Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

10

8 (11).exe

windows7_x64

10

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

10

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

10

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

10

Resubmissions

13-08-2021 10:16

210813-wpta271jdx 10

08-08-2021 23:00

210808-fgs5g9pxfs 10

07-08-2021 23:12

210807-g2jw1lmd4a 10

07-08-2021 16:10

210807-51nhct4kfx 10

06-08-2021 23:43

210806-gc2271nxwj 10

06-08-2021 06:00

210806-f443x39x8a 10

05-08-2021 17:08

210805-97y6banvvx 10

04-08-2021 17:25

210804-hkxx2ntr8x 10

04-08-2021 12:12

210804-rjbg4b4y7n 10

03-08-2021 17:12

210803-r2h7ytjwqj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8.rar

  • Size

    94.9MB

  • Sample

    210719-3p6w49e392

  • MD5

    f6e2e5e7a38bff1204b1db40674ed32e

  • SHA1

    382e84e729a0949da4a993b6e04f6529271e4ca2

  • SHA256

    2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

  • SHA512

    34fff661f1bbaf6340b29306946cb721eb79c9c20d859df32f549d0bb13e22c59cc44097b30ab5d3ad46e0afa95981cffbf6d8a41cea97b8b72c15899b16de9e

Score
10/10
fickerstealergluptebametasploitredlinesmokeloadervidar865903933alaninewoboze_new_servsel16sel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

39.6

Botnet

903

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    903

Extracted

Family

vidar

Version

39.6

Botnet

865

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    865

Extracted

Family

redline

Botnet

oboze_new_serv

C2

86.106.181.209:18845

Extracted

Family

fickerstealer

C2

37.0.8.225:80

Extracted

Family

redline

Botnet

sel16

C2

dwarimlari.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Extracted

Family

redline

Botnet

sel17

C2

dwarimlari.xyz:80

Extracted

Family

redline

Botnet

AL

C2

tstamore.info:80

Targets

    • Target

      8 (1).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    aspackv2evasionpersistencetrojanupxfickerstealergluptebametasploitredlinesmokeloadervidar865903933oboze_new_servsel16backdoordiscoverydropperinfostealerloaderspywarestealerthemidavmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      8 (10).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinesmokeloadervidar933aninewaspackv2backdoorinfostealerpersistencestealertrojanupx865903sel16sel17evasion

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      8 (11).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinesmokeloadervidar865933aninewsel17aspackv2backdoorinfostealerstealerthemidatrojanvmprotect903evasionpersistenceupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      8 (12).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933aninewsel16aspackv2backdoorevasioninfostealerpersistencestealertrojanfickerstealergluptebametasploit865903oboze_new_servdropperloaderupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      8 (13).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933aninewsel16aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

    • Target

      8 (14).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloaderaninewsel16aspackv2backdoorevasioninfostealerpersistencestealertrojanfickerstealervidar903933oboze_new_servsel17discoveryupxvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      8 (15).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    gluptebametasploitredlinesmokeloadervidar865933aninewaspackv2backdoordropperevasioninfostealerloaderpersistencestealertrojanvmprotectfickerstealer903oboze_new_servsel16sel17discoveryupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      8 (16).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    gluptebametasploitredlinesmokeloadervidar865933aninewsel16sel17aspackv2backdoordropperinfostealerloaderpersistencestealertrojanvmprotectfickerstealer903discoveryevasionthemidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      8 (17).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933aninewaspackv2backdoorevasioninfostealerstealerthemidatrojanoboze_new_servsel16sel17discoverypersistenceupx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      8 (18).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933alaninewaspackv2backdoorevasioninfostealerpersistencestealertrojanfickerstealer865903discoverythemidaupxvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      8 (19).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinesmokeloadervidar933aspackv2backdoorinfostealerstealerthemidatrojanvmprotect903aninewoboze_new_servsel16discoverypersistencespywareupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      8 (2).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933alaninewaspackv2backdoorevasioninfostealerpersistencestealertrojan903oboze_new_servdiscoveryupx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      8 (20).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanoboze_new_servsel16upx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      8 (21).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloaderaninewaspackv2backdoorevasioninfostealerpersistencestealertrojanupxvidar933oboze_new_servsel16sel17

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      8 (22).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinesmokeloadervidar865933aninewsel16sel17aspackv2backdoorinfostealerpersistencestealertrojanvmprotectoboze_new_servdiscoveryevasionspywarethemidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      8 (23).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar865903933aninewaspackv2backdoorevasioninfostealerpersistencestealertrojanoboze_new_servsel16sel17upxvmprotect

