| 15.0.wtqsCpda..exe.540000.3.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.0.wtqsCpda..exe.540000.3.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 19.0.chrome.exe.a20000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 19.0.chrome.exe.a20000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 18.2.chrome.exe.760000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 18.2.chrome.exe.760000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 18.2.chrome.exe.53f0000.7.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x2a09:$typelibguid17: 5de018bd-941d-4a5d-bed5-fbdd111aba76
|
| 18.0.chrome.exe.760000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 18.0.chrome.exe.760000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x166dd:$r1: Classes\Folder\shell\open\command
- 0x16700:$k1: DelegateExecute
|
| 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x160e4:$s1: RDPClip
- 0x167cc:$s2: Grabber
- 0x162e0:$s3: Ave_Maria Stealer OpenSource
- 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x19310:$s6: /n:%temp%\ellocnak.xml
- 0x19340:$s7: Hey I'm Admin
- 0x13c50:$s8: warzone160
|
| 15.0.wtqsCpda..exe.540000.2.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.0.wtqsCpda..exe.540000.2.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 15.2.wtqsCpda..exe.2b22c9c.1.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.2.wtqsCpda..exe.2b22c9c.1.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x48dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x6510:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x6628:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x6724:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x40fa:$s2: \vboxhook.dll
- 0x45a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x44c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x4580:$s5: Minning...
- 0x4532:$s6: Regasm.exe
- 0x49de:$s7: Flood!
- 0x43c4:$s8: Rans-Status
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x2610:$a1: \Opera Software\Opera Stable\Login Data
- 0x2938:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x2280:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x4758:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x4534:$str2: MsgBox.exe
- 0x47c4:$str4: \System32\cmd.exe
- 0x4408:$str6: Ave_Maria
- 0x3ca0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x2fa0:$str8: SMTP Password
- 0x2280:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x3c6c:$str12: \sqlmap.dll
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x4805:$r1: Classes\Folder\shell\open\command
- 0x4828:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x420c:$s1: RDPClip
- 0x48f4:$s2: Grabber
- 0x4408:$s3: Ave_Maria Stealer OpenSource
- 0x4508:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x1d78:$s8: warzone160
|
| 18.2.chrome.exe.53d0000.1.raw.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x83d1:$typelibguid11: c1b608bb-7aed-488d-aa3b-0c96625d26c0
|
| 15.0.wtqsCpda..exe.540000.1.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.0.wtqsCpda..exe.540000.1.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x166dd:$r1: Classes\Folder\shell\open\command
- 0x16700:$k1: DelegateExecute
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x160e4:$s1: RDPClip
- 0x167cc:$s2: Grabber
- 0x162e0:$s3: Ave_Maria Stealer OpenSource
- 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x19310:$s6: /n:%temp%\ellocnak.xml
- 0x19340:$s7: Hey I'm Admin
- 0x13c50:$s8: warzone160
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x2610:$a1: \Opera Software\Opera Stable\Login Data
- 0x2938:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x2280:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x4758:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x4534:$str2: MsgBox.exe
- 0x47c4:$str4: \System32\cmd.exe
- 0x4408:$str6: Ave_Maria
- 0x3ca0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x2fa0:$str8: SMTP Password
- 0x2280:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x3c6c:$str12: \sqlmap.dll
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x4805:$r1: Classes\Folder\shell\open\command
- 0x4828:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x420c:$s1: RDPClip
- 0x48f4:$s2: Grabber
- 0x4408:$s3: Ave_Maria Stealer OpenSource
- 0x4508:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x1d78:$s8: warzone160
|
| 19.2.chrome.exe.a20000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 19.2.chrome.exe.a20000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 19.0.chrome.exe.a20000.1.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 19.0.chrome.exe.a20000.1.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x2610:$a1: \Opera Software\Opera Stable\Login Data
- 0x2938:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x2280:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x4758:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x4534:$str2: MsgBox.exe
- 0x47c4:$str4: \System32\cmd.exe
- 0x4408:$str6: Ave_Maria
- 0x3ca0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x2fa0:$str8: SMTP Password
- 0x2280:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x3c6c:$str12: \sqlmap.dll
|
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x4805:$r1: Classes\Folder\shell\open\command
- 0x4828:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x420c:$s1: RDPClip
- 0x48f4:$s2: Grabber
- 0x4408:$s3: Ave_Maria Stealer OpenSource
- 0x4508:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x1d78:$s8: warzone160
|
| 18.3.chrome.exe.3e7cd10.0.raw.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x5bbe1:$typelibguid11: c1b608bb-7aed-488d-aa3b-0c96625d26c0
- 0x4809:$typelibguid17: 5de018bd-941d-4a5d-bed5-fbdd111aba76
|
| 19.0.chrome.exe.a20000.2.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 19.0.chrome.exe.a20000.2.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 18.3.chrome.exe.3e7cd10.0.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x2a09:$typelibguid17: 5de018bd-941d-4a5d-bed5-fbdd111aba76
