Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    setup_x86_x64_install - копия (10).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderdropperevasioninfostealerloaderspywarestealertrojandiscordstealerpersistenceupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • DiscordStealer

    Discord_Stealer.

    discordstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    setup_x86_x64_install - копия (11).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoorbootkitdiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanelysiumstealerdiscordstealerupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • DiscordStealer

    Discord_Stealer.

    discordstealer

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    setup_x86_x64_install - копия (12).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  fickerstealerguloaderplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderevasioninfostealerpersistencespywarestealertrojangluptebametasploitdropperloaderupx

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    setup_x86_x64_install - копия (13).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  guloaderplugxredlinesmokeloadervidaraspackv2backdoordiscoverydownloaderevasioninfostealerstealertrojanupxelysiumstealergluptebametasploitservanidiscordstealerdropperloaderpersistencespyware

  • DiscordStealer

    Discord_Stealer.

    discordstealer

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral7behavioral8

• • Target

    setup_x86_x64_install - копия (14).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  gluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderdropperevasioninfostealerloaderstealertrojanupx

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral9behavioral10

• • Target

    setup_x86_x64_install - копия (15).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoorbootkitdiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral11behavioral12

• • Target

    setup_x86_x64_install - копия (16).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  guloaderplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderevasioninfostealerpersistencespywarestealertrojanupxelysiumstealergluptebametasploitdiscordstealerdropperloader

  • DiscordStealer

    Discord_Stealer.

    discordstealer

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral13behavioral14

• • Target

    setup_x86_x64_install - копия (17).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanupxelysiumstealer

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral15behavioral16

• • Target

    setup_x86_x64_install - копия (18).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  fickerstealerguloaderredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderevasioninfostealerpersistencestealertrojanupxgluptebametasploitplugxdiscordstealerdropperloaderspyware

  • DiscordStealer

    Discord_Stealer.

    discordstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral17behavioral18

• • Target

    setup_x86_x64_install - копия (19).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojan

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral19behavioral20

• • Target

    setup_x86_x64_install - копия (2).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  1^/10
  behavioral21behavioral22

• • Target

    setup_x86_x64_install - копия (20).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoorbootkitdiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanelysiumstealerupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral23behavioral24

• • Target

    setup_x86_x64_install - копия (21).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  fickerstealerplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojancryptbotguloaderdownloaderupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral25behavioral26

• • Target

    setup_x86_x64_install - копия (22).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  fickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoorbootkitdiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanelysiumstealerupx

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral27behavioral28

• • Target

    setup_x86_x64_install - копия (23).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealergluptebaguloadermetasploitplugxredlinesmokeloadervidarservaniaspackv2backdoorbootkitdiscoverydownloaderdropperevasioninfostealerloaderpersistencespywarestealertrojanupxelysiumstealer

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral29behavioral30

• • Target

    setup_x86_x64_install - копия (3).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

  Score

  10^/10

  cryptbotfickerstealerguloaderplugxredlinesmokeloadervidarservaniaspackv2backdoordiscoverydownloaderevasioninfostealerpersistencespywarestealertrojanelysiumstealergluptebametasploitdropperloaderupx

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral31behavioral32