Source | Rule | Description | Author | Strings
0.2.K59gVXTgGv.exe.2f72050.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.2f72050.0.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.2f72050.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x46c1:$a1: get_Registry
- 0x60e6:$a3: Download ERROR
- 0x63d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.2f72050.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x62ce:$a1: netsh firewall add allowedprogram
- 0x64c8:$b1: [TAP]
- 0x646e:$b2: & exit
- 0x643a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.2f72050.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x63d8:$s1: netsh firewall delete allowedprogram
- 0x62ce:$s2: netsh firewall add allowedprogram
- 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x60c2:$s4: Execute ERROR
- 0x6122:$s4: Execute ERROR
- 0x60e6:$s5: Download ERROR
- 0x647e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.4015f19.4.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x46c1:$a1: get_Registry
- 0x60e6:$a3: Download ERROR
- 0x63d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.4015f19.4.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x62ce:$a1: netsh firewall add allowedprogram
- 0x64c8:$b1: [TAP]
- 0x646e:$b2: & exit
- 0x643a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.4015f19.4.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x63d8:$s1: netsh firewall delete allowedprogram
- 0x62ce:$s2: netsh firewall add allowedprogram
- 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x60c2:$s4: Execute ERROR
- 0x6122:$s4: Execute ERROR
- 0x60e6:$s5: Download ERROR
- 0x647e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.6900000.9.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x46c1:$a1: get_Registry
- 0x60e6:$a3: Download ERROR
- 0x63d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.314dc30.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x62ce:$a1: netsh firewall add allowedprogram
- 0x64c8:$b1: [TAP]
- 0x646e:$b2: & exit
- 0x643a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.314dc30.1.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x63d8:$s1: netsh firewall delete allowedprogram
- 0x62ce:$s2: netsh firewall add allowedprogram
- 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x60c2:$s4: Execute ERROR
- 0x6122:$s4: Execute ERROR
- 0x60e6:$s5: Download ERROR
- 0x647e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.3f41529.3.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x46c1:$a1: get_Registry
- 0x60e6:$a3: Download ERROR
- 0x63d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.3f41529.3.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x62ce:$a1: netsh firewall add allowedprogram
- 0x64c8:$b1: [TAP]
- 0x646e:$b2: & exit
- 0x643a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f41529.3.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x63d8:$s1: netsh firewall delete allowedprogram
- 0x62ce:$s2: netsh firewall add allowedprogram
- 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x60c2:$s4: Execute ERROR
- 0x6122:$s4: Execute ERROR
- 0x60e6:$s5: Download ERROR
- 0x647e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.40d5ef0.5.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.6900000.9.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.401f560.8.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.401f560.8.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2593f:$s1: \VPN\NordVPN
- 0x25925:$s2: \VPN\OpenVPN
- 0x25907:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.401f560.8.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.401f560.8.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1018c:$x3: StormKitty
- 0x198ca:$s1: GetBSSID
- 0x197ca:$s2: GetAntivirus
- 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x24f7d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x64c1:$a1: get_Registry
- 0x7ee6:$a3: Download ERROR
- 0x81d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x80ce:$a1: netsh firewall add allowedprogram
- 0x82c8:$b1: [TAP]
- 0x826e:$b2: & exit
