@msm-code
Created May 31, 2017 10:19
╭─msm@mercury /home/msm/21576/dumps
╰─$ rip ./500.400000.58880.recovered.exe
[+][anal] Loaded modules: dridex, teslacrypt, spora, netwire, tinba_dga, cryptomix, kronos, reactor, hancitor, chthonic, nymaim, citadel, cryptoshield, torrentlocker, madlocker, emotet, bunitu, smokeloader, pony, andromeda, gootkit, cryptowall, zeus, bublik, panda, sendsafe, ruckguv, dyre, locky, vmzeus, shifu, sage, tofsee, cerber, odinaff, kovter, vawtrak, kbot, isfb, zloader, necurs, trickbot, h1n1, torment, slave, kins, tinba
Potential malware family dected: ['tofsee']
malware data:
{
"other": [
"MSConfig",
"svchost.exe",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"Local Settings:init",
"USERPROFILE",
"DevData",
"SOFTWARE\\Microsoft\\DeviceControl",
"%s\\%i%i%i%i.bat",
"Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat.tmp",
"\\\\.\\pipe\\stdinout",
".exe",
"@echo off\r\n:next_try\r\ndel \"%s\">nul\r\nif exist \"%s\" (\r\nping 127.0.0.1 >nul\r\ngoto next_try\r\n)\r\ndel \"%%"
],
"type": "tofsee",
"urls": [
{
"ip": "103.233.97.57",
"port": 465
},
{
"ip": "123.249.0.22",
"port": 465
},
{
"ip": "111.121.193.242",
"port": 465
}
]
}