Overview
overview
10Static
static
FD3E3 (1).exe
windows7_x64
10FD3E3 (1).exe
windows10_x64
10FD3E3 (10).exe
windows7_x64
10FD3E3 (10).exe
windows10_x64
10FD3E3 (11).exe
windows7_x64
FD3E3 (11).exe
windows10_x64
10FD3E3 (12).exe
windows7_x64
10FD3E3 (12).exe
windows10_x64
10FD3E3 (13).exe
windows7_x64
10FD3E3 (13).exe
windows10_x64
10FD3E3 (14).exe
windows7_x64
10FD3E3 (14).exe
windows10_x64
10FD3E3 (15).exe
windows7_x64
10FD3E3 (15).exe
windows10_x64
10FD3E3 (16).exe
windows7_x64
10FD3E3 (16).exe
windows10_x64
10FD3E3 (17).exe
windows7_x64
10FD3E3 (17).exe
windows10_x64
10FD3E3 (18).exe
windows7_x64
10FD3E3 (18).exe
windows10_x64
10FD3E3 (19).exe
windows7_x64
10FD3E3 (19).exe
windows10_x64
10FD3E3 (2).exe
windows7_x64
10FD3E3 (2).exe
windows10_x64
10FD3E3 (20).exe
windows7_x64
10FD3E3 (20).exe
windows10_x64
10FD3E3 (21).exe
windows7_x64
10FD3E3 (21).exe
windows10_x64
10FD3E3 (22).exe
windows7_x64
10FD3E3 (22).exe
windows10_x64
10FD3E3 (23).exe
windows7_x64
10FD3E3 (23).exe
windows10_x64
10General
-
Target
krev.rar
-
Size
71.4MB
-
Sample
210717-tl7wh7rk7a
-
MD5
64025eaffa7d2859d64207242ffe37a1
-
SHA1
65f46e2ad836eb98cd76ed055553e7b2fbd7ce4f
-
SHA256
5590707d57f936098e12cdeb2b0509cb7a280de296ac0140cc7741b8f345dd8f
-
SHA512
98ee34a39ca0c951f15326f564434e2fb17ba574c54056922a659172f2ca9823725dbe8e8edeba62cd3ffa086228089709d629e1362bdfdcd09e77fb98318dae
Static task
static1
Behavioral task
behavioral1
Sample
FD3E3 (1).exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
FD3E3 (1).exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
FD3E3 (10).exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
FD3E3 (10).exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
FD3E3 (11).exe
Resource
win7v20210408
Behavioral task
behavioral6
Sample
FD3E3 (11).exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
FD3E3 (12).exe
Resource
win7v20210408
Behavioral task
behavioral8
Sample
FD3E3 (12).exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
FD3E3 (13).exe
Resource
win7v20210408
Behavioral task
behavioral10
Sample
FD3E3 (13).exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
FD3E3 (14).exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
FD3E3 (14).exe
Resource
win10v20210408
Behavioral task
behavioral13
Sample
FD3E3 (15).exe
Resource
win7v20210410
Behavioral task
behavioral14
Sample
FD3E3 (15).exe
Resource
win10v20210408
Behavioral task
behavioral15
Sample
FD3E3 (16).exe
Resource
win7v20210410
Behavioral task
behavioral16
Sample
FD3E3 (16).exe
Resource
win10v20210408
Behavioral task
behavioral17
Sample
FD3E3 (17).exe
Resource
win7v20210410
Behavioral task
behavioral18
Sample
FD3E3 (17).exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
FD3E3 (18).exe
Resource
win7v20210408
Behavioral task
behavioral20
Sample
FD3E3 (18).exe
Resource
win10v20210410
Behavioral task
behavioral21
Sample
FD3E3 (19).exe
Resource
win7v20210408
Behavioral task
behavioral22
Sample
FD3E3 (19).exe
Resource
win10v20210410
Behavioral task
behavioral23
Sample
FD3E3 (2).exe
Resource
win7v20210408
Behavioral task
behavioral24
Sample
FD3E3 (2).exe
Resource
win10v20210410
Behavioral task
behavioral25
Sample
FD3E3 (20).exe
Resource
win7v20210408
Behavioral task
behavioral26
Sample
FD3E3 (20).exe
Resource
win10v20210410
Behavioral task
behavioral27
Sample
FD3E3 (21).exe
Resource
win7v20210410
Behavioral task
behavioral28
Sample
FD3E3 (21).exe
Resource
win10v20210408
Behavioral task
behavioral29
Sample
FD3E3 (22).exe
Resource
win7v20210410
Behavioral task
behavioral30
Sample
FD3E3 (22).exe
Resource
win10v20210408
Behavioral task
behavioral31
Sample
FD3E3 (23).exe
Resource
win7v20210410
Behavioral task
behavioral32
Sample
FD3E3 (23).exe
Resource
win10v20210410
Malware Config
Extracted
vidar
39.4
933
https://sergeevih43.tumblr.com/
-
profile_id
933
Extracted
redline
Cana
176.111.174.254:56328
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
Extracted
vidar
39.6
865
https://sslamlssa1.tumblr.com/
-
profile_id
865
Extracted
metasploit
windows/single_exec
Extracted
redline
sel14
dwarimlari.xyz:80
Extracted
redline
ABUZA_BOG
45.14.49.91:60919
Extracted
vidar
39.6
408
https://sslamlssa1.tumblr.com/
-
profile_id
408
Extracted
redline
15_7_r
xtarweanda.xyz:80
Targets
-
-
Target
FD3E3 (1).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (10).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (11).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (12).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (13).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (14).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (15).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (16).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (17).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (18).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (19).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (2).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (20).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (21).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (22).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
FD3E3 (23).exe
-
Size
2.7MB
-
MD5
fd3e375cbd09c6e1260ce52d3fe91b9c
-
SHA1
59eac2602d5955b8d846fb337665bfc43934c87e
-
SHA256
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
-
SHA512
f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
31Registry Run Keys / Startup Folder
30New Service
15Defense Evasion
Modify Registry
75Disabling Security Tools
30Virtualization/Sandbox Evasion
16File Permissions Modification
16Install Root Certificate
15