- 0x823a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x81d8:$s1: netsh firewall delete allowedprogram
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x7ec2:$s4: Execute ERROR
- 0x7f22:$s4: Execute ERROR
- 0x7ee6:$s5: Download ERROR
- 0x827e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.40d5ef0.5.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2593f:$s1: \VPN\NordVPN
- 0x25925:$s2: \VPN\OpenVPN
- 0x25907:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1018c:$x3: StormKitty
- 0x198ca:$s1: GetBSSID
- 0x197ca:$s2: GetAntivirus
- 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x24f7d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x64c1:$a1: get_Registry
- 0x7ee6:$a3: Download ERROR
- 0x81d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x80ce:$a1: netsh firewall add allowedprogram
- 0x82c8:$b1: [TAP]
- 0x826e:$b2: & exit
- 0x823a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x81d8:$s1: netsh firewall delete allowedprogram
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x7ec2:$s4: Execute ERROR
- 0x7f22:$s4: Execute ERROR
- 0x7ee6:$s5: Download ERROR
- 0x827e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2593f:$s1: \VPN\NordVPN
- 0x25925:$s2: \VPN\OpenVPN
- 0x25907:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3f158fa.7.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1018c:$x3: StormKitty
- 0x198ca:$s1: GetBSSID
- 0x197ca:$s2: GetAntivirus
- 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x24f7d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2593f:$s1: \VPN\NordVPN
- 0x25925:$s2: \VPN\OpenVPN
- 0x25907:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1018c:$x3: StormKitty
- 0x198ca:$s1: GetBSSID
- 0x197ca:$s2: GetAntivirus
- 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x24f7d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x320f0:$a1: get_Registry
- 0x67370:$a1: get_Registry
- 0x33b15:$a3: Download ERROR
- 0x68d95:$a3: Download ERROR
- 0x33e07:$a5: netsh firewall delete allowedprogram "
- 0x69087:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | RAT_njRat | Detects njRAT | Kevin Breen <kevin@techanarchy.net> | - 0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x6855f:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x68f7d:$s2: netsh firewall add allowedprogram
- 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x684df:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x23577:$s4: yyyy-MM-dd
- 0x23b55:$s4: yyyy-MM-dd
- 0x28b30:$s4: yyyy-MM-dd
- 0x587f7:$s4: yyyy-MM-dd
- 0x58dd5:$s4: yyyy-MM-dd
- 0x5ddb0:$s4: yyyy-MM-dd
- 0x33e67:$v1: cmd.exe /k ping 0 & del
- 0x690e7:$v1: cmd.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x33cfd:$a1: netsh firewall add allowedprogram
- 0x68f7d:$a1: netsh firewall add allowedprogram
- 0x33ef7:$b1: [TAP]
- 0x69177:$b1: [TAP]
- 0x290d0:$b2: & exit
- 0x33e9d:$b2: & exit
- 0x5e350:$b2: & exit
- 0x6911d:$b2: & exit
- 0x33e69:$c1: md.exe /k ping 0 & del
- 0x690e9:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0x5e362:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
- 0x5a8e3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2773f:$s1: \VPN\NordVPN
- 0x5c9bf:$s1: \VPN\NordVPN
- 0x27725:$s2: \VPN\OpenVPN
- 0x5c9a5:$s2: \VPN\OpenVPN
- 0x27707:$s3: \VPN\ProtonVPN
- 0x5c987:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x5b11b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x5b18d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x5b217:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x5b2a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x5b313:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x5b385:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x5b41b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
- 0x5b4ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x11f8c:$x3: StormKitty
- 0x4720c:$x3: StormKitty
- 0x1b6ca:$s1: GetBSSID
- 0x5094a:$s1: GetBSSID
- 0x1b5ca:$s2: GetAntivirus
- 0x5084a:$s2: GetAntivirus
- 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x5bdcb:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x26d7d:$s6: "encrypted_key":"(.*?)"
