General

  • Target

    4ds.zip

  • Size

    221.1MB

  • Sample

    201122-hr1cc24nk2

  • MD5

    0c1df79aedd19bad104f962cfa9495a2

  • SHA1

    62f9b3c0e8d3f29663c2bafde2602d7cda044fcc

  • SHA256

    4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

  • SHA512

    b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

revengerat

Botnet

Guest

C2

178.17.174.71:3310

Mutex

RV_MUTEX-HxdYuaWVCGnhp

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    mor440ney@yandex.com
  • Password:
    castor123@

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    mor440ney@yandex.com
  • Password:
    castor123@

Mutex

245f77ec-c812-48df-870b-886d22992db6

Attributes

  • fields

    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: true
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: castor123@
    _EmailPort: 587
    _EmailSSL: true
    _EmailServer: smtp.yandex.com
    _EmailUsername: mor440ney@yandex.com
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: true
    _LogInterval: 10
    _MeltFile: false
    _Mutex: 245f77ec-c812-48df-870b-886d22992db6
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 10.1.2.2
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false

  • name

    HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Targets

    • Target

      bootstrap.min.js

    • Size

      36KB

    • MD5

      55093a3d1ac85ac5734e104d4f2de030

    • SHA1

      7d6acbbe3b1589d11873954e95e674f178cbaaf7

    • SHA256

      abbb8724a9c69848de604e65aad7a5f6ae3fd7ef2c071b84b41b9cabfabbf2a4

    • SHA512

      373ae6189df34c585a26e1662026b131352327c08ae7ae1ab5c108ac94deecacd89afa2e3b955682f03caf097eb909edb82118fe73013f32b18878ee7ada9ace

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe

    • Size

      1.1MB

    • MD5

      82b5c0acec3a7946f002c9e555a7125f

    • SHA1

      f48992935c658b5685fedc7c8d5ee4b12c19ba6a

    • SHA256

      cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7

    • SHA512

      e802adf79040570783e77643b4b75853c61e583272aaafc85f7df29fc9b1b42d37753e172a6865082701fde423ce2aa3f19ab3e346126bf0ffb1fae3b360bbd0

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      ch/index.html

    • Size

      57KB

    • MD5

      f2ee9a40cf33ebf2319b55311777aea1

    • SHA1

      200e696b1e4b8cacf5e87eee2d7c1072b015b53c

    • SHA256

      61aff9ecf65c84242a4fce680ebc80ec15c3f56472d22ca2d83be9cac95c64c2

    • SHA512

      d8794362aa53ce35fc20fc395e76ecf78c371595029efd73909db446148fa251a70fdcd34ab67bdd0f1e0ac08e08651306bd15224d44755ed86e32cb4f003a3f

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      ch/jquery-1.js

    • Size

      93KB

    • MD5

      00f66eada2c54b64a3f632747ce1fe2d

    • SHA1

      a4837154098ac13ccd72e08fd25d7bcf76826986

    • SHA256

      100a135d8e7d5ebf1fe83b0b16da1d8d8b2321acdc4d5c24a1f9a7df53b23cf1

    • SHA512

      11220e328a367f1086d0369686d09206badfd2cce18cdbc7420b4aca9785054ad7576f156b6039444f762f6a46a58ac7cefdc0f2bf031f215f59a8d6ae8e254d

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      ch/retreaver.js

    • Size

      15KB

    • MD5

      68ec33788ed08f7c0fdd73cbd52c2050

    • SHA1

      8e05b9eb9954164dd41b115dfe9f1d57a2860fc8

    • SHA256

      71a861100e206eeee88876cd5313553e0fdc07046cce33a1a96b96d9485070e1

    • SHA512

      2bfd61e5aa56d37f7778be5db6bbcec88dd3683cc364317b058fac3ae4c018ba156b16344a6fbe94b41933b42ce059d53afa82aa6656540574f45dff3e24e0a3

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      chrome-assests/a.html

    • Size

      350B

    • MD5

      420b6966af9d8dfd4095737a873509a2

    • SHA1

      ef780ca200a3405e866d685ec9284c009219508a

    • SHA256

      e6a8fd43ffc04efccf17110152db69265190e18c9484de4cb82fd5e63cf264c3

    • SHA512

      3484c523ee19961dde0f89ebf5f3d99c8b000d63c68d82919fb1563c81f5959f6ef69b37d3ec952b40007b27d2ab436058fe4138ff784e254e267cc1de587033

