
e1e5ab289f986ffcb864fb862511077e
-
SHA1
63deb7e6e981c5aa44d09de1cf25697ed6ed2ff8
-
SHA256
08ffac6df72f6f321867bdc670ae336023402db74a327bd82bfb0e1012f7c571
-
SHA512
34153c98bdbadf9e6b576d08474b2b18e99f7f17b3e0d62fe36b90111fe624783accf28be2b743912a2c3e1c7cf29339aa23fe4986c1f2560d1b7d95f5013596
-
SSDEEP
49152:ElFF7anP/6ctv7iZWaCRsUeR2uhS9dRwPL:ElTm/VtDOIGUbISXOP
Score 10/10
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v16 (technique, with the number of matching tasks in parentheses)
Execution
- Command and Scripting Interpreter (3)
  - PowerShell (3)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Ignore Process Interrupts (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Authentication Process (1)
- Modify Registry (6)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (6)
  - Credentials In Files (5)
  - Credentials in Registry (1)