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

15
T1031

Registry Run Keys / Startup Folder

16
T1060

Privilege Escalation

Defense Evasion

Modify Registry

44
T1112

Disabling Security Tools

15
T1089

Virtualization/Sandbox Evasion

1
T1497

File Permissions Modification

8
T1222

Install Root Certificate

13
T1130

Credential Access

Credentials in Files

14
T1081

Discovery

Query Registry

39
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

50
T1082

Peripheral Device Discovery

16
T1120

Remote System Discovery

16
T1018

Lateral Movement

Collection

Data from Local System

14
T1005

Exfiltration

Command and Control

Web Service

16
T1102

Impact

Tasks

static1

Score
N/A

behavioral1

aspackv2evasionpersistencetrojanupx
Score
10/10

behavioral2

fickerstealergluptebametasploitredlinesmokeloadervidar865903933oboze_new_servsel16aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral3

fickerstealerredlinesmokeloadervidar933aninewaspackv2backdoorinfostealerpersistencestealertrojanupx
Score
10/10

behavioral4

fickerstealerredlinesmokeloadervidar865903933aninewsel16sel17aspackv2backdoorevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral5

fickerstealerredlinesmokeloadervidar865933aninewsel17aspackv2backdoorinfostealerstealerthemidatrojanvmprotect
Score
10/10

behavioral6

fickerstealerredlinesmokeloadervidar865903933aspackv2backdoorevasioninfostealerpersistencestealerthemidatrojanupx
Score
10/10

behavioral7

redlinesmokeloadervidar933aninewsel16aspackv2backdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral8

fickerstealergluptebametasploitredlinesmokeloadervidar865903933aninewoboze_new_servsel16aspackv2backdoordropperevasioninfostealerloaderpersistencestealertrojanupx
Score
10/10

behavioral9

redlinesmokeloadervidar933aninewsel16aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan
Score
10/10

behavioral10

Score
1/10

behavioral11

redlinesmokeloaderaninewsel16aspackv2backdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral12

fickerstealerredlinesmokeloadervidar903933oboze_new_servsel16sel17aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanupxvmprotect
Score
10/10

behavioral13

gluptebametasploitredlinesmokeloadervidar865933aninewaspackv2backdoordropperevasioninfostealerloaderpersistencestealertrojanvmprotect
Score
10/10

behavioral14

fickerstealerredlinesmokeloadervidar865903933aninewoboze_new_servsel16sel17aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanupxvmprotect
Score
10/10

behavioral15

gluptebametasploitredlinesmokeloadervidar865933aninewsel16sel17aspackv2backdoordropperinfostealerloaderpersistencestealertrojanvmprotect
Score
10/10

behavioral16

fickerstealergluptebametasploitredlinesmokeloadervidar865903933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealerthemidatrojanupxvmprotect
Score
10/10

behavioral17

redlinesmokeloadervidar933aninewaspackv2backdoorevasioninfostealerstealerthemidatrojan
Score
10/10

behavioral18

redlinesmokeloadervidar933aninewoboze_new_servsel16sel17aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral19

redlinesmokeloadervidar933alaninewaspackv2backdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral20

fickerstealerredlinesmokeloadervidar865903933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencestealerthemidatrojanupxvmprotect
Score
10/10

behavioral21

fickerstealerredlinesmokeloadervidar933aspackv2backdoorinfostealerstealerthemidatrojanvmprotect
Score
10/10

behavioral22

fickerstealerredlinesmokeloadervidar903933aninewoboze_new_servsel16aspackv2backdoordiscoveryinfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral23

redlinesmokeloadervidar933alaninewaspackv2backdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral24

redlinesmokeloadervidar903933aninewoboze_new_servaspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral25

redlinesmokeloadervidar933aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan
Score
10/10

behavioral26

redlinesmokeloadervidar933oboze_new_servsel16aspackv2backdoorevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral27

redlinesmokeloaderaninewaspackv2backdoorevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral28

redlinesmokeloadervidar933aninewoboze_new_servsel16sel17aspackv2backdoorinfostealerpersistencestealertrojanupx
Score
10/10

behavioral29

fickerstealerredlinesmokeloadervidar865933aninewsel16sel17aspackv2backdoorinfostealerpersistencestealertrojanvmprotect
Score
10/10

behavioral30

fickerstealerredlinesmokeloadervidar865933oboze_new_servsel16sel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral31

redlinesmokeloadervidar865903933aninewaspackv2backdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral32

redlinesmokeloadervidar933oboze_new_servsel16sel17aspackv2backdoorinfostealerpersistencestealertrojanupxvmprotect
Score
10/10