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/ie10-viewport-bug-workaround.html

    • Size

      377B

    • MD5

      f1eb316adbfa88081b8f3b840c852ace

    • SHA1

      459bd301af4d287e87985dea4870115fafa07d9c

    • SHA256

      a48aca6a9cd0818f3c3705fb1669f476e3641d32d2f526f6b7ced6af4c37d1b2

    • SHA512

      b4a48cef527e182b18de977af2a617dbebc8333f7ea39c7f0066e6bad31ea8f380a54f5f7b61e42aae0e40f432f8040673179e5a566f474da39179a0e083c847

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/iframe.js

    • Size

      756B

    • MD5

      51f2059c15e716929279d6228e840e63

    • SHA1

      edeafad8f89b9d5bc581eeacdc3df1b35f25abe3

    • SHA256

      ce1ccd32bbc00409aa9be94095994d43b6cefd8ae38764bac0a355ed3b313b67

    • SHA512

      3b3a95cc742f0d72a7ca1dc636fd6bbdd942df5d177ec4fb9f175c4cf94ec08c835084d0fbeaf0d65a3440dd4600e52ce2fbec6a019ef34b978074e058b67cc6

    Score
    1/10
    • Target

      chrome-assests/img-1.svg

    • Size

      592B

    • MD5

      12af80dc28ea71eb770848a8e1ff0128

    • SHA1

      51c66b1d86ac47d15f927b8c98b6500846ba00c1

    • SHA256

      436689aed9f4d6744d69ab3df2b9e34ab6279d7a38f0e5adcc266f6cb5fc53f0

    • SHA512

      7ac6acff383eeadb5fb033a8162ec80e05b03a17611d8e6636f0c855b41bccadc4b122d30abf82fa16aa00eb436edf084a3d16849246fc929e565ded47e3fb22

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/img-11.svg

    • Size

      910B

    • MD5

      3241bc7d3efc81ef70052993a80bf49d

    • SHA1

      7f88961516a4198cbb11b216667c2dae94dfc103

    • SHA256

      7443a8aab83f372ce9993ca88a2dd189d915016b7c89649e0f36e44d00d3e865

    • SHA512

      48b343a36b895e1aad7fad68f3e1916f62cd68214b2d65985010d8fb9e6849b0221122b59d037cc9909cade4a549327e99b4c0b545446e83abccc42f67c4a0b2

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/img-12.svg

    • Size

      592B

    • MD5

      60b657fb273d057aa8a5b0c3babf1f5d

    • SHA1

      a6e3a06223c7a32545641c4ed7601aa1e9439e34

    • SHA256

      88e74b30174f5005ac34d11b3e575e73377c75e9b787932d0be05cb215db80e9

    • SHA512

      b1db14eea14f5474a7ef24accce61559343aa5b5123ffc24db1545d4489858cabf7fe8726fa30bef23f9b4f21f97bb5b83ee8f3e78f49338ddb5a92abd8f3e5a

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/img-2.svg

    • Size

      583B

    • MD5

      e4709b0fd98d81c7e39a378bdd289033

    • SHA1

      ef561f46ae3ed3e4597f1a95d464b7549af163f9

    • SHA256

      3897a8ee5fcd4f6bb05756c5e46862ad6b0a62607ab1972ad6db60cedf0b3be6

    • SHA512

      731baee4bf2134fe18f5e783a12005cea1edf0916009560b2875a7104717c295ffd02d5d62a9afd6ac0d99c416c565bc2121e8b64cbc5e97a89a7320224e5be1

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/img-3.svg

    • Size

      2KB

    • MD5

      b70fff9713e620fe6d13a4e232d4fd7a

    • SHA1

      e0a80e09216267ab5b92f68fc1b6348dfeb48223

    • SHA256

      0ebc28a19f72eb6c0265e2277ba4fa154b3b94d5be0c5128a474b8eb7982c7a6

    • SHA512

      c08bb14948fd377e4091f1ef508abb6456eca7a1feefb4870a0760c44b8c5f4037688c103e2a15b432cd39efcdbf2f220d93a504b0cdc787ff45e537d9d7209c