- 0x5bffd:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x33e07:$s1: netsh firewall delete allowedprogram
- 0x69087:$s1: netsh firewall delete allowedprogram
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x68f7d:$s2: netsh firewall add allowedprogram
- 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x690e7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x33af1:$s4: Execute ERROR
- 0x33b51:$s4: Execute ERROR
- 0x68d71:$s4: Execute ERROR
- 0x68dd1:$s4: Execute ERROR
- 0x33b15:$s5: Download ERROR
- 0x68d95:$s5: Download ERROR
- 0x33ead:$s6: [kl]
- 0x6912d:$s6: [kl]
|
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2773f:$s1: \VPN\NordVPN
- 0x27725:$s2: \VPN\OpenVPN
- 0x27707:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x11f8c:$x3: StormKitty
- 0x1b6ca:$s1: GetBSSID
- 0x1b5ca:$s2: GetAntivirus
- 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x26d7d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x64c1:$a1: get_Registry
- 0x7ee6:$a3: Download ERROR
- 0x81d8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | RAT_njRat | Detects njRAT | Kevin Breen <kevin@techanarchy.net> | - 0x76b0:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x7630:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x2cbbe:$s4: yyyy-MM-dd
- 0x2d19c:$s4: yyyy-MM-dd
- 0x32177:$s4: yyyy-MM-dd
- 0x8238:$v1: cmd.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x80ce:$a1: netsh firewall add allowedprogram
- 0x82c8:$b1: [TAP]
- 0x826e:$b2: & exit
- 0x32717:$b2: & exit
- 0x823a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x32729:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x2ecaa:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x30d86:$s1: \VPN\NordVPN
- 0x30d6c:$s2: \VPN\OpenVPN
- 0x30d4e:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2f4e2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2f554:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x2f5de:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x2f670:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x2f6da:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x2f74c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2f7e2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2f872:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1b5d3:$x3: StormKitty
- 0x24d11:$s1: GetBSSID
- 0x24c11:$s2: GetAntivirus
- 0x30192:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x303c4:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x81d8:$s1: netsh firewall delete allowedprogram
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x7ec2:$s4: Execute ERROR
- 0x7f22:$s4: Execute ERROR
- 0x7ee6:$s5: Download ERROR
- 0x827e:$s6: [kl]
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x320f0:$a1: get_Registry
- 0x67380:$a1: get_Registry
- 0x9c600:$a1: get_Registry
- 0x33b15:$a3: Download ERROR
- 0x68da5:$a3: Download ERROR
- 0x9e025:$a3: Download ERROR
- 0x33e07:$a5: netsh firewall delete allowedprogram "
- 0x69097:$a5: netsh firewall delete allowedprogram "
- 0x9e317:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | RAT_njRat | Detects njRAT | Kevin Breen <kevin@techanarchy.net> | - 0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x6856f:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x9d7ef:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x68f8d:$s2: netsh firewall add allowedprogram
- 0x9e20d:$s2: netsh firewall add allowedprogram
- 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x684ef:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x9d76f:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x23577:$s4: yyyy-MM-dd
- 0x23b55:$s4: yyyy-MM-dd
- 0x28b30:$s4: yyyy-MM-dd
- 0x58807:$s4: yyyy-MM-dd
- 0x58de5:$s4: yyyy-MM-dd
- 0x5ddc0:$s4: yyyy-MM-dd
- 0x8da87:$s4: yyyy-MM-dd
- 0x8e065:$s4: yyyy-MM-dd
- 0x93040:$s4: yyyy-MM-dd
- 0x33e67:$v1: cmd.exe /k ping 0 & del
- 0x690f7:$v1: cmd.exe /k ping 0 & del
- 0x9e377:$v1: cmd.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x33cfd:$a1: netsh firewall add allowedprogram
- 0x68f8d:$a1: netsh firewall add allowedprogram
- 0x9e20d:$a1: netsh firewall add allowedprogram
- 0x33ef7:$b1: [TAP]
- 0x69187:$b1: [TAP]
- 0x9e407:$b1: [TAP]
- 0x290d0:$b2: & exit
- 0x33e9d:$b2: & exit
- 0x5e360:$b2: & exit
- 0x6912d:$b2: & exit
- 0x935e0:$b2: & exit
- 0x9e3ad:$b2: & exit
- 0x33e69:$c1: md.exe /k ping 0 & del
- 0x690f9:$c1: md.exe /k ping 0 & del
- 0x9e379:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0x5e372:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0x935f2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
- 0x5a8f3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
- 0x8fb73:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | - 0x2773f:$s1: \VPN\NordVPN
- 0x5c9cf:$s1: \VPN\NordVPN
- 0x91c4f:$s1: \VPN\NordVPN
- 0x27725:$s2: \VPN\OpenVPN
- 0x5c9b5:$s2: \VPN\OpenVPN
- 0x91c35:$s2: \VPN\OpenVPN
- 0x27707:$s3: \VPN\ProtonVPN
- 0x5c997:$s3: \VPN\ProtonVPN
- 0x91c17:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x5b12b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x903ab:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x5b19d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x9041d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x5b227:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x904a7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x5b2b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x90539:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x5b323:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x905a3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x5b395:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x90615:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x5b42b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x906ab:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x11f8c:$x3: StormKitty
- 0x4721c:$x3: StormKitty
- 0x7c49c:$x3: StormKitty
- 0x1b6ca:$s1: GetBSSID
- 0x5095a:$s1: GetBSSID
- 0x85bda:$s1: GetBSSID
- 0x1b5ca:$s2: GetAntivirus
- 0x5085a:$s2: GetAntivirus
- 0x85ada:$s2: GetAntivirus
- 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x5bddb:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x9105b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x26d7d:$s6: "encrypted_key":"(.*?)"
