Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

8 (11).exe

windows7_x64

10

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

10

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

10

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

Resubmissions

13-08-2021 10:16

210813-wpta271jdx 10

08-08-2021 23:00

210808-fgs5g9pxfs 10

07-08-2021 23:12

210807-g2jw1lmd4a 10

07-08-2021 16:10

210807-51nhct4kfx 10

06-08-2021 23:43

210806-gc2271nxwj 10

06-08-2021 06:00

210806-f443x39x8a 10

05-08-2021 17:08

210805-97y6banvvx 10

04-08-2021 17:25

210804-hkxx2ntr8x 10

04-08-2021 12:12

210804-rjbg4b4y7n 10

03-08-2021 17:12

210803-r2h7ytjwqj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8.rar

  • Size

    94.9MB

  • Sample

    210720-m13qg7e2ra

  • MD5

    f6e2e5e7a38bff1204b1db40674ed32e

  • SHA1

    382e84e729a0949da4a993b6e04f6529271e4ca2

  • SHA256

    2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

  • SHA512

    34fff661f1bbaf6340b29306946cb721eb79c9c20d859df32f549d0bb13e22c59cc44097b30ab5d3ad46e0afa95981cffbf6d8a41cea97b8b72c15899b16de9e

Score
10/10
fickerstealergluptebametasploitredlinesmokeloadervidar19_7_r2007828865903921933aninewisus_2.0sel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojanupxvmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Extracted

Family

redline

Botnet

sel17

C2

dwarimlari.xyz:80

Extracted

Family

redline

Botnet

2007

C2

37.1.219.52:6534

Extracted

Family

vidar

Version

39.7

Botnet

921

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    921

Extracted

Family

vidar

Version

39.6

Botnet

903

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    903

Extracted

Family

redline

Botnet

Isus_2.0

C2

45.14.49.91:60919

Extracted

Family

redline

Botnet

19_7_r

C2

xtarweanda.xyz:80

Extracted

Family

fickerstealer

C2

37.0.8.225:80

Extracted

Family

vidar

Version

39.7

Botnet

865

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    865

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.7

Botnet

828

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    828

Targets

    • Target

      8 (1).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    redlinesmokeloadervidar933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanfickerstealergluptebametasploit19_7_r2007865903921isus_2.0dropperloaderspywarethemidaupxvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      8 (10).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojanvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      8 (11).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar865903921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotectsel17upx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      8 (12).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    smokeloadervidar933aspackv2backdoorpersistencestealertrojanupxvmprotectfickerstealerredline19_7_r2007903921isus_2.0sel17discoveryevasioninfostealerransomwarespywarethemida

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      8 (13).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    gluptebametasploitredlinesmokeloadervidar865903933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojanupxvmprotectfickerstealer921aninewspyware

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

    • Target

      8 (14).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar865903933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotect2007921isus_2.0sel17themidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      8 (15).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojan2007865903sel17spywarethemidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      8 (16).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinevidaraninewaspackv2discoveryevasioninfostealerpersistencestealertrojansmokeloader903921933backdoorspywarethemidaupxvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      8 (17).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar865903921933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotect19_7_r2007isus_2.0themidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      8 (18).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinesmokeloadervidar828921933aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanvmprotectgluptebametasploit2007865903aninewsel17dropperloaderransomwarespywareupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      8 (19).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar828865933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan2007903921sel17ransomwareupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      8 (2).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinevidar865903933aspackv2discoveryevasioninfostealerpersistencespywarestealertrojanvmprotectsmokeloader921aninewsel17backdoorthemidaupx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      8 (20).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealerredlinevidar903aninewaspackv2discoveryevasioninfostealerpersistencestealertrojanupxsmokeloader2007921933sel17backdoorspywarethemida

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      8 (21).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar828865903921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotectsel17upx

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      8 (22).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar828865903933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanupx2007921aninewsel17ransomwarethemida

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      8 (23).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    Score
    10/10
    fickerstealergluptebametasploitredlinesmokeloadervidar828921933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanupxvmprotect

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • redlinestealer

      RedlineStealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Nirsoft

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

16
T1031

Registry Run Keys / Startup Folder

16
T1060

Privilege Escalation

Defense Evasion

Modify Registry

62
T1112

Disabling Security Tools

16
T1089

Virtualization/Sandbox Evasion

15
T1497

File Permissions Modification

13
T1222

Install Root Certificate

16
T1130

Credential Access

Credentials in Files

60
T1081

Discovery

Query Registry

93
T1012

Virtualization/Sandbox Evasion

15
T1497

System Information Discovery

95
T1082

Peripheral Device Discovery

16
T1120

Remote System Discovery

16
T1018

Lateral Movement

Collection

Data from Local System

60
T1005

Exfiltration

Command and Control

Web Service

16
T1102

Impact

Tasks

static1

Score
N/A

behavioral1

redlinesmokeloadervidar933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral2

fickerstealergluptebametasploitredlinesmokeloadervidar19_7_r2007865903921933isus_2.0sel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral3

fickerstealergluptebametasploitredlinesmokeloadervidar933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojanvmprotect
Score
10/10

behavioral4

Score
1/10

behavioral5

fickerstealergluptebametasploitredlinesmokeloadervidar865903921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotect
Score
10/10

behavioral6

redlinesmokeloadervidar903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupxvmprotect
Score
10/10

behavioral7

smokeloadervidar933aspackv2backdoorpersistencestealertrojanupxvmprotect
Score
10/10

behavioral8

fickerstealerredlinesmokeloadervidar19_7_r2007903921933isus_2.0sel17aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral9

gluptebametasploitredlinesmokeloadervidar865903933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojanupxvmprotect
Score
10/10

behavioral10

fickerstealerredlinesmokeloadervidar903921933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupxvmprotect
Score
10/10

behavioral11

fickerstealergluptebametasploitredlinesmokeloadervidar865903933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotect
Score
10/10

behavioral12

fickerstealerredlinesmokeloadervidar2007865903921933aninewisus_2.0sel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral13

fickerstealergluptebametasploitredlinesmokeloadervidar921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealertrojan
Score
10/10

behavioral14

fickerstealergluptebametasploitredlinesmokeloadervidar2007865903921933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojanupx
Score
10/10

behavioral15

fickerstealerredlinevidaraninewaspackv2discoveryevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral16

fickerstealerredlinesmokeloadervidar903921933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral17

fickerstealergluptebametasploitredlinesmokeloadervidar865903921933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanvmprotect
Score
10/10

behavioral18

fickerstealergluptebametasploitredlinesmokeloadervidar19_7_r2007865903921933isus_2.0sel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral19

fickerstealerredlinesmokeloadervidar828921933aspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojanvmprotect
Score
10/10

behavioral20

fickerstealergluptebametasploitredlinesmokeloadervidar2007865903921933aninewsel17aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojanupxvmprotect
Score
10/10

behavioral21

fickerstealergluptebametasploitredlinesmokeloadervidar828865933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan
Score
10/10

behavioral22

redlinesmokeloadervidar2007903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral23

fickerstealerredlinevidar865903933aspackv2discoveryevasioninfostealerpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral24

fickerstealerredlinesmokeloadervidar903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojanupxvmprotect
Score
10/10

behavioral25

fickerstealerredlinevidar903aninewaspackv2discoveryevasioninfostealerpersistencestealertrojanupx
Score
10/10

behavioral26

redlinesmokeloadervidar2007903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojanupx
Score
10/10

behavioral27

fickerstealergluptebametasploitredlinesmokeloadervidar828865903921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect
Score
10/10

behavioral28

redlinesmokeloadervidar903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx
Score
10/10

behavioral29

fickerstealergluptebametasploitredlinesmokeloadervidar828865903933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanupx
Score
10/10

behavioral30

redlinesmokeloadervidar2007903921933aninewsel17aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojanupx
Score
10/10

behavioral31

fickerstealergluptebametasploitredlinesmokeloadervidar828921933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanupxvmprotect
Score
10/10

behavioral32

Score
1/10