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      chrome-assests/img-4.svg

    • Size

      666B

    • MD5

      77fd42086aef0f6ac1629be6f939a17f

    • SHA1

      86ac79b75c39e85da4598785e4394102cfda60e2

    • SHA256

      da1d9c7852bb6ffd74973e6ea5c0a80d117289233a96f5572a19b6d7b7d1c9cd

    • SHA512

      a13b08e9ee4a269b147ad9f3bc2687898482d88dac664e9bf256cfa3e3e055bdf3b4428e2762ea5844fffc1761f88c4089a0fa7b00c613ca360ce70310992015

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      hyundai steel-pipe- job 8010(1).exe

    • Size

      721KB

    • MD5

      0999a03694a1c97a43ac0de89cbf355e

    • SHA1

      0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d

    • SHA256

      8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

    • SHA512

      6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      hyundai steel-pipe- job 8010.exe

    • Size

      721KB

    • MD5

      0999a03694a1c97a43ac0de89cbf355e

    • SHA1

      0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d

    • SHA256

      8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

    • SHA512

      6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9

    • HawkEye Reborn

      HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    • M00nd3v_Logger

      M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    • M00nD3v Logger Payload

      Detects M00nD3v Logger payload in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      ie.svg

    • Size

      769B

    • MD5

      aab795251934d2063ba9df1c539706db

    • SHA1

      3fd39edb2aa407eb4e10dc08f899f1e41690291c

    • SHA256

      a1cef33ec4d98a1bf01a70ebb04e7ebc695910ba9c258aca0bb5214bf9af98d3

    • SHA512

      80de8f68c8f15f523b78c50ed4fb053eccca8d2c78db7fa99a8b16650f7ca0aed698fce13629f6ac24cdad536d6c4dedb3be37b7ecbec064feeb0c2d911b98b8

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      index(1).html

    • Size

      5KB

    • MD5

      7bee8e169793eb18193d767b4e16c720

    • SHA1

      ab952de835bffe6ba978cf99c55a700e479608f6

    • SHA256

      d19aebcffd70663042c75c24fec8c2a308d8e199e568cf22fc47a95690637da3

    • SHA512

      0d0116931641173d582c29fa72eff02ab7b4f788fedc75cc9a10b34ce2eba942f23f3b83c7907afdc43688e41f87240b186623c9b3980699c2599b54f68f4e3a

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      index(10).html

    • Size

      7KB

    • MD5

      565cf6557ee64a77fe15385373ac3d83

    • SHA1

      0739b5e23e7e30649139421b11b6d289cd2510e7

    • SHA256

      60b111c927851655d541894649f04e4723e1f16b200b14c4b0c08700745c4e91

    • SHA512

      510b5eddd1f7b4ced204e1b26f4cd852d7e5c1a508a808c688dc91fc1b0ea4e52f54d8108c8d550369397af37a65dbd6ed05ff8005ece2b0e0902491cd376168

    Score
    1/10
    • Target

      index(11).html

    • Size

      98KB

    • MD5

      8c322ed467ef41c0e709fb02f5b72c82

    • SHA1

      9d370ead145f80c04e2a53a6683103a972d34ee0

    • SHA256

      8b0b9ed969fc04412fe395bc3291074fc25f2efa7b1254143c57f0763d568e0e

    • SHA512

      cb73796263bfd29e82465785bfdf9ff200bc7a691825ee8da92496e41c18435cb72ad9f9dbb9733186f162e901f7210ba9feead4eb6436a1d8aa40b19d657186

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      index(2).html

    • Size

      6KB

    • MD5

      6ab776dc484b17397ad580be04b00a54

    • SHA1

      f3058f8c46c45af5baa46ee09dd3979c100fffe7

    • SHA256

      e8be9982165aa8f2b44c3bc3ac6fce1faa03266fee0a0a223433e18f18cc60cc

    • SHA512

      8259e1848fabcd0dcbe114021d1033faf766607f1955e9bd5f5b70c791bb8b2347db73dfd7672ea3c68ff490674b971424cbc5ea5bc77b243f2ed59ae22e2f6d

