0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security | |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0xb04cb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0xb3e3e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0xb581d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xb3d78:$s1: c:\windows\system32\cmstp.exe
- 0xb3b1c:$s2: taskkill /IM cmstp.exe /F
- 0xb447b:$s2: taskkill /IM cmstp.exe /F
- 0x7a3c9:$s4: CommandToExecute
- 0xb39d8:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xb434e:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xb3c0e:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
- 0xb45a5:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | MALWARE_Win_QuasarRAT | QuasarRAT payload | ditekSHen | - 0xb1d2c:$s3: />Log created on
- 0xc5848:$s6: grabber_
- 0xc5864:$s6: grabber_
- 0x77a58:$s8: <RunHidden>k__BackingField
- 0x76238:$s9: <keyboardHookStruct>
- 0x781b5:$s10: add_OnHotKeysDown
- 0x7850c:$s10: add_OnHotKeysDown
- 0xb8207:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
- 0xc3141:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
|
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | - 0xc177b:$h1: //:ptth
- 0x7aaac:$s1: DownloadString
- 0x79d43:$s2: StrReverse
- 0x7aa8c:$s3: FromBase64String
- 0xb5097:$s3: FromBase64String
- 0xc05f4:$s3: FromBase64String
- 0x7fc7d:$s4: WebClient
- 0xb7946:$s4: WebClient
- 0xb9515:$s4: WebClient
- 0xc03ad:$s4: WebClient
|
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security | |
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0xb41e6:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0xb7b59:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0xb9538:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xb7a93:$s1: c:\windows\system32\cmstp.exe
- 0xb7837:$s2: taskkill /IM cmstp.exe /F
- 0xb8196:$s2: taskkill /IM cmstp.exe /F
- 0x7e0e4:$s4: CommandToExecute
- 0xb76f3:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xb8069:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xb7929:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
- 0xb82c0:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | MALWARE_Win_QuasarRAT | QuasarRAT payload | ditekSHen | - 0xb5a47:$s3: />Log created on
- 0xc9563:$s6: grabber_
- 0xc957f:$s6: grabber_
- 0x7b773:$s8: <RunHidden>k__BackingField
- 0x79f53:$s9: <keyboardHookStruct>
- 0x7bed0:$s10: add_OnHotKeysDown
- 0x7c227:$s10: add_OnHotKeysDown
- 0xbbf22:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
- 0xc6e5c:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
|
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | - 0xc5496:$h1: //:ptth
- 0x7e7c7:$s1: DownloadString
- 0x7da5e:$s2: StrReverse
- 0x7e7a7:$s3: FromBase64String
- 0xb8db2:$s3: FromBase64String
- 0xc430f:$s3: FromBase64String
- 0x83998:$s4: WebClient
- 0xbb661:$s4: WebClient
- 0xbd230:$s4: WebClient
- 0xc40c8:$s4: WebClient
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security | |
0.0.2ktrFR0W3v.exe.d90000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.0.2ktrFR0W3v.exe.d90000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.0.2ktrFR0W3v.exe.d90000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.0.2ktrFR0W3v.exe.d90000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
0.0.2ktrFR0W3v.exe.d90000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0xec258:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen | - 0x377a0:$s1: \Classes\mscfile\Shell\Open\command
- 0x37812:$s2: eventvwr.exe
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0xefbcb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0xf15aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xefb05:$s1: c:\windows\system32\cmstp.exe
- 0xef8a9:$s2: taskkill /IM cmstp.exe /F
- 0xf0208:$s2: taskkill /IM cmstp.exe /F
- 0xb6156:$s4: CommandToExecute
- 0xef765:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xf00db:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xef99b:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
- 0xf0332:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x37ad2:$r1: Classes\Folder\shell\open\command
- 0x3790e:$k1: DelegateExecute
- 0x85010:$k1: DelegateExecute
- 0xec6cc:$k1: DelegateExecute
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | MALWARE_Win_QuasarRAT | QuasarRAT payload | ditekSHen | - 0xedab9:$s3: />Log created on
- 0x1015d5:$s6: grabber_
- 0x1015f1:$s6: grabber_
- 0xb37e5:$s8: <RunHidden>k__BackingField
- 0xb1fc5:$s9: <keyboardHookStruct>
- 0xb3f42:$s10: add_OnHotKeysDown
- 0xb4299:$s10: add_OnHotKeysDown
- 0xf3f94:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
- 0xfeece:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
|
0.0.2ktrFR0W3v.exe.d90000.0.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | - 0xfd508:$h1: //:ptth
- 0xb6839:$s1: DownloadString
- 0xb5ad0:$s2: StrReverse
- 0x3720b:$s3: FromBase64String
- 0xb6819:$s3: FromBase64String
- 0xf0e24:$s3: FromBase64String
- 0xfc381:$s3: FromBase64String
- 0xbba0a:$s4: WebClient
- 0xf36d3:$s4: WebClient
- 0xf52a2:$s4: WebClient
- 0xfc13a:$s4: WebClient
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security | |
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0xb62d0:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen | - 0x1818:$s1: \Classes\mscfile\Shell\Open\command
- 0x188a:$s2: eventvwr.exe
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | - 0xb9c43:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
- 0xbb622:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xb9b7d:$s1: c:\windows\system32\cmstp.exe
- 0xb9921:$s2: taskkill /IM cmstp.exe /F
- 0xba280:$s2: taskkill /IM cmstp.exe /F
- 0x801ce:$s4: CommandToExecute
- 0xb97dd:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xba153:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xb9a13:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
- 0xba3aa:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x1b4a:$r1: Classes\Folder\shell\open\command
- 0x1986:$k1: DelegateExecute
- 0x4f088:$k1: DelegateExecute
- 0xb6744:$k1: DelegateExecute
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | MALWARE_Win_QuasarRAT | QuasarRAT payload | ditekSHen | - 0xb7b31:$s3: />Log created on
- 0xcb64d:$s6: grabber_
- 0xcb669:$s6: grabber_
- 0x7d85d:$s8: <RunHidden>k__BackingField
- 0x7c03d:$s9: <keyboardHookStruct>
- 0x7dfba:$s10: add_OnHotKeysDown
- 0x7e311:$s10: add_OnHotKeysDown
- 0xbe00c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
- 0xc8f46:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
|
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | - 0xc7580:$h1: //:ptth
- 0x808b1:$s1: DownloadString
- 0x7fb48:$s2: StrReverse
- 0x1283:$s3: FromBase64String
- 0x80891:$s3: FromBase64String
- 0xbae9c:$s3: FromBase64String
- 0xc63f9:$s3: FromBase64String
- 0x85a82:$s4: WebClient
- 0xbd74b:$s4: WebClient
- 0xbf31a:$s4: WebClient
- 0xc61b2:$s4: WebClient
|