Azorult

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Deletes Windows Defender Definitions

Uses mpcmdrun utility to delete all AV definitions.

Djvu Ransomware

Ransomware which is a variant of the STOP family.

Glupteba

Glupteba is a modular loader written in Golang with various components.

Glupteba Payload

MetaSploit

Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

PlugX

PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

Pony,Fareit

Pony is a Remote Access Trojan application that steals information.

Raccoon

Simple but powerful infostealer which was very active in 2019.

RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload

SmokeLoader

Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess

Tofsee

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

Vidar

Vidar is an infostealer based on Arkei stealer.

Windows security bypass

xmrig

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Nirsoft

XMRig Miner Payload

Creates new service(s)

Drops file in Drivers directory

Executes dropped EXE

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Rootkits can use kernel patching to embed themselves in an operating system.

Sets service image path in registry

Suspicious Office macro

Office document equipped with 4.0 macros.

UPX packed file

Detects executables packed with UPX/modified UPX open source packer.

VMProtect packed file

Detects executables packed with VMProtect commercial packer.