Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    toolspab.rar

  • Size

    5.1MB

  • Sample

    210708-4hsk7y9f2x

  • MD5

    03bcf66328cf26085b60c21dd9e8bc82

  • SHA1

    8b2cd596a60495ccc9767254b2eec9071350c5a4

  • SHA256

    64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

  • SHA512

    77740835104940fd5ddaf89b450aa6e93183cd223fbf6dad0e7ab524c2438c95637a474bec1f32e63d59daff98fe09ea9bf74bd9175f1ddd58622e57056c884d

Score
10/10
gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar1517824agressorbtconlybackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

1

C2

45.32.235.238:45555

Extracted

Family

redline

Botnet

agressor

C2

65.21.122.45:8085

Extracted

Family

vidar

Version

39.4

Botnet

824

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    824

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

BtcOnly

C2

185.53.46.82:3214

Extracted

Family

vidar

Version

39.4

Botnet

517

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    517

Targets

    • Target

      toolspab2 (1).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojangluptebametasploitraccoonredlinetofseevidar1824agressordiscoverydropperevasioninfostealerloaderpersistencespywarestealervmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      toolspab2 (10).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1agressorbackdoorinfostealertrojangluptebametasploitraccoonsocelarstofseevidar824discoverydropperevasionloaderpersistencespywarestealervmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      toolspab2 (11).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    smokeloaderbackdoortrojangluptebametasploitraccoonredlinetofseevidar1824agressordiscoverydropperevasioninfostealerloaderpersistencespywarestealervmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      toolspab2 (12).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    smokeloaderbackdoortrojanraccoonredlinetofseevidar1824agressordiscoveryevasioninfostealerpersistencespywarestealervmprotect

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      toolspab2 (13).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1agressorbackdoorinfostealertrojanraccoondiscoveryspywarestealer

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

    • Target

      toolspab2 (14).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    smokeloaderbackdoortrojanredlinesocelarsvidar1824agressordiscoveryinfostealerspywarestealervmprotect

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      toolspab2 (15).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    smokeloaderbackdoortrojangluptebametasploitraccoonredlinesocelarstofseevidar824agressorbtconlydiscoverydropperevasioninfostealerloaderpersistencespywarestealervmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      toolspab2 (16).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    raccoonsmokeloaderbackdoordiscoveryspywarestealertrojan

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      toolspab2 (17).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    raccoonredlinesmokeloader1agressorbackdoordiscoveryinfostealerspywarestealertrojan

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      toolspab2 (18).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1agressorbackdoorinfostealerspywarestealertrojangluptebametasploitraccoonsocelarstofseevidar824discoverydropperevasionloaderpersistencevmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      toolspab2 (19).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    smokeloaderbackdoortrojanraccoonredlineagressordiscoveryinfostealerspywarestealer

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      toolspab2 (2).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojanraccoonredlinetofseevidar1517824agressordiscoveryinfostealerpersistencespywarestealer

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      toolspab2 (20).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojangluptebametasploitraccoonredlinesocelarsvidar1824agressordiscoverydropperevasioninfostealerloaderpersistencespywarestealervmprotect

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      toolspab2 (21).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojanraccoondiscoveryspywarestealer

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      toolspab2 (22).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojanraccoonredlinetofseevidar1824agressordiscoveryevasioninfostealerpersistencespywarestealervmprotect

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      toolspab2 (23).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    smokeloaderbackdoortrojanraccoonredlinetofseevidar1824agressordiscoveryevasioninfostealerpersistencespywarestealervmprotect

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

9
T1050

Modify Existing Service

8
T1031

Registry Run Keys / Startup Folder

8
T1060

Privilege Escalation

New Service

9
T1050

Defense Evasion

File Permissions Modification

10
T1222

Modify Registry

17
T1112

Install Root Certificate

9
T1130

Credential Access

Credentials in Files

51
T1081

Discovery

Query Registry

39
T1012

System Information Discovery

40
T1082

Peripheral Device Discovery

16
T1120

Lateral Movement

Collection

Data from Local System

51
T1005

Exfiltration

Command and Control

Web Service

11
T1102

Impact

Tasks

static1

Score
N/A

behavioral1

smokeloaderbackdoortrojan
Score
10/10

behavioral2

gluptebametasploitraccoonredlinesmokeloadertofseevidar1824agressorbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral3

redlinesmokeloader1agressorbackdoorinfostealertrojan
Score
10/10

behavioral4

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar1824agressorbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral5

smokeloaderbackdoortrojan
Score
10/10

behavioral6

gluptebametasploitraccoonredlinesmokeloadertofseevidar1824agressorbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral7

smokeloaderbackdoortrojan
Score
10/10

behavioral8

raccoonredlinesmokeloadertofseevidar1824agressorbackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral9

redlinesmokeloader1agressorbackdoorinfostealertrojan
Score
10/10

behavioral10

raccoonredlinesmokeloaderagressorbackdoordiscoveryinfostealerspywarestealertrojan
Score
10/10

behavioral11

smokeloaderbackdoortrojan
Score
10/10

behavioral12

redlinesmokeloadersocelarsvidar1824agressorbackdoordiscoveryinfostealerspywarestealertrojanvmprotect
Score
10/10

behavioral13

smokeloaderbackdoortrojan
Score
10/10

behavioral14

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar824agressorbtconlybackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral15

raccoonsmokeloaderbackdoordiscoveryspywarestealertrojan
Score
10/10

behavioral16

Score
1/10

behavioral17

raccoonredlinesmokeloader1agressorbackdoordiscoveryinfostealerspywarestealertrojan
Score
10/10

behavioral18

raccoonsmokeloaderbackdoordiscoveryspywarestealertrojan
Score
10/10

behavioral19

redlinesmokeloader1agressorbackdoorinfostealerspywarestealertrojan
Score
10/10

behavioral20

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar1824agressorbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral21

smokeloaderbackdoortrojan
Score
10/10

behavioral22

raccoonredlinesmokeloaderagressorbackdoordiscoveryinfostealerspywarestealertrojan
Score
10/10

behavioral23

smokeloaderbackdoortrojan
Score
10/10

behavioral24

raccoonredlinesmokeloadertofseevidar1517824agressorbackdoordiscoveryinfostealerpersistencespywarestealertrojan
Score
10/10

behavioral25

smokeloaderbackdoortrojan
Score
10/10

behavioral26

gluptebametasploitraccoonredlinesmokeloadersocelarsvidar1824agressorbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral27

smokeloaderbackdoortrojan
Score
10/10

behavioral28

raccoonsmokeloaderbackdoordiscoveryspywarestealertrojan
Score
10/10

behavioral29

smokeloaderbackdoortrojan
Score
10/10

behavioral30

raccoonredlinesmokeloadertofseevidar1824agressorbackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral31

smokeloaderbackdoortrojan
Score
10/10

behavioral32

raccoonredlinesmokeloadertofseevidar1824agressorbackdoordiscoveryevasioninfostealerpersistencespywarestealertrojanvmprotect
Score
10/10