- 0x5c00d:$s6: "encrypted_key":"(.*?)"
- 0x9128d:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x33e07:$s1: netsh firewall delete allowedprogram
- 0x69097:$s1: netsh firewall delete allowedprogram
- 0x9e317:$s1: netsh firewall delete allowedprogram
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x68f8d:$s2: netsh firewall add allowedprogram
- 0x9e20d:$s2: netsh firewall add allowedprogram
- 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x690f7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x9e377:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x33af1:$s4: Execute ERROR
- 0x33b51:$s4: Execute ERROR
- 0x68d81:$s4: Execute ERROR
- 0x68de1:$s4: Execute ERROR
- 0x9e001:$s4: Execute ERROR
- 0x9e061:$s4: Execute ERROR
- 0x33b15:$s5: Download ERROR
- 0x68da5:$s5: Download ERROR
- 0x9e025:$s5: Download ERROR
- 0x33ead:$s6: [kl]
- 0x6913d:$s6: [kl]
- 0x9e3bd:$s6: [kl]
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x320f0:$a1: get_Registry
- 0x33b15:$a3: Download ERROR
- 0x33e07:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | RAT_njRat | Detects njRAT | Kevin Breen <kevin@techanarchy.net> | - 0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x23577:$s4: yyyy-MM-dd
- 0x23b55:$s4: yyyy-MM-dd
- 0x28b30:$s4: yyyy-MM-dd
- 0x587ed:$s4: yyyy-MM-dd
- 0x58dcb:$s4: yyyy-MM-dd
- 0x5dda6:$s4: yyyy-MM-dd
- 0x33e67:$v1: cmd.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x33cfd:$a1: netsh firewall add allowedprogram
- 0x33ef7:$b1: [TAP]
- 0x290d0:$b2: & exit
- 0x33e9d:$b2: & exit
- 0x5e346:$b2: & exit
- 0x33e69:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0x5e358:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
- 0x5a8d9:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen | - 0x2773f:$s1: \VPN\NordVPN
- 0x5c9b5:$s1: \VPN\NordVPN
- 0x27725:$s2: \VPN\OpenVPN
- 0x5c99b:$s2: \VPN\OpenVPN
- 0x27707:$s3: \VPN\ProtonVPN
- 0x5c97d:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x5b111:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x5b183:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x5b20d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x5b29f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x5b309:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x5b37b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x5b411:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
- 0x5b4a1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x11f8c:$x3: StormKitty
- 0x47202:$x3: StormKitty
- 0x1b6ca:$s1: GetBSSID
- 0x50940:$s1: GetBSSID
- 0x1b5ca:$s2: GetAntivirus
- 0x50840:$s2: GetAntivirus
- 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x5bdc1:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x26d7d:$s6: "encrypted_key":"(.*?)"