    Score
    1/10
    • Target

      index(3).html

    • Size

      1KB

    • MD5

      053da040bef6c226a3e84c49b61cbf60

    • SHA1

      84f6a1d2f4e2190e5d28c5110fe96443b64b4873

    • SHA256

      6ea3e8640831be999b747818d9826a36de14beafb316a1b418afb04a2d092e58

    • SHA512

      fcea9322dd7963362c96b98aa927a24607eb987a15948cfb9aa7c4e36b3bbc4a7eae371558d888c3bd8523d93809d65c95f4b9587d923b7f616c67a65c30abe2

    • Executes dropped EXE

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • JavaScript code in executable

    • Target

      index(4).html

    • Size

      5KB

    • MD5

      3e9329e1be2081bc1ecc6adf86960061

    • SHA1

      224f65f5cbfaedc6ab89246e066d4f97480c2669

    • SHA256

      0f8adf2edf0af48f148f10ee467a51a078cf1535e638b970baf6854fed1df019

    • SHA512

      b287a49e56c4548b8e898a855646a94809fc4ddfb062d8467ad3814850e7722928bc9b0ee49fab508f0ebbe2777155e8ea8cc3a0effa001ba3c45c521261e254

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      index(5).html

    • Size

      14KB

    • MD5

      a04ac97f975fbea37a2e385ae4a48c3d

    • SHA1

      565214f80be60a73779880381991fae1f18872ca

    • SHA256

      003e59cb295e42f6ea30a7576edb2ad902d82fee3f066eb59785a430f38a50d7

    • SHA512

      7039ec15ba0782d757874a3301c6d82982bca25ff11affae170c3a75df5cc02ac1e516d37bbc1fbb0ee190b31f970d71a4ee8a025203f8743ca01e19cec5ceb6

    Score
    1/10
    • Target

      index(6).html

    • Size

      9KB

    • MD5

      8435cb7423ad89ef010d40d96b05ac41

    • SHA1

      4b444901c98b3d88184ba6fcecb4cf5401db54ad

    • SHA256

      027385f41fb1dac83bfd4c6ae4339bae6e7c8318d85b51892e3073cbe7fbde58

    • SHA512

      dc4880ec617069cce4c185551ca958a5f1b99358dfa54c2d21f2fba20732db74ab44966a6189e245ffa177706f7cb56de1d3ef0529246a4ca1714722c64fbca3

    Score
    8/10
    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Target

      index(7).html

    • Size

      18KB

    • MD5

      4a52683398cac1b4c47b335ea2779654

    • SHA1

      14ee7fcd212bb624887dfa746aabe49bc4eef357

    • SHA256

      b9af37f8b2660e4b3b1f4bd42d7dd376d841d0dd854c1600384ed0ec8026ef37

    • SHA512

      761e25ffd4bb6b9af253401a9f2acbc8bb5f34bac5959a82527ddca30e5277ec2e577ff7ad8883fd4201249ca2ab1df89850b73cae547b65902d41a8d53af1a5

    Score
    1/10
    • Target

      index(8).html

    • Size

      67KB

    • MD5

      7dfcda08bd2ab04f3e68be1d645867ec

    • SHA1

      09b3db25987716cdd64a175f3e9b7488413e7bd7

    • SHA256

      4a4991f9bfeade5b923b48cda32c9d81e61dc38cf37c9fba1273287c4d5b7415

    • SHA512

      595573d32fc3313493bab38d528c9e1112135b726c4dc15b343f3f88f0e61ea83b656505eb0c662f6ff58bc1ffa79fc336cb305d89b591b721dfb00e5a1f3c88

    Score
    1/10
    • Target

      index(9).html

    • Size

      119KB

    • MD5

      33b72c6dc00dd802f5e2d53cbe5c613a

    • SHA1

      450ed8acb15133ed843576e735cc171e77c6fe53

    • SHA256

      027bb852118f95abe8945905a2ceb945b2051c14418f0f47cb9db097ccd97a36

    • SHA512

      fb734e720d5043f887e0a8d66b01cae4a3c5028712a28452406cf0d1d629e2c4205d623286f8aa193b5d269ae8f545d860ae0a65cebedf77e6a887dff7163370

