Resubmissions

13-08-2021 10:16

210813-wpta271jdx 10

08-08-2021 23:00

210808-fgs5g9pxfs 10

07-08-2021 23:12

210807-g2jw1lmd4a 10

07-08-2021 16:10

210807-51nhct4kfx 10

06-08-2021 23:43

210806-gc2271nxwj 10

06-08-2021 06:00

210806-f443x39x8a 10

05-08-2021 17:08

210805-97y6banvvx 10

04-08-2021 17:25

210804-hkxx2ntr8x 10

04-08-2021 12:12

210804-rjbg4b4y7n 10

03-08-2021 17:12

210803-r2h7ytjwqj 10

General

  • Target

    8.rar

  • Size

    94.9MB

  • Sample

    210723-kdnghf1d4e

  • MD5

    f6e2e5e7a38bff1204b1db40674ed32e

  • SHA1

    382e84e729a0949da4a993b6e04f6529271e4ca2

  • SHA256

    2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

  • SHA512

    34fff661f1bbaf6340b29306946cb721eb79c9c20d859df32f549d0bb13e22c59cc44097b30ab5d3ad46e0afa95981cffbf6d8a41cea97b8b72c15899b16de9e

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3p42CffoV Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: managerhelper@airmail.cc Your personal ID: 0318ewgfDdOcMcAt2OQZqFzJadYhow9MqoFd992adkvAnhUo2b
Emails

manager@mailtemp.ch

managerhelper@airmail.cc

URLs

https://we.tl/t-N3p42CffoV

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Extracted

Family

fickerstealer

C2

37.0.8.225:80

Extracted

Family

vidar

Version

39.7

Botnet

865

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    865

Extracted

Family

vidar

Version

39.7

Botnet

903

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    903

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.7

Botnet

921

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    921

Extracted

Family

redline

C2

woltelorda.xyz:80

Extracted

Family

redline

Botnet

SewPalpadin

C2

185.215.113.114:8887

Extracted

Family

redline

Botnet

sel19

C2

dwarimlari.xyz:80

Extracted

Family

redline

Botnet

sel20

C2

dwarimlari.xyz:80

Extracted

Family

vidar

Version

39.6

Botnet

517

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    517

Extracted

Family

redline

Botnet

723

C2

qumaranero.xyz:80

Extracted

Family

redline

Botnet

23_7_r

C2

zertypelil.xyz:80

Extracted

Family

redline

Botnet

NEW_STAB

C2

45.14.49.71:18845

Targets

    • Target

      8 (1).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (10).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (11).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (12).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (13).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (14).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (15).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (16).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      8 (17).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (18).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      8 (19).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      8 (2).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (20).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (21).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (22).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (23).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

14
T1053

Command-Line Interface

13
T1059

Persistence

Modify Existing Service

16
T1031

Registry Run Keys / Startup Folder

16
T1060

Scheduled Task

14
T1053

Privilege Escalation

Scheduled Task

14
T1053

Defense Evasion

Modify Registry

48
T1112

Disabling Security Tools

16
T1089

Virtualization/Sandbox Evasion

13
T1497

File Permissions Modification

10
T1222

Install Root Certificate

16
T1130

Credential Access

Credentials in Files

64
T1081

Discovery

Query Registry

84
T1012

Virtualization/Sandbox Evasion

13
T1497

System Information Discovery

100
T1082

Peripheral Device Discovery

16
T1120

Remote System Discovery

15
T1018

Collection

Data from Local System

64
T1005

Command and Control

Web Service

16
T1102

Tasks

static1

Score
N/A

behavioral1

fickerstealergluptebametasploitraccoonredlinesmokeloadersocelarsvidar865903933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral2

fickerstealerraccoonredlinesmokeloadersocelarsvidar903921933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral3

redlinesmokeloaderaninewsewpalpadinaspackv2backdoorinfostealerpersistencetrojanupx
Score
10/10

behavioral4

redlinesmokeloadersocelarsvidar903921933aninewsel19sel20aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral5

raccoonredlinevidar933sel20aspackv2discoveryevasioninfostealerpersistencespywarestealersuricatatrojanupx
Score
10/10

behavioral6

fickerstealergluptebametasploitraccoonredlinesmokeloadersocelarsvidar865903921933aninewsel19sel20aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral7

raccoonredlinesmokeloadersocelarsaninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojanupx
Score
10/10

behavioral8

redlinesmokeloadersocelarsvidar903921933aninewsel19sel20aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojanupxvmprotect
Score
10/10

behavioral9

raccoonredlinesmokeloadervidar517933sewpalpadinaspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealersuricatatrojanupx
Score
10/10

behavioral10

fickerstealerraccoonredlinesmokeloadersocelarsvidar723903921933sel19aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral11

fickerstealerredlinesmokeloadersocelarsvidar933sel19aspackv2backdoordiscoveryevasioninfostealerstealersuricatathemidatrojan
Score
10/10

behavioral12

fickerstealergluptebametasploitredlinesmokeloadersocelarsvidar23_7_r865903933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral13

fickerstealerredlinesmokeloadervidar933aninewaspackv2backdoorevasioninfostealerpersistencestealersuricatatrojan
Score
10/10

behavioral14

fickerstealerraccoonredlinesmokeloadersocelarsvidar23_7_r865921933aninewnew_stabaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral15

fickerstealergluptebametasploitredlinesmokeloadervidar865933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatatrojanupxvmprotect
Score
10/10

behavioral16

Score
1/10

behavioral17

redlineaninewaspackv2infostealerpersistenceupx
Score
10/10

behavioral18

fickerstealerraccoonredlinesmokeloadersocelarsvidar865903921933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojanupx
Score
10/10

behavioral19

redlinesmokeloadervidar517921933aninewsel20aspackv2backdoordiscoveryevasioninfostealerpersistencestealersuricatatrojan
Score
10/10

behavioral20

Score
1/10

behavioral21

redlinesmokeloadervidar921933aninewnew_stabaspackv2backdoordiscoveryevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral22

redlinesmokeloadervidar933aspackv2backdoorinfostealerpersistencestealersuricatatrojanupx
Score
10/10

behavioral23

fickerstealergluptebametasploitredlinesmokeloadervidar865903921933sel20aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral24

fickerstealergluptebametasploitraccoonredlinesmokeloadersocelarsvidar723865903921933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral25

fickerstealergluptebametasploitredlinesmokeloadersocelarsvidar933aninewaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealersuricatatrojanupxvmprotect
Score
10/10

behavioral26

fickerstealerraccoonredlinesmokeloadersocelarsvidar723865903921933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojanupx
Score
10/10

behavioral27

redlinevidar933aspackv2evasioninfostealerpersistencestealersuricatathemidatrojanupx
Score
10/10

behavioral28

fickerstealerraccoonredlinesmokeloadersocelarsvidar865903921933sel19sel20aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral29

redlinesmokeloadervidar933aninewaspackv2backdoordiscoveryevasioninfostealerpersistencestealersuricatatrojan
Score
10/10

behavioral30

raccoonredlinesmokeloadersocelarsvidar933aninewsel20aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral31

fickerstealerredlinesmokeloadervidar933aninewnew_stabaspackv2backdoorevasioninfostealerpersistencespywarestealersuricatatrojanupx
Score
10/10

behavioral32

fickerstealerraccoonredlinesmokeloadersocelarsvidar723903921933aninewsel19aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupx
Score
10/10