Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

10

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    toolspab.rar

  • Size

    5.1MB

  • Sample

    210710-pdfh7kft96

  • MD5

    03bcf66328cf26085b60c21dd9e8bc82

  • SHA1

    8b2cd596a60495ccc9767254b2eec9071350c5a4

  • SHA256

    64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5

  • SHA512

    77740835104940fd5ddaf89b450aa6e93183cd223fbf6dad0e7ab524c2438c95637a474bec1f32e63d59daff98fe09ea9bf74bd9175f1ddd58622e57056c884d

Score
10/10
raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

1

C2

45.32.235.238:45555

Targets

    • Target

      toolspab2 (1).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon1

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      toolspab2 (10).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      toolspab2 (11).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      toolspab2 (12).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      toolspab2 (13).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

    • Target

      toolspab2 (14).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      toolspab2 (15).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      toolspab2 (16).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      toolspab2 (17).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      toolspab2 (18).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      toolspab2 (19).exe

    • Size

      315KB

    • MD5

      1d20e1f65938e837ef1b88f10f1bd6c3

    • SHA1

      703d7098dbfc476d2181b7fc041cc23e49c368f1

    • SHA256

      05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

    • SHA512

      f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      toolspab2 (2).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      toolspab2 (20).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      toolspab2 (21).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      toolspab2 (22).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      toolspab2 (23).exe

    • Size

      315KB

    • MD5

      585c257e0b345b762e7cdc407d8f9da2

    • SHA1

      ffee403d97b76c3460fc166b9d5ce1205cd216a5

    • SHA256

      4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6

    • SHA512

      14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8

    Score
    10/10
    redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojanraccoon

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

15
T1053

Persistence

Scheduled Task

15
T1053

Privilege Escalation

Scheduled Task

15
T1053

Defense Evasion

Virtualization/Sandbox Evasion

16
T1497

Credential Access

Credentials in Files

44
T1081

Discovery

Query Registry

64
T1012

Virtualization/Sandbox Evasion

16
T1497

System Information Discovery

63
T1082

Peripheral Device Discovery

16
T1120

Lateral Movement

Collection

Data from Local System

44
T1005

Exfiltration

Command and Control

Impact

Tasks

static1

Score
N/A

behavioral1

redlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral2

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral3

redlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral4

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral5

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral6

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral7

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral8

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral9

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral10

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral11

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral12

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral13

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral14

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral15

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral16

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral17

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral18

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral19

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral20

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral21

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral22

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral23

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral24

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral25

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral26

raccoonredlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral27

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral28

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral29

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral30

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral31

redlinesmokeloader1backdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10

behavioral32

raccoonredlinesmokeloaderbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan
Score
10/10