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x3e80:$a1: \Opera Software\Opera Stable\Login Data
- 0x41a8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x3af0:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x5fc8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5da4:$str2: MsgBox.exe
- 0x6034:$str4: \System32\cmd.exe
- 0x5c78:$str6: Ave_Maria
- 0x5510:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x4810:$str8: SMTP Password
- 0x3af0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x54dc:$str12: \sqlmap.dll
- 0xd80:$str16: Elevation:Administrator!new
- 0xea0:$str17: /n:%temp%
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x6075:$r1: Classes\Folder\shell\open\command
- 0x6098:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5a7c:$s1: RDPClip
- 0x6164:$s2: Grabber
- 0x5c78:$s3: Ave_Maria Stealer OpenSource
- 0x5d78:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0xea0:$s6: /n:%temp%\ellocnak.xml
- 0xed0:$s7: Hey I'm Admin
- 0x35e8:$s8: warzone160
|
| 15.0.wtqsCpda..exe.540000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.0.wtqsCpda..exe.540000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x3e80:$a1: \Opera Software\Opera Stable\Login Data
- 0x41a8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x3af0:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x5fc8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5da4:$str2: MsgBox.exe
- 0x6034:$str4: \System32\cmd.exe
- 0x5c78:$str6: Ave_Maria
- 0x5510:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x4810:$str8: SMTP Password
- 0x3af0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x54dc:$str12: \sqlmap.dll
- 0xd80:$str16: Elevation:Administrator!new
- 0xea0:$str17: /n:%temp%
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x6075:$r1: Classes\Folder\shell\open\command
- 0x6098:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5a7c:$s1: RDPClip
- 0x6164:$s2: Grabber
- 0x5c78:$s3: Ave_Maria Stealer OpenSource
- 0x5d78:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0xea0:$s6: /n:%temp%\ellocnak.xml
- 0xed0:$s7: Hey I'm Admin
- 0x35e8:$s8: warzone160
|
| 19.0.chrome.exe.a20000.3.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 19.0.chrome.exe.a20000.3.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
| 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 18.3.chrome.exe.3e8812f.1.raw.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x507c2:$typelibguid11: c1b608bb-7aed-488d-aa3b-0c96625d26c0
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x17ff0:$c1: Elevation:Administrator!new:
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x138e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | AveMaria_WarZone | unknown | unknown | - 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1580c:$str2: MsgBox.exe
- 0x15a9c:$str4: \System32\cmd.exe
- 0x156e0:$str6: Ave_Maria
- 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14278:$str8: SMTP Password
- 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x14f44:$str12: \sqlmap.dll
- 0x17ff0:$str16: Elevation:Administrator!new
- 0x18110:$str17: /n:%temp%
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x15add:$r1: Classes\Folder\shell\open\command
- 0x15b00:$k1: DelegateExecute
|
| 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x154e4:$s1: RDPClip
- 0x15bcc:$s2: Grabber
- 0x156e0:$s3: Ave_Maria Stealer OpenSource
- 0x157e0:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x18110:$s6: /n:%temp%\ellocnak.xml
- 0x18140:$s7: Hey I'm Admin
- 0x13050:$s8: warzone160
|
| 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x8310:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x8428:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x8524:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 15.2.wtqsCpda..exe.540000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| 15.2.wtqsCpda..exe.540000.0.unpack | MALWARE_Win_LimeRAT | LimeRAT payload | ditekSHen | - 0x66dc:$s1: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr
- 0x5efa:$s2: \vboxhook.dll
- 0x63a2:$s3: Win32_Processor.deviceid="CPU0"
- 0x62c4:$s4: select CommandLine from Win32_Process where Name='{0}'
- 0x6380:$s5: Minning...
- 0x6332:$s6: Regasm.exe
- 0x67de:$s7: Flood!
- 0x61c4:$s8: Rans-Status
|
| 18.2.chrome.exe.53f0000.7.raw.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x4809:$typelibguid17: 5de018bd-941d-4a5d-bed5-fbdd111aba76
|
| 18.3.chrome.exe.3e81c45.2.raw.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x56cac:$typelibguid11: c1b608bb-7aed-488d-aa3b-0c96625d26c0
|
| 18.2.chrome.exe.53d0000.1.unpack | HKTL_NET_GUID_Lime_RAT | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp | - 0x65d1:$typelibguid11: c1b608bb-7aed-488d-aa3b-0c96625d26c0
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x2610:$a1: \Opera Software\Opera Stable\Login Data
- 0x2938:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x2280:$a3: \Google\Chrome\User Data\Default\Login Data
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x4758:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x4534:$str2: MsgBox.exe
- 0x47c4:$str4: \System32\cmd.exe
- 0x4408:$str6: Ave_Maria
- 0x3ca0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x2fa0:$str8: SMTP Password
- 0x2280:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x3c6c:$str12: \sqlmap.dll
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x4805:$r1: Classes\Folder\shell\open\command
- 0x4828:$k1: DelegateExecute
|
| 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x420c:$s1: RDPClip
- 0x48f4:$s2: Grabber
- 0x4408:$s3: Ave_Maria Stealer OpenSource
- 0x4508:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x1d78:$s8: warzone160
|
| Click to see the 103 entries |
Edit tour
DocumentoSENAMHI20222103.exe (PID: 6576 cmdline: 
cmd.exe (PID: 1033668 cmdline: 
