Azorult

An information stealer that was first discovered in 2016, targeting browsing history and passwords.

DcRat

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dridex

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Glupteba

Glupteba is a modular loader written in Golang with various components.

Glupteba Payload

IcedID, BokBot

IcedID is a banking trojan capable of stealing credentials.

MetaSploit

Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

NetSupport

NetSupport is a remote access tool sold as a legitimate system administration software.

Pony,Fareit

Pony is a Remote Access Trojan application that steals information.

Raccoon

Simple but powerful infostealer which was very active in 2019.

RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload

SmokeLoader

Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Taurus Stealer

Taurus is an infostealer first seen in June 2020.

Taurus Stealer Payload

Turns off Windows Defender SpyNet reporting

Vidar

Vidar is an infostealer based on Arkei stealer.

Windows security bypass

xmrig

XMRig is a high performance, open source, cross platform CPU/GPU miner.

Checks for common network interception software

Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Dridex Loader

Detects Dridex both x86 and x64 loader in memory.

IcedID First Stage Loader

XMRig Miner Payload

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Stops running service(s)

UPX packed file

Detects executables packed with UPX/modified UPX open source packer.