- 0x5bff3:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x33e07:$s1: netsh firewall delete allowedprogram
- 0x33cfd:$s2: netsh firewall add allowedprogram
- 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x33af1:$s4: Execute ERROR
- 0x33b51:$s4: Execute ERROR
- 0x33b15:$s5: Download ERROR
- 0x33ead:$s6: [kl]
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown | - 0x64c1:$a1: get_Registry
- 0x3b751:$a1: get_Registry
- 0x709d1:$a1: get_Registry
- 0x7ee6:$a3: Download ERROR
- 0x3d176:$a3: Download ERROR
- 0x723f6:$a3: Download ERROR
- 0x81d8:$a5: netsh firewall delete allowedprogram "
- 0x3d468:$a5: netsh firewall delete allowedprogram "
- 0x726e8:$a5: netsh firewall delete allowedprogram "
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | RAT_njRat | Detects njRAT | Kevin Breen <kevin@techanarchy.net> | - 0x76b0:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x3c940:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x71bc0:$s1: 7C 00 27 00 7C 00 27 00 7C
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x3d35e:$s2: netsh firewall add allowedprogram
- 0x725de:$s2: netsh firewall add allowedprogram
- 0x7630:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x3c8c0:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x71b40:$s3: Software\Microsoft\Windows\CurrentVersion\Run
- 0x2cbd8:$s4: yyyy-MM-dd
- 0x2d1b6:$s4: yyyy-MM-dd
- 0x32191:$s4: yyyy-MM-dd
- 0x61e58:$s4: yyyy-MM-dd
- 0x62436:$s4: yyyy-MM-dd
- 0x67411:$s4: yyyy-MM-dd
- 0x8238:$v1: cmd.exe /k ping 0 & del
- 0x3d4c8:$v1: cmd.exe /k ping 0 & del
- 0x72748:$v1: cmd.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | - 0x80ce:$a1: netsh firewall add allowedprogram
- 0x3d35e:$a1: netsh firewall add allowedprogram
- 0x725de:$a1: netsh firewall add allowedprogram
- 0x82c8:$b1: [TAP]
- 0x3d558:$b1: [TAP]
- 0x727d8:$b1: [TAP]
- 0x826e:$b2: & exit
- 0x32731:$b2: & exit
- 0x3d4fe:$b2: & exit
- 0x679b1:$b2: & exit
- 0x7277e:$b2: & exit
- 0x823a:$c1: md.exe /k ping 0 & del
- 0x3d4ca:$c1: md.exe /k ping 0 & del
- 0x7274a:$c1: md.exe /k ping 0 & del
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0x32743:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0x679c3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen | - 0x2ecc4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
- 0x63f44:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen | - 0x30da0:$s1: \VPN\NordVPN
- 0x66020:$s1: \VPN\NordVPN
- 0x30d86:$s2: \VPN\OpenVPN
- 0x66006:$s2: \VPN\OpenVPN
- 0x30d68:$s3: \VPN\ProtonVPN
- 0x65fe8:$s3: \VPN\ProtonVPN
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | - 0x2f4fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x6477c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
- 0x2f56e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x647ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
- 0x2f5f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x64878:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
- 0x2f68a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x6490a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
- 0x2f6f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x64974:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
- 0x2f766:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x649e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
- 0x2f7fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x64a7c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
- 0x2f88c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
- 0x64b0c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen | - 0x1b5ed:$x3: StormKitty
- 0x5086d:$x3: StormKitty
- 0x24d2b:$s1: GetBSSID
- 0x59fab:$s1: GetBSSID
- 0x24c2b:$s2: GetAntivirus
- 0x59eab:$s2: GetAntivirus
- 0x301ac:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x6542c:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
- 0x303de:$s6: "encrypted_key":"(.*?)"
- 0x6565e:$s6: "encrypted_key":"(.*?)"
|
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen | - 0x81d8:$s1: netsh firewall delete allowedprogram
- 0x3d468:$s1: netsh firewall delete allowedprogram
- 0x726e8:$s1: netsh firewall delete allowedprogram
- 0x80ce:$s2: netsh firewall add allowedprogram
- 0x3d35e:$s2: netsh firewall add allowedprogram
- 0x725de:$s2: netsh firewall add allowedprogram
- 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x3d4c8:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x72748:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
- 0x7ec2:$s4: Execute ERROR
- 0x7f22:$s4: Execute ERROR
- 0x3d152:$s4: Execute ERROR
- 0x3d1b2:$s4: Execute ERROR
- 0x723d2:$s4: Execute ERROR
- 0x72432:$s4: Execute ERROR
- 0x7ee6:$s5: Download ERROR
- 0x3d176:$s5: Download ERROR
- 0x723f6:$s5: Download ERROR
- 0x827e:$s6: [kl]
- 0x3d50e:$s6: [kl]
- 0x7278e:$s6: [kl]
|