    Score
    1/10
    • Target

      index.html

    • Size

      26KB

    • MD5

      3e198c8b972a962aabf0a2bbe26c1029

    • SHA1

      236dd9eadccb3aff18f910867d4231b38f8b77c8

    • SHA256

      13ac02b44e2c48890c00ea16afe1d2e2918fa9cd9f20ae2782efb8c1c0c61425

    • SHA512

      7ba8f027e23edac3e51f5e5a8f18431d03086582d034e09321ae2c539011639805463766ee520c9c8bef7b89e004c2c03c7178c0b7a953850a763aa39046d240

    Score
    1/10
    • Target

      index2.html

    • Size

      6KB

    • MD5

      a81d96c7ec17e2508e1516ced7f8d52a

    • SHA1

      88ecb602f5badab8cda2ba2307c74eae9532b411

    • SHA256

      9ac684e2d75d94e79155f364c62af51055c2475fe9f9672b302aa9bd4651d695

    • SHA512

      7d22f5530fa4c810e892f4de84a563979664f97e70fd2a8b42ad9fb5581247f05e8529cda617af7cee26fd3d9d78498795bc745569b04c626b3500b84a6e3ffe

    Score
    1/10
    • Target

      infected dot net installer.exe

    • Size

      1.7MB

    • MD5

      6eb2b081d12ad12c2ce50da34438651d

    • SHA1

      2092c0733ec3a3c514568b6009ee53b9d2ad8dc4

    • SHA256

      1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104

    • SHA512

      881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

    Score
    8/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      inps_979.xls

    • Size

      228KB

    • MD5

      56fc044937a072471fdd8d63b874e04a

    • SHA1

      738552f8db33ac0271aa860775815f3d1b291980

    • SHA256

      59afe59cdbebf60434bd78270826ca9689c3765264dfcace312b89c606c0a962

    • SHA512

      dbaf2e36ec17d474c829d847705de796bea153b784c8e894d4ff7bebb3bfcdf01447d97f217d9303e0eed5aa9b39046b75b2581331be28771582af2ea48c960b

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Winlogon Helper DLL (T1004): 19

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 46

  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 4

Discovery

  • Query Registry (T1012): 7

  • System Information Discovery (T1082): 6

Collection

  • Data from Local System (T1005): 4

Tasks

static1

stealer, macro, main, 26.02.2020, upx, xdsddd, victime, 25/03, samay, cryptone, packer, 09/04, 07/04, insert-coin, yt, system, revengerat, zloader
Score
10/10

behavioral1

bootkit, ransomware
Score
8/10

behavioral2

revengerat, guest, stealer, trojan
Score
10/10

behavioral3

bootkit, ransomware
Score
8/10

behavioral4

bootkit, ransomware
Score
8/10

behavioral5

bootkit, ransomware, spyware
Score
8/10

behavioral6

bootkit, ransomware
Score
8/10

behavioral7

bootkit, ransomware
Score
8/10

behavioral8

Score
1/10

behavioral9

bootkit, ransomware
Score
8/10

behavioral10

bootkit, ransomware
Score
8/10

behavioral11

bootkit, ransomware
Score
8/10

behavioral12

bootkit, ransomware
Score
8/10

behavioral13

bootkit, ransomware
Score
8/10

behavioral14

bootkit, ransomware
Score
8/10

behavioral15

hawkeye_reborn, m00nd3v_logger, bootkit, keylogger, ransomware, spyware, stealer, trojan
Score
10/10

behavioral16

hawkeye_reborn, m00nd3v_logger, keylogger, spyware, stealer, trojan
Score
10/10

behavioral17

bootkit, ransomware
Score
8/10

behavioral18

bootkit, ransomware
Score
8/10

behavioral19

Score
1/10

behavioral20

bootkit, ransomware
Score
8/10

behavioral21

Score
1/10

behavioral22

bootkit, discovery, ransomware, spyware
Score
8/10

behavioral23

bootkit, ransomware
Score
8/10

behavioral24

Score
1/10

behavioral25

bootkit, ransomware
Score
8/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

persistence
Score
8/10

behavioral32

Score
1/10